Proposed resolution for security issues with draft-ietf-tsvwg-iana-ports-08

Paul Hoffman <paul.hoffman@vpnc.org> Mon, 15 November 2010 19:43 UTC

Message-Id: <p06240824c9073b8e611a@[10.20.30.150]>
Date: Mon, 15 Nov 2010 11:44:24 -0800
To: tsvwg@ietf.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Proposed resolution for security issues with draft-ietf-tsvwg-iana-ports-08

As this list and the TLS list have seen, there is a wide variety of views on how to deal with fallback-to-insecure in protocols. I believe that the security community has no consensus on what this means, much less how to do it. My earlier proposal (continue to allow registration of two ports) was popular with some, unpopular with others; similarly, so was "force all protocols to use one port".

Therefore, I retract my proposal to allow two-port registrations for fallback-to-insecure. However, I still recommend some changes to the text to reflect the view that STARTTLS is not the only way to have such a feature on one port.

This will be an interesting IETF Last Call discussion.

I propose the following changes to draft-ietf-tsvwg-iana-ports:

Section 7.2 current:
o  IANA will allocate only one assigned port number for all versions
   of a service (e.g., running the service with or without a security
   mechanism, or for updated variants of a service)

Section 7.2 proposed:
o  IANA will normally allocate only one assigned port number for all versions
   of a service (e.g., running the service with or without a security
   mechanism, or for updated variants of a service). This policy can
   be overridden by the expert reviewer.

Section 7.2 current:
   Further,
   previous separation of protocol variants based on security
   capabilities (e.g., HTTP on TCP port 80 vs. HTTPS on TCP port 443) is
   not recommended for new protocols, because all new protocols should
   be security-capable and capable of negotiating the use of security
   in-band.

Section 7.2 proposed:
   Further,
   previous separation of protocol variants based on security
   capabilities (e.g., HTTP on TCP port 80 vs. HTTPS on TCP port 443) is
   not recommended for new protocols, because all new protocols should
   be security-capable.

--Paul Hoffman, Director
--VPN Consortium
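The message above contrasts two designs without spelling out the mechanics: a single port with in-band security negotiation (STARTTLS-style, which the draft favours) and a second, security-only port (the two-port registration Hoffman retracts). The model below is an added illustration, not part of Hoffman's message or of draft-ietf-tsvwg-iana-ports, written to show where the "fallback-to-insecure" decision actually sits in each design. Everything in it is constructed for the example: the OnePortServer class, the strip_starttls attacker function, the 'require' and 'opportunistic' client policies, and the SMTP-like command strings are hypothetical stand-ins, and no real TLS handshake is performed.

```python
"""Toy model of one-port in-band security upgrade versus a dedicated
secure port, and the client's fallback-to-insecure choice in each.
Constructed example; not the draft's or the author's code."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# An on-path attacker's transformation of the server's advertised capabilities.
Attacker = Callable[[List[str]], List[str]]


@dataclass
class OnePortServer:
    """Single-port service that may offer an in-band upgrade (STARTTLS-style)."""
    offers_starttls: bool
    transcript: List[str] = field(default_factory=list)

    def greeting(self) -> List[str]:
        # Hypothetical capability list; STARTTLS is the upgrade offer.
        caps = ["SIZE 10240000"]
        if self.offers_starttls:
            caps.append("STARTTLS")
        return caps

    def command(self, verb: str) -> str:
        self.transcript.append("C: " + verb)
        if verb == "STARTTLS":
            reply = "220 go ahead" if self.offers_starttls else "454 TLS not available"
        else:
            reply = "250 ok"
        self.transcript.append("S: " + reply)
        return reply


def strip_starttls(caps: List[str]) -> List[str]:
    """Constructed on-path attacker: removes the upgrade offer so the client
    never sees it (the classic in-band downgrade)."""
    return [c for c in caps if c != "STARTTLS"]


def one_port_session(server: OnePortServer, policy: str,
                     attacker: Optional[Attacker] = None) -> str:
    """Client side of the one-port design.

    policy 'require':       never continue without the upgrade.
    policy 'opportunistic': upgrade if offered, otherwise fall back to cleartext.
    Returns 'tls', 'cleartext' or 'aborted'.
    """
    caps = server.greeting()
    if attacker is not None:
        caps = attacker(caps)          # what the client actually sees on the wire
    if "STARTTLS" in caps:
        if server.command("STARTTLS").startswith("220"):
            return "tls"               # a real client would now run the handshake
    # No usable upgrade offer: this is the fallback-to-insecure decision.
    if policy == "require":
        server.command("QUIT")
        return "aborted"
    if policy == "opportunistic":
        server.command("MAIL FROM:<sender@example.invalid>")   # constructed cleartext traffic
        return "cleartext"
    raise ValueError("unknown policy: " + policy)


def two_port_session(secure_port_reachable: bool, policy: str) -> str:
    """Client side of the dedicated-secure-port design (implicit TLS).

    TLS is the first thing on the wire, so there is no capability to strip;
    an on-path attacker can only make the secure port look unreachable.  The
    fallback question then moves to 'retry the cleartext port or give up?'.
    """
    if secure_port_reachable:
        return "tls"
    if policy == "require":
        return "aborted"
    return "cleartext"                 # opportunistic client retries the other port


def summarize() -> dict:
    """Outcome of each design under each policy, with and without an attacker."""
    return {
        "one-port/require/no-attacker": one_port_session(OnePortServer(True), "require"),
        "one-port/require/stripped": one_port_session(OnePortServer(True), "require", strip_starttls),
        "one-port/opportunistic/stripped": one_port_session(OnePortServer(True), "opportunistic", strip_starttls),
        "one-port/opportunistic/legacy-server": one_port_session(OnePortServer(False), "opportunistic"),
        "two-port/require/blocked": two_port_session(False, "require"),
        "two-port/opportunistic/blocked": two_port_session(False, "opportunistic"),
    }


if __name__ == "__main__":
    for scenario, outcome in summarize().items():
        print(f"{scenario:40s} -> {outcome}")
```

The point the table of outcomes makes is the one the message leaves open: which port the security lives on changes what the attacker can do (strip an offer versus block a port) but not whether the client will fall back, which is entirely the client's policy. Neither registry choice settles that.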