The argument for a scan is not that it will be comprehensive.

There's a huge amount of software out there that has started using
various ports in standard and non-standard ways; the more software
happens to use a given port, the more risk of remote attacks on ACME DV
via quirks or bugs in that software. So it would be best to do a scan to
pick a port that is comparatively unused in the wild.

On Tue, Nov 24, 2015 at 11:37:36AM -0500, Kathleen Moriarty wrote:
> I agree with Eliot, I don't think a scan is needed to make a decision
> here.  Having managed several networks that would not have allowed you
> access from some random scanner, I don't think you'll get all the data
> you are looking for.  In a well managed network, the IDS/IPS should
> detect that it is a scan and block all future probes once you hit a
> small number of ports/IPs.  So you may get a small sample with
> everything else failing within an address block.  Granted, not all
> networks are managed well and you may get a good amount of data.
> 
> If this connection was expected to a few servers, then a network
> manager might just allow those only on the assigned port.
> 
> Without any hat on, I agree that a port + 443 as an alternate is a good plan.
> 
> Kathleen
> 
> On Tue, Nov 24, 2015 at 8:11 AM, Randy Bush <ra...@psg.com> wrote:
> >> Isn't this precisely what .well-known was meant to address?
> >
> > fun small research project.  what percentage of well-known ports can
> > you connect to from the outside to a machine inside cisco?  hell, to
> > what percentage of well-known ports outside cisco can you reach from
> > inside?
> >
> > well-known does not correlate well with open to access by IT security
> > departments.
> >
> > randy
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
> 
> 
> 
> -- 
> 
> Best regards,
> Kathleen
> 

-- 
Peter Eckersley                            p...@eff.org
Chief Computer Scientist          Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
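
A small probe of the kind Randy describes (which well-known ports can you actually connect to from where you sit?), as an added example that is not part of any message in this thread. The outcome classes, the candidate port list and the inter-probe pause are my own assumptions: a completed handshake is reported as "open", an immediate RST as "closed" (the path is open even though nothing listens), and a timeout or ICMP unreachable as "filtered"; the pause is there because of Kathleen's point that an IDS/IPS may blacklist the source after a burst of probes, after which everything later reads as "filtered".

```python
"""Probe which TCP ports on a host accept a connection from where you sit.

Added example, not code from the ACME list thread.  Assumptions (mine):
- "open"     = TCP handshake completed
- "closed"   = immediate RST (nothing listening, but the path is open)
- "filtered" = timeout or ICMP unreachable (SYN dropped, e.g. by a
               firewall or IPS)
- CANDIDATE_PORTS is a constructed list, not anything ACME specifies.
"""
import socket
import sys
import time
from collections import Counter

CANDIDATE_PORTS = [22, 25, 80, 443, 8080, 8443]   # constructed sample


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # ENETUNREACH / EHOSTUNREACH from an ICMP error: also a block.
        return "filtered"
    finally:
        s.close()


def probe_ports(host, ports, timeout=2.0, delay=0.5):
    """Probe ports one at a time with a pause between them.

    The pause is a nod to the IDS/IPS caveat: a burst of SYNs to many
    ports may get the source blacklisted, and every later probe would
    then look 'filtered' regardless of the real policy.
    """
    results = {}
    for p in ports:
        results[p] = probe(host, p, timeout)
        time.sleep(delay)
    return results


def summarize(results):
    """Return (Counter of outcomes, fraction of ports whose path was
    reachable, i.e. 'open' or 'closed' rather than 'filtered')."""
    counts = Counter(results.values())
    total = len(results)
    reachable = (counts["open"] + counts["closed"]) / total if total else 0.0
    return counts, reachable


def local_selfcheck():
    """Offline check of the classifier against a loopback listener.

    Expected on a normal host: {'listening': 'open', 'after_close': 'closed'}.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    out = {"listening": probe("127.0.0.1", port, 1.0)}
    srv.close()                          # nothing listens now -> RST
    out["after_close"] = probe("127.0.0.1", port, 1.0)
    return out


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    pause = 0.0 if target == "127.0.0.1" else 0.5
    res = probe_ports(target, CANDIDATE_PORTS, delay=pause)
    counts, frac = summarize(res)
    for p in CANDIDATE_PORTS:
        print(f"{target}:{p}\t{res[p]}")
    print(f"path reachable on {frac:.0%} of {len(res)} ports: {dict(counts)}")
```

Run it as `python probe_ports.py some.host.example` from inside and from outside the network you care about and compare the two summaries; a port that is "closed" from both sides is a candidate that the network lets through, while "filtered" from outside only is the IT-security-department case Randy describes. Point it only at hosts you are allowed to probe.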
