
Re: Evaluation: draft-ietf-netconf-ssh-05.txt to Proposed Standard [I06-051127-0011]



Steve Moulton wrote:
On Friday, March 17 2006, Andy Bierman <ietf@andybierman.com> wrote:


We don't think we are improving security.
It is about following current practice, 'best' or otherwise.
IMO, there is a strong pre-existing expectation that a configuration
protocol like NETCONF should be in the system port number range.

As far as I can tell, the only security implication one way or the
other is whether non-netconf (i.e., other user) applications can
bind to the port, possibly preempting use by netconf (even though
the netconf service is likely to start before user applications).
On unix-like systems, port numbers below 1024 enforce this. On
non-unix-like systems, this argument may not hold.

If there is a difference wrt authentication, I don't see it (but my
security glasses are, at best, astigmatic).
So, to my understanding, there are two arguments for reserving
a port below 1024:  preempting user processes, and pre-existing
expectation as noted by Andy.  It is not clear to me that
those at IANA who gatekeep such things will find these sufficiently
strong arguments.

Well they should -- just follow the logic:

1) It doesn't matter what the port number is
2) Port numbers <1024 are not important, and therefore not scarce
3) Use a >1024 number anyway to preserve this relatively scarce resource (?)

OR

1) It doesn't matter what the port number is, except on unix implementations
2) Use a <1024 number, since their relative scarcity is irrelevant,
   and it will help unix implementations prevent hackers from easily spoofing
   the netconf agent.



---
Steve Moulton        SNMP Research, Inc            voice: +1 865 573 1434
Sr Software Engineer 3001 Kimberlin Heights Rd.    fax: +1 865 573 9197
moulton at snmp.com  Knoxville, TN 37920-9716 USA  http://www.snmp.com



Andy
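Added example, not part of the thread: a small Python check of the mechanism Steve describes (on Unix-like hosts only a privileged process may bind a port below 1024) and of the pre-emption scenario on a high port, where whichever local process binds first holds the port. It assumes a POSIX host with an IPv4 loopback interface; the 1024 boundary is the traditional Unix rule, and the outcome for a low port depends on the privileges of the user running it.

```python
import errno
import os
import socket

# Traditional Unix rule: ports below this need root (or CAP_NET_BIND_SERVICE on Linux).
PRIVILEGED_PORT_LIMIT = 1024


def try_bind(port, host="127.0.0.1"):
    """Attempt to bind a TCP socket on host:port and classify the outcome.

    Returns "bound" (port obtained, released immediately),
    "permission-denied" (kernel refused: privileged port, unprivileged caller),
    or "in-use" (another local socket already holds the port).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return "bound"
    except PermissionError:
        return "permission-denied"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        raise
    finally:
        sock.close()


def squatting_risk(port):
    """Thread's argument as a check: can an unprivileged local user pre-empt this port?"""
    if os.name != "posix":
        return "unknown: no privileged-port rule assumed on non-Unix hosts"
    if port < PRIVILEGED_PORT_LIMIT:
        return "low: kernel restricts binding to privileged processes"
    return "high: any local process that binds first holds the port"


def demonstrate_preemption():
    """Pre-emption on an unprivileged port: a 'squatter' socket grabs a free high
    port and starts listening; a later bind on that port fails with EADDRINUSE,
    exactly as an agent starting after a user process would."""
    squatter = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        squatter.bind(("127.0.0.1", 0))   # port 0: kernel picks a free high port
        squatter.listen(1)
        port = squatter.getsockname()[1]
        return port, try_bind(port)       # -> (port, "in-use")
    finally:
        squatter.close()


if __name__ == "__main__":
    print(demonstrate_preemption())
    print(squatting_risk(1023), "|", squatting_risk(1024))
```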



--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>