I don't really have a significant objection to moving TELNET to
HISTORIC. But I wonder whether an applicability statement would be the
appropriate way to do this.

Or to put it differently, it seems like it might be useful to not only
advise the public about remaining cases where TELNET is still useful,
but to also advise about security risks associated with continued use of
TELNET. Those risks are not confined to the case where a TELNET server
is operated on a publicly-reachable address, and can even exist on a
supposedly air-gapped network (because in practice, no network is
air-gapped all the time).

On 7/31/24 15:02, John Levine wrote:
It appears that Geert Jan de Groot <GeertJan.deGroot@xxxxxxx> said:

May I ask that if we do "move to historic" action, we qualify this to
the public internet only and explicitly put up a disclaimer that for
embedded environments, requirements may be different and TELNET and FTP
may be appropriate, perhaps more appropriate than "just use SSH" and
hence TELNET/FTP clients and servers have a use in these environments?

Sure, that makes sense. If it's a closed network the security issues
are a lot easier.

The slightly harder part is to allow telnet on closed networks but not
when the same device is on the public Internet.

R's,
John