Re: Telnet and FTP to Historic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




--On Wednesday, December 2, 2020 23:28 +0000 Stephen Farrell
<stephen.farrell@xxxxxxxxx> wrote:

> 
> Hiya,
> 
> On 02/12/2020 23:19, Scott O. Bradner wrote:
>> I fully agree with John
>> 
>> I see no justification to move telnet &/or FTP to historic
>> since they are in use (even if some people would rather that
>> not be the case) and neither presents a clear danger to the
>> proper functioning of the Internet
> 
> I gotta wonder about that last. Wouldn't it be credible to
> argue that telnet is in fact a real danger, if one looks at
> all the CVEs that've reported on ports with admin/admin
> access? I'm not sure if it'd be the right thing to do, but
> I do think one can credibly argue that deprecating telnet
> might be worthwhile.

Stephen,

First, at least from my point of view, if you (or anyone else)
want to make that argument, go for it.  Write the document
outlining the pros and cons, point out the risks and damage you
have seen, and then let's see if it is still possible to have a
mature and intelligent discussion in the IETF about tradeoffs
rather than arguments and discussion about these things that
seem more to do with passions and biases than reality on the
Internet.  

Two suggestions to think about as you (or others) are
contemplating that:

(1) Reread Section 3.3 of RFC 2026.  While I'm not convinced
either would be desirable, it seems to me that reclassifying
telnet (or FTP) as "Limited Use" by describing the risks and
identifying the characteristics of circumstances under which use
might be desirable anyway would be far more plausible that
trying to make it "not recommended".    That might be true of
whatever else is a candidate for someone's "I have a way to do
that on the web and therefore the original protocol is
hopelessly outdated" list [1] as well as some things we have
done/specified already.   

For example, I have worked with several enterprises who think
that they need to have the ability to inspect email traffic
going in or, especially, out.  Some even write employment
contracts in which employees are required to explicitly agree to
that or not work there.    Many of them also believe in the
quality of their firewalls, VPNs, and SSH-based tunnels.  So, to
them, RFC 8314 is unnecessary, a demand for additional overhead,
and, to quote one of the relevant people "just plain arrogant".


And that brings me to...

(2)  People use IETF standards, voluntarily, because they are
the only game in town (or think we are - often for something
new), because they believe the IETF gives good advice, or both.
When we say "do X" to someone who is doing something else or
"don't do Y anymore" to someone who is doing Y, knows it, and
thinks they have perfectly good reasons (or who doesn't know
they are dependent on it until we tell them, the odds of our
being ignored are rather high.  (Scott's question about telnet
and IoT and Jared's application fit in nicely here.)   Perhaps
more important, we invite that person or organization to say,
the next time a proposal to do someone according to IETF
standards or advice comes up, "They didn't consider our
situation, got the previous advice wrong, and were arrogant
about it.  Why on earth should we trust them with this issue."
If we say "to accomplish this task, don't use our Standard, use
this think we haven't bothered to standardize and for which
there are only a couple of implementations instead", the effects
might be even worse.  I've already heard rumblings like that and
assume I'm not the only one.

So, again, if someone wants to write a carefully thought-out
document explaining why, under circumstances you can describe,
there are better alternatives than telnet, FTP, finger, whois,
SMTP, etc.; why they are better; and so on, that might be very
helpful.  It would be especially so if avoided making claims
that those are all possible circumstances.   But the only good
justification for deprecating telnet or FTP -- or even making a
public claim that no one, at least no one in their right minds,
is using them any more -- may involve having a death wish for
the IETF.

   john


[1] I know you don't feel that way and apologize if I've
misstated that, but many of the recent discussions (more in
other threads than this one) have felt more like a culture war
than like reasoned technical arguments.




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux