draft-ietf-tsvwg-port-use-07.txt   draft-ietf-tsvwg-port-use-08.txt 
TSVWG J. Touch TSVWG J. Touch
Internet Draft USC/ISI Internet Draft USC/ISI
Intended status: Best Current Practice January 23, 2015 Intended status: Best Current Practice March 13, 2015
Expires: July 2015 Expires: September 2015
Recommendations for Transport Port Number Uses Recommendations for Transport Port Number Uses
draft-ietf-tsvwg-port-use-07.txt draft-ietf-tsvwg-port-use-08.txt
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 31 skipping to change at page 1, line 31
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on July 23, 2015. This Internet-Draft will expire on September 13, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License. warranty as described in the Simplified BSD License.
Abstract Abstract
This document provides recommendations to application and service This document provides recommendations to application and service
designers on how to use the transport protocol port number space. It protocol designers on how to use the assigned transport protocol
complements (but does not update) RFC6335, which focuses on IANA port number space and when to request a port assignment from IANA.
process. It provides designer guidelines on how to interact with the IANA
processes defined in RFC6335, thus serving to complement (but not
update) that document.
Table of Contents Table of Contents
1. Introduction...................................................2 1. Introduction...................................................2
2. Conventions used in this document..............................3 2. Conventions used in this document..............................3
3. History........................................................3 3. History........................................................3
4. Current Port Number Use........................................4 4. Current Port Number Use........................................5
5. What is a Port Number?.........................................5 5. What is a Port Number?.........................................5
6. Conservation...................................................7 6. Conservation...................................................7
6.1. Guiding Principles........................................7 6.1. Guiding Principles........................................7
6.2. Firewall and NAT Considerations...........................8 6.2. Firewall and NAT Considerations...........................8
7. How to Use Assigned Port Numbers...............................9 7. Considerations for Requesting Port Number Assignments..........9
7.1. Is a port number assignment necessary?....................9 7.1. Is a port number assignment necessary?....................9
7.2. How Many Port Numbers?...................................11 7.2. How Many Assigned Port Numbers?..........................11
7.3. Picking a Port Number....................................12 7.3. Picking an Assigned Port Number..........................12
7.4. Support for Security.....................................13 7.4. Support for Security.....................................13
7.5. Support for Future Versions..............................14 7.5. Support for Future Versions..............................14
7.6. Transport Protocols......................................14 7.6. Transport Protocols......................................15
7.7. When to Request an Assignment............................15 7.7. When to Request an Assignment............................16
7.8. Squatting................................................17 7.8. Squatting................................................17
7.9. Other Considerations.....................................17 7.9. Other Considerations.....................................18
8. Security Considerations.......................................18 8. Security Considerations.......................................18
9. IANA Considerations...........................................18 9. IANA Considerations...........................................19
10. References...................................................18 10. References...................................................19
10.1. Normative References....................................18 10.1. Normative References....................................19
10.2. Informative References..................................19 10.2. Informative References..................................20
11. Acknowledgments..............................................21 11. Acknowledgments..............................................22
1. Introduction 1. Introduction
This document provides information and advice to application and This document provides information and advice to application and
service designers on the use of transport port numbers. It provides service designers on the use of assigned transport port numbers. It
a detailed historical background of the evolution of transport port provides a detailed historical background of the evolution of
numbers and their multiple meanings. It also provides specific transport port numbers and their multiple meanings. It also provides
recommendations to designers on how to use assigned port numbers. specific recommendations to designers on how to use assigned port
Note that this document provides information to potential port numbers. Note that this document provides information to potential
number applicants that complements the IANA process described in port number applicants that complements the IANA process described
BCP165 [RFC6335], but it does not update that document. in BCP165 [RFC6335], but it does not change any of the port number
assignment procedures described therein. This document is intended
to address concerns typically raised during Expert Review of
assigned port number applications, but it is not intended to bind
those reviews. RFC 6335 also describes the interaction between port
experts and port requests in IETF consensus document. Authors of
IETF consensus documents should nevertheless follow the advice in
this document and can expect comment on their port requests from the
port experts during IETF last call or at other times when review is
explicitly sought.
2. Conventions used in this document 2. Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119]. document are to be interpreted as described in RFC-2119 [RFC2119].
In this document, these words will appear with that interpretation In this document, these words will appear with that interpretation
only when in ALL CAPS. Lower case uses of these words are not to be only when in ALL CAPS. Lower case uses of these words are not to be
interpreted as carrying RFC-2119 significance. interpreted as carrying RFC-2119 significance.
In this document, the characters ">>" preceding an indented line(s) In this document, the characters ">>" preceding an indented line(s)
indicates a compliance requirement statement using the key words indicates a statement using the key words listed above. This
listed above. This convention aids reviewers in quickly identifying convention aids reviewers in quickly identifying or finding
or finding the explicit compliance requirements of this RFC. requirements for registration and recommendations for use of port
numbers in this RFC.
3. History 3. History
The term 'port' was first used in [RFC33] to indicate a simplex The term 'port' was first used in [RFC33] to indicate a simplex
communication path from an individual process and originally applied communication path from an individual process and originally applied
to only the Network Control Program (NCP) connection-oriented to only the Network Control Program (NCP) connection-oriented
protocol. At a meeting described in [RFC37], an idea was presented protocol. At a meeting described in [RFC37], an idea was presented
to decouple connections between processes and links that they use as to decouple connections between processes and links that they use as
paths, and thus to include numeric source and destination socket paths, and thus to include numeric source and destination socket
identifiers in packets. [RFC38] provides further detail, describing identifiers in packets. [RFC38] provides further detail, describing
skipping to change at page 4, line 12 skipping to change at page 4, line 23
numbers for groups of protocols, such as "any private RJE server" numbers for groups of protocols, such as "any private RJE server"
[RFC739]. Although the overall range of such port numbers was (and [RFC739]. Although the overall range of such port numbers was (and
remains) 16 bits, only the first 256 (high 8 bits cleared) in the remains) 16 bits, only the first 256 (high 8 bits cleared) in the
range were considered assigned. range were considered assigned.
[RFC758] is the first to describe port numbers as being used for TCP [RFC758] is the first to describe port numbers as being used for TCP
(previous RFCs all refer to only NCP). It includes a list of such (previous RFCs all refer to only NCP). It includes a list of such
well-known port numbers, as well as describing ranges used for well-known port numbers, as well as describing ranges used for
different purposes: different purposes:
Binary Octal Decimal Octal
----------------------------------------------------------- -----------------------------------------------------------
0-63 0-77 Network Wide Standard Function 0-63 0-77 Network Wide Standard Function
64-127 100-177 Hosts Specific Functions 64-127 100-177 Hosts Specific Functions
128-223 200-337 Reserved for Future Use 128-223 200-337 Reserved for Future Use
224-255 340-377 Any Experimental Function 224-255 340-377 Any Experimental Function
skipping to change at page 6, line 5 skipping to change at page 6, line 8
The first purpose requires that each transport endpoint association The first purpose requires that each transport endpoint association
(e.g., TCP connection or UDP pairwise association) using a given (e.g., TCP connection or UDP pairwise association) using a given
transport between a given pair of IP addresses use a different pair transport between a given pair of IP addresses use a different pair
of port numbers, but does not require either coordination or of port numbers, but does not require either coordination or
registration of port number use. It is the second purpose that registration of port number use. It is the second purpose that
drives the need for a common registry. drives the need for a common registry.
Consider a user wanting to run a web server. That service could run Consider a user wanting to run a web server. That service could run
on any port number, provided that all clients knew what port number on any port number, provided that all clients knew what port number
to use to access that service at that host. Such information can be to use to access that service at that host. Such information can be
distributed out-of-band, e.g., in the URI: explicitly distributed - for example, by putting it in the URI:
http://www.example.com:51509/ http://www.example.com:51509/
Ultimately, the correlation of a service with a port number is an Ultimately, the correlation of a service with a port number is an
agreement between just the two endpoints of the association. A web agreement between just the two endpoints of the association. A web
server can run on port number 53, which might appear as DNS traffic server can run on port number 53, which might appear as DNS traffic
to others but will connect to browsers that know to use port number to others but will connect to browsers that know to use port number
53 rather than 80. 53 rather than 80.
As a concept, a service is the combination of ISO Layers 5-7 that As a concept, a service is the combination of ISO Layers 5-7 that
represents an application protocol capability. For example www (port represents an application protocol capability. For example www (port
number 80) is a service that uses HTTP as an application protocol number 80) is a service that uses HTTP as an application protocol
and provides access to a web server [RFC7230]. However, it is and provides access to a web server [RFC7230]. However, it is
possible to use HTTP for other purposes, such as command and possible to use HTTP for other purposes, such as command and
control. This is why some current service names (HTTP, e.g.) are a control. This is why some current services (HTTP, e.g.) are a bit
bit overloaded - they describe not only the application protocol, overloaded - they describe not only the application protocol, but a
but a particular service. particular service.
IANA assigns port numbers so that Internet endpoints do not need IANA assigns port numbers so that Internet endpoints do not need
pairwise, explicit coordination of the meaning of their port pairwise, explicit coordination of the meaning of their port
numbers. This is the primary reason for requesting assigned port numbers. This is the primary reason for requesting assigned port
numbers with IANA - to have a common agreement between all endpoints numbers with IANA - to have a common agreement between all endpoints
on the Internet as to the default meaning of a port number. on the Internet as to the default meaning of a port number, which
provides the endpoints with a default port number for a particular
protocol or service.
Port numbers are sometimes used by intermediate devices on a network Port numbers are sometimes used by intermediate devices on a network
path, either to monitor available services, to monitor traffic path, either to monitor available services, to monitor traffic
(e.g., to indicate the data contents), or to intercept traffic (to (e.g., to indicate the data contents), or to intercept traffic (to
block, proxy, relay, aggregate, or otherwise process it). In each block, proxy, relay, aggregate, or otherwise process it). In each
case, the intermediate device interprets traffic based on the port case, the intermediate device interprets traffic based on the port
number. It is important to recognize that any interpretation of port number. It is important to recognize that any interpretation of port
numbers - except at the endpoints - may be incorrect, because port numbers - except at the endpoints - may be incorrect, because port
numbers are meaningful only at the endpoints. Further, port numbers numbers are meaningful only at the endpoints. Further, port numbers
may not be visible to these intermediate devices, such as when the may not be visible to these intermediate devices, such as when the
transport protocol is encrypted (as in network- or link-layer transport protocol is encrypted (as in network- or link-layer
tunnels), or when a packet is fragmented (in which case only the tunnels), or when a packet is fragmented (in which case only the
first fragment has the port number information). Such port number first fragment has the port number information). Such port number
invisibility may interfere with these in-network port number-based invisibility may interfere with these in-network port number-based
capabilities. capabilities.
Port numbers can also be useful for other purposes. Assigned port Port numbers can also be used for other purposes. Assigned port
numbers can simplify end system configuration, so that individual numbers can simplify end system configuration, so that individual
installations do not need to coordinate their use of arbitrary port installations do not need to coordinate their use of arbitrary port
numbers. Such assignments can also simplify firewall management, so numbers. Such assignments can also simplify firewall management, so
that a single, fixed firewall configuration can either permit or that a single, fixed firewall configuration can either permit or
deny a service. deny a service.
It is useful to differentiate a port number from a service name. The It is useful to differentiate a port number from a service name. The
former is a numeric value that is used directly in transport former is a numeric value that is used directly in transport
protocol headers as a demultiplexing and service identifier. The protocol headers as a demultiplexing and service identifier. The
latter is primarily a user convenience, where the default map latter is primarily a user convenience, where the default map
between the two is considered static and resolved using a cached between the two is considered static and resolved using a cached
index. This document focuses on the former because it is the index. This document focuses on the former because it is the
fundamental network resource. Dynamic maps between the two, i.e., fundamental network resource. Dynamic maps between the two, i.e.,
using DNS SRV records, are discussed further in Section 7.1. using DNS SRV records, are discussed further in Section 7.1.
6. Conservation 6. Conservation
Assigned port numbers are a limited resource that is globally shared Assigned port numbers are a limited resource that is globally shared
by the entire Internet community. As of 2014, approximately 5850 TCP by the entire Internet community. As of 2014, approximately 5850 TCP
and 5570 UDP port numbers have been assigned out of a total range of and 5570 UDP port numbers have been assigned out of a total range of
49151. As a result of past conservation, current port use is small 49151. As a result of past conservation, current assigned port use
and the current rate of assignment avoids the need for transition to is small and the current rate of assignment avoids the need for
larger number spaces. This conservation also helps avoid the need transition to larger number spaces. This conservation also helps
for IANA to rely on port number reclamation, which is practically avoid the need for IANA to rely on assigned port number reclamation,
impossible even though procedurally permitted [RFC6335]. which is practically impossible even though procedurally permitted
[RFC6335].
IANA aims to assign only one port number per service, including IANA aims to assign only one port number per service, including
variants [RFC6335], but there are other benefits to using fewer port variants [RFC6335], but there are other benefits to using fewer port
numbers for a given service. Use of multiple port numbers can make numbers for a given service. Use of multiple assigned port numbers
applications more fragile, especially when firewalls block a subset can make applications more fragile, especially when firewalls block
of those port numbers or use ports numbers to route or prioritize a subset of those port numbers or use ports numbers to route or
traffic differently. As a result: prioritize traffic differently. As a result:
>> Each port requested MUST be justified as independently necessary. >> Each assigned port requested MUST be justified by the applicant
as an independently useful service.
6.1. Guiding Principles 6.1. Guiding Principles
This document provides recommendations for users that also help This document provides recommendations for users that also help
conserve port number space. Again, this document does not update conserve assigned port number space. Again, this document does not
BCP165 [RFC6335], which describes the IANA procedures for managing update BCP165 [RFC6335], which describes the IANA procedures for
transport port numbers and services. Port number conservation is managing assigned transport port numbers and services. Assigned port
based on a number of basic principles: number conservation is based on a number of basic principles:
o A single assigned port number can support different functions o A single assigned port number can support different functions
over separate endpoint associations, determined using in-band over separate endpoint associations, determined using in-band
information. An FTP data connection can transfer binary or information. An FTP data connection can transfer binary or
text files, the latter translating line-terminators, as text files, the latter translating line-terminators, as
indicated in-band over the control port number [RFC959]. indicated in-band over the control port number [RFC959].
o A single assigned port number can indicate the Dynamic port o A single assigned port number can indicate the Dynamic port
number(s) on which different capabilities are supported, as number(s) on which different capabilities are supported, as
with passive-mode FTP [RFC959]. with passive-mode FTP [RFC959].
o Several existing services can indicate the Dynamic port o Several existing services can indicate the Dynamic port
number(s) on which other services are supported, such as with number(s) on which other services are supported, such as with
mDNS and portmapper [RFC1833] [RFC6762] [RFC6763]. mDNS and portmapper [RFC1833] [RFC6762] [RFC6763].
o Copies of an existing service can be differentiated by using o Copies of an existing service can also be operated on
different IP addresses, either on different hosts or as different IP addresses, either on different hosts or as
different real or virtual interfaces (or even operating different real or virtual interfaces (or even operating
systems) on the same host. systems) on the same host.
o Copies of some existing services can be differentiated using o Copies of some existing services can be differentiated using
in-band information (e.g., URIs in HTTP Host field and TLS in-band information (e.g., URIs in HTTP Host field and TLS
Server Name Indication extension) [RFC7230] [RFC6066]. Server Name Indication extension) [RFC7230] [RFC6066].
o Services requiring varying performance properties can already o Services requiring varying performance properties can already
be supported using separate endpoint associations (connections be supported using separate endpoint associations (connections
or other associations), each configured to support the desired or other associations), each configured to support the desired
properties. properties. E.g., a high-speed and low-speed variant can be
determined within the service using the same assigned port.
Port numbers are intended to differentiate services, not variations Assigned port numbers are intended to differentiate services, not
of performance, replicas, pairwise endpoint associations, or payload variations of performance, replicas, pairwise endpoint associations,
types. Port numbers are also a small space compared to other or payload types. Assigned port numbers are also a small space
Internet number spaces; it is never appropriate to consume port compared to other Internet number spaces; it is never appropriate to
numbers to conserve larger spaces such as IP addresses. consume assigned port numbers to conserve larger spaces such as IP
addresses.
6.2. Firewall and NAT Considerations 6.2. Firewall and NAT Considerations
Assigned port numbers are useful for configuring firewalls and other Assigned port numbers are useful for configuring firewalls and other
port-based systems for access control. Ultimately, these port port-based systems for access control. Ultimately, these numbers
numbers indicate services only to the endpoints, and any indicate services only to the endpoints, and any intermediate device
intermediate device that assigns meaning to a value can be that assigns meaning to a value can be incorrect. End systems might
incorrect. End systems might agree to run web services (HTTP) over agree to run web services (HTTP) over port number 53 (typically used
port number 53 (typically used for DNS) rather than port number 80, for DNS) rather than port number 80, at which point a firewall that
at which point a firewall that blocks port number 80 but permits blocks port number 80 but permits port number 53 would not have the
port number 53 would not have the desired effect. However, assigned desired effect. However, assigned port numbers often are important
port numbers often are important in helping configure firewalls. in helping configure firewalls.
Using Dynamic port numbers, or explicitly-indicated port numbers Using Dynamic port numbers, or explicitly-indicated port numbers
indicated in-band over another service (such as with FTP) often indicated in-band over another service (such as with FTP) often
complicates firewall and NAT interactions [RFC959]. FTP over complicates firewall and NAT interactions [RFC959]. FTP over
firewalls often requires direct support for deep-packet inspection firewalls often requires direct support for deep-packet inspection
(to snoop for the Dynamic port number for the NAT to correctly map) (to snoop for the Dynamic port number for the NAT to correctly map)
or passive-mode FTP (in which both connections are opened from the or passive-mode FTP (in which both connections are opened from the
client side). client side).
7. How to Use Assigned Port Numbers 7. Considerations for Requesting Port Number Assignments
Port numbers are assigned by IANA by a set of documented procedures Port numbers are assigned by IANA by a set of documented procedures
[RFC6335]. The following section describes the steps users can take [RFC6335]. The following section describes the steps users can take
to help assist with the use of assigned port numbers, and with to help assist with responsible use of assigned port numbers, and
preparing an application for a port number assignment. with preparing an application for a port number assignment.
7.1. Is a port number assignment necessary? 7.1. Is a port number assignment necessary?
First, it is useful to consider whether a port number assignment is First, it is useful to consider whether a port number assignment is
required. In many cases, a new number assignment may not be needed, required. In many cases, a new number assignment may not be needed,
for example: for example:
o Is this really a new service, or can an existing service o Is this really a new service, or can an existing service
suffice? suffice?
skipping to change at page 9, line 49 skipping to change at page 10, line 9
configuration file, indicated within a URI, or using configuration file, indicated within a URI, or using
interprocess communication). interprocess communication).
o Using information exchanged on a related service: FTP, SIP, o Using information exchanged on a related service: FTP, SIP,
etc. [RFC959] [RFC3261]. etc. [RFC959] [RFC3261].
o Using an existing port discovery service: portmapper, mDNS, o Using an existing port discovery service: portmapper, mDNS,
etc. [RFC1833] [RFC6762] [RFC6763]. etc. [RFC1833] [RFC6762] [RFC6763].
There are a few good examples of reasons that more directly suggest There are a few good examples of reasons that more directly suggest
that not only is a port number not necessary, but it is directly that not only is a port number assignment not necessary, but it is
counter-indicated: directly counter-indicated:
o Port numbers are not intended to differentiate performance o Assigned port numbers are not intended to differentiate
variations within the same service, e.g., high-speed vs. performance variations within the same service, e.g., high-
ordinary speed. Performance variations can be supported within speed vs. ordinary speed. Performance variations can be
a single port number in context of separate pairwise endpoint supported within a single assigned port number in context of
associations. separate pairwise endpoint associations.
o Additional port numbers are not intended to replicate an o Additional assigned port numbers are not intended to replicate
existing service. For example, if a device is configured to an existing service. For example, if a device is configured to
use a typical web browser then it the port number used for use a typical web browser then it the port number used for
that service is a copy of the http service that is already that service is a copy of the http service that is already
assigned to port number 80 and does not warrant a new assigned to port number 80 and does not warrant a new
assignment. However, an automated system that happens to use assignment. However, an automated system that happens to use
HTTP framing - but is not primarily accessed by a browser - HTTP framing - but is not primarily accessed by a browser -
might be a new service. A good way to tell is "can an might be a new service. A good way to tell is "can an
unmodified client of the existing service interact with the unmodified client of the existing service interact with the
proposed service"? If so, that service would be a copy of an proposed service"? If so, that service would be a copy of an
existing service and would not merit a new assignment. existing service and would not merit a new assignment.
o Port numbers not intended for intra-machine communication. o Assigned port numbers not intended for intra-machine
Such communication can already be supported by internal communication. Such communication can already be supported by
mechanisms (interprocess communication, shared memory, shared internal mechanisms (interprocess communication, shared
files, etc.). When Internet communication within a host is memory, shared files, etc.). When Internet communication
desired, the server can bind to a Dynamic port that is within a host is desired, the server can bind to a Dynamic
indicated to the client using these internal mechanisms. port that is indicated to the client using these internal
mechanisms.
o Separate port numbers are not intended for insecure versions o Separate assigned port numbers are not intended for insecure
of existing (or new) secure services. A service that already versions of existing (or new) secure services. A service that
requires security would be made more vulnerable by having the already requires security would be made more vulnerable by
same capability accessible without security. having the same capability accessible without security.
Note that the converse is different, i.e., it can be useful to Note that the converse is different, i.e., it can be useful to
create a new, secure service that replicates an existing create a new, secure service that replicates an existing
insecure service on a new port number assignment. This can be insecure service on a new port number assignment. This can be
necessary when the existing service is not backward-compatible necessary when the existing service is not backward-compatible
with security enhancements, such as the use of TLS [RFC5246]. with security enhancements, such as the use of TLS [RFC5246]
or DTLS [RFC6347].
o Port numbers are not intended for indicating different service o Assigned port numbers are not intended for indicating
versions. Version differentiation should be handled in-band, different service versions. Version differentiation should be
e.g., using a version number at the beginning of an handled in-band, e.g., using a version number at the beginning
association (e.g., connection or other transaction). This may of an association (e.g., connection or other transaction).
not be possible with legacy assignments, but all new This may not be possible with legacy assignments, but all new
assignments should incorporate support for version indication. services should incorporate support for version indication.
Some users may not need assigned port numbers at all, e.g., SIP Some services may not need assigned port numbers at all, e.g., SIP
allows voice calls to use Dynamic ports [RFC3261]. Some systems can allows voice calls to use Dynamic ports [RFC3261]. Some systems can
register services in the DNS, using SRV entries. These services can register services in the DNS, using SRV entries. These services can
be discovered by a variety of means, including mDNS, or via direct be discovered by a variety of means, including mDNS, or via direct
query [RFC6762] [RFC6763]. In such cases, users can more easily query [RFC6762] [RFC6763]. In such cases, users can more easily
request a SRV name, which are assigned first-come, first-served from request a SRV name, which are assigned first-come, first-served from
a much larger namespace. a much larger namespace.
IANA assigns port numbers, but this assignment is typically used IANA assigns port numbers, but this assignment is typically used
only for servers, i.e., the host that listens for incoming only for servers, i.e., the host that listens for incoming
connections or other associations. Clients, i.e., hosts that connections or other associations. Clients, i.e., hosts that
initiate connections or other associations, typically refer to those initiate connections or other associations, typically refer to those
assigned port numbers but do not need port number assignments for assigned port numbers but do not need port number assignments for
their endpoint. their endpoint.
Finally, an assigned port number is not a guarantee of exclusive Finally, an assigned port number is not a guarantee of exclusive
use. Traffic for any service might appear on any port number, due to use. Traffic for any service might appear on any port number, due to
misconfiguration or deliberate misuse. Application and service misconfiguration or deliberate misuse. Application and service
designers are encouraged to validate traffic based on its content. designers are encouraged to validate traffic based on its content.
7.2. How Many Port Numbers? 7.2. How Many Assigned Port Numbers?
As noted earlier, systems might require a single port number As noted earlier, systems might require a single port number
assignment, but rarely require multiple port numbers. There are a assignment, but rarely require multiple port numbers. There are a
variety of known ways to reduce port number use. Although some may variety of known ways to reduce assigned port number consumption.
be cumbersome or inefficient, they are always preferable to Although some may be cumbersome or inefficient, they are nearly
consuming additional port numbers. always preferable to consuming additional port number assignments.
Such techniques include: Such techniques include:
o Use of a discovery service, either a shared service (mDNS), or o Use of a discovery service, either a shared service (mDNS), or
a discovery service for a given system [RFC6762] [RFC6763]. a discovery service for a given system [RFC6762] [RFC6763].
o Multiplex packet types using in-band information, either on a o Multiplex packet types using in-band information, either on a
per-message or per-connection basis. Such demultiplexing can per-message or per-connection basis. Such demultiplexing can
even hand-off different messages and connections among even hand-off different messages and connections among
different processes, such as is done with FTP [RFC959]. different processes, such as is done with FTP [RFC959].
There are some cases where it is still important to have assigned There are some cases where it is still important to have assigned
port numbers, largely to traverse either NATs or firewalls. Although port numbers, largely to traverse either NATs or firewalls. Although
automatic configuration protocols have been proposed and developed NAT traversal protocols supporting automatic configuration have been
(e.g., STUN [RFC5389], TURN [RFC5766], and ICE [RFC5245]), proposed and developed (e.g., STUN [RFC5389], TURN [RFC5766], and
application and service designers cannot yet rely on their presence. ICE [RFC5245]), application and service designers cannot yet rely on
their presence.
In the past, some services were assigned multiple port numbers or In the past, some services were assigned multiple port numbers or
sometimes fairly large port ranges (e.g., X11). This occurred for a sometimes fairly large port ranges (e.g., X11). This occurred for a
variety of reasons: port number conservation was not as widely variety of reasons: port number conservation was not as widely
appreciated, assignments were not as ardently reviewed, etc. This no appreciated, assignments were not as ardently reviewed, etc. This no
longer reflects current practice and such assignments are not longer reflects current practice and such assignments are not
considered to constitute a precedent for future assignments. considered to constitute a precedent for future assignments.
7.3. Picking a Port Number 7.3. Picking an Assigned Port Number
Given a demonstrated need for a port number assignment, the next Given a demonstrated need for a port number assignment, the next
question is how to pick the desired port number. An application for question is how to pick the desired port number. An application for
a port number assignment does not need to include a desired port a port number assignment does not need to include a desired port
number; in that case, IANA will select from those currently number; in that case, IANA will select from those currently
available. available.
Users should consider whether the requested port number is Users should consider whether the requested port number is
important. For example, would an assignment be acceptable if IANA important. For example, would an assignment be acceptable if IANA
picked the port number value? Would a TCP (or other transport picked the port number value? Would a TCP (or other transport
protocol) port number assignment be useful by itself? If so, a TCP protocol) port number assignment be useful by itself? If so, a port
(UDP) port number can be assigned whose port number is already (or number can be assigned to a service for one transport protocol where
can be subsequently) assigned to a different transport protocol. it is already (or can be subsequently) assigned to a different
service for other transport protocols.
The most critical issue in picking a number is selecting the desired The most critical issue in picking a number is selecting the desired
range, i.e., System vs. User port numbers. The distinction was range, i.e., System vs. User port numbers. The distinction was
intended to indicate a difference in privilege; originally, System intended to indicate a difference in privilege; originally, System
port numbers required privileged ('root') access, while User port port numbers required privileged ('root') access, while User port
numbers did not. That distinction has since blurred because some numbers did not. That distinction has since blurred because some
current systems do not limit access control to System port numbers current systems do not limit access control to System port numbers
and because some System services have been replicated on User and because some System services have been replicated on User
numbers (e.g., IRC). Even so, System port number assignments have numbers (e.g., IRC). Even so, System port number assignments have
continued at an average rate of 3-4 per year over the past 7 years continued at an average rate of 3-4 per year over the past 7 years
(2007-2013), indicating that the desire to keep this distinction (2007-2013), indicating that the desire to keep this distinction
continues. continues.
As a result, the difference between System and User port numbers As a result, the difference between System and User port numbers
needs to be treated with caution. Developers are advised to treat needs to be treated with caution. Developers are advised to treat
services as if they are always run without privilege. As a result: services as if they are always run without privilege.
>> Developers SHOULD NOT apply for System port numbers because the Even when developers seek a System port number assignment, it may be
increased privilege they are intended to provide is not always very difficult to obtain. System port number assignment requires
enforced. IETF Review or IESG Approval and justification that both User and
Dynamic port number ranges are insufficient [RFC6335]. Thus this
document recommends both:
Even when developers seek a System port number, it may be very >> Developers SHOULD NOT apply for System port number assignments
difficult to obtain. System port number assignment requires IETF because the increased privilege they are intended to provide is not
Review or IESG Approval and justification that both User and Dynamic always enforced.
port number ranges are insufficient [RFC6335].
>> System implementers SHOULD enforce the need for privilege for >> System implementers SHOULD enforce the need for privilege for
processes to listen on System port numbers. processes to listen on System port numbers.
At some future date, it might be useful to deprecate the distinction At some future date, it might be useful to deprecate the distinction
between System and User port numbers altogether. Services typically between System and User port numbers altogether. Services typically
require elevated ('root') privileges to bind to a System port require elevated ('root') privileges to bind to a System port
number, but many such services go to great lengths to immediately number, but many such services go to great lengths to immediately
drop those privileges just after connection or other association drop those privileges just after connection or other association
establishment to reduce the impact of an attack using their establishment to reduce the impact of an attack using their
capabilities. Such services might be more securely operated on User capabilities. Such services might be more securely operated on User
port numbers than on System port numbers. Further, if System port port numbers than on System port numbers. Further, if System port
numbers were no longer assigned, as of 2014 it would cost only 180 numbers were no longer assigned, as of 2014 it would cost only 180
of the 1024 System values (17%), or 180 of the overall 49152 of the 1024 System values (17%), or 180 of the overall 49152
assigned (System and User) values (<0.04%). assigned (System and User) values (<0.04%).
7.4. Support for Security 7.4. Support for Security
Just as a service is a way to obtain information or processing from Just as a service is a way to obtain information or processing from
a host over a network, a service can also be the opening through a host over a network, a service can also be the opening through
which to attack that host. This vulnerability can be mitigated a which to compromise that host. Protecting a service involves
number of ways: security, which includes integrity protection, source
authentication, privacy, or any combination of these capabilities.
Security can be provided in a number of ways:
>> New services SHOULD support security, either directly or via a >> New services SHOULD support security capabilities, either
secure transport such as TLS [RFC5246]. directly or via a content protection such as TLS [RFC5246] or DTLS
[RFC6347] or transport protection such as TCP-AO [RFC5925]. Insecure
versions of new or existing secure services SHOULD be avoided
because of the new vulnerability they create.
>> Insecure versions of new or existing secure services SHOULD be >> When simultaneously requesting both secure and insecure port
avoided because of the new vulnerability they create. assignments for the same service, strong justification is expected
for the utility and safety of a separate insecure assigned port
[RFC2595]. Precedent (citing other protocols that use an insecure
port) is not strong justification by itself.
>> When simultaneously requesting both a secure and an insecure It's also important to recognize that port number assignment is not
port, strong justification MUST be provided for the insecure port. itself a guarantee that traffic using that number provides the
Precedent (citing other protocols that use an insecure port) is not corresponding service, or that a given service is always offered
strong justification by itself. A strong case for utility of the only on its assigned port number. Port numbers are ultimately
insecure service is REQUIRED for approval of the insecure port. meaningful only between endpoints and any service can be run on any
port. Thus:
>> Security SHOULD NOT rely on port number distinctions alone; every >> Security SHOULD NOT rely on assigned port number distinctions
service, whether secure or not, is likely to be attacked. alone; every service, whether secure or not, is likely to be
attacked.
There is debate as to how to secure legacy insecure services There is debate as to how to secure legacy insecure services
[RFC6335]. Some argue that secure variants should share the existing [RFC6335]. Some argue that secure variants should share the existing
port number assignment, such that security is enabled on a per- port number assignment, such that security is enabled on a per-
connection or other association basis [RFC2817]. Others argue that connection or other association basis [RFC2595] [RFC2817]. Others
security should be supported on a new port number assignment and be argue that security should be supported on a new port number
enabled by default. Either approach is currently permitted, although assignment and be enabled by default. Either approach is currently
use of a single port number is consistent with port number permitted. A separate port number might be important for security
conservation. A separate port number might be important for security
coordination (e.g., firewall management), but this might further coordination (e.g., firewall management), but this might further
argue for deprecation of the insecure variant. argue for deprecation of the insecure variant.
Optional security can penalize performance, requiring additional Optional security can penalize performance, requiring additional
round-trip exchanges before a connection or other association can be round-trip exchanges before a connection or other association can be
established. As discussed earlier, port numbers are a critical established. As discussed earlier, assigned port numbers are a
resource and it is inappropriate to consume assignments to increase critical resource and it is inappropriate to consume assignments to
performance. As a result, the need for separate ports for both increase performance. As a result, the need for separate port
secure and insecure variants is not justified merely for performance assignments for both secure and insecure variants is not justified
- either for the connection or association establishment performance merely for performance - either for the performance of connection
or differences in data performance between secure and insecure establishment or association establishment, or for differences in
variants. data performance between secure and insecure variants.
Note however that a new service might not be eligible for IANA Note however that a new service might not be eligible for IANA
assignment of both an insecure and a secure variant of the same assignment of both an insecure and a secure variant of the same
service, and similarly applications requesting assignment for both service. In a similar way, applications requesting assignment for an
an insecure port number for a secure service might not be insecure port number for a secure service might not be appropriate.
appropriate. In both cases, security of the service is compromised In both cases, security of the service is compromised by adding the
by adding the insecure port number assignment. insecure port number assignment.
7.5. Support for Future Versions 7.5. Support for Future Versions
Current IANA assignments are expected to support the multiple Requests for assigned port numbers are expected to support multiple
versions on the same assigned port number [RFC6335]. Versions are versions on the same assigned port number [RFC6335]. Versions are
typically indicated in-band, either at the beginning of a connection typically indicated in-band, either at the beginning of a connection
or other association, or in each protocol message. or other association, or in each protocol message.
>> Version support SHOULD be included in new services. >> Version support SHOULD be included in new services rather than
relying on different port number assignments for different versions.
>> Version numbers SHOULD NOT be included in either the service name >> Version numbers SHOULD NOT be included in either the service name
or service description. or service description, to avoid the need to make additional port
number assignments for future variants of a service.
Again, the port number space is far too limited to be used as an Again, the assigned port number space is far too limited to be used
indicator of protocol version or message type. Although this has as an indicator of protocol version or message type. Although this
happened in the past (e.g., for NFS), it should be avoided in new has happened in the past (e.g., for NFS), it should be avoided in
requests. new requests.
7.6. Transport Protocols 7.6. Transport Protocols
IANA assigns port numbers specific to one or more transport IANA assigns port numbers specific to one or more transport
protocols, typically UDP and TCP, but also SCTP, DCCP, and any other protocols, typically UDP [RFC768] and TCP [RFC793], but also SCTP
standard transport protocol [RFC768] [RFC793] [RFC4340] [RFC4960]. [RFC4960], DCCP [RFC4340], and any other standard transport
Originally, IANA port number assignments were concurrent for both protocol. Originally, IANA port number assignments were concurrent
UDP and TCP; other transports were not indicated. However, to for both UDP and TCP, and other transports were not indicated.
conserve space and to reflect increasing use of other transports, However, to conserve the assigned port number space and to reflect
assignments are now specific only to the transport being used. increasing use of other transports, assignments are now specific
only to the transport being used.
In general, a service should request assignments for multiple In general, a service should request assignments for multiple
transports using the same service name and description on the same transports using the same service name and description on the same
port number only when they all reflect essentially the same service. port number only when they all reflect essentially the same service.
Good examples of such use are DNS and NFS, where the difference Good examples of such use are DNS and NFS, where the difference
between the UDP and TCP services are specific to supporting each between the UDP and TCP services are specific to supporting each
transport. E.g., the UDP variant of a service might add sequence transport. E.g., the UDP variant of a service might add sequence
numbers and the TCP variant of the same service might add in-band numbers and the TCP variant of the same service might add in-band
message delimiters. This document does not describe the appropriate message delimiters. This document does not describe the appropriate
selection of a transport protocol for a service. selection of a transport protocol for a service.
>> Service names and descriptions for multiple transport port number >> Service names and descriptions for multiple transport port number
assignments SHOULD match only when they describe the same service, assignments SHOULD match only when they describe the same service,
excepting only enhancements for each supported transport. excepting only enhancements for each supported transport.
When the services differ, their service names and descriptions When the services differ, it may be acceptable or preferable to use
should reflect that difference. E.g., if TCP is used for the basic the same port number, but the service names and descriptions should
be different for each transport/service pair, reflecting the
differences in the services. E.g., if TCP is used for the basic
control protocol and UDP for an alarm protocol, then the services control protocol and UDP for an alarm protocol, then the services
might be "name-ctl" and "name-alarm". A common example is when TCP might be "name-ctl" and "name-alarm". A common example is when TCP
is used for a service and UDP is used to determine whether that is used for a service and UDP is used to determine whether that
service is active (e.g., via a unicast, broadcast, or multicast test service is active (e.g., via a unicast, broadcast, or multicast test
message) [RFC1122]. The following convention has been used by IANA message) [RFC1122]. IANA has, for several years, used the suffix "-
for several years to distinguish discovery services, such as are disc" in service names to distinguish discovery services, such as
used to identify endpoints capable of a given service: are used to identify endpoints capable of a given service:
>> Names of discovery services SHOULD use an identifiable suffix; >> Names of discovery services SHOULD use an identifiable suffix;
the suggestion is "-disc". the suggestion is "-disc".
Some services are used for discovery, either in conjunction with a Some services are used for discovery, either in conjunction with a
TCP service or as a stand-alone capability. Such services will be TCP service or as a stand-alone capability. Such services will be
more reliable when using multicast rather than broadcast (over IPv4) more reliable when using multicast rather than broadcast (over IPv4)
because IP routers do not forward "all nodes" (all 1's, i.e., because IP routers do not forward "all nodes" broadcasts (all 1's,
255.255.255.255 for IPv4) broadcasts and have not been required to i.e., 255.255.255.255 for IPv4) and have not been required to
support subnet-directed broadcasts since 1999 [RFC1812] [RFC2644]. support subnet-directed broadcasts since 1999 [RFC1812] [RFC2644].
This issue is relevant only for IPv4 because IPv6 does not support This issue is relevant only for IPv4 because IPv6 does not support
broadcast. broadcast.
>> UDP over IPv4 multi-host services SHOULD use multicast rather >> UDP over IPv4 multi-host services SHOULD use multicast rather
than broadcast. than broadcast.
Designers should be very careful in creating services over Designers should be very careful in creating services over
transports that do not support congestion control or error recovery, transports that do not support congestion control or error recovery,
notably UDP. There are several issues that should be considered in notably UDP. There are several issues that should be considered in
such cases, as summarized in Table 1 in [RFC5405]. In addition, the such cases, as summarized in Table 1 in [RFC5405]. In addition, the
following recommendations apply to service design: following recommendations apply to service design:
>> Services that use multipoint communication SHOULD be scalable, >> Services that use multipoint communication SHOULD be scalable,
and SHOULD NOT rely solely on the efficiency of multicast and SHOULD NOT rely solely on the efficiency of multicast
transmission for scalability. transmission for scalability.
>> Services SHOULD NOT use UDP as a performance enhancement over >> Services SHOULD NOT use UDP as a performance enhancement over
TCP, i.e., to circumnavigate TCP's congestion control. TCP, e.g., to circumnavigate TCP's congestion control.
7.7. When to Request an Assignment 7.7. When to Request an Assignment
Assignments are typically requested when a user has enough Assignments are typically requested when a user has enough
information to reasonably answer the questions in the IANA information to reasonably answer the questions in the IANA
application. IANA applications typically take up to a few weeks to application. IANA applications typically take up to a few weeks to
process, with some complex cases taking up to a month. The process process, with some complex cases taking up to a month. The process
typically involves a few exchanges between the IANA Ports Expert typically involves a few exchanges between the IANA Ports Expert
Review team and the applicant. Review team and the applicant.
skipping to change at page 16, line 27 skipping to change at page 17, line 10
cannot easily be updated. cannot easily be updated.
>> Users MUST NOT deploy implementations that use assigned port >> Users MUST NOT deploy implementations that use assigned port
numbers prior their assignment by IANA. numbers prior their assignment by IANA.
>> Users MUST NOT deploy implementations that default to using the >> Users MUST NOT deploy implementations that default to using the
experimental System port numbers (1021 and 1022 [RFC4727]) outside a experimental System port numbers (1021 and 1022 [RFC4727]) outside a
controlled environment where they can be updated with a subsequent controlled environment where they can be updated with a subsequent
assigned port [RFC3692]. assigned port [RFC3692].
Deployments that use port numbers before deployment complicate IANA Deployments that use unassigned port numbers before assignment
management of the port number space. Keep in mind that this complicate IANA management of the port number space. Keep in mind
recommendation protects existing assignees, users of current that this recommendation protects existing assignees, users of
services, and applicants for new assignments; it helps ensure that a current services, and applicants for new assignments; it helps
desired number and service name are available when assigned. The ensure that a desired number and service name are available when
list of currently unassigned numbers is just that - *currently* assigned. The list of currently unassigned numbers is just that -
unassigned. It does not reflect pending applications. Waiting for an *currently* unassigned. It does not reflect pending applications.
official IANA assignment reduces the chance that an assignment Waiting for an official IANA assignment reduces the chance that an
request will conflict with another deployed service. assignment request will conflict with another deployed service.
Applications made through Internet Draft / RFC publication (in any Applications made through Internet Draft / RFC publication (in any
stream) typically use a placeholder ("PORTNUM") in the text, and stream) typically use a placeholder ("PORTNUM") in the text, and
implementations use an experimental port number until a final implementations use an experimental port number until a final
assignment has been made [RFC6335]. That assignment is initially assignment has been made [RFC6335]. That assignment is initially
indicated in the IANA Considerations section of the document, which indicated in the IANA Considerations section of the document, which
is tracked by the RFC Editor. When a document has been approved for is tracked by the RFC Editor. When a document has been approved for
publication and proceeds to IESG Approval, that request is forwarded publication, that request is forwarded to IANA for handling. IANA
to IANA for handling. IANA will make the new assignment accordingly. will make the new assignment accordingly. At that time, IANA may
At that time, IANA may also request that the applicant fill out the also request that the applicant fill out the application form on
application form on their website, e.g., when the RFC does not their website, e.g., when the RFC does not directly address the
directly address the information expected as per [RFC6335]. "Early" information expected as per [RFC6335]. "Early" assignments can be
assignments can be made when justified, e.g., for early made when justified, e.g., for early interoperability testing,
interoperability testing, according to existing process [RFC7120] according to existing process [RFC7120] [RFC6335].
[RFC6335].
>> Users writing specifications SHOULD use symbolic names for port >> Users writing specifications SHOULD use symbolic names for port
numbers and service names until an IANA assignment has been numbers and service names until an IANA assignment has been
completed. Implementations SHOULD use experimental port numbers completed. Implementations SHOULD use experimental port numbers
during this time, but those numbers MUST NOT be cited in during this time, but those numbers MUST NOT be cited in
documentation except as interim. documentation except as interim.
7.8. Squatting 7.8. Squatting
"Squatting" describes the use of a number from the assigned range in "Squatting" describes the use of a number from the assignable range
deployed software without IANA assignment. It is hazardous because in deployed software without IANA assignment for that use,
IANA cannot track such usage and thus cannot avoid making legitimate regardless of whether the number has been assigned or remains
assignments that conflict with such unauthorized usage. available for assignment. It is hazardous because IANA cannot track
such usage and thus cannot avoid making legitimate assignments that
conflict with such unauthorized usage.
Such "squatted" port numbers remain unassigned, and IANA retains the Such "squatted" port numbers remain unassigned, and IANA retains the
right to assign them when requested by applicants. Application and right to assign them when requested by other applicants. Application
service designers are reminded that is never appropriate to use port and service designers are reminded that is never appropriate to use
numbers that have not been directly assigned [RFC6335]. In port numbers that have not been directly assigned [RFC6335]. In
particular, any unassigned code from the assigned ranges will be particular, any unassigned code from the assigned ranges will be
assigned by IANA, and any conflict will be easily resolved as the assigned by IANA, and any conflict will be easily resolved as the
protocol designer's fault once that happens (because they would not protocol designer's fault once that happens (because they would not
be the assignee). This may reflect in the public's judgment on the be the assignee). This may reflect in the public's judgment on the
quality of their expertise and cooperation with the Internet quality of their expertise and cooperation with the Internet
community. community.
Regardless, there are numerous services that have squatted on such Regardless, there are numerous services that have squatted on such
numbers that are in widespread use. Designers who are using such numbers that are in widespread use. Designers who are using such
port numbers are encouraged to apply for an assignment. Note that port numbers are encouraged to apply for an assignment. Note that
skipping to change at page 17, line 44 skipping to change at page 18, line 27
assigned to a legitimate applicant or if the service would not assigned to a legitimate applicant or if the service would not
qualify for an assignment of its own accord. qualify for an assignment of its own accord.
7.9. Other Considerations 7.9. Other Considerations
As noted earlier, System port numbers should be used sparingly, and As noted earlier, System port numbers should be used sparingly, and
it is better to avoid them altogether. This avoids the potentially it is better to avoid them altogether. This avoids the potentially
incorrect assumption that the service on such port numbers run in a incorrect assumption that the service on such port numbers run in a
privileged mode. privileged mode.
Port numbers are not intended to be changed; this includes the Assigned port numbers are not intended to be changed; this includes
corresponding service name. Once deployed, it can be very difficult the corresponding service name. Once deployed, it can be very
to recall every implementation, so the assignment should be difficult to recall every implementation, so the assignment should
retained. However, in cases where the current assignee of a name or be retained. However, in cases where the current assignee of a name
number has reasonable knowledge of the impact on such uses, and is or number has reasonable knowledge of the impact on such uses, and
willing to accept that impact, the name or number of an assignment is willing to accept that impact, the name or number of an
can be changed [RFC6335] assignment can be changed [RFC6335]
Aliases, or multiple service names for the same port number, are no
longer considered appropriate [RFC6335]. Aliases, or multiple service names for the same assigned port
number, are no longer considered appropriate [RFC6335].
8. Security Considerations 8. Security Considerations
This document discusses ways to conserve port numbers, notably This document discusses ways to conserve assigned port numbers,
through encouraging demultiplexing within a single port number. As notably through encouraging demultiplexing within a single port
such, there may be cases where two variants of a protocol - insecure number. As such, there may be cases where two variants of a
and secure (such as using optional TLS) or different versions - are protocol - insecure and secure (such as using optional TLS or DTLS)
suggested to share the same port number. or different versions - are suggested to share the same assigned
port number.
The use of TLS [RFC5246], DTLS [RFC6347], or TCP-AO [RFC5925] that
protect transport protocols or their contents is encouraged. It may
not be possible to use IPsec [RFC4301] in similar ways because of
the different relationship between IPsec and port numbers and
because applications may not be aware of IPsec protections.
This document reminds application and service designers that port This document reminds application and service designers that port
numbers do not protect against denial of service overload or numbers do not protect against denial of service attack or guarantee
guarantee that traffic should be trusted. Using assigned numbers for that traffic should be trusted. Using assigned numbers for port
port filtering isn't a substitute for authentication, encryption, filtering isn't a substitute for authentication, encryption, and
and integrity protection. The port number alone should not be used integrity protection. The port number alone should not be used to
to avoid denial of service or firewall traffic because their use is avoid denial of service attacks or to manage firewall traffic
not regulated or validated. because the use of port numbers is not regulated or validated.
The use of assigned port numbers is the antithesis of privacy The use of assigned port numbers is the antithesis of privacy
because they are intended to explicitly indicate the desired because they are intended to explicitly indicate the desired
application or service. Strictly, port numbers are meaningful only application or service. Strictly, port numbers are meaningful only
at the endpoints, so any interpretation elsewhere in the network can at the endpoints, so any interpretation elsewhere in the network can
be arbitrarily incorrect. However, those numbers can also expose be arbitrarily incorrect. However, those numbers can also expose
information about available services on a given host. This information about available services on a given host. This
information can be used by intermediate devices to monitor and information can be used by intermediate devices to monitor and
intercept traffic as well as to potentially identify key endpoint intercept traffic as well as to potentially identify key endpoint
software properties ("fingerprinting"), which can be used to direct software properties ("fingerprinting"), which can be used to direct
skipping to change at page 19, line 11 skipping to change at page 19, line 49
[RFC2780] Bradner, S., and V. Paxson, "IANA Allocation Guidelines [RFC2780] Bradner, S., and V. Paxson, "IANA Allocation Guidelines
For Values In the Internet Protocol and Related Headers", For Values In the Internet Protocol and Related Headers",
BCP 37, RFC 2780, March 2000. BCP 37, RFC 2780, March 2000.
[RFC3692] Narten, T., "Assigning Experimental and Testing Numbers [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers
Considered Useful", BCP 82, RFC 3962, Jan. 2004. Considered Useful", BCP 82, RFC 3962, Jan. 2004.
[RFC4727] Fenner, B., "Experimental Values in IPv4, IPv6, ICMPv4, [RFC4727] Fenner, B., "Experimental Values in IPv4, IPv6, ICMPv4,
ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006. ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006.
[RFC5246] Dierks, T., and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5405] Eggert, L., and G. Fairhurst, "Unicast UDP Usage [RFC5405] Eggert, L., and G. Fairhurst, "Unicast UDP Usage
Guidelines for Application Designers", BCP 145, RFC 5405, Guidelines for Application Designers", BCP 145, RFC 5405,
Nov. 2008. Nov. 2008.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, June 2010.
[RFC6335] Cotton, M., L. Eggert, J. Touch, M. Westerlund, and S. [RFC6335] Cotton, M., L. Eggert, J. Touch, M. Westerlund, and S.
Cheshire, "Internet Assigned Numbers Authority (IANA) Cheshire, "Internet Assigned Numbers Authority (IANA)
Procedures for the Management of the Service Name and Procedures for the Management of the Service Name and
Transport Protocol Port Number Registry", BCP 165, RFC Transport Protocol Port Number Registry", BCP 165, RFC
6335, August 2011. 6335, August 2011.
[RFC6347] Rescorla, E., and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012.
10.2. Informative References 10.2. Informative References
[IEN112] Postel, J., "Transmission Control Protocol", IEN 112, [IEN112] Postel, J., "Transmission Control Protocol", IEN 112,
August 1979. August 1979.
[RFC33] Crocker, S., "New Host-Host Protocol", RFC 33 February [RFC33] Crocker, S., "New Host-Host Protocol", RFC 33 February
1970. 1970.
[RFC37] Crocker, S., "Network Meeting Epilogue", RFC 37, March [RFC37] Crocker, S., "Network Meeting Epilogue", RFC 37, March
1970. 1970.
skipping to change at page 20, line 34 skipping to change at page 21, line 34
[RFC1700] Reynolds, J., and J. Postel, "Assigned numbers", RFC 1700, [RFC1700] Reynolds, J., and J. Postel, "Assigned numbers", RFC 1700,
October 1994. October 1994.
[RFC1812] Baker, F. (Ed.), "Requirements for IP Version 4 Routers", [RFC1812] Baker, F. (Ed.), "Requirements for IP Version 4 Routers",
RFC 1812, June 1995. RFC 1812, June 1995.
[RFC1833] Srinivasan, R., "Binding Protocols for ONC RPC Version 2", [RFC1833] Srinivasan, R., "Binding Protocols for ONC RPC Version 2",
RFC 1833, August 1995. RFC 1833, August 1995.
[RFC2595] Newman, C., "Using TLS with IMAP, POP3 and ACAP", RFC
2595, June 1999.
[RFC2644] Senie, D., "Changing the Default for Directed Broadcasts [RFC2644] Senie, D., "Changing the Default for Directed Broadcasts
in Routers", RFC 2644, August 1999. in Routers", RFC 2644, August 1999.
[RFC2817] Khare, R., and S. Lawrence, "Upgrading to TLS Within [RFC2817] Khare, R., and S. Lawrence, "Upgrading to TLS Within
HTTP/1.1", RFC 2817, May 2000. HTTP/1.1", RFC 2817, May 2000.
[RFC3232] Reynolds, J. (Ed.), "Assigned Numbers: RFC 1700 is [RFC3232] Reynolds, J. (Ed.), "Assigned Numbers: RFC 1700 is
Replaced by an On-line Database", RFC 3232, January 2002. Replaced by an On-line Database", RFC 3232, January 2002.
[RFC3261] Rosenberg, J., H. Schulzrinne, G. Camarillo, A. Johnston, [RFC3261] Rosenberg, J., H. Schulzrinne, G. Camarillo, A. Johnston,
J. Peterson, R. Sparks, M. Handley, and E. Schooler, "SIP: J. Peterson, R. Sparks, M. Handley, and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002. Session Initiation Protocol", RFC 3261, June 2002.
[RFC4301] Kent, S., and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC4340] Kohler, E., M. Handley, and S. Floyd, "Datagram Congestion [RFC4340] Kohler, E., M. Handley, and S. Floyd, "Datagram Congestion
Control Protocol (DCCP)", RFC 4340, March 2006. Control Protocol (DCCP)", RFC 4340, March 2006.
[RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol", [RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol",
RFC 4960, September 2007. RFC 4960, September 2007.
[RFC5245] Rosenberg, J., "Interactive Connectivity Establishment [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Protocol for Network Address Translator (NAT) (ICE): A Protocol for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols", RFC 5245, April Traversal for Offer/Answer Protocols", RFC 5245, April
2010. 2010.
[RFC5246] Dierks, T., and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5389] Rosenberg, J., R. Mahy, P. Matthews, and D. Wing, "Session [RFC5389] Rosenberg, J., R. Mahy, P. Matthews, and D. Wing, "Session
Traversal Utilities for NAT", RFC 5389, October 2008. Traversal Utilities for NAT", RFC 5389, October 2008.
[RFC5766] Mahy, R., P. Matthews, and J. Rosenberg, "Traversal Using [RFC5766] Mahy, R., P. Matthews, and J. Rosenberg, "Traversal Using
Relays around NAT (TURN): Relay Extensions to Session Relays around NAT (TURN): Relay Extensions to Session
Traversal Utilities for NAT (STUN)", RFC 5766, April 2010. Traversal Utilities for NAT (STUN)", RFC 5766, April 2010.
[RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS)
Extensions: Extension Definitions", RFC 6066, January Extensions: Extension Definitions", RFC 6066, January
2011. 2011.
 End of changes. 73 change blocks. 
211 lines changed or deleted 269 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/