IETF Logo Mail Archive

Re: Last Call: <draft-ietf-tsvwg-iana-ports-09.txt> (Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry) to BCP

Eric Rescorla <ekr@rtfm.com> Mon, 31 January 2011 19:49 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D367D3A6C64 for <ietf@core3.amsl.com>; Mon, 31 Jan 2011 11:49:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.705
X-Spam-Level:
X-Spam-Status: No, score=-102.705 tagged_above=-999 required=5 tests=[AWL=0.272, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ols8rC3UBEXq for <ietf@core3.amsl.com>; Mon, 31 Jan 2011 11:49:46 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by core3.amsl.com (Postfix) with ESMTP id 4ADE03A6C57 for <ietf@ietf.org>; Mon, 31 Jan 2011 11:49:46 -0800 (PST)
Received: by gxk27 with SMTP id 27so2488031gxk.31 for <ietf@ietf.org>; Mon, 31 Jan 2011 11:53:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.90.20.6 with SMTP id 6mr9134238agt.200.1296503580841; Mon, 31 Jan 2011 11:53:00 -0800 (PST)
Received: by 10.90.116.7 with HTTP; Mon, 31 Jan 2011 11:53:00 -0800 (PST)
In-Reply-To: <DFEB1164-0F63-4FCF-A68D-EF7B2F807649@skype.net>
References: <20110118212603.5733.34489.idtracker@localhost> <B88A8A82-9C4A-40AC-89AF-F177260760F7@cisco.com> <ECA80A72-4E72-44D2-B40E-C90D7197E8C5@nokia.com> <4D421795.70505@isi.edu> <EFADE5D0-BB33-4418-B743-DFEC11B12740@cisco.com> <4D44F85D.5030407@isi.edu> <4D457FD9.5030905@vpnc.org> <B1E38EDF-E78E-47E2-B9A9-D7320A908217@nokia.com> <4D46CC62.1040006@vpnc.org> <3EEDEA1C-C34B-4F39-8E6E-AEDE50C1E504@nokia.com> <4D46D1D3.10701@vpnc.org> <F2152494-8C79-4A0F-951F-B3DB1D274A61@cisco.com> <4D46E2FF.7010203@cisco.com> <DFEB1164-0F63-4FCF-A68D-EF7B2F807649@skype.net>
Date: Mon, 31 Jan 2011 11:53:00 -0800
Message-ID: <AANLkTimkvJOdaBSp4r_Lqv5Q=zf1pH1rvhQB+Qf0BpLH@mail.gmail.com>
Subject: Re: Last Call: <draft-ietf-tsvwg-iana-ports-09.txt> (Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry) to BCP
From: Eric Rescorla <ekr@rtfm.com>
To: ietf@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jan 2011 19:49:47 -0000

On Mon, Jan 31, 2011 at 11:41 AM, Eric Rescorla <ekr@skype.net> wrote:
> So first, we already have a BCP that says  more or less all protocols must implement a secure version but deployment is optional. This is a good BCP, and it comes from the right area to say that - security. It's probably impacts design work in working groups more than any other BCP. It has IETF consensus. The IESG holds protocols to this.
>
> Now - I am at loss to see why forcing people to use one port will make it more likely to have secure protocols. This seems crazy.  Please do enlighten me.

I don't think it does.

At a high level, there are three ways in which insecure and secure
versions (by which I mostly mean channel security mechanisms such as
TLS) of the same protocol can coexist:

1. They can operate on totally different transport parameters (e.g., ports)
2. They can be demuxable by some indicator that's simply sent by one
side and accepted or rejected by the other side. (E.g., "If the first
byte is 20 this is TLS, else it's not)
3. It can be negotiated as in STARTTLS

In the first two of these, the client knows which version it wants
(secure or insecure) and there is no chance for the server to indicate
otherwise other than failing the connection. In the third, the sides
negotiate. So, I think the first question is which general design you
wish to have. Each of these have their merits: negotiation designs are
more complicated but allow for opportunistic security. Unfortunately,
they also allow for downgrade attack, as the experience with STARTTLS
for SMTP shows. By contrast, non-negotiation designs are easier to
implement and provide for referential integrity but not for
opportunistic security. IMO there is a place for both, though I
generally tend towards non-negotiated designs, in part out of a
feeling that the world would be better if people used encryption all
the time.

Clearly, if you're going to do a negotiation design you want a single port.
If you're going to do a non-negotiated design, then I don't see a huge
amount of value in using a single port. It's true that there is a port
consumption issue, but OTOH ports are there for protocol demuxing and
this is clearly another protocol. It's simply a lot easier to have
your TLS stack just start its thing rather than try to autodetect
whether you have TLS or some other protocol. So I would generally push
back on the claim that non-negotiated designs should have to have
demuxing in information in the dataflow rather than use the port.


> And on the topic, I'm still looking forward to an explanation of how the current CoAP design stomping all over the TLS code points would be an acceptable design.

I don't consider this an acceptable design and I've already told the
CoAP authors and chairs so. Speaking as chair, if the CoAP
authors/chairs wish to pursue this avenue they should bring it to the
TLS WG, which AFAIK they have not done.

-Ekr



>
> On Jan 31, 2011, at 9:27 , Eliot Lear wrote:
>
>>
>>
>> On 1/31/11 5:13 PM, Cullen Jennings wrote:
>>> Hmm ... I don't agree that solves the issue.
>>>
>>> Well lets say the request was coming from 3GPP for a protocol they designed - why should IANA be able to tell them no but IETF yes.
>>
>> Who, ultimately, is the steward of this precious resource?  If it is not
>> the IANA and it is not the IETF, then who?  To say that it is everyone's
>> responsibility is to avoid responsibility entirely.  Who gets to say
>> which standards organizations are stewards and which are not?
>>
>>> I think the policy issue here is fairly clear. We do not have consensus that in all cases that one should not have a second port for security (I'm basing this assertion on Magnus read of WG consensus and my read of IETF LC consensus). Therefore that should not be a ground for the expert reviewer (or IANA) to reject the registration. The document needs to be updated to make that clear or it does not reflect consensus. If the authors of the draft want to propose text for conditions when it would be ok to reject a second port for security purposes and see if they can get consensus for that text, that seems perfectly reasonable.
>>
>> This is a VERY VERY dangerous approach you propose, Cullen.  It is akin
>> to saying, "you can think about security later, because we'll have to
>> give you a port for it later."  We don't want to be saying that.
>>
>
>
> Cullen Jennings
> For corporate legal information go to:
> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
>
>
>
>

v2.23.0 | Report a Bug | By Email