0

I'm deploying a Linux device to multiple customers. A device executes an application that connects to my server. I need to uniquely identify a customer and map it to its ID on the server side. I cannot change the device software for each customer individually, and I wouldn't like to check its MAC address, to simplify bulk deployment. I can change the application though (and the server). What's a good solution for this problem?

I'm thinking about resolving the device IP address to a host name on the server side. Before the device connects to the server the first time, the server should be configured with this customer's host name. I worry about the host name because a customer can have a couple of host names and an invalid one can be provided for server configuration. I also worry about DNS updates that can take some time. Is it possible that I won't resolve a new public IP address recently assigned to the correct host name?

EDIT:

The device is an off-the-shelf Linux computer. Before deployment we unpack it and swap its SD card with a prepared one that contains a Linux image with our app. No need to power it on. The device cannot easily be connected to a monitor; it can only be accessed from the network.

Andriy Tylychko

1 Answer

1

I can't think of a foolproof way to do this through normal network discovery means if you're not willing to either customize the device or record information like the MAC address or some other unique identifier and pair that with the client records you have on file at your server.

Think of how ISPs track their Customer Premise Equipment (CPE) like cable modems: there's almost always a serial number and of course the MAC address, and that's stored along with the customer ID in their CRM or inventory management application.

You could try using reverse DNS of the public IP your box is NAT'ing/egressing out as, but that's not always going to tell you what you need to match that up with a client.

And since you're using SSL, why not client certificates (or SSH key pairs and tunnel your custom protocol over SSH)? That would be a unique, easily scriptable solution with a plethora of open libraries and community support that would (as it's supposed to) guarantee authenticity of the server and the client.

gravyface
  • +1 for the client certificates. Makes the most sense. – Driftpeasant Dec 22 '11 at 15:29
  • @gravyface: please check my edit. SSH key pairs require individual configuration of each device, right? Unfortunately, this can overcomplicate bulk deployment. Recording the MAC address is a bit simpler, but still requires powering the device on – Andriy Tylychko Dec 22 '11 at 18:40
  • 1
    @andy - your client certificates could be automatically generated on the first powerup of the appliance. I deploy VMs in almost the same manner and use the fingerprints to keep track. – Tim Brigham Dec 22 '11 at 19:29
  • @timbrigham: can you please elaborate about fingerprints? right now I think I really cannot avoid powering it on before deployment – Andriy Tylychko Dec 22 '11 at 19:34
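
A sketch of the fingerprint tracking mentioned in the comments above, added here as an example and not code from any poster in this thread: each device presents a certificate generated on its first power-up, and the server keys its customer records on the SHA-256 fingerprint of that certificate instead of on an IP address or host name. The `EnrollmentRegistry` class, the operator `bind` step and the sample byte strings are assumptions made for illustration.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

class EnrollmentRegistry:
    """Maps certificate fingerprints to customer IDs (hypothetical server-side store)."""

    def __init__(self):
        self.bound = {}    # fingerprint -> customer ID
        self.pending = {}  # fingerprint -> source address of first contact

    def observe(self, cert_der, source_addr):
        """Called per connection. Returns the customer ID, or None if unassigned."""
        fp = fingerprint(cert_der)
        if fp in self.bound:
            return self.bound[fp]
        # Unknown device: remember it, but grant it no customer identity yet.
        self.pending.setdefault(fp, source_addr)
        return None

    def bind(self, fp, customer_id):
        """Operator step: assign a pending fingerprint to a customer."""
        if fp in self.bound:
            raise ValueError("fingerprint already bound to " + self.bound[fp])
        if fp not in self.pending:
            raise KeyError("fingerprint has never connected")
        del self.pending[fp]
        self.bound[fp] = customer_id

# Constructed stand-ins for two devices' DER certificates (not real certificates).
DEVICE_A = b"constructed-der-bytes-device-a"
DEVICE_B = b"constructed-der-bytes-device-b"

def demo():
    reg = EnrollmentRegistry()
    first = reg.observe(DEVICE_A, "203.0.113.10")   # first power-up: unknown
    reg.bind(fingerprint(DEVICE_A), "customer-42")  # operator assigns it
    second = reg.observe(DEVICE_A, "198.51.100.7")  # new IP, same identity
    other = reg.observe(DEVICE_B, "203.0.113.10")   # same IP, different device
    return first, second, other

if __name__ == "__main__":
    print(demo())
```

The identity follows the key pair stored on the device, so a changed public IP or a stale DNS record does not affect the lookup; an unbound fingerprint is recorded but receives no customer identity until someone assigns it.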