
Re: Evaluation: draft-ietf-netconf-ssh-05.txt to Proposed Standard [I06-051127-0011]



McDonald, Ira writes:
> It is not possible to use NetConf (or SHOULD NOT be) without strong
> authentication - in any case, security professionals do NOT accept
> the pseudo-security of "well known ports" based on their numeric
> values.

Right, but using a <1024 port seems to be the convention for protocols
that talk with system-level entities - and a device's configuration
agent is certainly an example of one.  Therefore I think a port from
the well-known/system/privileged range is appropriate here.

I agree that "privileged" ports are a weak security mechanism.  But
then I don't understand why you are so worried about our contribution
to exhausting them.  Once the other 300 or so privileged ports are
used up, people will simply be forced to abandon this weak security
concept (or try to reclaim old port assignments that have fallen out
of use, or open up another range of "privileged" ports).

In my personal experience, low port numbers seem to give security
admins a warmer and fuzzier feeling when you ask them to open ports in
their filters.  Therefore I think a <1024 port would make NETCONF
deployment easier, if only slightly.
-- 
Simon.


--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>