W3C home > Mailing lists > Public > ietf-discuss@w3.org > August 2001

Re: Use ofHTTP to pass firewalls

From: Mark Nottingham <mnot@akamai.com>
Date: Fri, 10 Aug 2001 20:36:17 -0700
To: Patrik Fältström <paf@cisco.com>
Cc: Keith Moore <moore@cs.utk.edu>, "Roy T. Fielding" <fielding@ebuilt.com>, Jacob Palme <jptest@dsv.su.se>, discuss@apps.ietf.org, Kristine Andersen <kristineandersen@hotmail.com>, Christer Backman <asphalt_world@hotmail.com>, Fredrik Björck <bjorck@dsv.su.se>, Mats Wiklund <matsw@dsv.su.se>, Sead Muftic <sead@dsv.su.se>
Message-ID: <20010810203607.C6881@akamai.com>
On Fri, Aug 10, 2001 at 07:53:58AM +0100, Patrik Fältström wrote:
> --On 08/09/2001 3:29 PM -0400 Keith Moore <moore@cs.utk.edu> wrote:
> >> Right.  Port 80 is reserved for the Web, not HTTP.
> > 
> > well, I'm assuming that they're using something that resembles HTTP.
> > 
> > I don't think it's reasonable to use port 80 for arbitrary protocols,
> > whether or not you can consider such protocols part of "the web".
> > 
> > p.s. does "the web" have a definition?  In my mind "the web" includes
> > anything that can be named with a URI, which is most of the Internet...
> Hmmm....I only use the wording "the web" is only used for the subset of
> what is transported over the http protocol, can be named with a http URI,
> and accessed with a "web browser" -- PLUS "embedded content" in the
> webpages which the user is accessing -- PLUS accompanying things like
> WEBDAV abilities to edit that data documents.
> I.e. "the web" is for me a subset of what you think is the web.

The Web is an information space, not limited to any protocol or
format (so, URI is closer to the definition than HTTP). As I
understand it, this is more or less the W3C definition.

I know that wiser heads than mine will consider this incorrect, but
my belief is that a port allocation's semantics are limited to a
reasonable expectation that a particular wire protocol will be

It may be operationally convenient to make assumptions about what
services are used over a particular protocol, but imposing policy,
applying heuristics or inferring security based on port is unwise at
best, as has been noted.

This, IMHO, is especially true for generalised transfer protocols
(*TPs). Do we consider valid users of the FTP ports to only be
human-driven FTP clients? May only MUAs or MTAs acting on their
behalf use port 25?

It's certainly true that people do impose policy, apply heuristics
and infer security from port 80, but I don't think this should be
encouraged or codified. If we went down that path, it would restrict
the 'valid' uses of HTTP, somewhat paradoxically (based on the
definition above) limiting the uses of the Web as well.

(Note the fine line being walked - I agree with Kieth's motivation to
warn people about the possibility of these things when they use HTTP
as a substrate).

Now to catch up on the jetlag...

Mark Nottingham, Research Scientist
Akamai Technologies (San Mateo, CA USA)
Received on Friday, 10 August 2001 23:47:12 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:38:01 UTC