Subject: Re: identd with NAT and IPv6 support.
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Jim Wise <jwise@draga.com>
List: tech-net
Date: 03/28/2002 01:23:21
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 27 Mar 2002, der Mouse wrote:

>>> Ident must die.
>> Right.  It serves no useful purpose.  At all.
>
>I don't know what you're on, but I know someone who would like to know
>where to get some.
>
>More seriously, I can certainly say that I as a sysadmin would never
>consider running a multiuser system connected to the net without an
>identd.  Nor would I waste any time dealing with an abuse complaint
>alleging abuse involving outoging TCP connections which didn't include
>the token returned by my identd (eg, if the complainant didn't bother
>to make the query).
>
>I'm repeatedly and depressingly surprised by how few people seem to
>actually understand what identd is useful for, and to whom.

Um, Okay.  If you want to include `browbeating people making abuse
complaints with nonsensical requirements', our set of uses for identd
has now grown to _one_.  Lets see what the judges say...

identd, even in -C mode does _not_ provide anything resembling security.
As it does not encrypt any form of sequence number, any user with the
ability to inject packets anywhere between client and server can inject
a packet with the same source port and ip as _was once used in the past_
by one of your users, and then inject the token _used at that time in
the past_ in an ident response.

And you're now _worse_ off than if you weren't using identd, because a
user can still spoof one of your users, but now you mistakenly believe
you have a secure system implicating that user.

- -- 
				Jim Wise
				jwise@draga.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8orbdN71lEcOYcw4RAqmfAJ0bOotnnxoKRnGRgdtOU3JQBZvAEgCgyxid
luB+nDd+gb81NhDiiIuWZu8=
=glBi
-----END PGP SIGNATURE-----