Subject: Re: identd + NAT
To: Michael Eriksson <Michael.Eriksson@era-t.ericsson.se>
From: Curt Sampson <cjs@cynic.net>
List: netbsd-users
Date: 09/21/2001 13:41:09
On Thu, 20 Sep 2001, Michael Eriksson wrote:

> Do what I do, and run fair-identd from the pkg collection on the NAT
> machine. The Identification Protocol pretty much sucks anyway, so
> don't go overboard to deliver "correct" information.

It doesn't suck at all, if you understand the purpose. Here's how it's
supposed to work:

    1. User from host A initiates a TCP connection to host B.

    2. Host B queries host A with this connection information and asks,
    "is there anything further I should log about this connection?"

    3. Host A ident daemon responds, "yeah, this", and returns an
    opaque token.

    4. Later, host B's admin realises that something
    bad/suspicious/whatever happened as a result of that connection,
    and wants to ask host A's sysadmin to investigate this.

    5. B's admin contacts A's admin with the date/time of the connection,
    other relevant information, and the opaque token that was logged.

    6. A's admin uses this information to track down the perpetrator and
    find out what's up.

So just include in the ident response any additional information you
would want should you be contacted in this way.

If it's a multi-user system, you may want to include something that will
enable you to map the connection back to a particular user. If it's a
single-user system (or in this case, home network), you may not need
any further information, and can return nothing useful.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 3 5778 0123   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
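The exchange in steps 1 to 3 and the lookup in step 6, as an added Python example that is not part of this message or of any ident daemon named in the thread: host A answers an RFC 1413 query with an HMAC-based opaque token (an assumed design; the key, the connection table and the candidate account list are constructed), and A's admin later recomputes the token to map it back to a local user.

```python
import hashlib
import hmac
import re

# Constructed secret: generated once and kept only on host A.
SECRET_KEY = b"constructed-example-key"

# Constructed stand-in for host A's TCP connection table:
# (local port, remote host, remote port) -> local user owning the socket.
CONNECTIONS = {
    (6191, "192.0.2.10", 23): "alice",
    (6192, "192.0.2.10", 25): "bob",
}

# RFC 1413 query: "<port-on-server> , <port-on-client>" (server = host A).
QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

def make_token(lport, remote_host, rport, user):
    """Opaque token (assumed design): HMAC over the connection tuple and the
    local user.  Host B can log it but cannot learn the user from it."""
    msg = f"{lport}:{remote_host}:{rport}:{user}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:24]

def handle_query(line, remote_host, multi_user=True):
    """Reply host A sends to host B (steps 2 and 3).  `remote_host` is B."""
    m = QUERY_RE.match(line)
    if not m:
        return "0, 0 : ERROR : INVALID-PORT"  # ports unparsable; echo zeros
    lport, rport = int(m.group(1)), int(m.group(2))
    if not (0 < lport < 65536 and 0 < rport < 65536):
        return f"{lport}, {rport} : ERROR : INVALID-PORT"
    user = CONNECTIONS.get((lport, remote_host, rport))
    if user is None:
        return f"{lport}, {rport} : ERROR : NO-USER"
    if not multi_user:
        # Single-user box: nothing to map back, so return nothing useful.
        return f"{lport}, {rport} : ERROR : HIDDEN-USER"
    token = make_token(lport, remote_host, rport, user)
    # "OTHER" tells B that the identifier is not a login name.
    return f"{lport}, {rport} : USERID : OTHER : {token}"

def resolve_token(token, lport, remote_host, rport, candidates):
    """Step 6: A's admin recomputes the token for each local account
    (`candidates` stands in for the account list) to find its owner."""
    for user in candidates:
        if hmac.compare_digest(make_token(lport, remote_host, rport, user), token):
            return user
    return None
```

Because the token is keyed, host B (or anyone who reads B's logs) cannot turn it into a username, while A's admin needs only the connection details B's admin supplies plus A's own key.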