Hi,

There is a question of whether we need a system port or just a registered port.

As co-chair, I think the WG should be involved in this discussion. The document is scheduled to be discussed by the IESG on Thursday, so quick responses are important. Would a registered port be adequate for syslog/tls, or is there a compelling reason why it MUST be a system port?

David Harrington
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

-----Original Message-----
From: Lars Eggert [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 13, 2008 2:53 AM
To: ext Joseph Salowey (jsalowey)
Subject: Re: DISCUSS: draft-ietf-syslog-transport-tls

Hi,

On 2008-8-13, at 9:05, ext Joseph Salowey (jsalowey) wrote:
> This was discussed in the working group. The following is a list of
> reasons that were given in support of a system port (somewhat
> paraphrased):
>
> 1. We expect syslog-tls to become widely adopted (if we would not
> expect this, we could simply drop the effort - this is why the WG has
> been rechartered).

Sure, but widely adopted != needs a port < 1024. Lots of widely-adopted protocols use a registered port in the 1024-49151 range.

> 2. Syslog traditionally has been assigned a dedicated port in the
> system range (514 and 601).
>
> 3. Syslog was considered important enough to assign a dedicated port
> in the past (601 with RFC 3195) - the same should apply to this effort

We've been continuing to run out of system port space since those ports were allocated. If there is no technical reason for a low port number, I'd like to push back a bit on historic consistency as an argument.

> 4. The syslog daemon is considered an essential system service and
> part of many important operating systems

True, but see my answer to 1.

> 5. Operators expect a dedicated port for an essential protocol
>
> 6. A dedicated port greatly reduces the likelihood of syslogd startup
> errors due to the port being used by another process
>
> 7. A dedicated port greatly reduces ambiguity, which is especially
> important as a number of SOHO devices/applications is expected to
> implement the protocol. For low-knowledge, "nearly plug-and-play"
> scenarios, senders and receivers need a universal understanding of the
> port number to use.

As for 5-7, syslog will get a dedicated port, but in the 1024-49151 range instead of one < 1024.

> 8. (derived argument) Combining argument #1 and #4, there will be a
> very large number of systems utilizing that port, thus justifying
> assigning a scarce resource.
>
> I think these arguments are convincing, but I am unsure as to the
> criteria for assigning a system port.

draft-ietf-tsvwg-iana-ports has some text on this. Basically, the difference between the well-known and registered port ranges has been diminishing to the point where it has become irrelevant. For example, on a few operating systems, only root can bind to well-known ports. This is not a security feature, quite the opposite - most system daemons only become root to bind to the port and then drop privileges to run as a regular user and sometimes even in a sandbox, so as not to become an attack vector. If they used a registered port, they'd not even need to jump through these hoops.

All that said, I agree that this change in IANA policy hasn't been widely communicated and the corresponding document hasn't gotten IETF consensus yet. If the WG and the rest of the IETF thinks that we shouldn't strictly apply it for this reason at this time, I can live with that and will clear the DISCUSS on the call Thursday. (There are only around 200 system ports left, however, so at some point we do need to start raising the bar.)

Lars

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
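The "hoops" Lars refers to, as an added example that is not part of the original thread or of the syslog draft: a receiver that wants the traditional system-range port 514 has to start as root to bind it, then permanently switch to an unprivileged identity, and should verify that the switch cannot be undone. The script below assumes a Unix host, uses uid/gid 65534 (the conventional "nobody") as the unprivileged identity, and uses 127.0.0.1 so it can be run without touching a real interface; with a registered-range port none of the privilege handling would be needed.

```python
"""Added example (not from the syslog WG or the draft): bind a system
port (< 1024) as root, then drop privileges and prove the drop is
irreversible.  Run as root to see the full sequence; as an ordinary
user the privileged bind fails and an ephemeral port is used instead."""
import os
import socket

# Assumption for this example: the unprivileged identity to switch to.
# 65534 is the conventional uid/gid of 'nobody' on most Unix systems; a
# real daemon would use a dedicated service account looked up via pwd.
UNPRIV_UID = 65534
UNPRIV_GID = 65534

# The traditional syslog port mentioned in the thread.  Binding it needs
# root (or CAP_NET_BIND_SERVICE on Linux) unless the kernel has been told
# to treat low ports as unprivileged.
SYSLOG_SYSTEM_PORT = 514


def running_as_root():
    """True if the effective uid is 0."""
    return os.geteuid() == 0


def bind_listener(port, host="127.0.0.1"):
    """Create a listening TCP socket on host:port and return it.
    Raises PermissionError if the port is privileged and we are not."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(8)
    return sock


def can_bind(port):
    """Probe whether the current identity may bind port on loopback.
    Only a permission failure counts as 'no'; anything else propagates."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind(("127.0.0.1", port))
    except PermissionError:
        return False
    finally:
        sock.close()
    return True


def drop_privileges(uid=UNPRIV_UID, gid=UNPRIV_GID):
    """Permanently switch to uid/gid if running as root.
    Order matters: supplementary groups and gid must go first, because
    after setuid() the process may no longer change them.  Returns True
    if a drop happened, False if the process was not root to begin with."""
    if not running_as_root():
        return False
    os.setgroups([])      # shed root's supplementary groups
    os.setgid(gid)
    os.setuid(uid)        # as root this sets real, effective and saved uid
    # Sanity check: every id must now be the target, or the drop leaked.
    if os.getuid() != uid or os.geteuid() != uid or os.getgid() != gid:
        raise RuntimeError("privilege drop failed")
    return True


def privileges_dropped():
    """True if the process can no longer regain root, i.e. setuid(0) is
    refused.  A daemon that only changed its effective uid (seteuid)
    keeps a saved uid of 0 and would fail this check."""
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("root before drop:", running_as_root())
    print("may bind %d before drop:" % SYSLOG_SYSTEM_PORT,
          can_bind(SYSLOG_SYSTEM_PORT))
    try:
        listener = bind_listener(SYSLOG_SYSTEM_PORT)
    except PermissionError:
        # Not root: fall back to an ephemeral port, which needs no privilege,
        # exactly as a registered-range port would not.
        listener = bind_listener(0)
    print("listening on", listener.getsockname())
    print("dropped:", drop_privileges())
    print("may bind %d after drop:" % SYSLOG_SYSTEM_PORT,
          can_bind(SYSLOG_SYSTEM_PORT))
    print("irreversible:", privileges_dropped())
    listener.close()
```

The socket bound before the drop stays usable afterwards, which is the whole point of the bind-then-drop pattern. On Linux the "may bind 514 after drop" line can still print True if the process holds CAP_NET_BIND_SERVICE or the host sets net.ipv4.ip_unprivileged_port_start below 514, so the probe is a report, not a guarantee; the setuid(0) check is the one that shows the drop cannot be reversed.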
