[lug] open port

D. Stimits stimits at idcomm.com
Fri Mar 29 17:08:28 MST 2002


Peter Hutnick wrote:
> 
> On Friday 29 March 2002 03:37 pm, D. Stimits wrote:
> 
> > Ident isn't really authentication, its only real purpose is
> > anti-spoofing.
> 
> > It's archaic and weak, but I don't think it is a risk,
> > it is a help.
> 
> First, I'd consider it a personal favor if you would trim your replies.

Sometimes I do, depending on how fast I'm trying to answer and whether
the prior text seems relevant.

> 
> The problem with your argument is that you grant that it is weak.  I
> assert that people rely on it.  The logical conclusion is that it is
> therefore a risk.

I completely disagree. The idea of not opening up unneeded ports is very
valid, but I doubt anyone actually *relies* on it. It is always an
afterthought or addition, and it will never make things worse for the
user that accepts incoming traffic (within reasonable limits, ident as a
source of cracker entry is far, far lower risk than almost anything
else...the risk of identd is one of "well, anything open can be
exploited...possibly"). I compare it to the risk of spoofing or
man-in-the-middle, and the advantages, though rare to need them, are just
too extreme in those cases to not have advantages outweigh risks.

> 
> To draw a parallel, it is like telnet.  It can be used to good effect in some
> situations, but for the most part it is more of a liability than an asset.
> The simplest policy is to not use it.
> 
> -Peter

Telnet has a complicated interaction, with known exploits over time.
Identd is a very different beast; comparing the two is an apples-and-
oranges argument. I could easily see a comparison between NFS, bind, and
ftp services; they all have complex programs and lots of historical
attacks. Identd doesn't fit in that category. I know there are flaws in
MD5 and various encryption algos, but I wouldn't stop encrypting things
just because plain text can't be broken (an overstrong analogy, but you
get the idea...I don't consider identd to be a hole, but light armor
instead).

D. Stimits, stimits at idcomm.com