Hi Folks,

We have two people who have said that we don't need a system port. I'd like to have an answer back to the IESG later today (Wednesday) so they can move forward with it tomorrow (Thursday telechat). If we don't hear anything else back we'll assume that's the consensus of the WG.

Many thanks,
Chris

On Wed, 13 Aug 2008, David Harrington wrote:

Hi,

There is a question of whether we need a system port or just a
registered port.

As co-chair, I think the WG should be involved in this discussion.
The document is scheduled to be discussed by the IESG on Thursday, so
quick responses are important.

Would a registered port be adequate for syslog/tls, or is there a
compelling reason why it MUST be a system port?

David Harrington
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]


-----Original Message-----
From: Lars Eggert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 13, 2008 2:53 AM
To: ext Joseph Salowey (jsalowey)
Subject: Re: DISCUSS: draft-ietf-syslog-transport-tls

Hi,

On 2008-8-13, at 9:05, ext Joseph Salowey (jsalowey) wrote:
> This was discussed in the working group. The following is a list of
> reasons that were given in support of a system port (somewhat
> paraphrased):
>
> 1. We expect syslog-tls to become widely adopted (if we would not
> expect this, we could simply drop the effort - this is why the WG has
> been rechartered).

Sure, but widely adopted != needs a port < 1024. Lots of widely-adopted
protocols use a registered port in the 1024-49151 range.

> 2. Syslog traditionally has been assigned a dedicated port in the
> system range (514 and 601).
>
> 3. Syslog was considered important enough to assign a dedicated port
> in the past (601 with RFC 3195) - the same should apply to this effort

We've been continuing to run out of system port space since those
ports were allocated. If there is no technical reason for a low port
number, I'd like to push back a bit on historic consistency as an
argument.

> 4. The syslog daemon is considered an essential system service and
> part of many important operating systems

True, but see my answer to 1.

> 5. Operators expect a dedicated port for an essential protocol
>
> 6. A dedicated port greatly reduces the likelihood of syslogd startup
> errors due to the port being used by another process
>
> 7. A dedicated port greatly reduces ambiguity, which is especially
> important as a number of SOHO devices/applications are expected to
> implement the protocol. For low-knowledge, "nearly plug-and-play"
> scenarios, senders and receivers need a universal understanding of the
> port number to use.

As for 5-7, syslog will get a dedicated port, but in the 1024-49151
range instead of one < 1024.

> 8. (derived argument) Combining arguments #1 and #4, there will be a
> very large number of systems utilizing that port, thus justifying
> assigning a scarce resource.
>
> I think these arguments are convincing, but I am unsure as to the
> criteria for assigning a system port.

draft-ietf-tsvwg-iana-ports has some text on this.

Basically, the difference between the well-known and registered port
ranges has been diminishing to the point where it has become
irrelevant. For example, on a few operating systems, only root can
bind to well known ports. This is not a security feature, quite the
opposite - most system daemons only become root to bind to the port
and then drop privileges to run as a regular user and sometimes even
in a sandbox, as to not become an attack vector. If they used a
registered port, they'd not even need to jump through these hoops.

All that said, I agree that this change in IANA policy hasn't been
widely communicated and the corresponding document hasn't gotten IETF
consensus yet. If the WG and the rest of the IETF think that we
shouldn't strictly apply it for this reason at this time, I can live
with that and will clear the DISCUSS on the call Thursday. (There are
only around 200 system ports left, however, so at some point we do
need to start raising the bar.)

Lars


_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
