idnits 2.17.1 draft-ietf-tsvwg-port-use-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (September 17, 2014) is 3501 days in the past. Is this intentional? Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5405 (Obsoleted by RFC 8085) -- Obsolete informational reference (is this intentional?): RFC 61 (Obsoleted by RFC 62) -- Obsolete informational reference (is this intentional?): RFC 739 (Obsoleted by RFC 750) -- Obsolete informational reference (is this intentional?): RFC 758 (Obsoleted by RFC 762) -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 820 (Obsoleted by RFC 870) -- Obsolete informational reference (is this intentional?): RFC 900 (Obsoleted by RFC 923) -- Obsolete informational reference (is this intentional?): RFC 1340 (Obsoleted by RFC 1700) -- Obsolete informational reference (is this intentional?): RFC 1700 (Obsoleted by RFC 3232) -- Obsolete informational reference (is this intentional?): RFC 2543 (Obsoleted by RFC 3261, RFC 3262, RFC 3263, RFC 3264, RFC 3265) -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 3546 (Obsoleted by RFC 4366) -- Obsolete informational reference (is this intentional?): RFC 4020 (Obsoleted by RFC 7120) -- Obsolete informational reference (is this intentional?): RFC 4960 (Obsoleted by RFC 9260) -- Obsolete informational reference (is this intentional?): RFC 5245 (Obsoleted by RFC 8445, RFC 8839) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 5389 (Obsoleted by RFC 8489) -- Obsolete informational reference (is this intentional?): RFC 5766 (Obsoleted by RFC 8656) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 18 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 TSVWG J. Touch 2 Internet Draft USC/ISI 3 Intended status: Best Current Practice September 17, 2014 4 Expires: March 2015 6 Recommendations for Transport Port Number Uses 7 draft-ietf-tsvwg-port-use-05.txt 9 Status of this Memo 11 This Internet-Draft is submitted in full conformance with the 12 provisions of BCP 78 and BCP 79. 14 Internet-Drafts are working documents of the Internet Engineering 15 Task Force (IETF), its areas, and its working groups. Note that 16 other groups may also distribute working documents as Internet- 17 Drafts. 19 Internet-Drafts are draft documents valid for a maximum of six 20 months and may be updated, replaced, or obsoleted by other documents 21 at any time. It is inappropriate to use Internet-Drafts as 22 reference material or to cite them other than as "work in progress." 24 The list of current Internet-Drafts can be accessed at 25 http://www.ietf.org/ietf/1id-abstracts.txt 27 The list of Internet-Draft Shadow Directories can be accessed at 28 http://www.ietf.org/shadow.html 30 This Internet-Draft will expire on March 17, 2015. 32 Copyright Notice 34 Copyright (c) 2014 IETF Trust and the persons identified as the 35 document authors. All rights reserved. 37 This document is subject to BCP 78 and the IETF Trust's Legal 38 Provisions Relating to IETF Documents 39 (http://trustee.ietf.org/license-info) in effect on the date of 40 publication of this document. Please review these documents 41 carefully, as they describe your rights and restrictions with 42 respect to this document. Code Components extracted from this 43 document must include Simplified BSD License text as described in 44 Section 4.e of the Trust Legal Provisions and are provided without 45 warranty as described in the Simplified BSD License. 47 Abstract 49 This document provides recommendations to application and service 50 designers on how to use the transport protocol port number space. IT 51 complements (but does not update) RFC6335, which focuses on IANA 52 process. 54 Table of Contents 56 1. Introduction...................................................2 57 2. Conventions used in this document..............................3 58 3. History........................................................3 59 4. Current Port Number Use........................................4 60 5. What is a Port Number?.........................................5 61 6. Conservation...................................................7 62 6.1. Guiding Principles........................................7 63 6.2. Firewall and NAT Considerations...........................8 64 7. How to Use Assigned Port Numbers...............................9 65 7.1. Is a port number assignment necessary?....................9 66 7.2. How Many Port Numbers?...................................11 67 7.3. Picking a Port Number....................................11 68 7.4. Support for Security.....................................13 69 7.5. Support for Future Versions..............................14 70 7.6. Transport Protocols......................................14 71 7.7. When to Request an Assignment............................15 72 7.8. Squatting................................................17 73 7.9. Other Considerations.....................................17 74 8. Security Considerations.......................................17 75 9. IANA Considerations...........................................18 76 10. References...................................................18 77 10.1. Normative References....................................18 78 10.2. Informative References..................................19 79 11. Acknowledgments..............................................21 81 1. Introduction 83 This document provides information and advice to system designers on 84 the use of transport port numbers. It provides a detailed historical 85 background of the evolution of transport port numbers and their 86 multiple meanings. It also provides specific recommendations to 87 system designers on how to use assigned port numbers. Note that this 88 document provides information to potential port number applicants 89 that complements the IANA process described in BCP165 [RFC6335], but 90 it does not update that document. 92 2. Conventions used in this document 94 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 95 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 96 document are to be interpreted as described in RFC-2119 [RFC2119]. 98 In this document, these words will appear with that interpretation 99 only when in ALL CAPS. Lower case uses of these words are not to be 100 interpreted as carrying RFC-2119 significance. 102 In this document, the characters ">>" preceding an indented line(s) 103 indicates a compliance requirement statement using the key words 104 listed above. This convention aids reviewers in quickly identifying 105 or finding the explicit compliance requirements of this RFC. 107 3. History 109 The term 'port' was first used in [RFC33] to indicate a simplex 110 communication path from an individual process and originally applied 111 to only the Network Control Program (NCP) connection-oriented 112 protocol. At a meeting described in [RFC37], an idea was presented 113 to decouple connections between processes and links that they use as 114 paths, and thus to include numeric source and destination socket 115 identifiers in packets. [RFC38] provides further detail, describing 116 how processes might have more than one of these paths and that more 117 than one path may be active at a time. As a result, there was the 118 need to add a process identifier to the header of each message so 119 that incoming messages could be demultiplexed to the appropriate 120 process. [RFC38] further suggested that 32 bit numbers would be used 121 for these identifiers. [RFC48] discusses the current notion of 122 listening on a specific port number, but does not discuss the issue 123 of port number determination. [RFC61] notes that the challenge of 124 knowing the appropriate port numbers is "left to the processes" in 125 general, but introduces the concept of a "well-known" port number 126 for common services. 128 [RFC76] proposed a "telephone book" by which an index would allow 129 port numbers to be used by name, but still assumed that both source 130 and destination port numbers are fixed by such a system. [RFC333] 131 proposed that a port number pair, rather than an individual port 132 number, would be used on both sides of the connection for 133 demultiplexing messages. This is the final view in [RFC793] (and its 134 predecessors, including [IEN112]), and brings us to their current 135 meaning. [RFC739] introduced the notion of generic reserved port 136 numbers for groups of protocols, such as "any private RJE server" 137 [RFC739]. Although the overall range of such port numbers was (and 138 remains) 16 bits, only the first 256 (high 8 bits cleared) in the 139 range were considered assigned. 141 [RFC758] is the first to describe port numbers as being used for TCP 142 (previous RFCs all refer to only NCP). It includes a list of such 143 well-known port numbers, as well as describing ranges used for 144 different purposes: 146 Binary Octal 148 ----------------------------------------------------------- 150 0-63 0-77 Network Wide Standard Function 152 64-127 100-177 Hosts Specific Functions 154 128-223 200-337 Reserved for Future Use 156 224-255 340-377 Any Experimental Function 158 In [RFC820] those range meanings disappeared, and a single list of 159 number assignments is presented. This is also the first time that 160 port numbers are described as applying to a connectionless transport 161 (UDP) rather than only connection-oriented transports. 163 By [RFC900] the ranges appeared as decimal numbers rather than the 164 octal ranges used previously. [RFC1340] increased this range from 165 0..255 to 0..1023, and began to list TCP and UDP port number 166 assignments individually (although the assumption was that once 167 assigned a port number applies to all transport protocols, including 168 TCP, UDP, recently SCTP and DCCP, as well as ISO-TP4 for a brief 169 period in the early 1990s). [RFC1340] also established the 170 Registered range of 1024-59151, though it notes that it is not 171 controlled by the IANA at that point. The list provided by [RFC1700] 172 in 1994 remained the standard until it was declared replaced by an 173 on-line version, as of [RFC3232] in 2002. 175 4. Current Port Number Use 177 RFC6335 indicates three ranges of port number assignments: 179 Binary Hex 181 ----------------------------------------------------------- 183 0-1023 0x03FF System (also Well-Known) 185 1024-49151 0x0400-0xBFFF User (also Registered) 187 49152-65535 0xC000-0xFFFF Dynamic (also Private) 189 System (also Well-Known) encompasses the range 0..1023. On some 190 systems, use of these port numbers requires privileged access, e.g., 191 that the process run as 'root' (i.e., as a privileged user), which 192 is why these are referred to as System port numbers. The port 193 numbers from 1024..49151 denotes non-privileged services, known as 194 User (also Registered), because these port numbers do not run with 195 special privileges. Dynamic (also Private) port numbers are not 196 assigned. 198 Both System and User port numbers are assigned through IANA, so both 199 are sometimes called 'registered port numbers'. As a result, the 200 term 'registered' is ambiguous, referring either to the entire range 201 0-49151 or to the User port numbers. Complicating matters further, 202 System port numbers do not always require special (i.e., 'root') 203 privilege. For clarity, the remainder of this document refers to the 204 port number ranges as System, User, and Dynamic, to be consistent 205 with IANA process [RFC6335]. 207 5. What is a Port Number? 209 A port number is a 16-bit number used for two distinct purposes: 211 o Demultiplexing transport endpoint associations within an end 212 host 214 o Identifying a service 216 The first purpose requires that each transport endpoint association 217 (e.g., TCP connection or UDP pairwise association) using a given 218 transport between a given pair of IP addresses use a different pair 219 of port numbers, but does not require either coordination or 220 registration of port number use. It is the second purpose that 221 drives the need for a common registry. 223 Consider a user wanting to run a web server. That service could run 224 on any port number, provided that all clients knew what port number 225 to use to access that service at that host. Such information can be 226 distributed out-of-band, e.g., in the URI: 228 http://www.example.com:51509/ 230 Ultimately, the correlation of a service with a port number is an 231 agreement between just the two endpoints of the association. A web 232 server can run on port number 53, which might appear as DNS traffic 233 to others but will connect to browsers that know to use port number 234 53 rather than 80. 236 As a concept, a service is the combination of ISO Layers 5-7 that 237 represents an application protocol capability. For example www (port 238 number 80) is a service that uses HTTP as an application protocol 239 and provides access to a web server [RFC2616]. However, it is 240 possible to use HTTP for other purposes, such as command and 241 control. This is why some current service names (HTTP, e.g.) are a 242 bit overloaded - they describe not only the application protocol, 243 but a particular service. 245 IANA assigns port numbers so that Internet endpoints do not need 246 pairwise, explicit coordination of the meaning of their port 247 numbers. This is the primary reason for requesting assigned port 248 numbers with IANA - to have a common agreement between all endpoints 249 on the Internet as to the default meaning of a port number. 251 Port numbers are sometimes used by intermediate devices on a network 252 path, either to monitor available services, to monitor traffic 253 (e.g., to indicate the data contents), or to intercept traffic (to 254 block, proxy, relay, aggregate, or otherwise process it). In each 255 case, the intermediate device interprets traffic based on the port 256 number. It is important to recognize that any interpretation of port 257 numbers - except at the endpoints - may be incorrect, because port 258 numbers are meaningful only at the endpoints. Further, port numbers 259 may not be visible to these intermediate devices, such as when the 260 transport protocol is encrypted (as in network- or link-layer 261 tunnels), or when a packet is fragmented (in which case only the 262 first fragment has the port number information). Such port number 263 invisibility may interfere with these in-network port number-based 264 capabilities. 266 Port numbers can also be useful for other purposes. Assigned port 267 numbers can simplify end system configuration, so that individual 268 installations do not need to coordinate their use of arbitrary port 269 numbers. Such assignments can also simplify firewall management, so 270 that a single, fixed firewall configuration can either permit or 271 deny a service. 273 It is useful to differentiate a port number from a service name. The 274 former is a numeric value that is used directly in transport 275 protocol headers as a demultiplexing and service identifier. The 276 latter is primarily a user convenience, where the default map 277 between the two is considered static and resolved using a cached 278 index. This document focuses on the former because it is the 279 fundamental network resource. Dynamic maps between the two, i.e., 280 using DNS SRV records, are discussed further in Section 7.1. 282 6. Conservation 284 Assigned port numbers are a limited resource that is globally shared 285 by the entire Internet community. As of 2014, approximately 5850 TCP 286 and 5570 UDP port numbers have been assigned out of a total range of 287 49151. As a result of past conservation, current port use is small 288 and the current rate of assignment avoids the need for transition to 289 larger number spaces. This conservation also helps avoid the need 290 for IANA to rely on port number reclamation, which is practically 291 impossible even though procedurally permitted [RFC6335]. 293 IANA aims to assign only one port number per service, including 294 variants [RFC6335], but there are other benefits to using fewer port 295 numbers for a given service. Use of multiple port numbers can make 296 applications more fragile, especially when firewalls block a subset 297 of those port numbers or use ports numbers to route or prioritize 298 traffic differently. As a result: 300 >> Each port requested MUST be justified as independently necessary. 302 6.1. Guiding Principles 304 This document provides recommendations for users that also help 305 conserve port number space. Again, this document does not update 306 BCP165 [RFC6335], which describes the IANA procedures for managing 307 transport port numbers and services. Port number conservation is 308 based on a number of basic principles: 310 o A single assigned port number can support different functions 311 over separate endpoint associations, determined using in-band 312 information. An FTP data connection can transfer binary or 313 text files, the latter translating line-terminators, as 314 indicated in-band over the control port number [RFC959]. 316 o A single assigned port number can indicate the Dynamic port 317 number(s) on which different capabilities are supported, as 318 with passive-mode FTP [RFC959]. 320 o Several existing services can indicate the Dynamic port 321 number(s) on which other services are supported, such as with 322 mDNS and portmapper [RFC1833] [RFC6762] [RFC6763]. 324 o Copies of an existing service can be differentiated by using 325 different IP addresses, either on different hosts or as 326 different real or virtual interfaces (or even operating 327 systems) on the same host. 329 o Copies of some existing services can be differentiated using 330 in-band information (e.g., URIs in HTTP Host field and TLS 331 Server Name Indication extension) [RFC2616] [RFC3546]. 333 o Services requiring varying performance properties can already 334 be supported using separate endpoint associations (connections 335 or other associations), each configured to support the desired 336 properties. 338 Port numbers are intended to differentiate services, not variations 339 of performance, replicas, pairwise endpoint associations, or payload 340 types. Port numbers are also a small space compared to other 341 Internet number spaces; it is never appropriate to consume port 342 numbers to conserve larger spaces such as IP addresses. 344 6.2. Firewall and NAT Considerations 346 Assigned port numbers are useful for configuring firewalls and other 347 port-based systems for access control. Ultimately, these port 348 numbers indicate services only to the endpoints, and any 349 intermediate device that assigns meaning to a value can be 350 incorrect. End systems might agree to run web services (HTTP) over 351 port number 53 (typically used for DNS) rather than port number 80, 352 at which point a firewall that blocks port number 80 but permits 353 port number 53 would not have the desired effect. However, assigned 354 port numbers often are important in helping configure firewalls. 356 Using Dynamic port numbers, or explicitly-indicated port numbers 357 indicated in-band over another service (such as with FTP) often 358 complicates firewall and NAT interactions [RFC959]. FTP over 359 firewalls often requires direct support for deep-packet inspection 360 (to snoop for the Dynamic port number for the NAT to correctly map) 361 or passive-mode FTP (in which both connections are opened from the 362 client side). 364 7. How to Use Assigned Port Numbers 366 Port numbers are assigned by IANA by a set of documented procedures 367 [RFC6335]. The following section describes the steps users can take 368 to help assist with the use of assigned port numbers, and with 369 preparing an application for a port number assignment. 371 7.1. Is a port number assignment necessary? 373 First, it is useful to consider whether a port number assignment is 374 required. In many cases, a new number assignment may not be needed, 375 for example: 377 o Is this really a new service, or can an existing service 378 suffice? 380 o Is this an experimental service [RFC3692]? If so, consider 381 using the current experimental ports [RFC2780]. 383 o Is this service independently useful? Some systems are 384 composed from collections of different service capabilities, 385 but not all component functions are useful as independent 386 services. Port numbers are typically shared among the smallest 387 independently-useful set of functions. Different service uses 388 or properties can be supported in separate pairwise endpoint 389 associations after an initial negotiation, e.g., to support 390 software decomposition. 392 o Can this service use a Dynamic port number that is coordinated 393 out-of-band, e.g.: 395 o By explicit configuration of both endpoints. 397 o By shared information within the same host (e.g., a 398 configuration file or indicated within a URI). 400 o Using information exchanged on a related service: FTP, SIP, 401 etc. [RFC959] [RFC2543]. 403 o Using an existing port discovery service: portmapper, mDNS, 404 etc. [RFC1833] [RFC6762] [RFC6763]. 406 There are a few good examples of reasons that more directly suggest 407 that not only is a port number not necessary, but it is directly 408 counter-indicated: 410 o Port numbers are not intended to differentiate performance 411 variations within the same service, e.g., high-speed vs. 412 ordinary speed. Performance variations can be supported within 413 a single port number in context of separate pairwise endpoint 414 associations. 416 o Additional port numbers are not intended to replicate an 417 existing service. For example, if a device is configured to 418 use a typical web browser then it the port number used for 419 that service is a copy of the http service that is already 420 assigned to port number 80 and does not warrant a new 421 assignment. However, an automated system that happens to use 422 HTTP framing - but cannot be accessed by a browser - might be 423 a new service. A good way to tell is "can an unmodified client 424 of the existing service interact with the proposed service"? 425 If so, that service would be a copy of an existing service and 426 does not merit a new assignment. 428 o Separate port numbers are not intended for insecure versions 429 of existing (or new) secure services. A service that already 430 requires security would be made more vulnerable by having the 431 same capability accessible without security. 433 Note that the converse is different, i.e., it can be useful to 434 create a new, secure service that replicates an existing 435 insecure service on a new port number assignment. This can be 436 necessary when the existing service is not backward-compatible 437 with security enhancements, such as the use of TLS [RFC5246]. 439 o Port numbers are not intended for indicating different service 440 versions. Version differentiation should be handled in-band, 441 e.g., using a version number at the beginning of an 442 association (e.g., connection or other transaction). This may 443 not be possible with legacy assignments, but all new 444 assignments should incorporate support for version indication. 446 Some users may not need assigned port numbers at all, e.g., SIP 447 allows voice calls to use Dynamic ports [RFC2543]. Some systems can 448 register services in the DNS, using SRV entries. These services can 449 be discovered by a variety of means, including mDNS, or via direct 450 query [RFC6762] [RFC6763]. In such cases, users can more easily 451 request a SRV name, which are assigned first-come, first-served from 452 a much larger namespace. 454 IANA assigns port numbers, but this assignment is typically used 455 only for servers, i.e., the host that listens for incoming 456 connections or other associations. Clients, i.e., hosts that 457 initiate connections or other associations, typically refer to those 458 assigned port numbers but do not need port number assignments for 459 their endpoint. 461 Finally, an assigned port number is not a guarantee of exclusive 462 use. Traffic for any service might appear on any port number, due to 463 misconfiguration or deliberate misuse. Service designers are 464 encouraged to validate traffic based on its content. 466 7.2. How Many Port Numbers? 468 As noted earlier, systems might require a single port number 469 assignment, but rarely require multiple port numbers. There are a 470 variety of known ways to reduce port number use. Although some may 471 be cumbersome or inefficient, they are always preferable to 472 consuming additional port numbers. 474 Such techniques include: 476 o Use of a discovery service, either a shared service (mDNS), or 477 a discovery service for a given system [RFC6762] [RFC6763]. 479 o Multiplex packet types using in-band information, either on a 480 per-message or per-connection basis. Such demultiplexing can 481 even hand-off different messages and connections among 482 different processes, such as is done with FTP [RFC959]. 484 There are some cases where it is still important to have assigned 485 port numbers, largely to traverse either NATs or firewalls. Although 486 automatic configuration protocols have been proposed and developed 487 (e.g., STUN [RFC5389], TURN [RFC5766], and ICE [RFC5245]), system 488 designers cannot yet rely on their presence. 490 In the past, some services were assigned multiple port numbers or 491 sometimes fairly large port ranges (e.g., X11). This occurred for a 492 variety of reasons: port number conservation was not as widely 493 appreciated, assignments were not as ardently reviewed, etc. This no 494 longer reflects current practice and such assignments are not 495 considered to constitute a precedent for future assignments. 497 7.3. Picking a Port Number 499 Given a demonstrated need for a port number assignment, the next 500 question is how to pick the desired port number. An application for 501 a port number assignment does not need to include a desired port 502 number; in that case, IANA will select from those currently 503 available. 505 Users should consider whether the requested port number is 506 important. For example, would an assignment be acceptable if IANA 507 picked the port number value? Would a TCP (or other transport 508 protocol) port number assignment be useful by itself? If so, a TCP 509 (UDP) port number can be assigned whose port number is already (or 510 can be subsequently) assigned to a different transport protocol. 512 The most critical issue in picking a number is selecting the desired 513 range, i.e., System vs. User port numbers. The distinction was 514 intended to indicate a difference in privilege; originally, System 515 port numbers required privileged ('root') access, while User port 516 numbers did not. That distinction has since blurred because some 517 current systems do not limit access control to System port numbers 518 and because some System services have been replicated on User 519 numbers (e.g., IRC). Even so, System port number assignments have 520 continued at an average rate of 3-4 per year over the past 7 years 521 (2007-2013), indicating that the desire to keep this distinction 522 continues. 524 As a result, the difference between System and User port numbers 525 needs to be treated with caution. Developers are advised to treat 526 services as if they are always run without privilege. As a result: 528 >> Developers SHOULD NOT apply for System port numbers because the 529 increased privilege they are intended to provide is not always 530 enforced. 532 Even when developers seek a System port number, it may be very 533 difficult to obtain. System port number assignment requires IETF 534 Review or IESG Approval and justification that both User and Dynamic 535 port number ranges are insufficient [RFC6335]. 537 >> System implementers SHOULD enforce the need for privilege for 538 processes to listen on System port numbers. 540 At some future date, it might be useful to deprecate the distinction 541 between System and User port numbers altogether. Services typically 542 require elevated ('root') privileges to bind to a System port 543 number, but many such services go to great lengths to immediately 544 drop those privileges just after connection or other association 545 establishment to reduce the impact of an attack using their 546 capabilities. Such services might be more securely operated on User 547 port numbers than on System port numbers. Further, if System port 548 numbers were no longer assigned, as of 2014 it would cost only 180 549 of the 1024 System values (17%), or 180 of the overall 49152 550 assigned (System and User) values (<0.04%). 552 7.4. Support for Security 554 Just as a service is a way to obtain information or processing from 555 a host over a network, a service can also be the opening through 556 which to attack that host. This vulnerability can be mitigated a 557 number of ways: 559 >> New services SHOULD support security, either directly or via a 560 secure transport such as TLS [RFC5246]. 562 >> Insecure versions of new or existing secure services SHOULD be 563 avoided because of the new vulnerability they create. 565 >> When simultaneously requesting both a secure and an insecure 566 port, strong justification MUST be provided for the insecure port. 567 Precedent (citing other protocols that use an insecure port) is not 568 strong justification by itself. A strong case for utility of the 569 insecure service is REQUIRED for approval of the insecure port. 571 >> Security SHOULD NOT rely on port number distinctions alone; every 572 service, whether secure or not, is likely to be attacked. 574 There is debate as to how to secure legacy insecure services 575 [RFC6335]. Some argue that secure variants should share the existing 576 port number assignment, such that security is enabled on a per- 577 connection or other association basis [RFC2817]. Others argue that 578 security should be supported on a new port number assignment and be 579 enabled by default. IANA currently permits either approach, although 580 use of a single port number is consistent with port number 581 conservation. A separate port number might be important for security 582 coordination (e.g., firewall management), but this might further 583 argue for deprecation of the insecure variant. 585 Optional security can penalize performance, requiring additional 586 round-trip exchanges before a connection or other association can be 587 established. As discussed earlier, port numbers are a critical 588 resource and it is inappropriate to consume assignments to increase 589 performance. As a result, the need for separate ports for both 590 secure and insecure variants is not justified merely for performance 591 - either for the connection or association establishment performance 592 or differences in data performance between secure and insecure 593 variants. 595 Note however that a new service might not be eligible for IANA 596 assignment of both an insecure and a secure variant of the same 597 service, and similarly IANA might be skeptical of an assignment for 598 an insecure port number for a secure service. In both cases, 599 security of the service is compromised by adding the insecure port 600 number assignment. 602 7.5. Support for Future Versions 604 Current IANA assignments are expected to support the multiple 605 versions on the same assigned port number [RFC6335]. Versions are 606 typically indicated in-band, either at the beginning of a connection 607 or other association, or in each protocol message. 609 >> Version support SHOULD be included in new services. 611 >> Version numbers SHOULD NOT be included in either the service name 612 or service description. 614 Again, the port number space is far too limited to be used as an 615 indicator of protocol version or message type. Although this has 616 happened in the past (e.g., for NFS), it should be avoided in new 617 requests. 619 7.6. Transport Protocols 621 IANA assigns port numbers specific to one or more transport 622 protocols, typically UDP and TCP, but also SCTP, DCCP, and any other 623 standard transport protocol [RFC768] [RFC793] [RFC4340] [RFC4960]. 624 Originally, IANA port number assignments were concurrent for both 625 UDP and TCP; other transports were not indicated. However, to 626 conserve space and to reflect increasing use of other transports, 627 assignments are now specific only to the transport being used. 629 In general, a service should request assignments for multiple 630 transports using the same service name and description on the same 631 port number only when they all reflect essentially the same service. 632 Good examples of such use are DNS and NFS, where the difference 633 between the UDP and TCP services are specific to supporting each 634 transport. E.g., the UDP variant of a service might add sequence 635 numbers and the TCP variant of the same service might add in-band 636 message delimiters. This document does not describe the appropriate 637 selection of a transport protocol for a service. 639 >> Service names and descriptions for multiple transport port number 640 assignments SHOULD match only when they describe the same service, 641 excepting only enhancements for each supported transport. 643 When the services differ, their service names and descriptions 644 should reflect that difference. E.g., if TCP is used for the basic 645 control protocol and UDP for an alarm protocol, then the services 646 might be "name-ctl" and "name-alarm". A common example is when TCP 647 is used for a service and UDP is used to determine whether that 648 service is active (e.g., via a unicast, broadcast, or multicast test 649 message) [RFC1122]. The following convention has been used by IANA 650 for several years to distinguish discovery services, such as are 651 used to identify endpoints capable of a given service: 653 >> Names of discovery services SHOULD use an identifiable suffix; 654 the suggestion is "-disc". 656 Some services are used for discovery, either in conjunction with a 657 TCP service or as a stand-alone capability. Such services will be 658 more reliable when using multicast rather than broadcast (over IPv4) 659 because IP routers do not forward "all nodes" (all 1's, i.e., 660 255.255.255.255 for IPv4) broadcasts and have not been required to 661 support subnet-directed broadcasts since 1999 [RFC1812] [RFC2644]. 662 This issue is relevant only for IPv4 because IPv6 does not support 663 broadcast. 665 >> UDP over IPv4 multi-host services SHOULD use multicast rather 666 than broadcast. 668 Designers should be very careful in creating services over 669 transports that do not support congestion control or error recovery, 670 notably UDP. There are several issues that should be considered in 671 such cases, as summarized in Table 1 in [RFC5405]. In addition, the 672 following recommendations apply to service design: 674 >> Services that use multipoint communication SHOULD be scalable, 675 and SHOULD NOT rely solely on the efficiency of multicast 676 transmission for scalability. 678 >> Services SHOULD NOT use UDP as a performance enhancement over 679 TCP, i.e., to circumnavigate TCP's congestion control. 681 7.7. When to Request an Assignment 683 Assignments are typically requested when a user has enough 684 information to reasonably answer the questions in the IANA 685 application. IANA applications typically take up to a few weeks to 686 process, with some complex cases taking up to a month. The process 687 typically involves a few exchanges between the IANA Ports Expert 688 Review team and the applicant. 690 An application needs to include a description of the service, as 691 well as to address key questions designed to help IANA determine 692 whether the assignment is justified. The application should be 693 complete and not refer solely to the Internet Draft, RFC, a website, 694 or any other external documentation. 696 Services that are independently developed can be requested at any 697 time, but are typically best requested in the last stages of design 698 and initial experimentation, before any deployment has occurred that 699 cannot easily be updated. 701 >> Users MUST NOT deploy implementations that use assigned port 702 numbers prior their assignment by IANA. 704 >> Users MUST NOT deploy implementations that default to using the 705 experimental System port numbers (1021 and 1022 [RFC4727]) outside a 706 controlled environment where they can be updated with a subsequent 707 assigned port [RFC3692]. 709 Deployments that use port numbers before deployment complicate IANA 710 management of the port number space. Keep in mind that this 711 recommendation protects existing assignees, users of current 712 services, and applicants for new assignments; it helps ensure that a 713 desired number and service name are available when assigned. The 714 list of currently unassigned numbers is just that - *currently* 715 unassigned. It does not reflect pending applications. Waiting for an 716 official IANA assignment reduces the chance that an assignment 717 request will conflict with another deployed service. 719 Applications made through Internet Draft / RFC publication (in an 720 stream) typically use a placeholder ("PORTNUM") in the text, and 721 implementations use an experimental port number until a final 722 assignment has been made [RFC6335]. That assignment is initially 723 indicated in the IANA Considerations section of the document, which 724 is tracked by the RFC Editor. When a document has been approved for 725 publication and proceeds to IESG Approval, that request is forwarded 726 to IANA for handling. IANA will make the new assignment accordingly. 727 At that time, IANA may also request that the applicant fill out the 728 application form on their website, e.g., when the RFC does not 729 directly address the information expected as per [RFC6335]. "Early" 730 assignments can be made when justified, e.g., for early 731 interoperability testing, according to existing process [RFC4020] 732 [RFC6335]. 734 >> Users writing specifications SHOULD use symbolic names for port 735 numbers and service names until an IANA assignment has been 736 completed. Implementations SHOULD use experimental port numbers 737 during this time, but those numbers MUST NOT be cited in 738 documentation except as interim. 740 7.8. Squatting 742 "Squatting" describes the use of a number from the assigned range in 743 deployed software without IANA assignment. It is hazardous because 744 IANA cannot track such usage and thus cannot avoid making legitimate 745 assignments that conflict with such unauthorized usage. 747 Such "squatted" port numbers remain unassigned, and IANA retains the 748 right to assign them when requested by applicants. Protocol 749 designers are reminded that is never appropriate to use port numbers 750 that have not been directly assigned [RFC6335]. In particular, any 751 unassigned code from the assigned ranges will be assigned by IANA, 752 and any conflict will be easily resolved as the protocol designer's 753 fault once that happens (because they would not be the assignee). 754 This may reflect in the public's judgment on the quality of their 755 expertise and cooperation with the Internet community. 757 Regardless, there are numerous services that have squatted on such 758 numbers that are in widespread use. Designers who are using such 759 port numbers are encouraged to apply for an assignment. Note that 760 even widespread de-facto use may not justify a later IANA assignment 761 of that value, especially if either the value has already been 762 assigned to a legitimate applicant or if the service would not 763 qualify for an assignment of its own accord. 765 7.9. Other Considerations 767 As noted earlier, System port numbers should be used sparingly, and 768 it is better to avoid them altogether. This avoids the potentially 769 incorrect assumption that the service on such port numbers run in a 770 privileged mode. 772 Port numbers are not intended to be changed; this includes the 773 corresponding service name. Once deployed, it can be very difficult 774 to recall every implementation, so the assignment should be 775 retained. However, in cases where the current assignee of a name or 776 number has reasonable knowledge of the impact on such uses, and is 777 willing to accept that impact, the name or number of an assignment 778 can be changed [RFC6335] 780 Aliases, or multiple service names for the same port number, are no 781 longer considered appropriate [RFC6335]. 783 8. Security Considerations 785 This document discusses ways to conserve port numbers, notably 786 through encouraging demultiplexing within a single port number. As 787 such, there may be cases where two variants of a protocol - insecure 788 and secure (such as using optional TLS) or different versions - are 789 suggested to share the same port number. 791 This document reminds protocol designers that port numbers do not 792 protect against denial of service overload or guarantee that traffic 793 should be trusted. Using assigned numbers for port filtering isn't a 794 substitute for authentication, encryption, and integrity protection. 795 The port number alone should not be used to avoid denial of service 796 or firewall traffic because their use is not regulated or validated. 798 9. IANA Considerations 800 The entirety of this document focuses on IANA issues, notably 801 suggestions that help ensure the conservation of port numbers and 802 provide useful hints for issuing informative requests thereof. 804 10. References 806 10.1. Normative References 808 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 809 Requirement Levels", BCP 14, RFC 2119, March 1997. 811 [RFC2780] Bradner, S., and V. Paxson, "IANA Allocation Guidelines 812 For Values In the Internet Protocol and Related Headers", 813 BCP 37, RFC 2780, March 2000. 815 [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers 816 Considered Useful", BCP 82, RFC 3962, Jan. 2004. 818 [RFC4727] Fenner, B., "Experimental Values in IPv4, IPv6, ICMPv4, 819 ICMPv6, UDP, and TCP Headers", RFC 4727, November 2006. 821 [RFC5405] Eggert, L., and G. Fairhurst, "Unicast UDP Usage 822 Guidelines for Application Designers", BCP 145, RFC 5405, 823 Nov. 2008. 825 [RFC6335] Cotton, M., L. Eggert, J. Touch, M. Westerlund, and S. 826 Cheshire, "Internet Assigned Numbers Authority (IANA) 827 Procedures for the Management of the Service Name and 828 Transport Protocol Port Number Registry", BCP 165, RFC 829 6335, August 2011. 831 10.2. Informative References 833 [IEN112] Postel, J., "Transmission Control Protocol", IEN 112, 834 August 1979. 836 [RFC33] Crocker, S., "New Host-Host Protocol", RFC 33 February 837 1970. 839 [RFC37] Crocker, S., "Network Meeting Epilogue", RFC 37, March 840 1970. 842 [RFC38] Wolfe, S., "Comments on Network Protocol from NWG/RFC 843 #36", RFC 38, March 1970. 845 [RFC48] Postel, J., and S. Crocker, "Possible protocol plateau", 846 RFC 48, April 1970. 848 [RFC61] Walden, D., "Note on Interprocess Communication in a 849 Resource Sharing Computer Network", RFC 61, July 1970. 851 [RFC76] Bouknight, J., J. Madden, and G. Grossman, "Connection by 852 name: User oriented protocol", RFC 76, October 1970. 854 [RFC333] Bressler, R., D. Murphy, and D. Walden. "Proposed 855 experiment with a Message Switching Protocol", RFC 333, 856 May 1972. 858 [RFC739] Postel, J., "Assigned numbers", RFC 739, November 1977. 860 [RFC758] Postel, J., "Assigned numbers", RFC 758, August 1979. 862 [RFC768] Postel, J., "User Datagram Protocol", RFC 768, August 863 1980. 865 [RFC793] Postel, J., "Transmission Control Protocol" RFC 793, 866 September 1981 868 [RFC820] Postel, J., "Assigned numbers", RFC 820, August 1982. 870 [RFC900] Reynolds, J., and J. Postel, "Assigned numbers", RFC 900, 871 June 1984. 873 [RFC959] Postel, J., and J. Reynolds, "FILE TRANSFER PROTOCOL 874 (FTP)", RFC 959, October 1985. 876 [RFC1122] Braden, B. (Ed.), "Requirements for Internet Hosts -- 877 Communication Layers", RFC 1122, October 1989. 879 [RFC1340] Reynolds, J., and J. Postel, "Assigned numbers", RFC 1340, 880 July 1992. 882 [RFC1700] Reynolds, J., and J. Postel, "Assigned numbers", RFC 1700, 883 October 1994. 885 [RFC1812] Baker, F. (Ed.), "Requirements for IP Version 4 Routers", 886 RFC 1812, June 1995. 888 [RFC1833] Srinivasan, R., "Binding Protocols for ONC RPC Version 2", 889 RFC 1833, August 1995. 891 [RFC2543] Handley, M., H. Schulzrinne, E. Schooler, and J. 892 Rosenberg, "SIP: Session Initiation Protocol", RFC 2543, 893 March 1999. 895 [RFC2616] Fielding, R., J. Gettys, J. Mogul, H. Frystyk, L. 896 Masinter, P. Leach, and T. Berners-Lee, "Hypertext 897 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. 899 [RFC2644] Senie, D., "Changing the Default for Directed Broadcasts 900 in Routers", RFC 2644, August 1999. 902 [RFC2817] Khare, R., and S. Lawrence, "Upgrading to TLS Within 903 HTTP/1.1", RFC 2817, May 2000. 905 [RFC3232] Reynolds, J. (Ed.), "Assigned Numbers: RFC 1700 is 906 Replaced by an On-line Database", RFC 3232, January 2002. 908 [RFC3546] Blake-Wilson, S., D. Hopwood, and T. Wright, "Transport 909 Layer Security (TLS) Extensions", RFC 3546, June 2003. 911 [RFC4020] Kompella, K. and A. Zinin, "Early IANA Allocation of 912 Standards Track Code Points", BCP 100, RFC 4020, February 913 2005. 915 [RFC4340] Kohler, E., M. Handley, and S. Floyd, "Datagram Congestion 916 Control Protocol (DCCP)", RFC 4340, March 2006. 918 [RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol", 919 RFC 4960, September 2007. 921 [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment 922 (ICE): A Protocol for Network Address Translator (NAT) 923 Traversal for Offer/Answer Protocols", RFC 5245, April 924 2010. 926 [RFC5246] Dierks, T., and E. Rescorla, "The Transport Layer Security 927 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 929 [RFC5389] Rosenberg, J., R. Mahy, P. Matthews, and D. Wing, "Session 930 Traversal Utilities for NAT", RFC 5389, October 2008. 932 [RFC5766] Mahy, R., P. Matthews, and J. Rosenberg, "Traversal Using 933 Relays around NAT (TURN): Relay Extensions to Session 934 Traversal Utilities for NAT (STUN)", RFC 5766, April 2010. 936 [RFC6762] Cheshire, S., and M. Krochmal, "Multicast DNS", RFC 6762, 937 February 2013. 939 [RFC6763] Cheshire, S., and M. Krochmal, "DNS-Based Service 940 Discovery", RFC 6763, February 2013. 942 11. Acknowledgments 944 This work benefitted from the feedback from Lars Eggert, Gorry 945 Fairhurst, and Eliot Lear, as well as discussions of the IETF TSVWG 946 WG. 948 This document was prepared using 2-Word-v2.0.template.dot. 950 Authors' Addresses 952 Joe Touch 953 USC/ISI 954 4676 Admiralty Way 955 Marina del Rey, CA 90292-6695 956 U.S.A. 958 Phone: +1 (310) 448-9151 959 EMail: touch@isi.edu