Re: [secdir] review of draft-ietf-tsvwg-iana-ports-09

Joe Touch <> Tue, 01 February 2011 19:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C874F3A6FF8; Tue, 1 Feb 2011 11:14:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -104.591
X-Spam-Status: No, score=-104.591 tagged_above=-999 required=5 tests=[AWL=2.008, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UXT-oWVcJ3EX; Tue, 1 Feb 2011 11:14:02 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 07D113A6FE2; Tue, 1 Feb 2011 11:14:01 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) by (8.13.8/8.13.8) with ESMTP id p11JGmYY020737 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Tue, 1 Feb 2011 11:16:48 -0800 (PST)
Message-ID: <>
Date: Tue, 01 Feb 2011 11:16:48 -0800
From: Joe Touch <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: "Murphy, Sandra" <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
X-ISI-4-43-8-MailScanner: Found to be clean
Subject: Re: [secdir] review of draft-ietf-tsvwg-iana-ports-09
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 01 Feb 2011 19:14:02 -0000

Hi, Sandy,

On 2/1/2011 11:07 AM, Murphy, Sandra wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
> There is a required format for communication of a request to the IANA, I
> presume by email. I did not see any mention of the email address to
> which the request should be sent (RFC5226 also doesn’t seem to mention it).

It's a web form. The doc refers to that in Sec 2:

    Information about the assignment procedures for the port registry has
    existed in three locations: the forms for requesting port number
    assignments on the IANA web site [SYSFORM][USRFORM], an introductory
    text section in the file listing the port number assignments
    themselves (known as the port numbers registry) [PORTREG], and two
    brief sections of the IANA Allocation Guidelines [RFC2780].

I.e., communication is initiated through the forms.

> The procedure requires that the same previous Assignee (or Contact) make
> any subsequent request about a port/name assignment, where the email
> address is provided in the request. Security question: how does the IANA
> know that it is communicating with the same Assignee/Contact? There’s no
> recommendation for security of that communication.

Can you clarify what that would mean? I am not aware of any IETF process 
that requires presenting credentials beyond an email address.

> In the IANA section there is a paragraph:
>       IANA is instructed to create a new service name entry in the service
>       name and port number registry [PORTREG] for any entry in the
>       "Protocol and Service Names"  registry [PROTSERVREG] that does not
>       already have one assigned.
> Are there no guidelines for creating the new service name?

See Sec 8.1. The new assignment procedure allows for service names to be 
requested without port numbers