IETF Logo Mail Archive

Re: [sidr] draft-sidr-rpki-rtr

Joe Touch <touch@isi.edu> Mon, 15 August 2011 16:50 UTC

Return-Path: <touch@isi.edu>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D89221F8C64 for <sidr@ietfa.amsl.com>; Mon, 15 Aug 2011 09:50:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.985
X-Spam-Level:
X-Spam-Status: No, score=-102.985 tagged_above=-999 required=5 tests=[AWL=-0.986, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2b9niKM4gzqV for <sidr@ietfa.amsl.com>; Mon, 15 Aug 2011 09:50:55 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by ietfa.amsl.com (Postfix) with ESMTP id 9DA5D21F8C61 for <sidr@ietf.org>; Mon, 15 Aug 2011 09:50:55 -0700 (PDT)
Received: from [128.9.160.166] (abc.isi.edu [128.9.160.166]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id p7FGp7Go000626 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 15 Aug 2011 09:51:07 -0700 (PDT)
Message-ID: <4E494E7B.3050809@isi.edu>
Date: Mon, 15 Aug 2011 09:51:07 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: "t.petch" <ietfc@btconnect.com>
References: <4DAF44AC.8060408@isi.edu><E3076C4C-F27C-40A8-A033-2EBB8C39A3D2@cisco.com><4DAF796C.7010807@isi.edu><BANLkTi=Oc-fEKOYCRQqM97wPxSSXjrdTRw@mail.gmail.com><409BDC5C-FE86-444A-BC0D-6DA00E7BF0F3@isi.edu><BANLkTikLi2p7UipJ!TRSQqVOL6GkLn=j9iA@mail.gmail.com><F0FABE61-FC1D-45ED-A21D-ED7A1228A997@isi.edu><01eb01cc0325$6e4fd260$4001a8c0@gateway.2wire.net><4DB592B3.3090805@isi.edu><033e01cc05a8$0a82f160$4001a8c0@gateway.2wire.net><4DB9A456.3060709@isi.edu><BANLkTikg18FV5H0bOdOfWMzpTcm_B__EVQ@mail.gmail.com><017b01cc13ff$0cb6da40$4001a8c0@gateway.2wire.net><BANLkTink82qvhge6rRhqt5+h-2mEkKBMhA@mail.gmail.com><m21uzwr3tw.wl%randy@psg.com> <BANLkTimPnMfE1ii=6uwAckoFY0yUU=w43g@mail.gmail.com> <011701cc58d4$fbbd4ce0$4001a8c0@gateway.2wire.net> <4E455B3A.7030005@isi.edu> <01ad01cc5b2b$8cf52860$4001a8c0@gateway.2wire.net>
In-Reply-To: <01ad01cc5b2b$8cf52860$4001a8c0@gateway.2wire.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: sidr@ietf.org
Subject: Re: [sidr] draft-sidr-rpki-rtr
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2011 16:50:56 -0000

Hi, Tom,

On 8/15/2011 2:13 AM, t.petch wrote:
...
> I was thinking, as I am sure you know, of draft-ietf-tsvwg-iana-ports where my
> recollection is that in WGLC, last December, the issue of unifying the two
> ranges did get raised and was declared out of scope.

For that doc. It will be addressed in the user port recommendations, 
though it's not clear yet whether it will be resolved or just the issues 
documented.

 > Then in IETF LC, in
> January, there were comments that the I-D did not give enough guidance to IANA
> as to what to do when reviewing a request, the underlying concern being that
> ports are a scarce resource and should be conserved.  At that time, the concern
> was more that protocols should not be allowed a second port for security but
> should be designed to negotiate security in-band:-(  but I read into that the
> concern as also being that system ports are even more scarce and so the rules
> should be tighter.

The rate of port allocations hasn't changed in over a decade; recent 
reforms have served well to conserve the space. They've focused on 
avoiding gratuitous allocations of ranges of ports, not the security 
issue or the user/system issue.

> I also recall a TLS discussion as to whether two ports are better than one for
> security, with no clear consensus emerging.

Yes. For other related protocol issues, the general consensus is "mux in 
band", i.e., that ports are scarce and that additional ports should 
never be allocated solely for performance or software complexity reasons.

Security has other issues - e.g., port filtering, for one. However, the 
primary argument in favor of separate secure/insecure ports appears to 
be focused solely on performance, AFAICT.

FWIW, there are already examples where multiple protocol 'stacks' 
require separate ports because the muxing can't happen in-band.

> So I anticipate some more discussion along these lines at IETF LC and would like
> us to have an answer ready.  Two system ports would seem to be the most
> demanding request to make and so the one needing the most justification.

For this service, the key question isn't whether there should be a 
secure port, but why there would ever be a need for an insecure one -- 
especially if these are in the system range.

> As you say, netconf over ssh went 'system', but netconf over TLS did not, nor
> did SNMP over ssh.

Whether a service goes into system or user is up to the protocol 
designer, and whether you all feel that this provides any benefit or not.

As to the hurdles once you pick a range, yes - there will be more for 
system ports than for user ports. One part you're already clean on - 
this being an IETF proposed standard. The allocations of ports aren't 
particularly more conservative for system vs user, except (as above) 
that the argument for purely non-secure ports is even more thin.

Joe

v2.23.0 | Report a Bug | By Email