Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

[Magnus Westerlund <magnus.westerlund@ericsson.com>]

TLS experts,

There currently a WG last call ongoing in on the IANA Procedures for the
Management of the Service Name and Transport Protocol Port Number
Registry update document.
https://datatracker.ietf.org/doc/draft-ietf-tsvwg-iana-ports/

A WG last call comment on this document was raised by Paul Hoffman:
http://www.ietf.org/mail-archive/web/tsvwg/current/msg10305.html

My summary of that comment is that STARTTLS for SMTP (RFC 3207) has
shown to have some security issues, be complexer to implement than using
two ports and thus less popular. Thus the registration rules should be
less restrictive in assigning an additional port for TLS version of
services/applications/protocols.

The downside of less restrictive port allocation rules is that the port
space will be consumed at a higher rate. Thus there is need to determine
what is the most suitable trade-off here.

Clearly if the security issues are serious when one multiplex TLS and
non-secured version of the protocol on the same port we must allow such
port allocations. However if the issues are minor and the primarily
issue is implementation complexity then saving the limited port space is
probably more important.

Your input into these questions would be very appreciated.

Thanks

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------