IETF Logo Mail Archive

Re: Last Call: <draft-ietf-tsvwg-iana-ports-09.txt> (Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry) to BCP

Lars Eggert <lars.eggert@nokia.com> Thu, 27 January 2011 08:50 UTC

Return-Path: <lars.eggert@nokia.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3BA7B3A6959; Thu, 27 Jan 2011 00:50:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.883
X-Spam-Level:
X-Spam-Status: No, score=-103.883 tagged_above=-999 required=5 tests=[AWL=-0.284, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZsID7qUB0wc4; Thu, 27 Jan 2011 00:49:59 -0800 (PST)
Received: from mgw-da01.nokia.com (smtp.nokia.com [147.243.128.24]) by core3.amsl.com (Postfix) with ESMTP id 442243A6939; Thu, 27 Jan 2011 00:49:59 -0800 (PST)
Received: from mail.fit.nokia.com (esdhcp030222.research.nokia.com [172.21.30.222]) by mgw-da01.nokia.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id p0R8qx67016593 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 27 Jan 2011 10:53:00 +0200
Subject: Re: Last Call: <draft-ietf-tsvwg-iana-ports-09.txt> (Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry) to BCP
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.96.5 at fit.nokia.com
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: multipart/signed; boundary="Apple-Mail-15--16404008"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Lars Eggert <lars.eggert@nokia.com>
In-Reply-To: <B88A8A82-9C4A-40AC-89AF-F177260760F7@cisco.com>
Date: Thu, 27 Jan 2011 10:52:55 +0200
Message-Id: <ECA80A72-4E72-44D2-B40E-C90D7197E8C5@nokia.com>
References: <20110118212603.5733.34489.idtracker@localhost> <B88A8A82-9C4A-40AC-89AF-F177260760F7@cisco.com>
To: Cullen Jennings <fluffy@cisco.com>, Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.1082)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.6 (mail.fit.nokia.com); Thu, 27 Jan 2011 10:52:56 +0200 (EET)
X-Nokia-AV: Clean
Cc: IESG IESG <iesg@ietf.org>, IETF discussion list <ietf@ietf.org>, tsvwg@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2011 08:50:00 -0000

Hi

On 2011-1-27, at 2:12, Cullen Jennings wrote:
> Big Issues 1: I don't like mandating one port for secure and not secure versions of a protocol
> 
> I don't think this reflects IETF consensus given the number of protocols that deliberately choses to use two ports. I also don't think that it is a good idea in all cases. I believe the decision should be left to the people designing the protocol if they want one port or two. Let me give some examples

Paul Hoffman raised this issue as well (email from Nov 4 to this list.)

There was some discussion that lead to Paul suggesting specific edit to this document. (Which are not reflected in -09; us editors may have dropped the ball here). I'm attaching Paul's proposed changes below, could you check if you'd agree with them?

> Big Issue #2: The draft has close to no review advice for the expert reviewer.

Joe Touch (who leads the expert review team for ports) is working on a separate document (draft-touch-tsvwg-port-use). The first version of that draft was issued on the same day as the -09 version of iana-ports, which is why we don't refer to it. 

Does draft-touch-tsvwg-port-use have the content you are looking for? If so, we should refer to it. (We should probably refer to it anyway, in a "you may also want to read this" kind-of way.)

> Small Issue #3: I object to anonymous review
> 
> The current review is anonymous and this draft does not seem to change that. I don't like anonymous review - it's not how we do things at IETF and it encourages really bad behavior. I have several emails with an expert reviewer relayed via IANA where the conversation was going no where - once I knew the name of the reviewer, the whole conversation changed and stuff quickly came back to the realm of sane. I'm not willing to forward these emails to the list as that would just not be kind to anyone but I am happy to forward them to the IESG if they think looking at them is really critical.

I can see your point, and I personally have no problem with disclosing the reviewer identity. What do others think?

Lars

PS: Paul's proposed changes re item #1:

Begin forwarded message:
> From: Paul Hoffman <paul.hoffman@vpnc.org>
> Date: November 15, 2010 21:44:24 GMT+02:00
> To: <tsvwg@ietf.org>
> Subject: Proposed resolution for security issues with 	draft-ietf-tsvwg-iana-ports-08
> 
> As this list and the TLS has seen, there is a wide variety of views on how to deal with fallback-to-insecure in protocols. I believe that the security community has no consensus on what this means, much less how to do it. My earlier proposal (continue to allow registration of two ports) was popular with some, unpopular with others; similarly, so was "force all protocols to use one port".
> 
> Therefore, I retract my proposal to allow two-port registrations for fallback-to-insecure. However, I still recommend some changes to the text to reflect the view that STARTTLS is not the only way to have such a feature on one port.
> 
> This will be an interesting IETF Last Call discussion.
> 
> I propose the following changes to draft-ietf-tsvwg-iana-ports:
> 
> Section 7.2 current:
> o  IANA will allocate only one assigned port number for all versions
>   of a service (e.g., running the service with or without a security
>   mechanism, or for updated variants of a service)
> 
> Section 7.2 current:
[in the line above s/current/proposed/, I think]
> o  IANA will normally allocate only one assigned port number for all versions
>   of a service (e.g., running the service with or without a security
>   mechanism, or for updated variants of a service). This policy can
>   be overridden by the expert reviewer.
> 
> Section 7.2 current:
>   Further,
>   previous separation of protocol variants based on security
>   capabilities (e.g., HTTP on TCP port 80 vs. HTTPS on TCP port 443) is
>   not recommended for new protocols, because all new protocols should
>   be security-capable and capable of negotiating the use of security
>   in-band.
> 
> Section 7.2 proposed:
>   Further,
>   previous separation of protocol variants based on security
>   capabilities (e.g., HTTP on TCP port 80 vs. HTTPS on TCP port 443) is
>   not recommended for new protocols, because all new protocols should
>   be security-capable.
> 
> --Paul Hoffman, Director
> --VPN Consortium

v2.23.0 | Report a Bug | By Email