Suggestion for improved identD

Ehud Gavron writes:

Suggestion: PPP access devices intercept identD requests
  and return the authenticated access string.

Reasoning: Modern ``stacks'' used by end-users -- especially
  those on throwaway accounts, fake any identD response.
  This makes tracking those people tougher.

Methods: 1: identD v2, new port, intercepted by access devices
     which support it.

  2: modification to hosts requirement RFCs, making
     access devices responsible for intercepting identD
     requests to their PPP clients.

  3: a security RFC ``suggesting'' 1 or 2

Thoughts appreciated, as are comments, flames, blames, and anything
of some content.

I've done this for a couple of internet providers in Western Australia.
Either by using transparent proxying under Linux (one used a Linux term
server..), or a route-map to a *nix box on a Cisco.

There are a few privacy issues too - if you want to see who is online,
you just send out ident requests to all dialup lines, and the 'real' idents
are returned. One Perth ISP fixed this by using a hash of the username.
That fixes IRC bans (so they can just ban *!*hash@* ) .. and if
someone wants to track a user down, they ring the ISP and hand over the


Plus, for some applications it doesn't matter. One of the biggest applications
of identd is for IRC, and the IRC model is broken. For example,, my home PC running Linux, HAS a working identd. But
although Efnet IRC servers always recognize it, DALnet servers never do.
(Hey, Mr. Nielsen, fix your servers. :slight_smile: