transparent ident conntracking?
Jacek Konieczny
jajcus@bnet.pl
Fri, 7 Dec 2001 17:58:12 +0100
On Thu, Dec 06, 2001 at 10:50:26AM -0800, Tom Marshall wrote:
> Personally, I feel that ident is a useless protocol.
No, it is very useful.
> It is based on the
> assumption that ports below 1024 can be trusted. This may have been true as
> recent as 10 years ago, but it is certainly not true now. The only thing
> that I know of which requires ident is IRC.
ident is useful only for the administrator of the ident server. It may
be very useful for him, but only when other administrators log ident
replies.
I am administrating a masquerading router and a net of hundreds of people
behind it. When one of them does something bad (sends SPAM, hacks
someone's machine) I am responsible for this, as it came from my
IP address. I have the router configured so it answers differently
for connections from each masqueraded host. Notice that _my_ router
generates the reply, not the client's machine. It is sane, as it describes
a connection from _my_ IP.
Now when the SPAM was sent by some server which adds the ident string to
mail headers I can trace the real origin and punish the right person.
Unfortunately many servers don't do that :-(. That's why I have to log
each SMTP connection going through my router (fortunately most mail is
sent via my servers, so I don't have to log them separately).
The ident protocol is the only solution I know to distinguish different
users of one IP. It may be a multiuser machine (this is what ident was
designed for) or a masqueraded IP.
ident really has no value when it comes from a single person/account. But
this doesn't mean it is useless!
And one more thing: I don't think forwarding ident replies makes any
sense, when we know that the source cannot be trusted. If the forwarder
knows better who owns the connection, then it should make the ident
reply.
Greets,
Jacek
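As an added example (not from the original post or any real identd), a Python sketch of the per-host ident responder Jacek describes: the router answers RFC 1413 queries from its own NAT/conntrack table, so the reply names the masqueraded host and never repeats anything the client machine claims. The NAT snapshot, the addresses and the "host-..." token format are constructed assumptions.

```python
from typing import Dict, Tuple

# Constructed conntrack/NAT snapshot for a masquerading router (assumption).
# Key: (router's masqueraded source port, remote IP, remote port);
# value: the internal host that owns that masqueraded connection.
NAT_TABLE: Dict[Tuple[int, str, int], str] = {
    (40001, "198.51.100.7", 25): "10.0.0.5",    # SMTP session from host .5
    (40002, "198.51.100.7", 25): "10.0.0.9",    # SMTP session from host .9
    (40003, "192.0.2.44", 6667): "10.0.0.5",    # IRC session from host .5
}


def host_token(internal_ip: str) -> str:
    # Opaque but stable id the router admin can map back to a host; it is the
    # router's own word, not a username reported by the client's machine.
    return "host-" + internal_ip.replace(".", "-")


def ident_reply(query: str, peer_ip: str, nat=NAT_TABLE) -> str:
    """Answer one RFC 1413 query line that arrived from peer_ip.

    Query: "<port-on-server> , <port-on-client>", where port-on-server is the
    router's masqueraded source port and port-on-client is the remote port.
    The peer's address comes from the TCP connection carrying the query.
    """
    try:
        a, b = query.split(",")          # exactly two comma-separated fields
        srv_port, cli_port = int(a.strip()), int(b.strip())
    except ValueError:
        # Unparseable request: echo placeholder ports (a choice, not RFC-mandated)
        return "0 , 0 : ERROR : INVALID-PORT"
    if not (1 <= srv_port <= 65535 and 1 <= cli_port <= 65535):
        return f"{srv_port} , {cli_port} : ERROR : INVALID-PORT"
    internal = nat.get((srv_port, peer_ip, cli_port))
    if internal is None:
        # No such connection between the router and this peer: never guess.
        return f"{srv_port} , {cli_port} : ERROR : NO-USER"
    # "OTHER" is the RFC 1413 opsys value for a free-form user-id string.
    return f"{srv_port} , {cli_port} : USERID : OTHER : {host_token(internal)}"


if __name__ == "__main__":
    print(ident_reply("40001 , 25", "198.51.100.7"))
    print(ident_reply("40001 , 25", "192.0.2.44"))
```

A mail server that logs this reply in a Received header lets the router admin map the complaint back to host 10.0.0.5 without trusting anything that host said about itself.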