Re: Guidance needed on well known ports
On Mon, 2006-03-20 at 12:09 +0100, Stephane Bortzmeyer wrote:
> Ned Freed [EMAIL PROTECTED] wrote:
>> The privileged port concept has some marginal utility on multiuser
>> systems where you don't want Joe-random-user to grab some port for a
>> well known service.
>
> had, not has. The concept was invented at a time when multi-user
> machines were rare and expensive monsters. So, a request coming from
> source port 513 probably was serious. Today, any high school student is
> root on his PC and therefore this protection is almost useless.

you shouldn't allow unrestricted access to the network from unmanaged
hosts; that's a recipe for disaster. consider rogue DHCP servers, for
instance.

we still use host based authentication for port 514 (rsh) on strictly
managed networks as a supplement to SSH. this requires physical security
for network equipment or exposed hosts (not users) doing 802.1x
authentication. the protection is not useless in that environment.

-- 
Kjetil T.

___ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
Re: Guidance needed on well known ports
On Mon, 2006-03-20 at 11:51 -0500, Keith Moore wrote:
>> you shouldn't allow unrestricted access to the network from unmanaged
>> hosts; that's a recipe for disaster.
>
> no, what's a disaster is to use source IP addresses or port numbers as
> an indication of trustworthiness on any network that extends beyond a
> single room. the notion that you can manage significant numbers of
> hosts to ensure their trustworthiness is delusional.

I don't see any contradiction in what you and I are saying, although I
would extend "single" to "handful". in any case, it's getting off topic
for the issue at hand, so please continue discussion in private if you
care to respond.

-- 
Kjetil T.
Re: Guidance needed on well known ports
On Sat, 2006-03-18 at 09:38 -0800, Eliot Lear wrote:
> This therefore leads to two questions for the community:
>
> 1. Are well known ports archaic? If so, can we request that the IANA
>    do away with the distinction?
> 2. If they are not archaic, under what circumstances should they be
>    allocated?

new protocols cannot rely on the security the privileged ports provide,
but there are still many such protocols in use (e.g. LPD, port 515), and
so the distinction is useful for administrators configuring userspace's
access to ports on workstations.

> My own opinion: They are archaic and the distinction should be dropped.
> Many operating systems do not make the distinction (particularly
> special purpose ones) and those that do would be better off providing
> a finer grain control over what processes can bind to ports.

in 2006, if there are DoS or other problems with a protocol which can be
solved by using privileged ports, it shouldn't be published. so it
should be a "don't care" which block is used for allocation these days.

-- 
Kjetil T.
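The bind-time check the message above argues about, as an added example that is not part of the thread and not code from any of its participants. It probes what happens when a process tries to bind a port below the privileged threshold, and reads the knob that later Linux kernels expose as the "finer grain control" Eliot asks for: the sysctl net.ipv4.ip_unprivileged_port_start (default 1024; a lower value moves the boundary), alongside the CAP_NET_BIND_SERVICE capability that lets a non-root binary bind low ports. The threshold-prediction helper assumes the classic 1024 boundary on hosts without that sysctl and does not see capabilities; the port table is a constructed sample taken from the ports the thread mentions.

```python
"""Probe the privileged-port boundary from user space (added example)."""
import errno
import os
import socket

# Constructed sample: the BSD "well known" ports mentioned in the thread.
WELL_KNOWN_PORTS = {"rlogin": 513, "rsh": 514, "lpd": 515}

SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"  # Linux only


def privileged_port_start():
    """Return the first port an unprivileged process may bind, or None.

    Linux exposes this as net.ipv4.ip_unprivileged_port_start; hosts without
    the file (non-Linux, old kernels, restricted /proc) return None.
    """
    try:
        with open(SYSCTL_PATH) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def try_bind(port, host="127.0.0.1"):
    """Attempt a TCP bind on `port` and classify the outcome.

    Returns 'bound', 'denied' (EACCES/EPERM: privileged port without root or
    CAP_NET_BIND_SERVICE), 'in_use' (EADDRINUSE) or 'error:<errno name>'.
    The socket is closed before returning, so the probe never holds the port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return "bound"
    except OSError as e:
        if e.errno in (errno.EACCES, errno.EPERM):
            return "denied"
        if e.errno == errno.EADDRINUSE:
            return "in_use"
        return "error:%s" % errno.errorcode.get(e.errno, e.errno)
    finally:
        s.close()


def bound_port(host="127.0.0.1"):
    """Bind port 0 (kernel picks a free ephemeral port) and return its number.

    This is the unprivileged path every process may take; contrast with the
    low ports in WELL_KNOWN_PORTS.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def expected_outcome(port):
    """Predict try_bind()'s result from identity and threshold, without binding.

    Assumption: below the threshold only euid 0 succeeds; the classic 1024
    boundary is assumed where the sysctl is absent. File capabilities
    (setcap cap_net_bind_service=+ep) are not visible here, so a capability-
    bearing binary can get 'bound' where this predicts 'denied'.
    """
    start = privileged_port_start()
    if start is None:
        start = 1024  # assumed classic BSD threshold
    euid = getattr(os, "geteuid", lambda: -1)()
    if port >= start or euid == 0:
        return "bound"
    return "denied"


if __name__ == "__main__":
    print("unprivileged ports start at:", privileged_port_start())
    for name, port in WELL_KNOWN_PORTS.items():
        print("%-6s %5d: predicted %-6s actual %s"
              % (name, port, expected_outcome(port), try_bind(port)))
    print("ephemeral bind gave port", bound_port())
```

Run it once as an ordinary user and once as root (or after `setcap cap_net_bind_service=+ep` on the interpreter) to see the same code path flip from 'denied' to 'bound'; that per-binary capability, or a lowered ip_unprivileged_port_start, is the finer-grained control that replaces the blanket "root only below 1024" rule.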
Re: Multinational Internet or Balkanization?
On Fri, 2006-03-03 at 13:00 +0100, JFC (Jefsey) Morfin wrote:
> At 07:32 03/03/2006, Martin Duerst wrote:
>> You mix up technology and policy. Technology-wise, the Chinese are not
>> doing anything else than anybody else (read IDNA/Punycode, ...), plus
>> probably some 8-bit stuff based on GB2312 and maybe even UTF-8 for
>> backwards compatibility with earlier experiments.
>
> Dear Martin,
> It would be no use to tell you that you confuse many things. I would
> only suggest that you test and understand rather than guessing. The
> Chinese set-up is very simple. But it belongs to a standard (every
> other global network system) culture which is not (yet?) the IETF
> culture.

well, what Martin writes makes sense to me. I'm afraid I have no idea
what you are trying to say, however.

>> (Speaking in Phillip's terms, the IETF has already defined how to add
>> a 'j' key to a telephone, and most telephones already have one, or an
>> equivalent.)
>
> I do not understand what Phillip means?

a complex number has a real and an imaginary part, and the imaginary
part is denoted with a j (well, engineers use j, mathematicians tend to
use i). Phillip noted that MIT could use complex telephone numbers for
internal use without impacting worldwide telephone routing, since they'd
use an orthogonal name space.

> ICANN did their job. Their IDN list is two years old. They had an IDN
> committee in parallel with the WG-IDNA. The list has 2 mails. The
> committee was lost. We discussed that extensively at the WG-IDNA. The
> documentation is as confused as it is unworkable. Phillip's corporation
> had invested a lot of money, time and effort in this. They had the
> customer base, signed a significant number of registrants, and toured
> the world to explain and motivate Registrars, ISPs and ccTLDs. They
> were not alone. They only met scepticism, disinterest and lack of
> registrant renewal.

I don't know the history, but the recent reports
http://icann.org/topics/gnso-initial-rpt-new-gtlds-19feb06.pdf and
http://www.icann.org/general/idn-guidelines-22feb06.htm seem promising
to me. there is wide consensus that new gTLDs should be added, and
allowing IDNA labels as gTLDs will force its way through. adding
xn--fiqs8s, xn--55qx5d and xn--io0a7i to the root servers may not happen
tomorrow, but I'm sure the process will take us there in reasonable time.

but this is an ICANN issue, and not related to the protocols at all. the
protocols have all the support we need to implement whatever policy is
decided.

> The problem is in the RFC. Nowhere else.

which RFC?

-- 
Kjetil T.