[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Evaluation: draft-ietf-netconf-ssh-05.txt to Proposed Standar d [I06-051127-0011]
On Friday, March 17 2006, Andy Bierman <ietf@andybierman.com> wrote:
> We don't think we are improving security.
> It is about following current practice, 'best' or otherwise.
> IMO, there is a strong pre-existing expectation that a configuration
> protocol like NETCONF should be in the system port number range.
As far as I can tell, the only security implication one way or the
other is whether non-netconf (i.e., other user) applications can
bind to the port, possibly preempting use by netconf (even though
the netconf service is likely to start before user applications).
On unix-like systems, port numbers below 1024 enforce this.
On non-unix-like systems, this argument may not hold.
If there is a difference wrt authentication, I don't see it (but my
security glasses are, at best, astigmatic).
So, to my understanding, there are two arguments for reserving
a port below 1024: preempting user processes, and pre-existing
expectation as noted by Andy. It is not clear to me that
those at IANA who gatekeep such things will find these sufficiently
strong arguments.
---
Steve Moulton SNMP Research, Inc voice: +1 865 573 1434
Sr Software Engineer 3001 Kimberlin Heights Rd. fax: +1 865 573 9197
moulton at snmp.com Knoxville, TN 37920-9716 USA http://www.snmp.com
--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>