On Sat, Nov 17, 2007, Amos Shapira wrote about "Re: FTP problem":
> I'd change that to "In the Internet as stupid admins would like it to
> be". Identd is the stupidest security-related protocol and had I not
> seen it keep being mentioned for almost 20 years I wouldn't have
> believed it still being used for anything else but waste of time and
> network bandwidth.
You're absolutely right that identd is outdated, anachronistic, and should not be used, let alone required, on the modern Internet. On many types of modern setups (e.g., firewalls, NAT), it couldn't work even if you wanted it to.

However, identd, and the function it originally served, wasn't always the "stupidest security protocol" it seems to be now. The original idea was actually wise: assuming that you (some server) already know which machine you are talking to (i.e., an IP address), how do you know which *user* on that machine you are currently serving? You can ask (via the identd protocol) that machine to tell you which user owns the port you are connected to. So if the machine some.machine.com tells you that this user is "joe", then you can conclude that you are currently serving [EMAIL PROTECTED].

Of course, some.machine.com can lie to you, and in reality you might be serving Moe, not Joe, or not serving any identifiable human at all (it might be a Windows machine without users, a worm, or who knows what). But everyone knew that. No system administrator would be so stupid as, for example, to allow somebody saying he is [EMAIL PROTECTED] to log in as the local user named "joe" without needing a password. Rather, the intention was most typically to have better *accountability* between cooperating systems.

Let me give you a typical example (of what things used to look like 15 years ago). Let's say you were running an IRC server, and discovered that someone was abusing your server - e.g., harassing people, spamming, or whatever - and you wanted to block this person. You could block the IP address of that connection, but that doesn't even make sense today and made even less sense 15 years ago, when an IP address very often represented a UNIX computer used by hundreds of people (often students in some university). But if that UNIX computer cooperated with you via identd and told you which *user* was contacting you, you could block just that single user. If the remote computer refused to answer, or you suspected it was lying to you, you could simply block its entire IP address. So both the server and the client (a multi-user machine) benefited by running identd honestly, and the client couldn't gain anything by lying.

But as fewer and fewer Internet hosts were multi-user, fewer and fewer used Unix (and thus more and more did not have identd installed), and more and more were behind NATs and firewalls, identd simply lost its usefulness. The "identity" and "accountability" of users is now more complicated than a simple [EMAIL PROTECTED]. Perhaps more importantly: today, users don't want their ISPs to identify them to servers and thereby protect them from the "collateral damage" of blocking (which is actually a real problem even today). Rather, today most users expect *privacy* - users often *want* to do secret, private, or outright illegal things in their account, and do not want their ISP to help the servers they contact to identify them! This is why identd is worthless on the modern Internet.

> Does anyone here run an identd server or trust its replies?

Of course not. Just like I don't run a gopher server, the "chargen" service, or other archaic services and protocols that nobody needs or wants these days.

-- 
Nadav Har'El                        |       Saturday, Nov 17 2007, 8 Kislev 5768
[EMAIL PROTECTED]                   |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |The path of least resistance is what
http://nadav.harel.org.il           |makes rivers and politicians crooked.
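The identd exchange the reply above describes, as an added Python example that is not from the mailing list or from any identd implementation: the request line a server sends, a parser for the two RFC 1413 reply forms, and the blocking rule the post lays out (narrow the block to one user when the remote host answers, block the whole host otherwise). The ports, host name and user name are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 1413 (ident) over TCP port 113. Request from the server side:
#   "<port-on-server>, <port-on-client>\r\n"
# Reply from the client host's identd, one of:
#   "<port-on-server>, <port-on-client> : USERID : <opsys> : <user-id>\r\n"
#   "<port-on-server>, <port-on-client> : ERROR : <error-type>\r\n"
_REPLY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")

@dataclass
class IdentReply:
    server_port: int
    client_port: int
    user: Optional[str]   # None when the remote host answered ERROR
    error: Optional[str]

def build_request(server_port: int, client_port: int) -> bytes:
    """Line the server sends to the client host's identd for one connection."""
    if not (0 < server_port < 65536 and 0 < client_port < 65536):
        raise ValueError("port out of range")
    return f"{server_port}, {client_port}\r\n".encode("ascii")

def parse_reply(line: bytes, server_port: int, client_port: int) -> IdentReply:
    """Parse one reply line; the echoed port pair must match what we asked."""
    text = line.decode("ascii").rstrip("\r\n")   # UnicodeDecodeError is a ValueError
    m = _REPLY_RE.match(text)
    if m is None:
        raise ValueError(f"malformed ident reply: {text!r}")
    sp, cp, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
    if (sp, cp) != (server_port, client_port):
        raise ValueError("reply is about a different connection")
    if kind == "ERROR":
        return IdentReply(sp, cp, None, rest.strip())
    # USERID payload is "<opsys> : <user-id>"; a user-id may itself contain ':'
    _opsys, sep, user = rest.partition(":")
    if not sep or not user.strip():
        raise ValueError("USERID reply without a user-id")
    return IdentReply(sp, cp, user.strip(), None)

def block_target(reply: Optional[IdentReply], host: str) -> str:
    """Accountability rule from the post: an answer narrows the block to one
    user; no answer or ERROR blocks the whole host. The user-id is an
    unverified claim by the remote host, so it only scopes a block or a log
    line and never grants access."""
    if reply is None or reply.user is None:
        return host
    return f"{reply.user}@{host}"
```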