--On Wednesday, July 31, 2024 17:13 -0400 Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:

> I don't really have a significant objection to moving TELNET to
> HISTORIC. But I wonder whether an applicability statement would
> be the appropriate way to do this.
>
> Or to put it differently, it seems like it might be useful to not
> only advise the public about remaining cases where TELNET is still
> useful, but to also advise about security risks associated with
> continued use of TELNET. Those risks are not confined to the case
> where a TELNET server is operated on a publicly-reachable address,
> and can even exist on a supposedly air-gapped network. (because
> in practice, no network is air-gapped all the time)

Hmm. After reading Geert's note, I had two thoughts.

One is that, while I agree that the case he describes is very important, there are also many others involving specialized devices that are either isolated from the public Internet or that have their own, purpose-specific, security mechanisms. They use Telnet (and/or FTP) because it works for them, because getting involved with more of the machinery of the more recent Internet (including the DNS) does not work for them (if only because of lack of connectivity), and/or because much of our more recent work assumes that neither bandwidth nor processing time are scarce resources. In many cases, the relevant protocols are also baked into firmware for which revisions/updates would be hopelessly expensive or impractical.

Because of those applications and environments, the definition of Historic in RFC 2026 to which Rob conveniently pointed us does not work. The problem is not "clearly superior technically" even if we agreed (rather than being able to debate that until the end of time). It is also not that the supposed replacements for Telnet are not "Standard specifications", although several people have suggested that is also relevant and we are long overdue for getting them documented and standardized.

It is the "for the same function" bit, because Geert's discussion (plus or minus parts of the above and comments made by others) clearly indicates that Telnet is being used for some functions that the newer protocols don't support. Of course, we could rely on "when it is felt for some other reason that an existing standards track specification should be retired", but it seems to me that some of us feeling that anything that old is disgusting and should be put out of its misery (along with anyone using it) is an adequate or appropriate reason. And, of course, for those who believe in the less formal definition of "no one uses that any more", this discussion thread has provided a fairly persuasive argument to the contrary, much as some would like it to be otherwise. "It has not been referenced in any recent document" might be evidence that the IETF does not care any more, but that is not justification for Historic either, especially when the reason some more recent proposed updates to FTP never got anywhere was because the IETF (or at least the relevant ADs) declined to process them. Under those circumstances, claiming the absence of recent references proves the protocol should be reclassified as historic comes fairly close to circular reasoning.

Perhaps more important, we almost certainly know what would happen if the IETF announced that those protocols are historic. Those who are using them for what they consider good reasons would ignore us and keep doing so. The number of actually new applications that are being developed to depend on Telnet or FTP is probably insignificant today, so the effect of the reclassification (by itself) in preventing new applications from using them would presumably be insignificant as well, even if one believed such symbolic actions are useful in other cases. The only likely significant effect would be damage to the IETF's credibility as we made what we intended as a statement about what people should do, most ignored us because they weren't doing it anyway, and others just laughed.

The other, more constructive, thought is very much along the lines you suggest above. Rather than continuing this seemingly endless discussion, could those who believe that Something Should Be Done about Telnet (and/or FTP) get together and generate a draft for an Applicability Statement that carefully explains the problems and disadvantages of continued use of those protocols and explores the alternatives for typical cases? I would hope it could also address the cases (starting by drawing on Geert's note) where continued use might still be appropriate and discuss the tradeoffs involved. That would be really helpful for anyone who does not understand the risks and other issues and wants to, and for those who are not aware that there are alternatives for many purposes -- both functions that a simple reclassification to Historic would not accomplish.

I have neither the time nor motivation to put such a document together but, if it were thorough and balanced, would be delighted to review it and support its publication. I hope that others who have been arguing against reclassification to Historic would feel much the same way.

john