--On Wednesday, December 2, 2020 23:28 +0000 Stephen Farrell <stephen.farrell@xxxxxxxxx> wrote:

> Hiya,
>
> On 02/12/2020 23:19, Scott O. Bradner wrote:
>> I fully agree with John
>>
>> I see no justification to move telnet &/or FTP to historic
>> since they are in use (even if some people would rather that
>> not be the case) and neither presents a clear danger to the
>> proper functioning of the Internet
>
> I gotta wonder about that last. Wouldn't it be credible to
> argue that telnet is in fact a real danger, if one looks at
> all the CVEs that've reported on ports with admin/admin
> access? I'm not sure if it'd be the right thing to do, but
> I do think one can credibly argue that deprecating telnet
> might be worthwhile.

Stephen,

First, at least from my point of view, if you (or anyone else) want to make that argument, go for it. Write the document outlining the pros and cons, point out the risks and damage you have seen, and then let's see if it is still possible to have a mature and intelligent discussion in the IETF about tradeoffs rather than arguments and discussion about these things that seem to have more to do with passions and biases than with reality on the Internet.

Two suggestions to think about as you (or others) are contemplating that:

(1) Reread Section 3.3 of RFC 2026. While I'm not convinced either would be desirable, it seems to me that reclassifying telnet (or FTP) as "Limited Use" by describing the risks and identifying the characteristics of circumstances under which use might be desirable anyway would be far more plausible than trying to make it "not recommended". That might be true of whatever else is a candidate for someone's "I have a way to do that on the web and therefore the original protocol is hopelessly outdated" list [1] as well as some things we have done/specified already. For example, I have worked with several enterprises who think that they need to have the ability to inspect email traffic going in or, especially, out. Some even write employment contracts in which employees are required to explicitly agree to that or not work there. Many of them also believe in the quality of their firewalls, VPNs, and SSH-based tunnels. So, to them, RFC 8314 is unnecessary, a demand for additional overhead, and, to quote one of the relevant people, "just plain arrogant". And that brings me to...

(2) People use IETF standards, voluntarily, because they are the only game in town (or think we are - often for something new), because they believe the IETF gives good advice, or both. When we say "do X" to someone who is doing something else, or "don't do Y anymore" to someone who is doing Y, knows it, and thinks they have perfectly good reasons (or who doesn't know they are dependent on it until we tell them), the odds of our being ignored are rather high. (Scott's question about telnet and IoT and Jared's application fit in nicely here.) Perhaps more important, we invite that person or organization to say, the next time a proposal to do something according to IETF standards or advice comes up, "They didn't consider our situation, got the previous advice wrong, and were arrogant about it. Why on earth should we trust them with this issue?" If we say "to accomplish this task, don't use our Standard, use this thing we haven't bothered to standardize and for which there are only a couple of implementations instead", the effects might be even worse. I've already heard rumblings like that and assume I'm not the only one.

So, again, if someone wants to write a carefully thought-out document explaining why, under circumstances you can describe, there are better alternatives than telnet, FTP, finger, whois, SMTP, etc.; why they are better; and so on, that might be very helpful. It would be especially so if it avoided making claims that those are all possible circumstances. But the only good justification for deprecating telnet or FTP -- or even making a public claim that no one, at least no one in their right mind, is using them any more -- may involve having a death wish for the IETF.

john

[1] I know you don't feel that way and apologize if I've misstated that, but many of the recent discussions (more in other threads than this one) have felt more like a culture war than like reasoned technical arguments.