TWO WEEK LAST CALL: Regularizing Port Numbers for SSL.

This is a two week last call on regularizing port numbers for SSL and for
TLS. If there are no objections, I send this request officially as an
editor for the IETF-TLS working group to the IANA.

The SSL 3.0 protocol has the broadest implementation of any security
standard to date, with both Netscape and Microsoft using it in their
popular servers and browsers. SSL 3.0 has been submitted to the TLS working
group of the IETF, and is is proceeding out of internet-draft status under
a new name, TLS.

Tim Dierks and I are editors for that working group, Win Treese
<> is the working group chair, and Jeff Schiller
<> is the IESG area director over the WG.

Tim are I have two documents undergoing revision:
<draft-ietf-tls-protocol-00.txt> & <draft-ietf-tls-ssl-mods-00.txt>, which
were approved during the last working group meeting in San Jose, and are
being merged into one draft.

One area that I am trying to resolve are the port issues with TLS/SSL.

As a transport layer security standard, TLS/SSL can work transparently with
existing application level protocols (such as http, nntp, nttp) without
*any* change to the protocol other than using a different port number. As
an example, the popular http protocol uses port 40, and the SSL enabled
version of http uses 443.

It is possible for a single port to be used for both unsecure and secure
uses, however, this requires changes in the application level protocols
which are must be separately adopted by each working group over such
protocols. An example of changes that would allow for a single port in the
FTP protocol is covered in <draft-murray-auth-ftp-ssl-00.txt>.

Until each protocol is revised to allow for authenication under a single
port, we will require separate ports for TLS/SSL implementations of the
most popular protocols.

There are a number of ports current registered with the IANA the for use by
the SSL protocol. They are currently:

	https       443/tcp    https
	ssmtp       465/tcp    ssmtp
	snews       563/tcp    snews
	ssl-ldap    636/tcp    ssl-ldap
	spop3       995/tcp    SSL based POP3

As the above registrations are inconsistant, and most don't even mention
SSL or TLS, we would like to get these port assignments regularized in the
listing as follows:

	https       443/tcp    http protocol over TLS/SSL
	ssmtp       465/tcp    smtp protocol over TLS/SSL
	snntp       563/tcp    nntp protocol over TLS/SSL
	sldap       636/tcp    ldap protocol over TLS/SSL
	spop3       995/tcp    pop3 protocol over TLS/SSL

There is also currently a desire among SSL implementors to register two
additional ports mappings for ftp protocol over TLS/SSL and imap4 protocol
over TLS/SSL. We have been told that invididual implementors have attempted
to register ports for these uses of SSL, but as of today they have not
recieved registration for these assignments.

We would like to suggest the following:

	ftps	    990/tcp    ftp protocol over TLS/SSL
	simap       991/tcp    imap4 protocol over TLS/SSL

Under your procedures, you ask for answers to the following questions:

1)  What is the protocol between the user machine and the server

It is the TLS 1.0 or SSL 3.0 protocol as defined in
<draft-ietf-tls-protocol-00.txt> & <draft-ietf-tls-ssl-mods-00.txt>.

2)  What message formats, types, op codes, sequences are used?

It is the TLS 1.0 or SSL 3.0 protocol as defined in
<draft-ietf-tls-protocol-00.txt> & <draft-ietf-tls-ssl-mods-00.txt>.

3)  What functions are performed by this protocol?

Securing and authenticating the transport independently of the application

4)  Is broadcast or multicast used?  If so, how and what for?

No -- TCP only is defined by TLS/SSL at this point, however, we'd like to
at least hold the UDP ports in reserve for the future.

5) Do you want a well-known assigned system port in the range 0-1023,
   or a registered user port in the range 1024-65535 ?

They need to be in a the well known range as they are core system protocols
that are being secured.

6)  What short name (14 character maximum) do you want associated with
    this port number?

	ftps	    990/tcp    ftp protocol over TLS/SSL
	imaps       991/tcp    imap4 protocol over TLS/SSL

If there are any questions as to our authority to request such changes,
these changes have been run by the WG Chair, Win Treese
<>and Jeff Schiller <> is the IESG area
director over the TLS WG. In addition, these requests were run by Netscape,
Microsoft, the SSL-Talk mailing list and the IETF-TLS working group mailing
list before being sent to you. There are also currently multiple SSL
implementations of each of the applications protocols being requested above.

If you have any questions, please feel free to give me a call at
510/559-1500 or email me at Christopher Allen <>.

..Christopher Allen                  Consensus Development Corporation..
..<>                 1563 Solano Avenue #355..
..                                             Berkeley, CA 94707-2116..
..Home of "SSL Plus:                      o510/559-1500  f510/559-1505..
..  SSL 3.0 Integration Suite(tm)" <>..

Received on Tuesday, 4 February 1997 12:50:22 UTC