Date: Tue, 21 Nov 2000 18:48:11 +0000 (GMT) From: Terry Lambert <tlambert@primenet.com> To: csxbcs@comp.leeds.ac.uk (Ben Smithurst) Cc: kris@FreeBSD.ORG (Kris Kennaway), res02jw5@gte.net (Jason Halbert), grog@lemis.com (Greg Lehey), chat@FreeBSD.ORG (FreeBSD Chat) Subject: Re: Is any efnet server still running? Message-ID: <200011211848.LAA28165@usr08.primenet.com> In-Reply-To: <20001121094756.C14517@comp.leeds.ac.uk> from "Ben Smithurst" at Nov 21, 2000 09:47:56 AM
next in thread | previous in thread | raw e-mail | index | archive | help
> > Fortunately, there's irc.freebsd.org :-) > > Unfortunately it requires ident, which the machines here at Leeds > don't have, which sort of keeps me out. Perhaps that's intentional. > ;-) Anyone know the admins and want to ask them to relax the ident > requirement? It's a security precaution, and is unlikely to be relaxed, so long as the administrator remains sane. The point of ident is to hold the machine administrator responsible for the actions of users on the machine, by allowing the offending user to be reported accurately to the administrator of an offending machine. Failure of the administrator to take action will result in the machine being diked out of the IRC community. An administrator may choose to spoof this data (root access is required to bind a priviledged port), but if they do so, then the site will be held globally responsible for the actions of an individual user. Mail servers generally require that forward and reverse address resolutions map to the same values, such that the forward autority, vested in the domain delegation, and the reverse authroity, vested in the in-addr.arpa. delegation, are required to correlate. By doing this, they ensure against DNS spoofing by SPAMmers, and can dike a SPAMmer out of the SMTP community. Of course, individual Windows boxes can lie about this, as can FreeBSD desktops, but in general, one can also dike dialups (non-static address assignments) out of the community as well, to ensure that dialups are forced through their ISPs servers, and then the community can hold the ISP accountable for their relay traffic (IRC or SMTP) and ensure ISP compliance with policy enforcement. IPv6 stateless autoconfiguration adds some additional complexity, but it's actually managable by permitting proxy reverse using the original sites forward to ensure the requesting system has provable credentials. I expect that mail servers will refuse connections from machines in the autoconfiguration space, for which the reverse mapping doesn't result in a host name for which they are authortative, and a forward mapping doesn't result in the same address (meaning that someon has spoofed a reverse mapping). So this means that laptop.visitor.com could walk into example.com, get an IPv6 state autoconfiguration address via WaveLAN, go to their home DNS server with their X.509 certificate and set up their forward mapping via DNSUPDAT, and then ask via unauthenticated DNSUPDAT that the local in-addr.arpa. delegation say that the address belongs to laptop.visitor.com, instead of some host in example.com; before this is permitted, the local DNS server would contact the visitor.com DNS server to verify the forward mapping; a match permits the mapping, with a TTL of 1/2 that of the forward mapping (and which the client would need to renew periodically, just like the forward mapping). Then the laptop would need to relay outbound email through a mail server at visitor.com, and everything would Just Work. The same thing could be applied to the IRC situation, of course... Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200011211848.LAA28165>