"Andrew Sullivan" <[EMAIL PROTECTED]> writes: > On Fri, Aug 31, 2007 at 12:30:02PM -0500, Decibel! wrote: >> >> Is it easy to spoof where an incoming connection request is coming from? >> Is there something else that makes ident on 127.0.0.1/32 insecure? > > It shouldn't be easy. Ident uses TCP, which is rather harder to > spoof.
Say what? It's actually quite easy to spoof TCP. There are even command-line tools to do it available in most Unix distributions. > If someone can originate spoofed TCP packets from 127.0.0.1, you gots bigger > problems than them being able to lie about the identity of a user. Well yes, there are other insecure services which look at the originating ip address. But hopefully fewer and fewer as time goes on. Once upon a time X was a big target since most X servers shipped trusting 127.0.0.1 and you could slip a request into the first data packet to trust other ip addresses which made attacking it considerably easier. These days X doesn't use ip addresses to handle authorization any more. Also modern distributions, at least on Linux, tend to install ip filters to block packets with source addresses like 127/8 coming from an external interface. However even today I wouldn't be confident that all operating systems do so or that they work correctly in all circumstances. -- Gregory Stark EnterpriseDB http://www.enterprisedb.com ---------------------------(end of broadcast)--------------------------- TIP 6: explain analyze is your friend