> > - Conclusion 2: There is no reason for standards to uphold the
> > distinction between <1024 and >1024 any more.

> I agree that the requirement on UNIX-like systems to be root in order
> to bind to ports < 1024 is, in hindsight, a Bad Idea - but mostly
> because of insufficient privilege granularity.

If by "insufficient privilege granularity" you mean root confers other access,
I agree. But while not critical, it would also be useful to have finer
granularity in terms of who gets access to what ports.

>  I also think that
> trusting a source port as an indication of anything is a Bad Idea.

You bet.

> However, I do think that it's useful for there to be a range of port
> numbers that are only bound to a socket if an application specifically
> asks for one of those ports, as this would reduce the potential for
> accidental conflicts between servers needing to listen to a well-known
> port and servers for which any port would do.   And it would be
> appropriate for standards to respect this convention and assign
> well-known ports in the range of ports that would not be bound by
> default.

This also sounds reasonable.

> I also think that it would be reasonable for an OS to require
> privileges before it would allow an application to bind to certain
> ports.  But those ports would need to be explicitly enumerated
> somewhere, rather than merely being a range of numbers.

Yes, it clearly needs to be fully configurable. Perhaps some of the existing
internal firewall configuration mechanisms could be reused here...

                                Ned

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
