Suggestion for improved identD

>There isn't necessarily just a single user on the other end of a PPP
  Perhaps I should have phrased it as "single user network
  connection" and not "PPP". I'm less concerned with the
  PPP as a protocol than as its modern usage to connect the
  dialup user.

And how do you tell the difference between a single user connection
and multi-user connection? They both use PPP. Are you going to make
all the Linux users out there have to start negotiating with their
ISPs just to allow them to be on?

>Many things will break if the actual user and the user
>that PPP intercepted identd asserts do not match.


Yup. IRC bots, for instance. They expect certain specific information
to grant authority, and if the PPP server substitutes it, it can't be
correct all the time on systems with two or more users since the PPP
server won't know which user is on which port (without actually going
to that machine to ask ... but then what's the point).

>Providing such information may be a violation of confidentiality if

  Login string. e.g. username.

Dialup account id? Unfortunately this is usually also the e-mail
address by just appending and thus giving out tons
of addresses to spammers.

I won't subject my customers to this.

>Because the PPP access device cannot know, unless it also tracks all the
>traffic involved, what ports are in fact in use, it would have to give

  If l2 is up, it's up. That's fairly basic...

So if I request an ident on port 15421, is the PPP server going to answer
it even though, there is in fact no active port 15421 on that machine?
You want PPP servers to track all those SYN and RST?

>I believe you misunderstand the purpose of identd. It was intended to

So you do understand that the data wasn't intended to be trusted if
you have no trust of the machine (and certainly most of them out there
cannot be trusted).

>Why do you want this data?

  My personal crusade against packet monkeys, spammers, and
  irresponsible admins who support them by pretending that
  the net is free for all to abuse.

I applaud the goals. I don't think this is a viable mechanism to
achieve them.

BTW, I blocked access to SMTP other than to my own servers for all my
dialup non-LAN customers. I don't like abuse, and won't put up with
it, either from my customers, or to them. But this identd idea is not
something I will do to my customers. The cure is worse than the disease.

The answer is simple. Don't trust identd responses. Just don't ask
for that data and then you don't have to worry about it being forged.