Re: [NNTP] Last Call: <draft-elie-nntp-tls-recommendations-01.txt> (Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)) to Proposed Standard

Sabahattin Gucukoglu <listsebby@me.com> Sat, 17 December 2016 18:18 UTC

From: Sabahattin Gucukoglu <listsebby@me.com>
In-reply-to: <82382bf5-aa9c-9a1f-d00f-8926838239e9@trigofacile.com>
Date: Sat, 17 Dec 2016 18:18:36 +0000
Message-id: <07CE5484-38EC-40C2-ACE6-EFC5A0D87357@me.com>
References: <148035153084.5510.13278742493736503746.idtracker@ietfa.amsl.com> <81e67a36-c913-c9b5-b613-51c7f184eab6@trigofacile.com> <6fd124c5-6c1c-38b0-76a9-635bc96e2d1c@trigofacile.com> <CE74EB40-E7D8-4CC5-AF29-DD732C03C3AC@me.com> <b067038b-bdb9-a005-8e61-4282ca602b63@trigofacile.com> <4FD56723-50B8-46DF-A2D8-CF2843F2D326@me.com> <82382bf5-aa9c-9a1f-d00f-8926838239e9@trigofacile.com>
To: Julien ÉLIE <julien@trigofacile.com>
Cc: ietf-nntp@lists.eyrie.org
Subject: Re: [NNTP] Last Call: <draft-elie-nntp-tls-recommendations-01.txt> (Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)) to Proposed Standard

Hi,

On 17 Dec 2016, at 14:16, Julien ÉLIE <julien@trigofacile.com> wrote:
> Thanks for your proposal, which I suggested to the reviewer from the security directorate during Last Call.  It finally appeared over-complicated to use port 433 sometimes for strict TLS, and sometimes not, only depending on how the configuration of the server is done.

This is completely understandable. :)  It would have been a matter of mutual agreement only, which is always going to risk confusion.

> Here is the current text.  I hope you're fine with it.  Otherwise, please tell me what you reckon is wrong.
> 
> 
>   The third and fourth paragraphs in Section 1 of [RFC4642] are
>   replaced with the following text:
> 
>      TCP port 563 is dedicated to NNTP over TLS, and registered in the
>      IANA Service Name and Transport Protocol Port Number Registry for
>      that usage.  NNTP implementations using TCP port 563 begin the TLS
>      negotiation immediately upon connection and then continue with the
>      initial steps of an NNTP session.  This use of strict TLS on a
>      separate port is the preferred way of using TLS with NNTP.
> 
>      If a host wishes to offer separate servers for transit and reading
>      clients, TCP port 563 SHOULD be used for strict TLS with the
>      reading server, and an unused port of its choice different than
>      TCP port 433 SHOULD be used for strict TLS with the transit
>      server.  The ports used for strict TLS should be clearly
>      communicated to the clients, and specifically that no plain-text
>      communication occurs before the TLS session is negotiated.
> 
>      As some existing implementations negotiate TLS via a dynamic
>      upgrade from unencrypted to TLS-protected traffic during an NNTP
>      session on well-known TCP ports 119 or 433, this specification
>      formalizes the STARTTLS command in use for that purpose.  However,
>      as already mentioned above, implementations SHOULD use strict TLS
>      on a separate port.
> 
>      Note: a common alternative to protect NNTP exchanges with transit
>      servers that do not implement TLS is the use of IPsec with
>      encryption [RFC4301].

This is very reasonable.  There is no confusion about existing ports, and it is clear that arranged strict TLS is preferable.  I don't have any objection at all.  Peering arrangements always make it possible to arrange the ports in use.

> I've also added your name in the Acknowledgments Section.

Thanks.

Cheers,
Sabahattin
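The two connection modes the quoted draft text distinguishes, modelled as an added example that is not part of this thread or of the draft: on TCP port 563 the TLS handshake happens before any NNTP traffic, while on 119 or 433 the client first talks in plaintext, reads CAPABILITIES, and upgrades with STARTTLS (382 reply, per RFC 4642). The security point for a client that requires TLS is that a missing STARTTLS capability or a non-382 reply must end the session rather than let it continue in the clear. The `ScriptedTransport` class and the server transcripts are constructed for the demo and stand in for a real socket; where a real client would call `ssl.SSLContext.wrap_socket()` with hostname verification, the model only flips a flag. Function and class names are the example's own, not from any NNTP library.

```python
"""Model of strict TLS (port 563) versus STARTTLS upgrade (ports 119/433) for NNTP.

Added example; the transcripts below are constructed, and ScriptedTransport is a
stand-in for a TCP connection so the code runs offline.
"""

STRICT_TLS_PORT = 563          # NNTP over TLS: handshake first, then the greeting
STARTTLS_PORTS = {119, 433}    # reading / transit ports that may offer STARTTLS


class TlsRequiredError(Exception):
    """Raised whenever a TLS-requiring client would otherwise go on in plaintext."""


class ScriptedTransport:
    """Fake connection fed by a server transcript; records what was sent in the clear."""

    def __init__(self, server_lines):
        self._incoming = list(server_lines)
        self.tls_active = False
        self.sent_in_clear = []      # commands exposed before the handshake
        self.sent_under_tls = []

    def start_tls(self):
        # A real client wraps the socket with ssl.SSLContext.wrap_socket()
        # (certificate and hostname verification on); the model just flips a flag.
        self.tls_active = True

    def send_line(self, line):
        (self.sent_under_tls if self.tls_active else self.sent_in_clear).append(line)

    def recv_line(self):
        if not self._incoming:
            raise TlsRequiredError("connection closed by server")
        return self._incoming.pop(0)


def read_multiline(conn):
    """Collect a dot-terminated block, undoing dot-stuffing (RFC 3977 section 3.1.1)."""
    lines = []
    while True:
        line = conn.recv_line()
        if line == ".":
            return lines
        lines.append(line[1:] if line.startswith("..") else line)


def fetch_capabilities(conn):
    conn.send_line("CAPABILITIES")
    status = conn.recv_line()
    if not status.startswith("101"):
        raise TlsRequiredError("unexpected CAPABILITIES response: " + status)
    return set(read_multiline(conn))


def check_greeting(greeting):
    if not greeting.startswith(("200", "201")):   # 200 posting ok, 201 no posting
        raise TlsRequiredError("service unavailable: " + greeting)


def open_nntp_session(port, conn):
    """Bring the connection to a TLS-protected state; return capabilities valid under TLS."""
    if port == STRICT_TLS_PORT:
        conn.start_tls()                 # nothing is sent or received before the handshake
        check_greeting(conn.recv_line())
    elif port in STARTTLS_PORTS:
        check_greeting(conn.recv_line())
        if "STARTTLS" not in fetch_capabilities(conn):
            # A stripped capability is what a downgrade looks like on the wire.
            raise TlsRequiredError("server did not advertise STARTTLS")
        conn.send_line("STARTTLS")
        reply = conn.recv_line()
        if not reply.startswith("382"):  # 382 = continue with TLS negotiation
            raise TlsRequiredError("STARTTLS refused: " + reply)
        conn.start_tls()
    else:
        raise ValueError("no TLS policy for port %d" % port)
    # RFC 4642: capabilities learned before the upgrade must be discarded,
    # so both modes fetch them (again) under TLS.
    return fetch_capabilities(conn)


# Constructed server transcripts (hostnames are placeholders).
STRICT_SERVER = ["200 news.example.test NNRP service ready (posting ok)",
                 "101 Capability list:", "VERSION 2", "READER", "POST", "."]
UPGRADE_SERVER = ["200 news.example.test NNRP service ready (posting ok)",
                  "101 Capability list:", "VERSION 2", "READER", "STARTTLS", ".",
                  "382 Continue with TLS negotiation",
                  "101 Capability list:", "VERSION 2", "READER", "POST", "."]
STRIPPED_SERVER = ["200 news.example.test NNRP service ready (posting ok)",
                   "101 Capability list:", "VERSION 2", "READER", "."]
REFUSING_SERVER = ["200 news.example.test NNRP service ready (posting ok)",
                   "101 Capability list:", "VERSION 2", "READER", "STARTTLS", ".",
                   "580 Can not initiate TLS negotiation"]


def run_session(port, transcript):
    """Return what the client sent in the clear and the post-TLS capability set."""
    conn = ScriptedTransport(transcript)
    caps = open_nntp_session(port, conn)
    return {"in_clear": conn.sent_in_clear, "under_tls": conn.sent_under_tls, "caps": caps}


def session_rejected(port, transcript):
    """True if the TLS-requiring client refused to continue on this transcript."""
    try:
        run_session(port, transcript)
    except TlsRequiredError:
        return True
    return False


if __name__ == "__main__":
    print("563 strict:", run_session(563, STRICT_SERVER))
    print("119 upgrade:", run_session(119, UPGRADE_SERVER))
    print("433 stripped, rejected:", session_rejected(433, STRIPPED_SERVER))
    print("119 refused, rejected:", session_rejected(119, REFUSING_SERVER))
```

The `in_clear` list is the practical difference between the two modes: on 563 it stays empty, while the upgrade path necessarily exposes the greeting, CAPABILITIES and STARTTLS before the handshake, which is why the draft text prefers strict TLS on a separate port.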