Re: [secdir] secdir review of draft-ietf-tsvwg-port-use

"Dan Harkins" <> Tue, 03 February 2015 00:18 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 13DE51A8845; Mon, 2 Feb 2015 16:18:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id boTgFehBcnyi; Mon, 2 Feb 2015 16:18:00 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 264991A8856; Mon, 2 Feb 2015 16:17:53 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id C03E010224008; Mon, 2 Feb 2015 16:17:52 -0800 (PST)
Received: from (SquirrelMail authenticated user by with HTTP; Mon, 2 Feb 2015 16:17:52 -0800 (PST)
Message-ID: <>
In-Reply-To: <>
References: <> <>
Date: Mon, 02 Feb 2015 16:17:52 -0800
From: Dan Harkins <>
To: Joe Touch <>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: <>
Subject: Re: [secdir] secdir review of draft-ietf-tsvwg-port-use
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Feb 2015 00:18:02 -0000

  Hi Joe,

On Mon, February 2, 2015 10:29 am, Joe Touch wrote:
> Hi, Dan,
> It should be easy to add DTLS where TLS is cited. IPsec is an
> interesting issue; I can add a few sentences to the security
> considerations area about that - e.g., that IPsec protects in a
> different way than TLS/DTLS, and that one key aspect of its
> configuration is port-specific parameters, which means it may be
> difficult to use separate IPsec policies on different services unless
> their port numbers are known and fixed in advance (even if using dynamic
> port numbers).

  There's also the issue that even if it uses fixed ports the app has
no assurance that IPsec will even be protecting it. From the app's
perspective it's basically write-and-pray.

> That latter is probably 2-3 short sentences, and I think would be
> worthwhile.

  That would be great and would address my comment.



> Joe
> On 1/30/2015 4:04 PM, Dan Harkins wrote:
>>    Hello,
>>    I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>>    This draft provides some advice and recommendations on protocol
>> port use to application and service designers. It has a nice, brief
>> history of port usage and a nice list of guiding principles to help
>> conserve port space. It will make a nice BCP. In my opinion it is Ready
>> For Publication. With that said, I do have a small comment. In section
>> 7.4 the draft says that TLS should be used to protect services that do
>> not provide their own security directly. It might be worth while adding
>> mention of DTLS and IPsec. And if the latter is not something that
>> should be recommended then justification for that stance should be
>> given.
>>    regards,
>>    Dan.