IP Masquerading and ident [suggestion]

Mikael Abrahamsson (mike@uplift.sparta.lu.se)
Wed, 24 Apr 1996 01:22:54 +0200 (MET DST)


A common problem is that if you're using IP masquerading, you're
condensing a lot of traffic so that it appears to come from just one machine, and
there is no way to tell afterwards which traffic originated from which
masqueraded machine.

Now, I have a suggestion for a hack that I think would do the world a lot
of good :)

Have a list of IPs and corresponding usernames, so that these can be
identified using a (perhaps hacked) identd.

Let's say we have a local net with the following IPs and users:

192.168.0.10 Joe
192.168.0.11 Jane
192.168.0.12 John

Now, a request that comes from Joe's IP and is masqueraded should still be
able to be identified through either this list of IPs, or the request should
be forwarded to the machine's own ident port for identification on that
machine.

The first (one user, one IP) is good for the specific situation I've
encountered here, that a cable network in my home town has about 20 people
connected via cable, but they're using a linux machine to IP masquerade
this net, and everybody seems to be coming from the linux machine. If
there is some kind of abuse from any of these, they are not traceable.
These machines are mainly Windows machines, and from the ISP's point of
view, untrustworthy. They should rely on the ISP's list of usernames/IPs.

The second option (forwarding ident requests to the internal machine) is
good if you trust the machines being masqueraded. If you have several
multiuser machines being masqueraded it's not good to have one IP-one
user, but instead you want the machine to identify what user is doing
which.

The best thing would of course be that this is totally configurable per
IP, so that someone who is trusted internally can have his own machine
answer ident requests, while all the others are untrusted and thus the ISP
machine handles ident requests from its own list.

This doesn't seem like something awfully hard to accomplish to me, but hey,
I am not able to do it myself. I hope someone who is able to do it likes
the idea and implements it. If you need more input, send me an email.

This would help a little with the problem of identifying users on the net
nowadays. If linux could implement this, it would show the makers of
terminal servers that this is possible, and they might also implement it.

Btw, I guess you could even do this if you're using Linux as a router.
Just intercept packets going to port 113 (ident) on the internal net,
supply the username from some kind of list, and send it back to the
requesting machine with the dialup IP as sender. This would enable all
ISPs who use Linux as dialup boxes to supply ident replies for their dialup
lines, even if they're dynamically assigned (this has to be linked to some kind
of list of who is on which IP at the moment, of course).

Any input on my ideas is appreciated.
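The mechanism proposed above, written out as an added example (this is not code from the post, nor from any Linux masquerading code): an RFC 1413 ident responder that a masquerading gateway could run on port 113. It uses the gateway's own connection table to map the rewritten external port back to the internal host, then either answers from the ISP-maintained IP/username list or, for hosts marked trusted, forwards the query to that host's identd and rewrites the port field in the reply. The masquerade table, the trusted-host set, the `forward` callback and the IP/username entries beyond the three in the post are all constructed for the example.

```python
"""Ident (RFC 1413) responder for a masquerading gateway (added example).

Covers the three cases from the post:
  1. answer from an ISP-maintained IP -> username list,
  2. forward the query to a trusted internal host's own identd,
  3. decide between 1 and 2 per internal IP.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# The list from the post: internal IP -> username (constructed data).
IP_USERS = {"192.168.0.10": "Joe", "192.168.0.11": "Jane", "192.168.0.12": "John"}

# Hypothetical per-IP policy: hosts whose own identd the gateway trusts.
TRUSTED_HOSTS = {"192.168.0.12"}


@dataclass(frozen=True)
class MasqEntry:
    """One masqueraded TCP connection as the gateway's table records it."""
    internal_ip: str
    internal_port: int
    external_port: int  # source port the gateway substituted on the way out
    remote_ip: str
    remote_port: int


# Constructed masquerade table: Joe -> a mail server, John -> an IRC server.
MASQ_TABLE = [
    MasqEntry("192.168.0.10", 1045, 61001, "198.51.100.25", 25),
    MasqEntry("192.168.0.12", 2033, 61002, "198.51.100.66", 6667),
]

# Hypothetical hook: (internal_ip, query_line) -> reply line from that host's identd.
IdentForwarder = Callable[[str, str], str]


def parse_query(line: str) -> Optional[tuple[int, int]]:
    """Parse '<port-on-server> , <port-on-client>'; None if malformed."""
    parts = line.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        server_port, client_port = (int(p.strip()) for p in parts)
    except ValueError:
        return None
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return None
    return server_port, client_port


def find_connection(table: Iterable[MasqEntry], external_port: int,
                    remote_ip: str, remote_port: int) -> Optional[MasqEntry]:
    """Map (gateway port, remote IP, remote port) back to the internal host."""
    for entry in table:
        if (entry.external_port, entry.remote_ip, entry.remote_port) == \
                (external_port, remote_ip, remote_port):
            return entry
    return None


def answer_ident(query: str, querier_ip: str, table=MASQ_TABLE, users=IP_USERS,
                 trusted=TRUSTED_HOSTS, forward: Optional[IdentForwarder] = None) -> str:
    """Build the reply line the gateway sends back on the port-113 connection."""
    parsed = parse_query(query)
    if parsed is None:
        return "0 , 0 : ERROR : INVALID-PORT"
    server_port, client_port = parsed
    pair = f"{server_port} , {client_port}"
    entry = find_connection(table, server_port, querier_ip, client_port)
    if entry is None:
        # No such masqueraded connection: RFC 1413 NO-USER.
        return f"{pair} : ERROR : NO-USER"
    if entry.internal_ip in trusted and forward is not None:
        # Trusted host: ask its own identd with the pre-NAT port it knows,
        # then put the gateway's external port back into the reply.
        inner_reply = forward(entry.internal_ip, f"{entry.internal_port} , {client_port}")
        _, _, rest = inner_reply.partition(":")
        return f"{pair} :{rest}"
    username = users.get(entry.internal_ip)
    if username is None:
        # Connection exists but the ISP list has no owner for that IP.
        return f"{pair} : ERROR : NO-USER"
    return f"{pair} : USERID : UNIX : {username}"


if __name__ == "__main__":
    print(answer_ident("61001 , 25", "198.51.100.25"))
    print(answer_ident("61001 , 25", "203.0.113.9"))
```

In a real deployment `querier_ip` is the peer address of the TCP connection that delivered the query, and the table lookup is what prevents one remote host from learning the owner of someone else's connection. The answer is only as good as the ISP's IP/username list, which is exactly the point the post makes about untrusted Windows hosts.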