Re: Security issues with draft-ietf-tsvwg-iana-ports-08

Magnus Westerlund <magnus.westerlund@ericsson.com> Sat, 06 November 2010 01:33 UTC

Message-ID: <4CD4B053.8010001@ericsson.com>
Date: Sat, 06 Nov 2010 02:33:07 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; sv-SE; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: Eliot Lear <lear@cisco.com>
Subject: Re: Security issues with draft-ietf-tsvwg-iana-ports-08
References: <4CCD6B0B.5040804@isode.com> <p06240842c8f7b9ba2577@[10.20.30.150]> <4CD27ECF.1010500@cisco.com> <p06240802c8f8882552b4@[10.20.30.150]> <4CD2FAEB.5020606@cisco.com>
In-Reply-To: <4CD2FAEB.5020606@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>

Eliot Lear wrote 2010-11-04 19:26:
> Hi Paul,
> 
> I think you've raised some really good points, but I am still concerned
> about one issue, and I'm not sure this draft is the place to fix it: if
> applicants are left with the impression that IANA won't allocate another
> port for additional security, perhaps they get to think about it NOW.
> If on the other hand, they think they can always apply later, they will
> think about it LATER.  I would rather they think about it NOW.  In
> practice I don't know that they actually will think about it NOW, but
> rather simply reserve a means to STARTTLS (or the like), and so again, I
> don't know if we can fix this one.  That just leaves stewardship.
> 
> Eliot

Paul and Eliot,

I have to agree with Eliot here. I clearly can understand your view on
how things have been and are. I would like to start by pointing out
that most ports allocated to protocols each year are not done by the IETF,
nor discussed in the IETF at all.

We also know that if considered from the start there is little issue with
doing TLS and non-TLS on the same port. I agree that retrofitting an old
protocol is not necessarily as easy nor deployable. I do expect the port
review team will actually approve a request for a second port if there
is a shown need.

I think the issue here is to strike a balance in the text so that it is
clear that for existing protocols it might be possible to get a second
port, but we really do expect new protocols to have support from the
start to do TLS on that single port.

I also think reserving ports for old protocols is a bad idea. We have no
immediate shortage of ports; if I remember Joe's calculations correctly,
our current consumption rate would result in run-out for TCP in around
50 years. Thus reserving for this purpose seems strange, as the
protocols that do truly need a second port can get one. So, to avoid
sending a message that I don't want to send, or reserving ports when not
needed, I think this idea should be skipped.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------