Thread: IDENT and IPv6 (was Re: [GENERAL] pg_hba.conf change in 7.4)
[ moved to -hackers ]

Bruce Momjian <pgman@candle.pha.pa.us> writes:
>> We are also wondering if there is a version of Ident server
>> that the PostgreSQL community knows that will work
>> with IPv6.

> That is the big question. I would think Solaris ships with one, but
> maybe not. Is 7.4/Solaris/ident not a workable combination? Folks?

Has anyone tested our Ident support under IPv6 on *any* OS?

Right offhand I don't see anything in the RFC 1413 protocol that would
break in moving from IPv4 to IPv6, but that doesn't mean there isn't
anything. One issue that catches my eye is that RFC 1413 assumes that
"port number" is a unique identifier of a connection within a particular
host; that assumption might be shaky in a system that's got multiple IP
addresses. (In particular I wonder whether IPv4 and IPv6 will share a
common port number address space on a system handling both ...)

regards, tom lane
On Sat, Dec 06, 2003 at 02:09:25PM -0500, Tom Lane wrote:
> [ moved to -hackers ]
>
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> >> We are also wondering if there is a version of Ident server
> >> that the PostgreSQL community knows that will work
> >> with IPv6.
>
> > That is the big question. I would think Solaris ships with one, but
> > maybe not. Is 7.4/Solaris/ident not a workable combination? Folks?
>
> Has anyone tested our Ident support under IPv6 on *any* OS?
>
> Right offhand I don't see anything in the RFC 1413 protocol that would
> break in moving from IPv4 to IPv6, but that doesn't mean there isn't
> anything. One issue that catches my eye is that RFC 1413 assumes that
> "port number" is a unique identifier of a connection within a particular
> host; that assumption might be shaky in a system that's got multiple IP
> addresses. (In particular I wonder whether IPv4 and IPv6 will share a
> common port number address space on a system handling both ...)

The tcp connection is two ip/port combinations. The ident
connection should use the same ip address as the other end
connected to, and says which port numbers, so you know the combination.

I haven't tried ident using postgresql, but I did for other
things and I know it works there.

Kurt
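The exchange discussed above, as an added example that is not part of the original thread and is not PostgreSQL's code: an address-family-agnostic RFC 1413 client that sends the ident query from the same local address to the same peer address as the original connection, and rejects a reply that names a different port pair. The function names are hypothetical and the sample replies in the comments are constructed.

```python
import socket

IDENT_PORT = 113  # well-known ident port (RFC 1413)


def build_query(peer_port, local_port):
    """Query sent to the peer's identd: <port on peer host> , <port on our host>."""
    return f"{peer_port} , {local_port}\r\n".encode("ascii")


def parse_reply(line, peer_port, local_port):
    """Return the reported user name, or None for ERROR, malformed or mismatched replies.

    Constructed sample replies:
      b"6193, 23 : USERID : UNIX : stjohns\r\n"
      b"6193, 23 : ERROR : NO-USER\r\n"
    """
    fields = [f.strip() for f in line.decode("ascii", "replace").split(":", 3)]
    if len(fields) < 3:
        return None
    try:
        ports = [int(p) for p in fields[0].split(",")]
    except ValueError:
        return None
    if ports != [peer_port, local_port]:
        return None  # the reply describes some other connection
    if fields[1].upper() != "USERID" or len(fields) != 4:
        return None
    return fields[3] or None


def ident_lookup(conn, timeout=5.0):
    """Ask the peer of an established TCP socket which user owns the connection.

    Works for AF_INET and AF_INET6 sockets; link-local scope ids are not handled.
    """
    local_ip, local_port = conn.getsockname()[:2]
    peer_ip, peer_port = conn.getpeername()[:2]
    # Source the query from the address the peer connected to, and send it to
    # the address the peer connected from. The port pair is then interpreted
    # against the same two addresses, even on a multi-homed or dual-stack host.
    with socket.create_connection((peer_ip, IDENT_PORT), timeout,
                                  source_address=(local_ip, 0)) as s:
        s.sendall(build_query(peer_port, local_port))
        reply = s.makefile("rb").readline(1024)
    # The user name is only what the remote host's identd chooses to report.
    return parse_reply(reply, peer_port, local_port)
```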
Hi,

The ident server we currently use is pidentd 3.0.16
from :
http://www.lysator.liu.se/ or
ftp://ftp.lysator.liu.se/pub/ident/servers

I am looking to see if Solaris has an ident server but
have not found it.

Gan

At 8:21 pm +0100 2003/12/6, Kurt Roeckx wrote:
>On Sat, Dec 06, 2003 at 02:09:25PM -0500, Tom Lane wrote:
>> [ moved to -hackers ]
>>
>> Bruce Momjian <pgman@candle.pha.pa.us> writes:
>> >> We are also wondering if there is a version of Ident server
>> >> that the PostgreSQL community knows that will work
>> >> with IPv6.
>>
>> > That is the big question. I would think Solaris ships with one, but
>> > maybe not. Is 7.4/Solaris/ident not a workable combination? Folks?
>>
>> Has anyone tested our Ident support under IPv6 on *any* OS?
>>
>> Right offhand I don't see anything in the RFC 1413 protocol that would
>> break in moving from IPv4 to IPv6, but that doesn't mean there isn't
>> anything. One issue that catches my eye is that RFC 1413 assumes that
>> "port number" is a unique identifier of a connection within a particular
>> host; that assumption might be shaky in a system that's got multiple IP
>> addresses. (In particular I wonder whether IPv4 and IPv6 will share a
>> common port number address space on a system handling both ...)
>
>The tcp connection is two ip/port combinations. The ident
>connection should use the same ip address as the other end
>connected to, and says which port numbers, so you know the combination.
>
>I haven't tried ident using postgresql, but I did for other
>things and I know it works there.
>
>
>Kurt

--
+--------------------------------------------------------+
| Seum-Lim GAN email : slgan@lucent.com                  |
| Lucent Technologies                                    |
| 2000 N. Naperville Road, 6B-403F tel : (630)-713-6665  |
| Naperville, IL 60566, USA. fax : (630)-713-7272        |
| web : http://inuweb.ih.lucent.com/~slgan               |
+--------------------------------------------------------+
On Sat, Dec 06, 2003 at 01:30:02PM -0600, Seum-Lim Gan wrote:
> Hi,
>
> The ident server we currently use is pidentd 3.0.16

The only one I could find in a short time was oidentd. It says it
runs on Linux, *BSD and Solaris.

http://dev.ojnk.net/

I've been told that FreeBSD's inetd's internal identd supports it
too.

Kurt
On Sat, Dec 06, 2003 at 01:30:02PM -0600, Seum-Lim Gan wrote:
> Hi,
>
> The ident server we currently use is pidentd 3.0.16
> from :
> http://www.lysator.liu.se/ or
> ftp://ftp.lysator.liu.se/pub/ident/servers

The ChangeLog of it says: Solaris 8 (including IPv6) support
added.

But I have a feeling it's better supported in the 3.1 test
versions.

Kurt
Kurt Roeckx wrote:

>On Sat, Dec 06, 2003 at 01:30:02PM -0600, Seum-Lim Gan wrote:
>
>>Hi,
>>
>>The ident server we currently use is pidentd 3.0.16
>>from :
>>http://www.lysator.liu.se/ or
>>ftp://ftp.lysator.liu.se/pub/ident/servers
>
>The ChangeLog of it says: Solaris 8 (including IPv6) support
>added.
>
>But I have a feeling it's better supported in the 3.1 test
>versions.

3.0.16's KNOWNBUGS file says this:

* In general - wait for Pidentd 3.1 befor using it with IPv6 systems.

Of course, using ident for any sort of security mechanism is not good
practice anyway, except possibly on the local host. Over a network it is
totally untrustworthy.

cheers

andrew