Re: [NNTP] Last Call: <draft-elie-nntp-tls-recommendations-01.txt> (Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)) to Proposed Standard

Julien ÉLIE <julien@trigofacile.com> Fri, 02 December 2016 22:13 UTC

References: <148035153084.5510.13278742493736503746.idtracker@ietfa.amsl.com> <81e67a36-c913-c9b5-b613-51c7f184eab6@trigofacile.com> <6fd124c5-6c1c-38b0-76a9-635bc96e2d1c@trigofacile.com> <CE74EB40-E7D8-4CC5-AF29-DD732C03C3AC@me.com>
To: ietf-nntp@lists.eyrie.org
From: Julien ÉLIE <julien@trigofacile.com>
Organization: TrigoFACILE -- http://www.trigofacile.com/
Message-ID: <b067038b-bdb9-a005-8e61-4282ca602b63@trigofacile.com>
Date: Fri, 02 Dec 2016 23:13:39 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <CE74EB40-E7D8-4CC5-AF29-DD732C03C3AC@me.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [NNTP] Last Call: <draft-elie-nntp-tls-recommendations-01.txt> (Use of Transport Layer Security (TLS) in the Network News Transfer Protocol (NNTP)) to Proposed Standard

Hi Sabahattin,

>> As strict TLS over a dedicated port is the current TLS best
>> practice to use, what should we do for transit servers?  We
>> currently have no NNSP/TLS port.  Do you believe we should ask to
>> register a new port NNSP/TLS? Otherwise, what should we recommend?
>> (My fear is that adoption and use of that new port by news servers
>> will be slow, or even will never happen...)
>
> Not for me to argue with the wisdom of the crowd, I'm sure, but I've
> never liked the idea of going back to TLS "wrapper" ports; it just
> wastes precious IANA resources for absolutely no reason whatsoever
> and, as you just highlighted, is in any event unlikely to make a
> meaningful impact in practice.
>
> Maybe you could compromise; describe the use of the secure port, give
> it a name, but then only register that port when implementers go
> looking for it.  Downside is that the RFC cannot specify a fixed port
> number.

Thanks for your valuable comment.

Would the following wording suit you?

   TCP port 563 is dedicated to NNTP over TLS, and registered in the
   IANA Service Name and Transport Protocol Port Number Registry for
   that usage.  NNTP implementations using TCP port 563 begin the TLS
   negotiation immediately upon connection and then continue with the
   initial steps of an NNTP session.  This use of strict TLS on a
   separate port is the preferred way of using TLS with NNTP.

   If a host wishes to offer separate servers for transit and reading
   clients, TCP port 563 SHOULD be used for the reading server using
   strict TLS.  Regarding the transit server, though TCP port 433 is
   registered for NNSP (Network News Streaming Protocol), no dedicated
   port is currently registered for NNSP over TLS.  If a transit server
   offers strict TLS, it SHOULD either use TCP port 433 if it does not
   accept connections without TLS, or another unused port of its choice
   communicated to all its clients using strict TLS.



Question to all:  is NNSP still a name to be used?  I do not see it in 
RFCs, but only in the IANA service name registry.
Maybe we should ask to rename that port to NNTP?



FYI, RFC 3977 uses the following wording:

    The official TCP port for the NNTP service is 119.  However, if a
    host wishes to offer separate servers for transit and reading
    clients, port 433 SHOULD be used for the transit server and 119 for
    the reading server.

-- 
Julien ÉLIE

« – Haven't you noticed anything strange about this Arvernian?
   – Yes, his accent. » (Astérix)
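The ordering that the proposed wording describes (on port 563 the TLS negotiation happens immediately upon connection and the NNTP greeting only follows the handshake) is easiest to see next to the STARTTLS path on port 119, where the greeting and the capability exchange travel in plaintext first. The following Python client policy is an added illustration written for this archive page; it is not code from the draft, from this message, or from any news server. The hostname `news.example.test`, the scripted server replies and the `FakeTransport` class are constructed so the logic runs offline; `SocketTransport` shows the same policy over a real socket with certificate and hostname verification.

```python
"""NNTP client connection policy: strict TLS on port 563 versus STARTTLS on port 119.
Added illustration for the draft discussion, not code from the draft or a news server."""
import socket
import ssl

NNTP_TLS_PORT = 563  # strict TLS: negotiate TLS first, then read the NNTP greeting
NNTP_PORT = 119      # plaintext start; TLS only through the STARTTLS extension (RFC 4642)


class SocketTransport:
    """Real transport for live use (not exercised offline)."""

    def __init__(self, host, port, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.file = self.sock.makefile("rb")

    def start_tls(self, hostname):
        # create_default_context() verifies the chain and the hostname; without that
        # check either mode only protects against a passive observer.
        ctx = ssl.create_default_context()
        self.sock = ctx.wrap_socket(self.sock, server_hostname=hostname)
        self.file = self.sock.makefile("rb")

    def readline(self):
        return self.file.readline().decode("utf-8", "replace").rstrip("\r\n")

    def writeline(self, line):
        self.sock.sendall((line + "\r\n").encode("utf-8"))


class FakeTransport:
    """Scripted server (constructed replies) that records the order of events."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.events = []

    def start_tls(self, hostname):
        self.events.append("tls-handshake")

    def readline(self):
        line = self.replies.pop(0)
        self.events.append("recv " + line)
        return line

    def writeline(self, line):
        self.events.append("send " + line)


def check_greeting(greeting):
    # RFC 3977 greeting codes: 200 (posting allowed) or 201 (posting prohibited).
    if greeting[:3] not in ("200", "201"):
        raise ConnectionError("server refused the session: " + greeting)


def read_capabilities(transport):
    """Read a multi-line CAPABILITIES reply (101 ..., terminated by a lone '.')."""
    status = transport.readline()
    if not status.startswith("101"):
        raise ConnectionError("unexpected CAPABILITIES reply: " + status)
    caps = set()
    while True:
        line = transport.readline()
        if line == ".":
            return caps
        if line.startswith(".."):
            line = line[1:]  # undo dot-stuffing
        if line:
            caps.add(line.split()[0].upper())


def connect(transport, port, hostname):
    """Return 'strict-tls' or 'starttls'; never continue a session without TLS."""
    if port == NNTP_TLS_PORT:
        transport.start_tls(hostname)          # TLS first, before any NNTP byte
        check_greeting(transport.readline())   # then the ordinary NNTP greeting
        return "strict-tls"
    check_greeting(transport.readline())       # greeting arrives in plaintext here
    transport.writeline("CAPABILITIES")
    if "STARTTLS" not in read_capabilities(transport):
        raise ConnectionError("no STARTTLS offered; refusing to continue in plaintext")
    transport.writeline("STARTTLS")
    reply = transport.readline()
    if not reply.startswith("382"):
        raise ConnectionError("STARTTLS refused: " + reply)
    transport.start_tls(hostname)
    # RFC 4642: capabilities seen before TLS must be discarded and re-read afterwards.
    return "starttls"


GREETING = "200 news.example.test ready (posting ok)"  # constructed reply


def demo_strict():
    t = FakeTransport([GREETING])
    return connect(t, NNTP_TLS_PORT, "news.example.test"), t.events


def demo_starttls():
    t = FakeTransport([GREETING, "101 Capability list:", "VERSION 2", "STARTTLS", ".",
                       "382 Continue with TLS negotiation"])
    return connect(t, NNTP_PORT, "news.example.test"), t.events


def demo_no_starttls():
    t = FakeTransport([GREETING, "101 Capability list:", "VERSION 2", "."])
    try:
        connect(t, NNTP_PORT, "news.example.test")
    except ConnectionError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(demo_strict())
    print(demo_starttls())
    print(demo_no_starttls())
```

The event logs make the difference concrete: on port 563 the first event is the handshake and the greeting is read inside the tunnel, while on port 119 the greeting, the capability list and the STARTTLS command all cross the wire before the handshake. The refusal in `demo_no_starttls` is the part a client must not skip: a client that carries on in plaintext when STARTTLS is missing from the capability list lets an on-path party strip TLS simply by filtering that one line, which is the operational reason the draft prefers strict TLS on a dedicated port.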