- From: Mark Baker <distobj@acm.org>
- Date: Sun, 6 Jan 2002 21:08:35 -0500 (EST)
- To: ksankar@cisco.com (Krishna Sankar)
- Cc: jacek@systinet.com (Jacek Kopecky), xml-dist-app@w3.org
Krishna,

> IMHO, it is not a question of whether you can or cannot. But
> architecturally what do we do as an answer to the overused port 80 problem.
>
> Referring to use of http as a substrate
> http://www.ietf.org/internet-drafts/draft-moore-using-http-01.txt, I view
> the "application/soap+xml" as a "substantially new service", thus requiring
> a new port.

I don't think it's correct to say that in the general case. It's up to the developer of the SOAP service whether it could be considered substantially new or not. I agree that the vast majority of SOAP apps out there today could be considered as such (namely, the tunneled use of SOAP). But the non-tunneled use of SOAP is most definitely not substantially new by any reasonable definition.

For example, the app I describe in [1] (after SOAP is added) is not a "substantially new service", as it uses HTTP as it was designed to be used.

[1] http://www.markbaker.ca/2001/07/SoapUses/

> a) SOAP is a different animal than HTML,
> b) it would be used by separate server processes and
> c) most importantly there is a need for distinguishing this traffic
> separate from others.
>
> Talking about a port number in the media type might be unconventional, may
> be not. IMHO, I would like to RECOMMEND Port 90 used for SOAP traffic. Now
> if we are using SOAP over ftp or SOAP/SMTP we might not. But the most common
> use, SOAP/HTTP, should be on 90.

I would support some advisory text as part of the binding specification that suggests that a developer using SOAP for RPC or tunneling a new protocol with it, should not use port 80. I would also support registering a SOAP specific port for those that want to heed this advice. I would support both these things because 1) RPC & tunneling is a misuse of HTTP that threatens security (as I've described), and 2) firewalls don't generally filter HTTP on all (or even many) ports, they look for it on port 80.

I am confident that this advice will be ignored, because most developers think it's a *good* thing to be able to tunnel over a firewall. But if even a few people choose to follow it, then I think it will be worth it.

BTW, port 90 is taken; http://www.iana.org/assignments/port-numbers

MB
--
Mark Baker, Chief Science Officer, Planetfred, Inc.
Ottawa, Ontario, CANADA. mbaker@planetfred.com
http://www.markbaker.ca http://www.planetfred.com

Received on Sunday, 6 January 2002 21:08:13 UTC