Suggestion for improved identD

Adrian_Chadd · May 21, 1998, 5:19am

Jon Lewis writes:

Suggestion: PPP access devices intercept identD requests
and return the authenticated access string.

Thoughts appreciated, as are comments, flames, blames, and anything
of some content.

Not every dialup connection is a single end luser on a win95 box. What
about ISDN connections where there's a whole network of real computers and
different users (on each computer)? How does the NAS decide which
connections to intercept for and which not to? Even if you knew the
username, what good will it do you 1000 miles away? Those providers who
care can fine the user if you tell them the IP and time of day. Those who
don't care won't care if you tell them "I was spammed by
abc123@yournets.net".

Its more of blocking services.

When I implemented the forced ident setup, if a user had a static IP, then
the ident was passed through. Only if they were a dynamic IP dialup client
would the ident be forced.

The idea here is not to provide a username. Its to provide a method of
identifying a dialup user, in a way that doesn't change with each login.
Since most things already query ident, then why not go this path and make
ident 'trusted' on dynamic IP NAS connections?

Adrian

Jay_R_Ashworth · May 21, 1998, 1:50pm

Ok, I almost like this.

The only problem I can see is when the dynamic dialup user is still a
linux box... but in that case, the administative control _still_ vests
in the subscriber. How about: proxy intercept the ident port and
return something based on the dialup ID unless a) the port is a static
connection or b) the user has specifically requested to do their own
identing. Now, it would be nice to be able to tag which idents come
from the proxy and which don't... but we're getting into signed-identd
territory now.

Cheers,
-- jra

Paul_Mansfield · May 21, 1998, 2:14pm

could the ident be intercepted, so that the ident result from the dialler
was retagged? tricky...

in just the same way that adding SMTP or NNTP headers allows additional
tracking but doesn't prevent the originator of news or mail from supplying
their own.

Paul

Jay_R_Ashworth · May 21, 1998, 2:20pm

Yeah, you could do a full proxy-ident: retrieve the userid from the
end-user, and then resend it yourself. But all you'd be tagging it as
is: _I_ didn't generate this...

Cheers,
-- jra

Tom_Perrine · May 22, 1998, 4:01am

I've been following the "need a better IDENT" thread for a bit, and
have some questions and suggestions.

Let's see if we can *really* define what it is we really want, and
figure out if IDENT or "son of IDENT" is really the answer.

Sorry for the length and the over-pedanticism (is that a word? ),
I'm trying to summarize a whole bunch of ideas and messages here, and
be really specific about the real problem we're trying to solve.

There seem to be two completely different motivations for wanting a
"better IDENT":

1. To allow IRC operators (and others) to block access to abusive (or
undesired) remote users more selectively than by blocking an
entire domain or net-block.

    The desire here is essentially for a real-time authentication for
    ad-hoc users from administrative domains over which you have no
    control, which you may not "trust", and for which the user
    identification (username/"nick") AND the IP address are selected
    either by the user (the nick) or by the domain (dynamic IP
    addresses).

    This is a *hard* problem. Basically you are trying to not trust
    anything presented by the connection or the user, and make an
    authentication decision.

    As long as the end user can generate new identities at will, you
    are stuck. They can generate new ones at least as fast as you can
    block old ones. Unless you force people to go through some
    registration process that either forces a delay (you can't use
    your new nick until tomorrow), or some "validation step", you will
    never win.

2. To allow domain administrators to determine, after-the-fact, who
    is responsible for or was "in control" of activities coming from a
    specific IP address or net-block, in an administrative domain that
    they do not control or have access to, at a given time in the
    past.

    The desire here is to be able to identify the human responsible
    for such mis-behaviors as denial of service, undesired probes and
    intrusion attempts (or successes!). It is usually considered
    acceptable if the mechanism gives you some sort of token that you
    can then present to the owner of the source domain, who can then
    identify their user by way of RADIUS or other user authentication
    logs.

    This is a much easier problem, and is the *exactly* one for which
    IDENT was designed, as long as the IDENT server is under the
    control of the administrative domain, and not the end user. In
    other words, the connection came from and the IDENT server is on a
    time-sharing machine under some kind of "responsible" control.

Trying to address the "not under control of the end user" is the
restriction that the "proxy-IDENT" proposals is trying to address.

    What I don't understand is why you can't just present the IP
    address, and the time of the mis-behavior to the network owners;
    they should be able to identify the responsible person from the
    dial-up authentication (RADIUS or other) logs. Even if there is a
    complete network behind the dial-up (or ISDN or whatever), there
    *had* to be an authentication of some sort to establish the
    connection, or they have bigger problems that will not be solved
    by a "better IDENT". At worst, they can delegate the problem to
    whoever authenticated: "Find and solve the problem before we allow
    any of your connections. If this cuts off several people that's
    *your* problem. Its your subnet and your account. You are
    responsible for it. Fix it."

This note seems to be desiring function #1, e.g. ad-hoc user
authentication:

Manar_Hussain · May 22, 1998, 2:39pm

I've been following the thread too and there's another desire we have for
something like IDENT which oddly enough we were considering just a few days
ago. We "host domains" for clients for whom we do not provide net access
and where on some occassions their access provider will block mail sent
"from" the domain we host.

E.g. dial up user with provided email "joe@isp.com" get's us to run the
domain "joe.com" and wants to use the email "me@joe.com" but can't then
send his mail through his access provider for whatever reasons.

We then want to help out and allow this user to relay through one of our
servers but sure as hell don't want to run an open mail relay. The best
solution is to have some trigger that joe can initiate/host that let us
know we can aloow mails from a given machine at a given time.

The starting point for this was a hook into the pop server which means that
any machine that successfully picks up mail via pop get's added to a list
with a time stamp - and that the mails server will then refer to this list
and let any such machine send mail (say within 15 minutes).

What we thought would be much nicer is if Joe ran something sort of simple
deamon process which the mail server could query to confirm that he was a
valid user - hence the interest in the thread ...

Manar

Derek_Balling · May 22, 1998, 2:53pm

   What I don't understand is why you can't just present the IP
   address, and the time of the mis-behavior to the network owners;
   they should be able to identify the responsible person from the
   dial-up authentication (RADIUS or other) logs. Even if there is a
   complete network behind the dial-up (or ISDN or whatever), there
   *had* to be an authentication of some sort to establish the
   connection, or they have bigger problems that will not be solved
   by a "better IDENT". At worst, they can delegate the problem to
   whoever authenticated: "Find and solve the problem before we allow
   any of your connections. If this cuts off several people that's
   *your* problem. Its your subnet and your account. You are
   responsible for it. Fix it."

I think the answer to this question is that a LOT of ISP admins don't have
the time to handle the flood of complaints that would come about from
IRC-based complaints. This is why many of the larger ISP's at some point in
time get banned from IRC servers in general... As an example, there are
plenty of Netcom users who have made "general IRC attacks" (channel
takeovers, nuking users, etc.) and Netcom is banned, as a whole, from a
number of servers (or at least was several years ago when last I used IRC).
Complaints to Netcom would generally go unanswered because when it came to
having time to deal with complaints, IRC ones - which generally come down
to a he-said,she-said situation, go ignored. A user can produce "a log of
what happened", but give me 10 minutes with vi and I can produce an IRC log
that says the Pope pronounced Jesus a pagan wizard.

Not that I personally care about IRC Servers' demands (I personally
consider them a good idea turned into a hideous waste of bandwidth), but
their concern is real, from their point-of-view, and the network admins
they need to deal with generally are unresponsive because of the very
nature of IRC.

Derek

Edward_S_Marshall · May 23, 1998, 3:14am

    The desire here is essentially for a real-time authentication for
    ad-hoc users from administrative domains over which you have no
    control, which you may not "trust", and for which the user
    identification (username/"nick") AND the IP address are selected
    either by the user (the nick) or by the domain (dynamic IP
    addresses).

Not authenticate. Authenticate would imply that the data being returned is
reliable.

All I think that people are asking for here is a unique identifier of that
user, that can be depended upon to return the same result every time a
query regarding that user is sent. That's all. It doesn't need to be a
username, or anything personally identifying; in fact, it -should- be
something obscure...the idea to use a hash of the username, for instance.
Just something that uniquely identifies the user between sessions to
remote networks.

Using ident might be a poor choice for this, because of some people
wanting to operate their own ident mechanisms. Perhaps a new scheme, which
from the outset is "blessed" to be intercepted as it passes through a
terminal server, would be more politically correct.

What I don't understand is why you can't just present the IP
address, and the time of the mis-behavior to the network owners;

Laziness and lack of tools on the part of many ISPs. While a timestamp and
IP address can reliably and uniquely identify a user to an ISP, it can't
do so all by itself...someone at the ISP needs to take the time to
correlate that IP address and timestamp in logs.

Many ISPs, as unfortunate as it is, have no tools to perform quick lookups
like this. Thus, many complaints may fall on deaf ears, due to the
unwillingness of the ISP to investigate them (which in turn is due to
their lack of tools or skills to retrieve this information quickly).

Not that it's an excuse. But it's a rationale.

Tom_Perrine · May 26, 1998, 5:18pm

If you have started a prosecution in any jurisdiction for a DENIAL OF
SERVICE attack on any of your resources, please contact me directly.

We've identified the individual (inDUHvidual?) and we're exploring our
options. We've been involved in prosecuting intrusions :-), but not a
DoS (yet).

- --
Tom E. Perrine (tep@SDSC.EDU) | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ | Voice: +1.619.534.5000

Tim_Gibson · May 26, 1998, 10:36pm

You'd probably do alittle better down there, but here in Canada it's
considered common mischief and doesn't qualify the CCC's section 342
theft of services clause. Likely a better option though since you can
easily prove some kind of damages, but it's hard to convince a judge you
lost 1000s when nothing physical was taken.

Tim Gibson