A real example, with names

Harald Tveit Alvestrand harald at alvestrand.no
Thu May 8 16:09:25 CEST 2003 


--On torsdag, mai 08, 2003 15:26:50 +0300 john.loughney at nokia.com wrote:

> Hi Keith,
>
>> do you think writing up 30 pages of detailed explanation is
>> constructive?
>
> In some cases a 2 or 5 page document would be enough, at least for
> me.  Many times, I am just looking for documentation why I should
> or should not do 'x'.  Here is a good example, actually involving
> you.
>
> When I took over the editorship of the Diameter Base spec, I
> was given a comment by the IESG that using different ports
> for TLS & non-TLS traffic violated a long-held IESG policy.  Of course,
> this policy is not written down.  As I have certain job responsibilities,
> folks at home were asking me what problems are caused by this,
> for which I had no answer.  After some pestering, someone, Bert W.
> I think, pointed me to an SMTP RFC with some discussion about port
> usage ... it didn't really provide me with convincing material,
> but I was motivated to get the doc done, so I made the fix.
>
> A bit later, in another WG, the same issue came up again.  The WG
> Security advisor, when asked about this mentioned - 'Oh, that was
> Keith's big thing ... mumble, mumble.'  Further mail exchanges with
> him & the responsible AD did not produce any insight or conclusions,
> so I'm left with little insight or understanding if it is allowed
> to use multiple ports or not.  Currently, the WG is leaning towards
> a 2-port model; does this mean we'll suffer a gotcha during IESG
> review?

actually there's a little text around.... but I think this is what you were 
referring to....

RFC 2595 ("Using TLS with IMAP, POP3 and ACAP") says this:

7. imaps and pop3s ports

   Separate "imaps" and "pop3s" ports were registered for use with SSL.
   Use of these ports is discouraged in favor of the STARTTLS or STLS
   commands.

   A number of problems have been observed with separate ports for
   "secure" variants of protocols.  This is an attempt to enumerate some
   of those problems.

   - Separate ports lead to a separate URL scheme which intrudes into
     the user interface in inappropriate ways.  For example, many web
     pages use language like "click here if your browser supports SSL."
     This is a decision the browser is often more capable of making than
     the user.

   - Separate ports imply a model of either "secure" or "not secure."
     This can be misleading in a number of ways.  First, the "secure"
     port may not in fact be acceptably secure as an export-crippled
     cipher suite might be in use.  This can mislead users into a false
     sense of security.  Second, the normal port might in fact be
     secured by using a SASL mechanism which includes a security layer.
     Thus the separate port distinction makes the complex topic of
     security policy even more confusing.  One common result of this
     confusion is that firewall administrators are often misled into
     permitting the "secure" port and blocking the standard port.  This
     could be a poor choice given the common use of SSL with a 40-bit
     key encryption layer and plain-text password authentication is less
     secure than strong SASL mechanisms such as GSSAPI with Kerberos 5.

   - Use of separate ports for SSL has caused clients to implement only
     two security policies: use SSL or don't use SSL.  The desirable
     security policy "use TLS when available" would be cumbersome with
     the separate port model, but is simple with STARTTLS.

   - Port numbers are a limited resource.  While they are not yet in
     short supply, it is unwise to set a precedent that could double (or
     worse) the speed of their consumption.

There are also a few lines in the sec-cons draft dealing with a specific 
problem (virtual hosts) that is at the moment VERY painful for the folks 
hosting secure Web servers....

I think this is a typical case of:

- someone thinks through a problem, coming to a conclusion. In this case 
that separate ports for different versions of the same application protocol 
is a thoroughly bad idea.

- that someone explains this multiple times, convincing at least the people 
in a position to enforce policy at the time. But does not write down 
explicitly the full justification for it.

- the person leaves, and the policy remains in force. The quality of the 
explanations tends to deteriorate.

(FWIW, I personally think separate ports are just plain stupid, because 
they are a totally inappropriate granularity of security policy control, 
and their existence forms a slow, error-prone and eminently attackable form 
of security negotiation, but I've generally not had the energy to dive into 
those discussions, having other fish to fry so to speak, so you can't find 
many quotes from me on the subject....)

                    Harald

More information about the Problem-statement mailing list