nanog mailing list archives
Re: Private port numbers?
From: "David G. Andersen" <dga () lcs mit edu>
Date: Wed, 13 Aug 2003 23:02:43 -0400
On Wed, Aug 13, 2003 at 10:40:30PM +0000, Christopher L. Morrow quacked:
what about ports that start as 'private' and are eventually ubiquitously used on a public network? (Sean Donelan noted that 137->139 were originally intended to be used in private networks... and they became 'public' over time)
You run it on a different port. I actually really like this idea, because it makes shipping a more secure default configuration easier for vendors without having to coordinate between firewall vendors and implementors. The "gotcha" is that it makes life pretty weird for you if you then want to make your service work in the wide-area... but that's pretty easy to do with intelligent defaults:

Ports 1-1024: Well-known-ports
Ports 60001-61024: Private well-known-port analogues

Applications would try:

if (!connect(..., public port #)) connect(..., private port #)

In fact, this (impractically) generalizes to a nice way of signifying whether or not you want external people to be able to talk to your service:

port bit[0] == 0: Public service, please do not filter
port bit[0] == 1: Private service, please filter at organizational boundary

I suddenly wish the port space was 32 bits. :)

People _could_, of course, implement all of this with tcpwrappers and host-local firewalls. But experience has shown that they don't. It might be easier for them if they could just click "private" when they configured the service, though experience has shown that services migrate to the less restrictive mode as debugging and time goes on...

-Dave

--
work: dga () lcs mit edu   me: dga () pobox com
MIT Laboratory for Computer Science   http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
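The port conventions sketched in the post, worked through as an added example in Python (this is not code from the post or from NANOG). It assumes the private analogue of well-known port N is N + 60000 (so 1-1024 maps onto 60001-61024), implements the public-then-private connect fallback exactly as the prose describes it (try the public port, fall back to the private one on failure), and applies the bit[0] rule as a filter decision at an organizational boundary over a few constructed flow records. The stub connector and the sample flows are constructed for the example; the hosts are RFC 5737 documentation addresses.

```python
import socket
from typing import Callable, List, Optional, Tuple

WELL_KNOWN_MAX = 1024    # "Ports 1-1024: Well-known-ports"
PRIVATE_OFFSET = 60000   # assumption: 60001-61024 are ports 1-1024 shifted by 60000


def private_analogue(public_port: int) -> int:
    """Map a well-known port to its private analogue (e.g. 22 -> 60022)."""
    if not 1 <= public_port <= WELL_KNOWN_MAX:
        raise ValueError(f"{public_port} is not a well-known port")
    return public_port + PRIVATE_OFFSET


def public_analogue(private_port: int) -> int:
    """Inverse mapping (e.g. 60022 -> 22), handy when auditing filter rules."""
    if not PRIVATE_OFFSET + 1 <= private_port <= PRIVATE_OFFSET + WELL_KNOWN_MAX:
        raise ValueError(f"{private_port} is not a private well-known-port analogue")
    return private_port - PRIVATE_OFFSET


def boundary_should_filter(port: int) -> bool:
    """The post's bit[0] convention: an odd port number says 'private service,
    please filter at the organizational boundary'; an even one says 'public'."""
    return (port & 1) == 1


# A connector takes (host, port) and returns a connected object or raises OSError.
Connector = Callable[[str, int], object]


def default_connector(host: str, port: int, timeout: float = 2.0) -> socket.socket:
    """Real TCP connect, used when no stub is injected."""
    return socket.create_connection((host, port), timeout=timeout)


def stub_connector(refused_ports: set) -> Connector:
    """Constructed stand-in for connect(): refuses the listed ports, 'accepts' the rest.
    Lets the fallback logic run offline without a listening service."""
    def connector(host: str, port: int) -> object:
        if port in refused_ports:
            raise ConnectionRefusedError(f"{host}:{port} refused (stub)")
        return ("fake-socket", host, port)
    return connector


def connect_with_fallback(host: str, public_port: int,
                          connector: Connector = default_connector
                          ) -> Tuple[Optional[object], Optional[int]]:
    """Try the public well-known port first; on failure try its private analogue.
    Returns (connection, port_used) or (None, None) if both attempts fail."""
    for port in (public_port, private_analogue(public_port)):
        try:
            return connector(host, port), port
        except OSError:
            continue
    return None, None


Flow = Tuple[str, str, int]   # (src_ip, dst_ip, dst_port)


def boundary_filter(flows: List[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Apply the bit[0] rule to flows crossing the organizational boundary.
    Returns (allowed, dropped)."""
    allowed: List[Flow] = []
    dropped: List[Flow] = []
    for flow in flows:
        (dropped if boundary_should_filter(flow[2]) else allowed).append(flow)
    return allowed, dropped


# Constructed sample flows arriving from outside the organization.
SAMPLE_FLOWS: List[Flow] = [
    ("203.0.113.5", "198.51.100.10", 80),      # even: public, not filtered
    ("203.0.113.5", "198.51.100.10", 139),     # odd: private, filtered
    ("203.0.113.9", "198.51.100.11", 60022),   # even: public, not filtered
    ("203.0.113.9", "198.51.100.11", 60023),   # odd: private, filtered
]


if __name__ == "__main__":
    # Public port 22 "refused", so the client falls back to 60022.
    _, port_used = connect_with_fallback("192.0.2.1", 22, connector=stub_connector({22}))
    print("connected on port", port_used)
    allowed, dropped = boundary_filter(SAMPLE_FLOWS)
    print("allowed:", [f[2] for f in allowed], "dropped:", [f[2] for f in dropped])
```

Note what the bit[0] rule does to the sample: port 139 is dropped at the boundary while 80 and 60022 pass, which is the point of the scheme, but so would 443 be, which is why the post calls the generalization impractical.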
Current thread:
- Private port numbers? Iljitsch van Beijnum (Aug 13)
- Re: Private port numbers? Crist Clark (Aug 13)
- Re: Private port numbers? Iljitsch van Beijnum (Aug 13)
- Re: Private port numbers? Christopher L. Morrow (Aug 13)
- Re: Private port numbers? Christopher L. Morrow (Aug 13)
- Re: Private port numbers? David G. Andersen (Aug 13)
- RE: Private port numbers? Lars Higham (Aug 13)
- Re: Private port numbers? Crist Clark (Aug 14)
- Re: Private port numbers? Mans Nilsson (Aug 14)
- Death of IPv6 Site-Local (was Re: Private port numbers?) Crist Clark (Aug 14)
- Re: Death of IPv6 Site-Local (was Re: Private port numbers?) Jeremy T. Bouse (Aug 14)
- Re: Private port numbers? Iljitsch van Beijnum (Aug 13)
- Re: Private port numbers? Crist Clark (Aug 13)