draft-ietf-tsvwg-port-use-04.txt   draft-ietf-tsvwg-port-use-05.txt 
TSVWG J. Touch TSVWG J. Touch
Internet Draft USC/ISI Internet Draft USC/ISI
Intended status: Best Current Practice May 14, 2014 Intended status: Best Current Practice September 17, 2014
Expires: November 2014 Expires: March 2015
Recommendations for Transport Port Uses Recommendations for Transport Port Number Uses
draft-ietf-tsvwg-port-use-04.txt draft-ietf-tsvwg-port-use-05.txt
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 31 skipping to change at page 1, line 31
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on November 14, 2014. This Internet-Draft will expire on March 17, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License. warranty as described in the Simplified BSD License.
Abstract Abstract
This document provides recommendations to application and service This document provides recommendations to application and service
designers on how to use the transport protocol port number space to designers on how to use the transport protocol port number space. IT
help in its preservation. complements (but does not update) RFC6335, which focuses on IANA
process.
Table of Contents Table of Contents
1. Introduction...................................................2 1. Introduction...................................................2
2. Conventions used in this document..............................2 2. Conventions used in this document..............................3
3. History........................................................3 3. History........................................................3
4. Current Port Use...............................................4 4. Current Port Number Use........................................4
5. What is a Port?................................................5 5. What is a Port Number?.........................................5
6. Conservation...................................................6 6. Conservation...................................................7
6.1. Firewall and NAT Considerations...........................7 6.1. Guiding Principles........................................7
7. How to Use Assigned Ports......................................8 6.2. Firewall and NAT Considerations...........................8
7.1. Is a port assignment necessary?...........................8 7. How to Use Assigned Port Numbers...............................9
7.2. How Many Ports?..........................................10 7.1. Is a port number assignment necessary?....................9
7.3. Picking a Port Number....................................10 7.2. How Many Port Numbers?...................................11
7.4. Support for Security.....................................11 7.3. Picking a Port Number....................................11
7.5. Support for Future Versions..............................12 7.4. Support for Security.....................................13
7.6. Transport Protocols......................................13 7.5. Support for Future Versions..............................14
7.7. When to Request an Assignment............................14 7.6. Transport Protocols......................................14
7.8. Squatting................................................15 7.7. When to Request an Assignment............................15
7.9. Other Considerations.....................................16 7.8. Squatting................................................17
8. Security Considerations.......................................16 7.9. Other Considerations.....................................17
9. IANA Considerations...........................................16 8. Security Considerations.......................................17
10. References...................................................16 9. IANA Considerations...........................................18
10.1. Normative References....................................16 10. References...................................................18
10.2. Informative References..................................17 10.1. Normative References....................................18
11. Acknowledgments..............................................19 10.2. Informative References..................................19
11. Acknowledgments..............................................21
1. Introduction 1. Introduction
This document provides information and advice to system designers on This document provides information and advice to system designers on
the use of transport port numbers and services. It provides a the use of transport port numbers. It provides a detailed historical
detailed historical background of the evolution of transport port background of the evolution of transport port numbers and their
numbers and their multiple meanings. It also provides specific multiple meanings. It also provides specific recommendations to
recommendations on how to use assigned ports. system designers on how to use assigned port numbers. Note that this
document provides information to potential port number applicants
that complements the IANA process described in BCP165 [RFC6335], but
it does not update that document.
2. Conventions used in this document 2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119]. document are to be interpreted as described in RFC-2119 [RFC2119].
In this document, these words will appear with that interpretation In this document, these words will appear with that interpretation
only when in ALL CAPS. Lower case uses of these words are not to be only when in ALL CAPS. Lower case uses of these words are not to be
interpreted as carrying RFC-2119 significance. interpreted as carrying RFC-2119 significance.
In this document, the characters ">>" preceding an indented line(s) In this document, the characters ">>" preceding an indented line(s)
indicates a compliance requirement statement using the key words indicates a compliance requirement statement using the key words
listed above. This convention aids reviewers in quickly identifying listed above. This convention aids reviewers in quickly identifying
or finding the explicit compliance requirements of this RFC. or finding the explicit compliance requirements of this RFC.
3. History 3. History
The term 'port' was first used in [RFC33] to indicate a simplex The term 'port' was first used in [RFC33] to indicate a simplex
communication path from an individual process. At a meeting communication path from an individual process and originally applied
described in [RFC37], an idea was presented to decouple connections to only the Network Control Program (NCP) connection-oriented
between processes and links that they use as paths, and thus to protocol. At a meeting described in [RFC37], an idea was presented
include source and destination socket identifiers in packets. to decouple connections between processes and links that they use as
[RFC38] provides further detail, describing how processes might have paths, and thus to include numeric source and destination socket
more than one of these paths and that more than one path may be identifiers in packets. [RFC38] provides further detail, describing
active at a time. As a result, there was the need to add a process how processes might have more than one of these paths and that more
identifier to the header of each message so that incoming messages than one path may be active at a time. As a result, there was the
could be demultiplexed to the appropriate process. [RFC38] further need to add a process identifier to the header of each message so
suggested that 32 bits would be used for these identifiers. [RFC48] that incoming messages could be demultiplexed to the appropriate
discusses the current notion of listening on a specific port, but process. [RFC38] further suggested that 32 bit numbers would be used
does not discuss the issue of port determination. [RFC61] notes that for these identifiers. [RFC48] discusses the current notion of
the challenge of knowing the appropriate port numbers is "left to listening on a specific port number, but does not discuss the issue
the processes" in general, but introduces the concept of a "well- of port number determination. [RFC61] notes that the challenge of
known" port for common services. knowing the appropriate port numbers is "left to the processes" in
general, but introduces the concept of a "well-known" port number
for common services.
[RFC76] proposed a "telephone book" by which an index would allow [RFC76] proposed a "telephone book" by which an index would allow
ports to be used by name, but still assumed that both source and port numbers to be used by name, but still assumed that both source
destination ports are fixed by such a system. [RFC333] proposed that and destination port numbers are fixed by such a system. [RFC333]
a port pair, rather than an individual port, would be used on both proposed that a port number pair, rather than an individual port
sides of the connection for demultiplexing messages. This is the number, would be used on both sides of the connection for
final view in [RFC793] (and its predecessors, including [IEN112]), demultiplexing messages. This is the final view in [RFC793] (and its
and brings us to their current meaning. [RFC739] introduced the predecessors, including [IEN112]), and brings us to their current
notion of generic reserved ports for groups of protocols, such as meaning. [RFC739] introduced the notion of generic reserved port
"any private RJE server" [RFC739]. Although the overall range of numbers for groups of protocols, such as "any private RJE server"
such ports was (and remains) 16 bits, only the first 256 (high 8 [RFC739]. Although the overall range of such port numbers was (and
bits cleared) in the range were considered assigned. remains) 16 bits, only the first 256 (high 8 bits cleared) in the
range were considered assigned.
[RFC758] is the first to describe a list of such well-known ports, [RFC758] is the first to describe port numbers as being used for TCP
as well as describing ranges used for different purposes: (previous RFCs all refer to only NCP). It includes a list of such
well-known port numbers, as well as describing ranges used for
different purposes:
Binary Octal Binary Octal
----------------------------------------------------------- -----------------------------------------------------------
0-63 0-77 Network Wide Standard Function 0-63 0-77 Network Wide Standard Function
64-127 100-177 Hosts Specific Functions 64-127 100-177 Hosts Specific Functions
128-223 200-337 Reserved for Future Use 128-223 200-337 Reserved for Future Use
224-255 340-377 Any Experimental Function 224-255 340-377 Any Experimental Function
In [RFC820] those range meanings disappeared, and a single list of In [RFC820] those range meanings disappeared, and a single list of
assignments is presented. By [RFC900] the ranges appeared as decimal number assignments is presented. This is also the first time that
numbers rather than the octal ranges used previously. [RFC1340] port numbers are described as applying to a connectionless transport
increased this range from 0..255 to 0..1023, and began to list TCP (UDP) rather than only connection-oriented transports.
and UDP port assignments individually (although the assumption was,
and remains, that once assigned a port applies to all transport
protocols, including TCP, UDP, recently SCTP and DCCP, as well as
ISO-TP4 for a brief period in the early 1990s). [RFC1340] also
established the Registered range of 1024-59151, though it notes that
it is not controlled by the IANA at that point. The list provided by
[RFC1700] in 1994 remained the standard until it was declared
replaced by an on-line version, as of [RFC3232] in 2002.
4. Current Port Use By [RFC900] the ranges appeared as decimal numbers rather than the
octal ranges used previously. [RFC1340] increased this range from
0..255 to 0..1023, and began to list TCP and UDP port number
assignments individually (although the assumption was that once
assigned a port number applies to all transport protocols, including
TCP, UDP, recently SCTP and DCCP, as well as ISO-TP4 for a brief
period in the early 1990s). [RFC1340] also established the
Registered range of 1024-59151, though it notes that it is not
controlled by the IANA at that point. The list provided by [RFC1700]
in 1994 remained the standard until it was declared replaced by an
on-line version, as of [RFC3232] in 2002.
The current IANA website (www.iana.org) indicates three ranges of 4. Current Port Number Use
port assignments:
RFC6335 indicates three ranges of port number assignments:
Binary Hex Binary Hex
----------------------------------------------------------- -----------------------------------------------------------
0-1023 0x03FF Well-Known (also System) 0-1023 0x03FF System (also Well-Known)
1024-49151 0x0400-0xBFFF Registered (also User) 1024-49151 0x0400-0xBFFF User (also Registered)
49152-65535 0xC000-0xFFFF Dynamic (also Private) 49152-65535 0xC000-0xFFFF Dynamic (also Private)
Well-known encompasses the range 0..1023. On some systems, use of System (also Well-Known) encompasses the range 0..1023. On some
these ports requires privileged access, e.g., that the process run systems, use of these port numbers requires privileged access, e.g.,
as 'root', which is why these are referred to as System ports. The that the process run as 'root' (i.e., as a privileged user), which
ports from 1024..49151 denotes non-privileged services, known as is why these are referred to as System port numbers. The port
Registered; because these ports do not run with special privileges, numbers from 1024..49151 denotes non-privileged services, known as
they are often referred to as User ports. Dynamic (also known as User (also Registered), because these port numbers do not run with
Private) ports are not assigned. special privileges. Dynamic (also Private) port numbers are not
assigned.
Both Well-Known and Registered ports are assigned through IANA, so Both System and User port numbers are assigned through IANA, so both
both are sometimes called 'registered ports'. As a result, the term are sometimes called 'registered port numbers'. As a result, the
'registered' is ambiguous, referring either to the entire range 0- term 'registered' is ambiguous, referring either to the entire range
49151 or to the User ports. Complicating matters further, System 0-49151 or to the User port numbers. Complicating matters further,
ports do not always require special (i.e., 'root') privilege. For System port numbers do not always require special (i.e., 'root')
clarity, the remainder of this document refers to the port ranges as privilege. For clarity, the remainder of this document refers to the
System, User, and Dynamic. port number ranges as System, User, and Dynamic, to be consistent
with IANA process [RFC6335].
5. What is a Port? 5. What is a Port Number?
A port is a 16-bit number used for two distinct purposes: A port number is a 16-bit number used for two distinct purposes:
o Demultiplexing transport connections within an end host o Demultiplexing transport endpoint associations within an end
host
o Identifying a service o Identifying a service
The first purpose requires that each transport connection between a The first purpose requires that each transport endpoint association
given pair of IP addresses use a different pair of ports, but does (e.g., TCP connection or UDP pairwise association) using a given
not require either coordination or registration of port use. It is transport between a given pair of IP addresses use a different pair
the second purpose that drives the need for a common registry. of port numbers, but does not require either coordination or
registration of port number use. It is the second purpose that
drives the need for a common registry.
Consider a user wanting to run a web server. That service could run Consider a user wanting to run a web server. That service could run
on any port, provided that all clients knew what port to use to on any port number, provided that all clients knew what port number
access that service at that host. Such information can be to use to access that service at that host. Such information can be
distributed out-of-band, e.g., in the URI: distributed out-of-band, e.g., in the URI:
http://www.example.com:51509/ http://www.example.com:51509/
Ultimately, the correlation of a service with a port number is an Ultimately, the correlation of a service with a port number is an
agreement between just the two endpoints of the connection. A web agreement between just the two endpoints of the association. A web
server can run on port 53, which might appear as DNS traffic to server can run on port number 53, which might appear as DNS traffic
others but will connect to browsers that know to use port 53 rather to others but will connect to browsers that know to use port number
than 80. 53 rather than 80.
As a concept, a service is the combination of ISO Layers 5-7 that As a concept, a service is the combination of ISO Layers 5-7 that
represents an application protocol capability. For example www (port represents an application protocol capability. For example www (port
80) is a service that uses HTTP as an application protocol and number 80) is a service that uses HTTP as an application protocol
provides access to a web server [RFC2616]. However, it is possible and provides access to a web server [RFC2616]. However, it is
to use HTTP for other purposes, such as command and control. This is possible to use HTTP for other purposes, such as command and
why some current service names (HTTP, e.g.) are a bit overloaded - control. This is why some current service names (HTTP, e.g.) are a
they describe not only the application protocol, but a particular bit overloaded - they describe not only the application protocol,
service. but a particular service.
IANA assigns ports so that Internet endpoints do not need pairwise, IANA assigns port numbers so that Internet endpoints do not need
explicit coordination of the meaning of their port numbers. This is pairwise, explicit coordination of the meaning of their port
the primary reason for requesting assigned ports with IANA - to have numbers. This is the primary reason for requesting assigned port
a common agreement between all endpoints on the Internet as to the numbers with IANA - to have a common agreement between all endpoints
meaning of a port. on the Internet as to the default meaning of a port number.
Ports are sometimes used by intermediate devices on a network path, Port numbers are sometimes used by intermediate devices on a network
either to monitor available services, to monitor traffic (e.g., to path, either to monitor available services, to monitor traffic
indicate the data contents), or to intercept traffic (to block, (e.g., to indicate the data contents), or to intercept traffic (to
proxy, relay, aggregate, or otherwise process it). In each case, the block, proxy, relay, aggregate, or otherwise process it). In each
intermediate device interprets traffic based on the port number. It case, the intermediate device interprets traffic based on the port
is important to recognize that any interpretation of ports - except number. It is important to recognize that any interpretation of port
at the endpoints - may be incorrect, because ports are meaningful numbers - except at the endpoints - may be incorrect, because port
only at the endpoints. Further, ports may not be visible to these numbers are meaningful only at the endpoints. Further, port numbers
intermediate devices, such as when the transport protocol is may not be visible to these intermediate devices, such as when the
encrypted (as in network- or link-layer tunnels), or when a packet transport protocol is encrypted (as in network- or link-layer
is fragmented (in which case only the first fragment has the port tunnels), or when a packet is fragmented (in which case only the
information). Such port invisibility may interfere with these in- first fragment has the port number information). Such port number
network port-based capabilities. invisibility may interfere with these in-network port number-based
capabilities.
Ports can also be useful for other purposes. Assigned ports can Port numbers can also be useful for other purposes. Assigned port
simplify end system configuration, so that individual installations numbers can simplify end system configuration, so that individual
do not need to coordinate their use of arbitrary ports. Such installations do not need to coordinate their use of arbitrary port
assignments can also simplify firewall management, so that a single, numbers. Such assignments can also simplify firewall management, so
fixed firewall configuration can either permit or deny a service. that a single, fixed firewall configuration can either permit or
deny a service.
It is useful to differentiate a port number from a service name. The
former is a numeric value that is used directly in transport
protocol headers as a demultiplexing and service identifier. The
latter is primarily a user convenience, where the default map
between the two is considered static and resolved using a cached
index. This document focuses on the former because it is the
fundamental network resource. Dynamic maps between the two, i.e.,
using DNS SRV records, are discussed further in Section 7.1.
6. Conservation 6. Conservation
Assigned ports are a scarce resource that is globally shared by the Assigned port numbers are a limited resource that is globally shared
entire Internet community. As a result, every attempt should be made by the entire Internet community. As of 2014, approximately 5850 TCP
to conserve ports and request assignments only for those that are and 5570 UDP port numbers have been assigned out of a total range of
absolutely necessary. 49151. As a result of past conservation, current port use is small
and the current rate of assignment avoids the need for transition to
larger number spaces. This conservation also helps avoid the need
for IANA to rely on port number reclamation, which is practically
impossible even though procedurally permitted [RFC6335].
There are a variety of ways that systems can conserve port numbers: IANA aims to assign only one port number per service, including
variants [RFC6335], but there are other benefits to using fewer port
numbers for a given service. Use of multiple port numbers can make
applications more fragile, especially when firewalls block a subset
of those port numbers or use ports numbers to route or prioritize
traffic differently. As a result:
>> Each port requested MUST be justified as independently necessary.
6.1. Guiding Principles
This document provides recommendations for users that also help
conserve port number space. Again, this document does not update
BCP165 [RFC6335], which describes the IANA procedures for managing
transport port numbers and services. Port number conservation is
based on a number of basic principles:
o A single assigned port number can support different functions o A single assigned port number can support different functions
over separate connections, determined using in-band over separate endpoint associations, determined using in-band
information. FTP data connection can transfer binary or text information. An FTP data connection can transfer binary or
files, the latter translating line-terminators, as indicated text files, the latter translating line-terminators, as
in-band over the control port [RFC959]. indicated in-band over the control port number [RFC959].
o A single assigned port can indicate the Dynamic port(s) on o A single assigned port number can indicate the Dynamic port
which different capabilities are supported, as with passive- number(s) on which different capabilities are supported, as
mode FTP [RFC959]. with passive-mode FTP [RFC959].
o Several existing services can indicate the Dynamic port(s) on o Several existing services can indicate the Dynamic port
which other services are supported, such as with mDNS and number(s) on which other services are supported, such as with
portmapper [RFC1833] [RFC6762] [RFC6763]. mDNS and portmapper [RFC1833] [RFC6762] [RFC6763].
o Copies of an existing service can be differentiated by using o Copies of an existing service can be differentiated by using
different IP addresses, either on different hosts or as different IP addresses, either on different hosts or as
different real or virtual interfaces (or even operating different real or virtual interfaces (or even operating
systems) on the same host. systems) on the same host.
o Copies of some existing services can be differentiated using o Copies of some existing services can be differentiated using
in-band information (e.g., URIs in HTTP Host field and TLS in-band information (e.g., URIs in HTTP Host field and TLS
Server Name Indication extension) [RFC2616] [RFC3546]. Server Name Indication extension) [RFC2616] [RFC3546].
o Different performance requirements can already be supported o Services requiring varying performance properties can already
using separate connections or endpoints with different be supported using separate endpoint associations (connections
capabilities or configurations. or other associations), each configured to support the desired
properties.
Port numbers are intended to differentiate services, not
performance, replicas, connections, or payload types. Port numbers
are also a very small space, so it is never appropriate to consume
port numbers to save larger spaces, such as IP addresses.
Others have noted "think twice about modifying TCP, then don't"
[RFC1263]. In this case, similar advice might be:
o Think twice before asking for an assigned port, then try not
to.
o If more than one port is desired, consider revising the Port numbers are intended to differentiate services, not variations
architecture until only one is needed, or, preferably, none. of performance, replicas, pairwise endpoint associations, or payload
types. Port numbers are also a small space compared to other
Internet number spaces; it is never appropriate to consume port
numbers to conserve larger spaces such as IP addresses.
6.1. Firewall and NAT Considerations 6.2. Firewall and NAT Considerations
Assigned ports are useful for configuring firewalls and other port- Assigned port numbers are useful for configuring firewalls and other
based systems for access control. Ultimately, these ports indicate port-based systems for access control. Ultimately, these port
services only to the endpoints, and any intermediate device that numbers indicate services only to the endpoints, and any
assigns meaning to a value can be incorrect. End systems might agree intermediate device that assigns meaning to a value can be
to run web services (HTTP) over port 53 (typically used for DNS) incorrect. End systems might agree to run web services (HTTP) over
rather than port 80, at which point a firewall that blocks port 80 port number 53 (typically used for DNS) rather than port number 80,
but permits port 53 would not have the desired effect. However, at which point a firewall that blocks port number 80 but permits
assigned ports often are important in helping configure firewalls. port number 53 would not have the desired effect. However, assigned
port numbers often are important in helping configure firewalls.
Using Dynamic ports, or explicitly-indicated ports indicated in-band Using Dynamic port numbers, or explicitly-indicated port numbers
over another service (such as with FTP) often complicates firewall indicated in-band over another service (such as with FTP) often
and NAT interactions [RFC959]. FTP over firewalls often requires complicates firewall and NAT interactions [RFC959]. FTP over
direct support for deep-packet inspection (to snoop for the Dynamic firewalls often requires direct support for deep-packet inspection
port for the NAT to correctly map) or passive-mode FTP (in which (to snoop for the Dynamic port number for the NAT to correctly map)
both connections are opened from the client side). or passive-mode FTP (in which both connections are opened from the
client side).
7. How to Use Assigned Ports 7. How to Use Assigned Port Numbers
Ports are assigned by IANA by a set of documented procedures [RFC Port numbers are assigned by IANA by a set of documented procedures
6335]. The following section describes the steps users can take to [RFC6335]. The following section describes the steps users can take
help assist with the use of assigned ports, and with preparing an to help assist with the use of assigned port numbers, and with
application for a port assignment. preparing an application for a port number assignment.
7.1. Is a port assignment necessary? 7.1. Is a port number assignment necessary?
First, it is useful to consider whether a port assignment is First, it is useful to consider whether a port number assignment is
required. In many cases, a new assignment may not be needed, for required. In many cases, a new number assignment may not be needed,
example: for example:
o Is this really a new service, or can an existing service o Is this really a new service, or can an existing service
suffice? suffice?
o Is this an experimental service [RFC3692]? If so, consider o Is this an experimental service [RFC3692]? If so, consider
using the current experimental ports [RFC2780]. using the current experimental ports [RFC2780].
o Is this service independently useful? Some systems are o Is this service independently useful? Some systems are
composed from collections of different service capabilities, composed from collections of different service capabilities,
but not all component functions are useful as independent but not all component functions are useful as independent
services. Ports are typically shared among the smallest services. Port numbers are typically shared among the smallest
independently-useful set of functions. Different service uses independently-useful set of functions. Different service uses
or properties can be supported in separate connections after or properties can be supported in separate pairwise endpoint
an initial negotiation, e.g., to support software associations after an initial negotiation, e.g., to support
decomposition. software decomposition.
o Can this service use a Dynamic port that is coordinated out- o Can this service use a Dynamic port number that is coordinated
of-band, e.g.: out-of-band, e.g.:
o By explicit configuration of both endpoints. o By explicit configuration of both endpoints.
o By shared information within the same host (e.g., a o By shared information within the same host (e.g., a
configuration file or indicated within a URI). configuration file or indicated within a URI).
o Using information exchanged on a related service: FTP, SIP, o Using information exchanged on a related service: FTP, SIP,
etc. [RFC959] [RFC2543]. etc. [RFC959] [RFC2543].
o Using an existing port discovery service: portmapper, mDNS, o Using an existing port discovery service: portmapper, mDNS,
etc. [RFC1833] [RFC6762] [RFC6763]. etc. [RFC1833] [RFC6762] [RFC6763].
There are a few good examples of reasons that more directly suggest There are a few good examples of reasons that more directly suggest
that not only is a port not necessary, but it is directly counter- that not only is a port number not necessary, but it is directly
indicated: counter-indicated:
o Ports are not for performance. Performance enhancement can o Port numbers are not intended to differentiate performance
occur within separate connections. variations within the same service, e.g., high-speed vs.
ordinary speed. Performance variations can be supported within
a single port number in context of separate pairwise endpoint
associations.
o Additional ports are not to replicate an existing service. For o Additional port numbers are not intended to replicate an
example, a device is configured using a typical web browser existing service. For example, if a device is configured to
then it is a copy of HTTP port 80 and does not warrant a new use a typical web browser then it the port number used for
that service is a copy of the http service that is already
assigned to port number 80 and does not warrant a new
assignment. However, an automated system that happens to use assignment. However, an automated system that happens to use
HTTP framing - but cannot be accessed by a browser - might be HTTP framing - but cannot be accessed by a browser - might be
a new service. A good way to tell is "can an unmodified client a new service. A good way to tell is "can an unmodified client
of the existing service interact with the proposed service"? of the existing service interact with the proposed service"?
If so, that service would be a copy of an existing service and If so, that service would be a copy of an existing service and
does not merit a new assignment. does not merit a new assignment.
o Separate ports are not for insecure versions of existing (or o Separate port numbers are not intended for insecure versions
new) secure services. Consider that a service that includes of existing (or new) secure services. A service that already
required security would be made vulnerable by having the same requires security would be made more vulnerable by having the
capability accessible without security. same capability accessible without security.
Note that the converse is different, i.e., it can be useful to Note that the converse is different, i.e., it can be useful to
create a new, secure service that replicates an existing create a new, secure service that replicates an existing
insecure service on a new port assignment. This can be insecure service on a new port number assignment. This can be
necessary when the existing service is not backward-compatible necessary when the existing service is not backward-compatible
with security enhancements, such as the use of TLS or SSL with security enhancements, such as the use of TLS [RFC5246].
[Hi95] [RFC5246].
New services should support security or should consider
optional security. A new service should not need a port for an
insecure version; at best, this would be a performance issue
(see the first bullet), and at worst this presents a new
vulnerability.
o Ports are not for indicating different service versions. o Port numbers are not intended for indicating different service
Version differentiation should be handled in-band, e.g., using versions. Version differentiation should be handled in-band,
a version number at the beginning of a connection or e.g., using a version number at the beginning of an
transaction. This may not be possible with legacy assignments, association (e.g., connection or other transaction). This may
but all new assignments should incorporate support for version not be possible with legacy assignments, but all new
indication. assignments should incorporate support for version indication.
Some users may not need assigned port numbers at all, e.g., SIP Some users may not need assigned port numbers at all, e.g., SIP
allows voice calls to use Dynamic ports [RFC2543]. Some systems can allows voice calls to use Dynamic ports [RFC2543]. Some systems can
register services in the DNS, using SRV entries. These services can register services in the DNS, using SRV entries. These services can
be discovered by a variety of means, including mDNS, or via direct be discovered by a variety of means, including mDNS, or via direct
query [RFC6762] [RFC6763]. In such cases, users can more easily query [RFC6762] [RFC6763]. In such cases, users can more easily
request a SRV name, which are assigned first-come, first-served from request a SRV name, which are assigned first-come, first-served from
a much larger namespace. a much larger namespace.
IANA assigns port numbers, but this assignment is typically used IANA assigns port numbers, but this assignment is typically used
only for servers, i.e., the host that listens for incoming only for servers, i.e., the host that listens for incoming
connections. Clients, i.e., hosts that initiate connections, connections or other associations. Clients, i.e., hosts that
typically refer to those assigned ports but do not need port initiate connections or other associations, typically refer to those
assignments for their endpoint. assigned port numbers but do not need port number assignments for
their endpoint.
7.2. How Many Ports? Finally, an assigned port number is not a guarantee of exclusive
use. Traffic for any service might appear on any port number, due to
misconfiguration or deliberate misuse. Service designers are
encouraged to validate traffic based on its content.
As noted earlier, systems might require a single port assignment, 7.2. How Many Port Numbers?
but rarely require multiple ports. There are a variety of known ways
to reduce port use. Although some may be cumbersome or inefficient, As noted earlier, systems might require a single port number
they are always preferable to consuming additional ports. assignment, but rarely require multiple port numbers. There are a
variety of known ways to reduce port number use. Although some may
be cumbersome or inefficient, they are always preferable to
consuming additional port numbers.
Such techniques include: Such techniques include:
o Use of a discovery service, either a shared service (mDNS), or o Use of a discovery service, either a shared service (mDNS), or
a discovery service for a given system [RFC6762] [RFC6763]. a discovery service for a given system [RFC6762] [RFC6763].
o Multiplex packet types using in-band information, either on a o Multiplex packet types using in-band information, either on a
per-message or per-connection basis. Such demultiplexing can per-message or per-connection basis. Such demultiplexing can
even hand-off different connections and types of connections even hand-off different messages and connections among
among different processes, such as is done with FTP [RFC959]. different processes, such as is done with FTP [RFC959].
There are some cases where it is still important to have assigned There are some cases where it is still important to have assigned
port numbers, largely to traverse either NATs or firewalls. Although port numbers, largely to traverse either NATs or firewalls. Although
automatic configuration protocols have been proposed and developed, automatic configuration protocols have been proposed and developed
system designers cannot yet rely on their presence. (e.g., STUN [RFC5389], TURN [RFC5766], and ICE [RFC5245]), system
designers cannot yet rely on their presence.
In the past, some services were assigned multiple ports or sometimes In the past, some services were assigned multiple port numbers or
fairly large port ranges (e.g., X11). This occurred for a variety of sometimes fairly large port ranges (e.g., X11). This occurred for a
reasons: port conservation was not widely understood, assignments variety of reasons: port number conservation was not as widely
were not as ardently reviewed, etc. This no longer reflects current appreciated, assignments were not as ardently reviewed, etc. This no
practice and such assignments are not considered to constitute a longer reflects current practice and such assignments are not
precedent for future assignments. considered to constitute a precedent for future assignments.
7.3. Picking a Port Number 7.3. Picking a Port Number
Given a demonstrated need for a port number assignment, the next Given a demonstrated need for a port number assignment, the next
question is how to pick the desired port number. An application for question is how to pick the desired port number. An application for
a port assignment does not need to include a desired port number; in a port number assignment does not need to include a desired port
that case, IANA will select from those currently available. number; in that case, IANA will select from those currently
available.
Users should consider whether the requested port number is Users should consider whether the requested port number is
important. For example, would an assignment be acceptable if IANA important. For example, would an assignment be acceptable if IANA
picked the port number value? Would a TCP port number assignment be picked the port number value? Would a TCP (or other transport
needed useful if the corresponding UDP one were unavailable protocol) port number assignment be useful by itself? If so, a TCP
(assuming the proposed service needed only a TCP port)? (UDP) port number can be assigned whose port number is already (or
can be subsequently) assigned to a different transport protocol.
The most critical issue in picking a number is selecting the desired The most critical issue in picking a number is selecting the desired
range, i.e., System vs. User ports. The distinction was intended to range, i.e., System vs. User port numbers. The distinction was
indicate a difference in privilege; originally, System ports intended to indicate a difference in privilege; originally, System
required privileged ('root') access, while User ports did not. That port numbers required privileged ('root') access, while User port
distinction has since blurred because some current systems do not numbers did not. That distinction has since blurred because some
limit access control to System ports and because some System current systems do not limit access control to System port numbers
services have been replicated on User numbers (e.g., IRC). Even so, and because some System services have been replicated on User
System port assignments have continued at an average rate of 3-4 per numbers (e.g., IRC). Even so, System port number assignments have
year over the past 7 years (2007-2013), indicating that the desire continued at an average rate of 3-4 per year over the past 7 years
to keep this distinction continues. (2007-2013), indicating that the desire to keep this distinction
continues.
As a result, the difference between System and User ports needs to As a result, the difference between System and User port numbers
be treated with caution. Developers are advised to treat services as needs to be treated with caution. Developers are advised to treat
if they are always run without privilege. As a result: services as if they are always run without privilege. As a result:
>> Developers SHOULD NOT apply for System ports because the >> Developers SHOULD NOT apply for System port numbers because the
increased privilege they provide is not always enforced. increased privilege they are intended to provide is not always
enforced.
Even when developers seek a System port, it may be very difficult to Even when developers seek a System port number, it may be very
obtain. System port assignment requires IETF Review or IESG Approval difficult to obtain. System port number assignment requires IETF
and justification that both User and Dynamic port ranges are Review or IESG Approval and justification that both User and Dynamic
insufficient [RFC6335]. port number ranges are insufficient [RFC6335].
>> System implementers SHOULD enforce the need for privilege for >> System implementers SHOULD enforce the need for privilege for
processes to listen on System ports. processes to listen on System port numbers.
At some future date, it might be useful to deprecate the distinction At some future date, it might be useful to deprecate the distinction
between System and User ports altogether. Services typically require between System and User port numbers altogether. Services typically
elevated ('root') privileges to bind to a System port, but many such require elevated ('root') privileges to bind to a System port
services go to great lengths to immediately drop those privileges number, but many such services go to great lengths to immediately
just after connection establishment to reduce the impact of an drop those privileges just after connection or other association
attack using their capabilities. Such services might be more establishment to reduce the impact of an attack using their
securely operated on User ports than on System ports. Further, if capabilities. Such services might be more securely operated on User
System ports were no longer assigned, it would cost only 180 of the port numbers than on System port numbers. Further, if System port
1024 system values (17%), or 180 of the overall 49152 assigned numbers were no longer assigned, as of 2014 it would cost only 180
values (<0.04%). of the 1024 System values (17%), or 180 of the overall 49152
assigned (System and User) values (<0.04%).
7.4. Support for Security 7.4. Support for Security
Just as a service is a way to obtain information or processing from Just as a service is a way to obtain information or processing from
a host over a network, an service can also be the opening through a host over a network, a service can also be the opening through
which to attack that host. Given the current state of cybersecurity which to attack that host. This vulnerability can be mitigated a
in the Internet, the following advice is prudent: number of ways:
>> New services SHOULD support security, either directly or via a >> New services SHOULD support security, either directly or via a
secure transport such as TLS [RFC5246]. secure transport such as TLS [RFC5246].
>> Insecure versions of new secure services SHOULD be avoided >> Insecure versions of new or existing secure services SHOULD be
because of the new vulnerability they create. avoided because of the new vulnerability they create.
>> When simultaneously requesting both a secure and an insecure
port, strong justification MUST be provided for the insecure port.
Precedent (citing other protocols that use an insecure port) is not
strong justification by itself. A strong case for utility of the
insecure service is REQUIRED for approval of the insecure port.
>> Security SHOULD NOT rely on port number distinctions alone; every >> Security SHOULD NOT rely on port number distinctions alone; every
service, whether secure or not, SHOULD expect to be attacked. service, whether secure or not, is likely to be attacked.
There is debate as to how to secure legacy insecure services There is debate as to how to secure legacy insecure services
[RFC6335]. Some argue that secure variants should share the existing [RFC6335]. Some argue that secure variants should share the existing
port assignment, such that security is enabled on a per-connection port number assignment, such that security is enabled on a per-
basis [RFC2817]. Others argue that security should be supported on a connection or other association basis [RFC2817]. Others argue that
new port assignment and be enabled by default. IANA currently security should be supported on a new port number assignment and be
permits either approach, although use of a single port is consistent enabled by default. IANA currently permits either approach, although
with port conservation. A separate port might be important for use of a single port number is consistent with port number
security coordination (e.g., firewall management), but this might conservation. A separate port number might be important for security
further argue for deprecation of the insecure variant. coordination (e.g., firewall management), but this might further
argue for deprecation of the insecure variant.
Optional security can penalize performance, requiring additional Optional security can penalize performance, requiring additional
round-trip exchanges before a connection can be established. As round-trip exchanges before a connection or other association can be
discussed earlier, ports are a critical resource and it is established. As discussed earlier, port numbers are a critical
inappropriate to consume assignments to increase performance. resource and it is inappropriate to consume assignments to increase
performance. As a result, the need for separate ports for both
secure and insecure variants is not justified merely for performance
- either for the connection or association establishment performance
or differences in data performance between secure and insecure
variants.
Note however that a new service might not be eligible for IANA Note however that a new service might not be eligible for IANA
assignment of both an insecure and a secure variant of the same assignment of both an insecure and a secure variant of the same
service, and similarly IANA might be skeptical of an assignment for service, and similarly IANA might be skeptical of an assignment for
an insecure port for a secure service. In both cases, security of an insecure port number for a secure service. In both cases,
the service is compromised by adding the insecure port assignment. security of the service is compromised by adding the insecure port
number assignment.
7.5. Support for Future Versions 7.5. Support for Future Versions
Current IANA assignments are expected to support the multiple Current IANA assignments are expected to support the multiple
versions on the same assigned port [RFC6335]. Versions are typically versions on the same assigned port number [RFC6335]. Versions are
indicated in-band, either at the beginning of a connection or typically indicated in-band, either at the beginning of a connection
association, or in each protocol message. or other association, or in each protocol message.
>> Version support SHOULD be included in new services. >> Version support SHOULD be included in new services.
>> Version numbers SHOULD NOT be included in either the service name >> Version numbers SHOULD NOT be included in either the service name
or service description. or service description.
Again, the port number space is far too limited to be used as an Again, the port number space is far too limited to be used as an
indicator of protocol version or message type. Although this has indicator of protocol version or message type. Although this has
happened in the past (e.g., for NFS), it should be avoided in new happened in the past (e.g., for NFS), it should be avoided in new
requests. requests.
7.6. Transport Protocols 7.6. Transport Protocols
IANA assigns port numbers specific to one or more transport IANA assigns port numbers specific to one or more transport
protocols, typically UDP and TCP, but also SCTP, DCCP, and any other protocols, typically UDP and TCP, but also SCTP, DCCP, and any other
standard transport protocol [RFC768] [RFC793] [RFC4340] [RFC4960]. standard transport protocol [RFC768] [RFC793] [RFC4340] [RFC4960].
Originally, IANA port assignments were concurrent for both UDP and Originally, IANA port number assignments were concurrent for both
TCP; other transports were not indicated. However, to conserve space UDP and TCP; other transports were not indicated. However, to
and to reflect increasing use of other transports, assignments are conserve space and to reflect increasing use of other transports,
now specific only to the transport being used. assignments are now specific only to the transport being used.
In general, a service should request assignments for multiple In general, a service should request assignments for multiple
transports using the same service name and description on the same transports using the same service name and description on the same
port number only when they all reflect essentially the same service. port number only when they all reflect essentially the same service.
Good examples of such use are DNS and NFS, where the difference Good examples of such use are DNS and NFS, where the difference
between the UDP and TCP services are specific to supporting each between the UDP and TCP services are specific to supporting each
transport. E.g., the UDP variant of a service might add sequence transport. E.g., the UDP variant of a service might add sequence
numbers and the TCP variant of the same service might add in-band numbers and the TCP variant of the same service might add in-band
message delimiters. message delimiters. This document does not describe the appropriate
selection of a transport protocol for a service.
>> Service names and descriptions for multiple transport port >> Service names and descriptions for multiple transport port number
assignments SHOULD match only when they describe the same service, assignments SHOULD match only when they describe the same service,
excepting only enhancements for each supported transport. excepting only enhancements for each supported transport.
When the services differ, their service names and descriptions When the services differ, their service names and descriptions
should reflect that difference. E.g., if TCP is used for the basic should reflect that difference. E.g., if TCP is used for the basic
control protocol and UDP for an alarm protocol, then the services control protocol and UDP for an alarm protocol, then the services
might be "name-ctl" and "name-alarm". A common example is when TCP might be "name-ctl" and "name-alarm". A common example is when TCP
is used for a service and UDP is used to determine whether that is used for a service and UDP is used to determine whether that
service is active (e.g., via a unicast, broadcast, or multicast test service is active (e.g., via a unicast, broadcast, or multicast test
message) [RFC1122]. The following convention has been used by IANA message) [RFC1122]. The following convention has been used by IANA
for several years to indicate this case: for several years to distinguish discovery services, such as are
used to identify endpoints capable of a given service:
>> When UDP is used for discovery of an active TCP service, the UDP >> Names of discovery services SHOULD use an identifiable suffix;
service name SHOULD end in "-disc". the suggestion is "-disc".
Some services are used for discovery, either in conjunction with a Some services are used for discovery, either in conjunction with a
TCP service or as a stand-alone capability. Such services will be TCP service or as a stand-alone capability. Such services will be
more reliable when using multicast rather than broadcast (over IPv4) more reliable when using multicast rather than broadcast (over IPv4)
because IP routers do not forward "all nodes" (all 1's, i.e., because IP routers do not forward "all nodes" (all 1's, i.e.,
255.255.255.255 for IPv4) broadcasts and have not been required to 255.255.255.255 for IPv4) broadcasts and have not been required to
support subnet-directed broadcasts since 1999 [RFC1812] [RFC2644]. support subnet-directed broadcasts since 1999 [RFC1812] [RFC2644].
This issue is relevant only for IPv4 because IPv6 does not support This issue is relevant only for IPv4 because IPv6 does not support
broadcast. broadcast.
>> UDP over IPv4 multi-host services SHOULD use multicast rather >> UDP over IPv4 multi-host services SHOULD use multicast rather
than broadcast. than broadcast.
Designers should be very careful in creating services over Designers should be very careful in creating services over
transports that do not support congestion control or error recovery, transports that do not support congestion control or error recovery,
notably UDP. There are several issues that should be considered in notably UDP. There are several issues that should be considered in
such cases, each summarized from [RFC5405]: such cases, as summarized in Table 1 in [RFC5405]. In addition, the
following recommendations apply to service design:
>> UDP services SHOULD be rate limited so that they use only nominal
network capacity. Users should keep in mind that "nominal" may vary
depending on the deployment environment and may be very low.
>> UDP services that use multipoint communication SHOULD be >> Services that use multipoint communication SHOULD be scalable,
scalable, and SHOULD NOT rely solely on the efficiency of multicast and SHOULD NOT rely solely on the efficiency of multicast
transmission for scalability. transmission for scalability.
>> UDP services SHOULD include congestion detection and back-off. >> Services SHOULD NOT use UDP as a performance enhancement over
TCP, i.e., to circumnavigate TCP's congestion control.
>> UDP SHOULD NOT be used as a performance enhancement over TCP,
i.e., to circumnavigate TCP's congestion control.
7.7. When to Request an Assignment 7.7. When to Request an Assignment
Assignments are typically requested when a user has enough Assignments are typically requested when a user has enough
information to reasonably answer the questions in the IANA information to reasonably answer the questions in the IANA
application. IANA applications typically take up to a few weeks to application. IANA applications typically take up to a few weeks to
process, with some complex cases taking up to a month. The process process, with some complex cases taking up to a month. The process
typically involves a few exchanges between the IANA Ports Expert typically involves a few exchanges between the IANA Ports Expert
Review team and the applicant. Review team and the applicant.
An application needs to include a description of the service, as An application needs to include a description of the service, as
well as to address key questions designed to help IANA determine well as to address key questions designed to help IANA determine
whether the assignment is justified. whether the assignment is justified. The application should be
complete and not refer solely to the Internet Draft, RFC, a website,
or any other external documentation.
Services that are independently developed can be requested at any Services that are independently developed can be requested at any
time, but are typically best requested in the last stages of design time, but are typically best requested in the last stages of design
and initial experimentation, before any deployment has occurred that and initial experimentation, before any deployment has occurred that
cannot easily be updated. cannot easily be updated.
>> Users MUST NOT deploy implementations that use assigned ports >> Users MUST NOT deploy implementations that use assigned port
prior their assignment by IANA. numbers prior their assignment by IANA.
>> Users MUST NOT deploy implementations that default to using the >> Users MUST NOT deploy implementations that default to using the
experimental System ports (1021 and 1022 [RFC4727]) outside a experimental System port numbers (1021 and 1022 [RFC4727]) outside a
controlled environment where they can be updated with a subsequent controlled environment where they can be updated with a subsequent
assigned port [RFC3692]. assigned port [RFC3692].
Deployments that use ports before deployment complicate IANA Deployments that use port numbers before deployment complicate IANA
management of the port space. Keep in mind that this recommendation management of the port number space. Keep in mind that this
protects existing assignees, users of current services, and recommendation protects existing assignees, users of current
applicants for new assignments; it helps ensure that a desired services, and applicants for new assignments; it helps ensure that a
number and service name are available when assigned. The list of desired number and service name are available when assigned. The
currently unassigned numbers is just that - *currently* unassigned. list of currently unassigned numbers is just that - *currently*
It does not reflect pending applications. Waiting for an official unassigned. It does not reflect pending applications. Waiting for an
IANA assignment reduces the chance that an assignment request will official IANA assignment reduces the chance that an assignment
conflict with another deployed service. request will conflict with another deployed service.
Applications made through Internet Draft / RFC publication typically Applications made through Internet Draft / RFC publication (in an
use a placeholder ("PORTNUM") in the text, and use an experimental stream) typically use a placeholder ("PORTNUM") in the text, and
port number until a final assignment has been made [RFC6335]. That implementations use an experimental port number until a final
assignment is initially indicated in the IANA Considerations section assignment has been made [RFC6335]. That assignment is initially
of the document, and is tracked by the RFC Editor. When the RFC indicated in the IANA Considerations section of the document, which
reaches the last stages of publication, that request is forwarded to is tracked by the RFC Editor. When a document has been approved for
IANA for handling. At that time, IANA typically requests that the publication and proceeds to IESG Approval, that request is forwarded
applicant fill out the application form on their website, because to IANA for handling. IANA will make the new assignment accordingly.
not every protocol document addresses the information required. At that time, IANA may also request that the applicant fill out the
"Early" assignments can be made when justified, e.g., for early application form on their website, e.g., when the RFC does not
directly address the information expected as per [RFC6335]. "Early"
assignments can be made when justified, e.g., for early
interoperability testing, according to existing process [RFC4020] interoperability testing, according to existing process [RFC4020]
[RFC6335]. [RFC6335].
Using this single application process also ensures that IANA has
complete information even if the RFC publication is interrupted. For
this reason as well, the application should be complete and not
refer solely to the Internet Draft, RFC, a website, or any other
external documentation.
>> Users writing specifications SHOULD use symbolic names for port >> Users writing specifications SHOULD use symbolic names for port
numbers and service names until an IANA assignment has been numbers and service names until an IANA assignment has been
completed. completed. Implementations SHOULD use experimental port numbers
during this time, but those numbers MUST NOT be cited in
documentation except as interim.
7.8. Squatting 7.8. Squatting
"Squatting" describes the use of a number from the assigned range in "Squatting" describes the use of a number from the assigned range in
deployed software without IANA assignment. It is hazardous because deployed software without IANA assignment. It is hazardous because
IANA cannot track such usage and thus cannot avoid making legitimate IANA cannot track such usage and thus cannot avoid making legitimate
assignments that conflict with such unauthorized usage. assignments that conflict with such unauthorized usage.
Note that there are numerous services that have squatted on such Such "squatted" port numbers remain unassigned, and IANA retains the
numbers that are in widespread use. Even such widespread de-facto right to assign them when requested by applicants. Protocol
use may not justify a later IANA assignment of that value, designers are reminded that is never appropriate to use port numbers
especially if either the value has already been assigned to a that have not been directly assigned [RFC6335]. In particular, any
legitimate applicant or if the service would not qualify for an unassigned code from the assigned ranges will be assigned by IANA,
assignment of its own accord. and any conflict will be easily resolved as the protocol designer's
fault once that happens (because they would not be the assignee).
This may reflect in the public's judgment on the quality of their
expertise and cooperation with the Internet community.
Regardless, there are numerous services that have squatted on such
numbers that are in widespread use. Designers who are using such
port numbers are encouraged to apply for an assignment. Note that
even widespread de-facto use may not justify a later IANA assignment
of that value, especially if either the value has already been
assigned to a legitimate applicant or if the service would not
qualify for an assignment of its own accord.
7.9. Other Considerations 7.9. Other Considerations
As noted earlier, System ports should be used sparingly, and it is As noted earlier, System port numbers should be used sparingly, and
better to avoid them altogether. This avoids the potentially it is better to avoid them altogether. This avoids the potentially
incorrect assumption that the service on such ports run in a incorrect assumption that the service on such port numbers run in a
privileged mode. privileged mode.
Port names and numbers are not intended to be changed. Once Port numbers are not intended to be changed; this includes the
deployed, it can be very difficult to recall every implementation, corresponding service name. Once deployed, it can be very difficult
so the assignment should be retained. However, in cases where the to recall every implementation, so the assignment should be
current assignee of a name or number has reasonable knowledge of the retained. However, in cases where the current assignee of a name or
impact on such uses, and is willing to accept that impact, the name number has reasonable knowledge of the impact on such uses, and is
or number of an assignment can be changed [RFC6335] willing to accept that impact, the name or number of an assignment
can be changed [RFC6335]
Aliases, or multiple service names for the same port number, are no Aliases, or multiple service names for the same port number, are no
longer considered appropriate [RFC6335]. longer considered appropriate [RFC6335].
8. Security Considerations 8. Security Considerations
This document discusses ways to conserve port numbers, notably This document discusses ways to conserve port numbers, notably
through encouraging demultiplexing within a single port. As such, through encouraging demultiplexing within a single port number. As
there may be cases where two variants of a protocol - insecure and such, there may be cases where two variants of a protocol - insecure
secure (such as using optional TLS) or different versions - are and secure (such as using optional TLS) or different versions - are
suggested to share the same port. suggested to share the same port number.
This document reminds protocol designers that port numbers are not a This document reminds protocol designers that port numbers do not
substitute for security, and should not alone be used to avoid protect against denial of service overload or guarantee that traffic
denial of service or firewall traffic, notably because their use is should be trusted. Using assigned numbers for port filtering isn't a
not regulated or validated. substitute for authentication, encryption, and integrity protection.
The port number alone should not be used to avoid denial of service
or firewall traffic because their use is not regulated or validated.
9. IANA Considerations 9. IANA Considerations
The entirety of this document focuses on IANA issues, notably The entirety of this document focuses on IANA issues, notably
suggestions that help ensure the conservation of port numbers and suggestions that help ensure the conservation of port numbers and
provide useful hints for issuing informative requests thereof. provide useful hints for issuing informative requests thereof.
10. References 10. References
10.1. Normative References 10.1. Normative References
skipping to change at page 17, line 23 skipping to change at page 19, line 7
Nov. 2008. Nov. 2008.
[RFC6335] Cotton, M., L. Eggert, J. Touch, M. Westerlund, and S. [RFC6335] Cotton, M., L. Eggert, J. Touch, M. Westerlund, and S.
Cheshire, "Internet Assigned Numbers Authority (IANA) Cheshire, "Internet Assigned Numbers Authority (IANA)
Procedures for the Management of the Service Name and Procedures for the Management of the Service Name and
Transport Protocol Port Number Registry", BCP 165, RFC Transport Protocol Port Number Registry", BCP 165, RFC
6335, August 2011. 6335, August 2011.
10.2. Informative References 10.2. Informative References
[Hi95] Hickman, K., "The SSL Protocol", February 1995.
[IEN112] Postel, J., "Transmission Control Protocol", IEN 112, [IEN112] Postel, J., "Transmission Control Protocol", IEN 112,
August 1979. August 1979.
[RFC33] Crocker, S., "New Host-Host Protocol", RFC 33 February [RFC33] Crocker, S., "New Host-Host Protocol", RFC 33 February
1970. 1970.
[RFC37] Crocker, S., "Network Meeting Epilogue", RFC 37, March [RFC37] Crocker, S., "Network Meeting Epilogue", RFC 37, March
1970. 1970.
[RFC38] Wolfe, S., "Comments on Network Protocol from NWG/RFC [RFC38] Wolfe, S., "Comments on Network Protocol from NWG/RFC
skipping to change at page 18, line 24 skipping to change at page 20, line 5
[RFC900] Reynolds, J., and J. Postel, "Assigned numbers", RFC 900, [RFC900] Reynolds, J., and J. Postel, "Assigned numbers", RFC 900,
June 1984. June 1984.
[RFC959] Postel, J., and J. Reynolds, "FILE TRANSFER PROTOCOL [RFC959] Postel, J., and J. Reynolds, "FILE TRANSFER PROTOCOL
(FTP)", RFC 959, October 1985. (FTP)", RFC 959, October 1985.
[RFC1122] Braden, B. (Ed.), "Requirements for Internet Hosts -- [RFC1122] Braden, B. (Ed.), "Requirements for Internet Hosts --
Communication Layers", RFC 1122, October 1989. Communication Layers", RFC 1122, October 1989.
[RFC1263] O'Malley, S., and L. Peterson, "TCP Extensions Considered
Harmful", RFC 1263, October 1991.
[RFC1340] Reynolds, J., and J. Postel, "Assigned numbers", RFC 1340, [RFC1340] Reynolds, J., and J. Postel, "Assigned numbers", RFC 1340,
July 1992. July 1992.
[RFC1700] Reynolds, J., and J. Postel, "Assigned numbers", RFC 1700, [RFC1700] Reynolds, J., and J. Postel, "Assigned numbers", RFC 1700,
October 1994. October 1994.
[RFC1812] Baker, F. (Ed.), "Requirements for IP Version 4 Routers", [RFC1812] Baker, F. (Ed.), "Requirements for IP Version 4 Routers",
RFC 1812, June 1995. RFC 1812, June 1995.
[RFC1833] Srinivasan, R., "Binding Protocols for ONC RPC Version 2", [RFC1833] Srinivasan, R., "Binding Protocols for ONC RPC Version 2",
skipping to change at page 19, line 21 skipping to change at page 20, line 47
[RFC4020] Kompella, K. and A. Zinin, "Early IANA Allocation of [RFC4020] Kompella, K. and A. Zinin, "Early IANA Allocation of
Standards Track Code Points", BCP 100, RFC 4020, February Standards Track Code Points", BCP 100, RFC 4020, February
2005. 2005.
[RFC4340] Kohler, E., M. Handley, and S. Floyd, "Datagram Congestion [RFC4340] Kohler, E., M. Handley, and S. Floyd, "Datagram Congestion
Control Protocol (DCCP)", RFC 4340, March 2006. Control Protocol (DCCP)", RFC 4340, March 2006.
[RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol", [RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol",
RFC 4960, September 2007. RFC 4960, September 2007.
[RFC5245] Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Protocol for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols", RFC 5245, April
2010.
[RFC5246] Dierks, T., and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T., and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5389] Rosenberg, J., R. Mahy, P. Matthews, and D. Wing, "Session
Traversal Utilities for NAT", RFC 5389, October 2008.
[RFC5766] Mahy, R., P. Matthews, and J. Rosenberg, "Traversal Using
Relays around NAT (TURN): Relay Extensions to Session
Traversal Utilities for NAT (STUN)", RFC 5766, April 2010.
[RFC6762] Cheshire, S., and M. Krochmal, "Multicast DNS", RFC 6762, [RFC6762] Cheshire, S., and M. Krochmal, "Multicast DNS", RFC 6762,
February 2013. February 2013.
[RFC6763] Cheshire, S., and M. Krochmal, "DNS-Based Service [RFC6763] Cheshire, S., and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, February 2013. Discovery", RFC 6763, February 2013.
11. Acknowledgments 11. Acknowledgments
This work benefitted from the feedback from Lars Eggert, Gorry This work benefitted from the feedback from Lars Eggert, Gorry
Fairhurst, and Eliot Lear, as well as discussions of the IETF TSVWG Fairhurst, and Eliot Lear, as well as discussions of the IETF TSVWG
 End of changes. 96 change blocks. 
368 lines changed or deleted 454 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/