draft-ietf-tsvwg-port-use-06.txt   draft-ietf-tsvwg-port-use-07.txt 
TSVWG J. Touch TSVWG J. Touch
Internet Draft USC/ISI Internet Draft USC/ISI
Intended status: Best Current Practice November 11, 2014 Intended status: Best Current Practice January 23, 2015
Expires: May 2015 Expires: July 2015
Recommendations for Transport Port Number Uses Recommendations for Transport Port Number Uses
draft-ietf-tsvwg-port-use-06.txt draft-ietf-tsvwg-port-use-07.txt
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 31 skipping to change at page 1, line 31
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on May 11, 2015. This Internet-Draft will expire on July 23, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License. warranty as described in the Simplified BSD License.
Abstract Abstract
This document provides recommendations to application and service This document provides recommendations to application and service
designers on how to use the transport protocol port number space. IT designers on how to use the transport protocol port number space. It
complements (but does not update) RFC6335, which focuses on IANA complements (but does not update) RFC6335, which focuses on IANA
process. process.
Table of Contents Table of Contents
1. Introduction...................................................2 1. Introduction...................................................2
2. Conventions used in this document..............................3 2. Conventions used in this document..............................3
3. History........................................................3 3. History........................................................3
4. Current Port Number Use........................................4 4. Current Port Number Use........................................4
5. What is a Port Number?.........................................5 5. What is a Port Number?.........................................5
skipping to change at page 2, line 41 skipping to change at page 2, line 41
7.9. Other Considerations.....................................17 7.9. Other Considerations.....................................17
8. Security Considerations.......................................18 8. Security Considerations.......................................18
9. IANA Considerations...........................................18 9. IANA Considerations...........................................18
10. References...................................................18 10. References...................................................18
10.1. Normative References....................................18 10.1. Normative References....................................18
10.2. Informative References..................................19 10.2. Informative References..................................19
11. Acknowledgments..............................................21 11. Acknowledgments..............................................21
1. Introduction 1. Introduction
This document provides information and advice to system designers on This document provides information and advice to application and
the use of transport port numbers. It provides a detailed historical service designers on the use of transport port numbers. It provides
background of the evolution of transport port numbers and their a detailed historical background of the evolution of transport port
multiple meanings. It also provides specific recommendations to numbers and their multiple meanings. It also provides specific
system designers on how to use assigned port numbers. Note that this recommendations to designers on how to use assigned port numbers.
document provides information to potential port number applicants Note that this document provides information to potential port
that complements the IANA process described in BCP165 [RFC6335], but number applicants that complements the IANA process described in
it does not update that document. BCP165 [RFC6335], but it does not update that document.
2. Conventions used in this document 2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119]. document are to be interpreted as described in RFC-2119 [RFC2119].
In this document, these words will appear with that interpretation In this document, these words will appear with that interpretation
only when in ALL CAPS. Lower case uses of these words are not to be only when in ALL CAPS. Lower case uses of these words are not to be
interpreted as carrying RFC-2119 significance. interpreted as carrying RFC-2119 significance.
skipping to change at page 5, line 9 skipping to change at page 5, line 9
on-line version, as of [RFC3232] in 2002. on-line version, as of [RFC3232] in 2002.
4. Current Port Number Use 4. Current Port Number Use
RFC6335 indicates three ranges of port number assignments: RFC6335 indicates three ranges of port number assignments:
Binary Hex Binary Hex
----------------------------------------------------------- -----------------------------------------------------------
0-1023 0x03FF System (also Well-Known) 0-1023 0x0000-0x03FF System (also Well-Known)
1024-49151 0x0400-0xBFFF User (also Registered) 1024-49151 0x0400-0xBFFF User (also Registered)
49152-65535 0xC000-0xFFFF Dynamic (also Private) 49152-65535 0xC000-0xFFFF Dynamic (also Private)
System (also Well-Known) encompasses the range 0..1023. On some System (also Well-Known) encompasses the range 0..1023. On some
systems, use of these port numbers requires privileged access, e.g., systems, use of these port numbers requires privileged access, e.g.,
that the process run as 'root' (i.e., as a privileged user), which that the process run as 'root' (i.e., as a privileged user), which
is why these are referred to as System port numbers. The port is why these are referred to as System port numbers. The port
numbers from 1024..49151 denotes non-privileged services, known as numbers from 1024..49151 denotes non-privileged services, known as
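Review bot: the right-hand table entry 0x0000-0x03FF for System correctly repairs the left's truncated 0x03FF, but the column header on both sides still reads "Binary Hex" over what are in fact decimal and hexadecimal columns; suggest "Decimal Hex". Unchanged on both sides, "The port numbers from 1024..49151 denotes non-privileged services" should read "denote".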
skipping to change at page 10, line 17 skipping to change at page 10, line 17
ordinary speed. Performance variations can be supported within ordinary speed. Performance variations can be supported within
a single port number in context of separate pairwise endpoint a single port number in context of separate pairwise endpoint
associations. associations.
o Additional port numbers are not intended to replicate an o Additional port numbers are not intended to replicate an
existing service. For example, if a device is configured to existing service. For example, if a device is configured to
use a typical web browser then it the port number used for use a typical web browser then it the port number used for
that service is a copy of the http service that is already that service is a copy of the http service that is already
assigned to port number 80 and does not warrant a new assigned to port number 80 and does not warrant a new
assignment. However, an automated system that happens to use assignment. However, an automated system that happens to use
HTTP framing - but cannot be accessed by a browser - might be HTTP framing - but is not primarily accessed by a browser -
a new service. A good way to tell is "can an unmodified client might be a new service. A good way to tell is "can an
of the existing service interact with the proposed service"? unmodified client of the existing service interact with the
If so, that service would be a copy of an existing service and proposed service"? If so, that service would be a copy of an
would not merit a new assignment. existing service and would not merit a new assignment.
o Port numbers not intended for intra-machine communication. o Port numbers not intended for intra-machine communication.
Such communication can already be supported by internal Such communication can already be supported by internal
mechanisms (interprocess communication, shared memory, shared mechanisms (interprocess communication, shared memory, shared
files, etc.). When Internet communication within a host is files, etc.). When Internet communication within a host is
desired, the server can bind to a Dynamic port that is desired, the server can bind to a Dynamic port that is
indicated to the client using these internal mechanisms. indicated to the client using these internal mechanisms.
o Separate port numbers are not intended for insecure versions o Separate port numbers are not intended for insecure versions
of existing (or new) secure services. A service that already of existing (or new) secure services. A service that already
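Review bot: both columns keep a stray "it" in "if a device is configured to use a typical web browser then it the port number used for that service"; suggest "then the port number used for that service". The right-hand change from "cannot be accessed by a browser" to "is not primarily accessed by a browser" loosens the test that immediately follows ("can an unmodified client of the existing service interact with the proposed service?"), since a service a browser can still reach would answer yes; consider keeping the two sentences consistent. The bullet "Port numbers not intended for intra-machine communication" is also missing its verb ("are not intended").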
skipping to change at page 11, line 17 skipping to change at page 11, line 17
IANA assigns port numbers, but this assignment is typically used IANA assigns port numbers, but this assignment is typically used
only for servers, i.e., the host that listens for incoming only for servers, i.e., the host that listens for incoming
connections or other associations. Clients, i.e., hosts that connections or other associations. Clients, i.e., hosts that
initiate connections or other associations, typically refer to those initiate connections or other associations, typically refer to those
assigned port numbers but do not need port number assignments for assigned port numbers but do not need port number assignments for
their endpoint. their endpoint.
Finally, an assigned port number is not a guarantee of exclusive Finally, an assigned port number is not a guarantee of exclusive
use. Traffic for any service might appear on any port number, due to use. Traffic for any service might appear on any port number, due to
misconfiguration or deliberate misuse. Service designers are misconfiguration or deliberate misuse. Application and service
encouraged to validate traffic based on its content. designers are encouraged to validate traffic based on its content.
7.2. How Many Port Numbers? 7.2. How Many Port Numbers?
As noted earlier, systems might require a single port number As noted earlier, systems might require a single port number
assignment, but rarely require multiple port numbers. There are a assignment, but rarely require multiple port numbers. There are a
variety of known ways to reduce port number use. Although some may variety of known ways to reduce port number use. Although some may
be cumbersome or inefficient, they are always preferable to be cumbersome or inefficient, they are always preferable to
consuming additional port numbers. consuming additional port numbers.
Such techniques include: Such techniques include:
skipping to change at page 11, line 41 skipping to change at page 11, line 41
a discovery service for a given system [RFC6762] [RFC6763]. a discovery service for a given system [RFC6762] [RFC6763].
o Multiplex packet types using in-band information, either on a o Multiplex packet types using in-band information, either on a
per-message or per-connection basis. Such demultiplexing can per-message or per-connection basis. Such demultiplexing can
even hand-off different messages and connections among even hand-off different messages and connections among
different processes, such as is done with FTP [RFC959]. different processes, such as is done with FTP [RFC959].
There are some cases where it is still important to have assigned There are some cases where it is still important to have assigned
port numbers, largely to traverse either NATs or firewalls. Although port numbers, largely to traverse either NATs or firewalls. Although
automatic configuration protocols have been proposed and developed automatic configuration protocols have been proposed and developed
(e.g., STUN [RFC5389], TURN [RFC5766], and ICE [RFC5245]), system (e.g., STUN [RFC5389], TURN [RFC5766], and ICE [RFC5245]),
designers cannot yet rely on their presence. application and service designers cannot yet rely on their presence.
In the past, some services were assigned multiple port numbers or In the past, some services were assigned multiple port numbers or
sometimes fairly large port ranges (e.g., X11). This occurred for a sometimes fairly large port ranges (e.g., X11). This occurred for a
variety of reasons: port number conservation was not as widely variety of reasons: port number conservation was not as widely
appreciated, assignments were not as ardently reviewed, etc. This no appreciated, assignments were not as ardently reviewed, etc. This no
longer reflects current practice and such assignments are not longer reflects current practice and such assignments are not
considered to constitute a precedent for future assignments. considered to constitute a precedent for future assignments.
7.3. Picking a Port Number 7.3. Picking a Port Number
skipping to change at page 13, line 39 skipping to change at page 13, line 39
insecure service is REQUIRED for approval of the insecure port. insecure service is REQUIRED for approval of the insecure port.
>> Security SHOULD NOT rely on port number distinctions alone; every >> Security SHOULD NOT rely on port number distinctions alone; every
service, whether secure or not, is likely to be attacked. service, whether secure or not, is likely to be attacked.
There is debate as to how to secure legacy insecure services There is debate as to how to secure legacy insecure services
[RFC6335]. Some argue that secure variants should share the existing [RFC6335]. Some argue that secure variants should share the existing
port number assignment, such that security is enabled on a per- port number assignment, such that security is enabled on a per-
connection or other association basis [RFC2817]. Others argue that connection or other association basis [RFC2817]. Others argue that
security should be supported on a new port number assignment and be security should be supported on a new port number assignment and be
enabled by default. IANA currently permits either approach, although enabled by default. Either approach is currently permitted, although
use of a single port number is consistent with port number use of a single port number is consistent with port number
conservation. A separate port number might be important for security conservation. A separate port number might be important for security
coordination (e.g., firewall management), but this might further coordination (e.g., firewall management), but this might further
argue for deprecation of the insecure variant. argue for deprecation of the insecure variant.
Optional security can penalize performance, requiring additional Optional security can penalize performance, requiring additional
round-trip exchanges before a connection or other association can be round-trip exchanges before a connection or other association can be
established. As discussed earlier, port numbers are a critical established. As discussed earlier, port numbers are a critical
resource and it is inappropriate to consume assignments to increase resource and it is inappropriate to consume assignments to increase
performance. As a result, the need for separate ports for both performance. As a result, the need for separate ports for both
secure and insecure variants is not justified merely for performance secure and insecure variants is not justified merely for performance
- either for the connection or association establishment performance - either for the connection or association establishment performance
or differences in data performance between secure and insecure or differences in data performance between secure and insecure
variants. variants.
Note however that a new service might not be eligible for IANA Note however that a new service might not be eligible for IANA
assignment of both an insecure and a secure variant of the same assignment of both an insecure and a secure variant of the same
service, and similarly IANA might be skeptical of an assignment for service, and similarly applications requesting assignment for both
an insecure port number for a secure service. In both cases, an insecure port number for a secure service might not be
security of the service is compromised by adding the insecure port appropriate. In both cases, security of the service is compromised
number assignment. by adding the insecure port number assignment.
7.5. Support for Future Versions 7.5. Support for Future Versions
Current IANA assignments are expected to support the multiple Current IANA assignments are expected to support the multiple
versions on the same assigned port number [RFC6335]. Versions are versions on the same assigned port number [RFC6335]. Versions are
typically indicated in-band, either at the beginning of a connection typically indicated in-band, either at the beginning of a connection
or other association, or in each protocol message. or other association, or in each protocol message.
>> Version support SHOULD be included in new services. >> Version support SHOULD be included in new services.
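Review bot: the right-hand rewording in the paragraph beginning "Note however that a new service might not be eligible" leaves a dangling "for both" ("applications requesting assignment for both an insecure port number for a secure service might not be appropriate"); suggest "and similarly a request for an insecure port number for a secure service might not be appropriate". The change from "IANA currently permits either approach" to "Either approach is currently permitted" drops who permits it; citing [RFC6335] there would keep the statement grounded. The ">> Security SHOULD NOT rely on port number distinctions alone" requirement is unchanged and consistent with the Security Considerations section.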
skipping to change at page 16, line 37 skipping to change at page 16, line 37
Deployments that use port numbers before deployment complicate IANA Deployments that use port numbers before deployment complicate IANA
management of the port number space. Keep in mind that this management of the port number space. Keep in mind that this
recommendation protects existing assignees, users of current recommendation protects existing assignees, users of current
services, and applicants for new assignments; it helps ensure that a services, and applicants for new assignments; it helps ensure that a
desired number and service name are available when assigned. The desired number and service name are available when assigned. The
list of currently unassigned numbers is just that - *currently* list of currently unassigned numbers is just that - *currently*
unassigned. It does not reflect pending applications. Waiting for an unassigned. It does not reflect pending applications. Waiting for an
official IANA assignment reduces the chance that an assignment official IANA assignment reduces the chance that an assignment
request will conflict with another deployed service. request will conflict with another deployed service.
Applications made through Internet Draft / RFC publication (in an Applications made through Internet Draft / RFC publication (in any
stream) typically use a placeholder ("PORTNUM") in the text, and stream) typically use a placeholder ("PORTNUM") in the text, and
implementations use an experimental port number until a final implementations use an experimental port number until a final
assignment has been made [RFC6335]. That assignment is initially assignment has been made [RFC6335]. That assignment is initially
indicated in the IANA Considerations section of the document, which indicated in the IANA Considerations section of the document, which
is tracked by the RFC Editor. When a document has been approved for is tracked by the RFC Editor. When a document has been approved for
publication and proceeds to IESG Approval, that request is forwarded publication and proceeds to IESG Approval, that request is forwarded
to IANA for handling. IANA will make the new assignment accordingly. to IANA for handling. IANA will make the new assignment accordingly.
At that time, IANA may also request that the applicant fill out the At that time, IANA may also request that the applicant fill out the
application form on their website, e.g., when the RFC does not application form on their website, e.g., when the RFC does not
directly address the information expected as per [RFC6335]. "Early" directly address the information expected as per [RFC6335]. "Early"
skipping to change at page 17, line 19 skipping to change at page 17, line 19
documentation except as interim. documentation except as interim.
7.8. Squatting 7.8. Squatting
"Squatting" describes the use of a number from the assigned range in "Squatting" describes the use of a number from the assigned range in
deployed software without IANA assignment. It is hazardous because deployed software without IANA assignment. It is hazardous because
IANA cannot track such usage and thus cannot avoid making legitimate IANA cannot track such usage and thus cannot avoid making legitimate
assignments that conflict with such unauthorized usage. assignments that conflict with such unauthorized usage.
Such "squatted" port numbers remain unassigned, and IANA retains the Such "squatted" port numbers remain unassigned, and IANA retains the
right to assign them when requested by applicants. Protocol right to assign them when requested by applicants. Application and
designers are reminded that is never appropriate to use port numbers service designers are reminded that is never appropriate to use port
that have not been directly assigned [RFC6335]. In particular, any numbers that have not been directly assigned [RFC6335]. In
unassigned code from the assigned ranges will be assigned by IANA, particular, any unassigned code from the assigned ranges will be
and any conflict will be easily resolved as the protocol designer's assigned by IANA, and any conflict will be easily resolved as the
fault once that happens (because they would not be the assignee). protocol designer's fault once that happens (because they would not
This may reflect in the public's judgment on the quality of their be the assignee). This may reflect in the public's judgment on the
expertise and cooperation with the Internet community. quality of their expertise and cooperation with the Internet
community.
Regardless, there are numerous services that have squatted on such Regardless, there are numerous services that have squatted on such
numbers that are in widespread use. Designers who are using such numbers that are in widespread use. Designers who are using such
port numbers are encouraged to apply for an assignment. Note that port numbers are encouraged to apply for an assignment. Note that
even widespread de-facto use may not justify a later IANA assignment even widespread de-facto use may not justify a later IANA assignment
of that value, especially if either the value has already been of that value, especially if either the value has already been
assigned to a legitimate applicant or if the service would not assigned to a legitimate applicant or if the service would not
qualify for an assignment of its own accord. qualify for an assignment of its own accord.
7.9. Other Considerations 7.9. Other Considerations
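Review bot: both columns drop a word in "designers are reminded that is never appropriate to use port numbers that have not been directly assigned"; suggest "that it is never appropriate". The right column's change in this block is otherwise a reflow after substituting "Application and service designers" for "Protocol designers", though "protocol designer's fault" later in the same paragraph was not updated to match.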
skipping to change at page 18, line 15 skipping to change at page 18, line 15
longer considered appropriate [RFC6335]. longer considered appropriate [RFC6335].
8. Security Considerations 8. Security Considerations
This document discusses ways to conserve port numbers, notably This document discusses ways to conserve port numbers, notably
through encouraging demultiplexing within a single port number. As through encouraging demultiplexing within a single port number. As
such, there may be cases where two variants of a protocol - insecure such, there may be cases where two variants of a protocol - insecure
and secure (such as using optional TLS) or different versions - are and secure (such as using optional TLS) or different versions - are
suggested to share the same port number. suggested to share the same port number.
This document reminds protocol designers that port numbers do not This document reminds application and service designers that port
protect against denial of service overload or guarantee that traffic numbers do not protect against denial of service overload or
should be trusted. Using assigned numbers for port filtering isn't a guarantee that traffic should be trusted. Using assigned numbers for
substitute for authentication, encryption, and integrity protection. port filtering isn't a substitute for authentication, encryption,
The port number alone should not be used to avoid denial of service and integrity protection. The port number alone should not be used
or firewall traffic because their use is not regulated or validated. to avoid denial of service or firewall traffic because their use is
not regulated or validated.
The use of assigned port numbers is the antithesis of privacy
because they are intended to explicitly indicate the desired
application or service. Strictly, port numbers are meaningful only
at the endpoints, so any interpretation elsewhere in the network can
be arbitrarily incorrect. However, those numbers can also expose
information about available services on a given host. This
information can be used by intermediate devices to monitor and
intercept traffic as well as to potentially identify key endpoint
software properties ("fingerprinting"), which can be used to direct
other attacks.
9. IANA Considerations 9. IANA Considerations
The entirety of this document focuses on IANA issues, notably The entirety of this document focuses on suggestions that help
suggestions that help ensure the conservation of port numbers and ensure the conservation of port numbers and provide useful hints for
provide useful hints for issuing informative requests thereof. issuing informative requests thereof.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2780] Bradner, S., and V. Paxson, "IANA Allocation Guidelines [RFC2780] Bradner, S., and V. Paxson, "IANA Allocation Guidelines
For Values In the Internet Protocol and Related Headers", For Values In the Internet Protocol and Related Headers",
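Review bot: the paragraph added on the right beginning "The use of assigned port numbers is the antithesis of privacy" should be reconciled internally: it first says interpretations of port numbers away from the endpoints "can be arbitrarily incorrect", then that intermediate devices use them to monitor, intercept and fingerprint; suggest stating that the inference is unreliable but still actionable to an observer, so designers should not treat that unreliability as protection. Style nit in the preceding paragraph, unchanged on both sides: "isn't a substitute" should be "is not a substitute" in RFC prose. The IANA Considerations change ("focuses on IANA issues" to "focuses on suggestions") is consistent with the abstract's statement that the document does not update RFC6335.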
 End of changes. 16 change blocks. 
47 lines changed or deleted 60 lines changed or added
