Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Private port numbers?

  • From: Lars Higham
  • Date: Thu Aug 14 01:54:52 2003

It's a good idea, granted, but isn't this covered by IPv6 administrative
scoping?

Lars

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
David G. Andersen
Sent: Thursday, August 14, 2003 8:33 AM
To: Christopher L. Morrow
Cc: Crist Clark; nanog@merit.edu
Subject: Re: Private port numbers?



On Wed, Aug 13, 2003 at 10:40:30PM +0000, Christopher L. Morrow quacked:
> 
> what about ports that start as 'private' and are eventually 
> ubiquitously used on a public network? (Sean Donelan noted that 
> 137->139 were originally intended to be used in private networks... 
> and they became 'public' over time)

 You run it on a different port. I actually really like this idea,
because it makes shipping a more secure default configuration easier for
vendors without having to coordinate between firewall vendors and
implementors.

The "gotcha" is that it makes life pretty weird for you if you then want
to make your service work in the wide-area... but that's pretty easy to
do with intelligent defaults:

Ports 1-1024:  Well-known-ports
Ports 60001-61024:  Private well-known-port analogues

Applications would try:

 if (!connect(..., public port #))
   connect(..., private port #))

In fact, this (impractically) generalizes to a nice way of signifying
whether or not you want external people to be able to talk to your
service:

   port bit[0] == 0:  Public service, please do not filter
   port bit[0] == 1:  Private service, please filter at
                      organizational boundary

I suddenly wish the port space was 32 bits. :)

People _could_, of course, implement all of this with tcpwrappers and
host-local firewalls.  But experience has shown that they don't.  It
might be easier for them if they could just click "private" when they
configured the service, though experience has shown that services
migrate to the less restrictive mode as debugging and time goes on...

  -Dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science
http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.