Stephane Bortzmeyer writes:

> On Sun, Mar 19, 2006 at 12:42:17PM -0800,
> Ned Freed <ned.freed at mrochek.com> wrote a message of 35 lines which said:
>
> > The privileged port concept has some marginal utility on multiuser systems where you don't want Joe-random-user to grab some port for a well known service.
>
> "had", not "has". The concept was invented at a time when multi-user machines were rare and expensive monsters. So, a request coming from source port 513 probably was "serious". Today, any high-school student is root on his PC and therefore this protection is almost useless.
It never was a protection against malevolent students but it still is a protection against silly mistakes.

Just try "accidentally" 'cd / ; rm -R *'

You know what I mean with silly mistakes. It makes a difference being root or being user joe when you "accidentally" execute the shown command. Mistakes like that do happen.
> Stephane, you are thinking of a different "security mechanism" based on ports <1024 - the one used by the infamous Berkeley r* utilities to decide whether to trust a client's credentials. This mechanism doesn't use well-known ports, but "ephemeral" ports <1024 on the client side. I think it is fairly much consensus that this kind of mechanism has become useless years ago, for the reason you state.
Behind closed doors and on virtual machines they still work remarkably well. It would be overkill to run an sshd on each of the virtual machines. So would be logging in as root to directly access the virtual root directories.
> What we are collecting input on is for which kinds of use (if any) a privileged/well-known (as opposed to just IANA "registered") *server* port makes sense.
Some 70% of all server machines run operating systems that have a notion of multiuser and of privileged user. Only servers are allowed access to the privileged well-known ports. Allowing non-privileged programmes access to the privileged ports leads to disaster.

Moving the 1K border for well-known ports up to 16K would be nice in the long run.

I agree, on client-only machines the distinction between well-known and not so well-known ports does not make much sense. But those clients cannot live without their servers and the servers would not survive very long without their well-known ports.
--
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
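The thread argues about whether the "only a privileged process may bind a port below 1024" rule still buys anything on a server. The following script is an added illustration, not part of the thread and not code by any of its authors: it checks, on the host it runs on, whether the kernel actually enforces that rule for the current process, and on Linux also reads the `net.ipv4.ip_unprivileged_port_start` sysctl (present since Linux 4.11) that lets an administrator move the border the thread discusses. The port numbers 1023 and 0 (ephemeral) are assumptions chosen for the check; it binds briefly and never listens.

```python
"""Check whether this OS restricts binding of privileged (<1024) TCP ports.

Added example for the privileged-port discussion; not part of the mailing
list thread. It only binds and immediately closes the socket.
"""
import errno
import os
import socket

# Linux-only sysctl that lowers the privileged-port boundary (Linux >= 4.11).
_UNPRIV_START = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def try_bind(port: int, host: str = "0.0.0.0") -> str:
    """Bind a TCP socket to host:port and report the outcome.

    Returns "bound", "permission_denied", "in_use" or "error:<ERRNO_NAME>".
    The wildcard address is used so the result does not depend on which
    interfaces are configured; the socket is closed before returning.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        return "bound"
    except PermissionError:
        # EACCES: the kernel refused because port < 1024 and we lack privilege
        return "permission_denied"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in_use"
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def unprivileged_port_start():
    """Return the Linux ip_unprivileged_port_start value, or None elsewhere."""
    try:
        with open(_UNPRIV_START) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def assess(low_port: int = 1023) -> dict:
    """Probe one privileged port and one ephemeral port and explain the result."""
    euid = os.geteuid() if hasattr(os, "geteuid") else -1
    low = try_bind(low_port)
    high = try_bind(0)  # port 0: kernel picks an unprivileged ephemeral port
    if low == "permission_denied":
        verdict = "enforced: this process cannot bind port %d" % low_port
    elif euid == 0:
        verdict = "not testable: running as root (euid 0), restriction does not apply"
    elif low == "bound":
        verdict = ("not enforced: unprivileged process bound port %d "
                   "(capability, lowered ip_unprivileged_port_start, or non-Unix OS?)"
                   % low_port)
    else:
        verdict = "inconclusive: " + low
    return {
        "euid": euid,
        "low_port": low_port,
        "low": low,
        "ephemeral": high,
        "ip_unprivileged_port_start": unprivileged_port_start(),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in assess().items():
        print("%-28s %s" % (k + ":", v))
```

Run it once as an ordinary user and once as root to see both sides of the rule Peter relies on: an unprivileged process gets `permission_denied` on port 1023 while the ephemeral bind succeeds, whereas root (or a process holding `CAP_NET_BIND_SERVICE` on Linux) binds both. If `ip_unprivileged_port_start` reports something other than 1024, the administrator has already moved the border, which is exactly the knob the thread's "1K border" remark is about (Linux allows moving it down, not up).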