Re: Security issues with draft-ietf-tsvwg-iana-ports-08

Eliot Lear <lear@cisco.com> Thu, 04 November 2010 18:26 UTC

Message-ID: <4CD2FAEB.5020606@cisco.com>
Date: Thu, 04 Nov 2010 19:26:51 +0100
From: Eliot Lear <lear@cisco.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: Security issues with draft-ietf-tsvwg-iana-ports-08
References: <4CCD6B0B.5040804@isode.com> <p06240842c8f7b9ba2577@[10.20.30.150]> <4CD27ECF.1010500@cisco.com> <p06240802c8f8882552b4@[10.20.30.150]>
In-Reply-To: <p06240802c8f8882552b4@[10.20.30.150]>
Cc: tsvwg@ietf.org

Hi Paul,

I think you've raised some really good points, but I am still concerned
about one issue, and I'm not sure this draft is the place to fix it: if
applicants are left with the impression that IANA won't allocate another
port for additional security, perhaps they get to think about it NOW.
If, on the other hand, they think they can always apply later, they will
think about it LATER.  I would rather they think about it NOW.  In
practice I don't know that they actually will think about it NOW, but
rather simply reserve a means to STARTTLS (or the like), and so again, I
don't know if we can fix this one.  That just leaves stewardship.

Eliot