Re: Proposed resolution for security issues with draft-ietf-tsvwg-iana-ports-08

Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 17 November 2010 10:19 UTC

Date: Wed, 17 Nov 2010 11:20:31 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: Proposed resolution for security issues with draft-ietf-tsvwg-iana-ports-08
Cc: "tsvwg@ietf.org" <tsvwg@ietf.org>

Hi Paul,

Many thanks for suggesting a way forward on your last call comment.

I think this resolution is in general fine with me. In the name of
preserving port space, I would desire a somewhat stronger formulation in
the first change, making clear that you really shouldn't expect IANA to
allocate you more than one port number per protocol.

Cheers

Magnus

Paul Hoffman skrev 2010-11-15 20:44:
> As this list and the TLS list have seen, there is a wide variety of views on how to deal with fallback-to-insecure in protocols. I believe that the security community has no consensus on what this means, much less how to do it. My earlier proposal (continue to allow registration of two ports) was popular with some, unpopular with others; similarly, so was "force all protocols to use one port".
> 
> Therefore, I retract my proposal to allow two-port registrations for fallback-to-insecure. However, I still recommend some changes to the text to reflect the view that STARTTLS is not the only way to have such a feature on one port.
> 
> This will be an interesting IETF Last Call discussion.
> 
> I propose the following changes to draft-ietf-tsvwg-iana-ports:
> 
> Section 7.2 current:
> o  IANA will allocate only one assigned port number for all versions
>    of a service (e.g., running the service with or without a security
>    mechanism, or for updated variants of a service)
> 
> Section 7.2 proposed:
> o  IANA will normally allocate only one assigned port number for all versions
>    of a service (e.g., running the service with or without a security
>    mechanism, or for updated variants of a service). This policy can
>    be overridden by the expert reviewer.
> 
> Section 7.2 current:
>    Further,
>    previous separation of protocol variants based on security
>    capabilities (e.g., HTTP on TCP port 80 vs. HTTPS on TCP port 443) is
>    not recommended for new protocols, because all new protocols should
>    be security-capable and capable of negotiating the use of security
>    in-band.
> 
> Section 7.2 proposed:
>    Further,
>    previous separation of protocol variants based on security
>    capabilities (e.g., HTTP on TCP port 80 vs. HTTPS on TCP port 443) is
>    not recommended for new protocols, because all new protocols should
>    be security-capable.
> 
> --Paul Hoffman, Director
> --VPN Consortium
> 


-- 

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------