> > - Conclusion 2: There is no reason for standards to uphold the
> > distinction between <1024 and >1024 any more.

> I agree that the requirement on UNIX-like systems to be root in order
> to bind to ports < 1024 is, in hindsight, a Bad Idea - but mostly
> because of insufficient privilege granularity.

If by "insufficient privilege granularity" you mean root confers other
access, I agree. But while not critical, it would also be useful to have
finer granularity in terms of who gets access to what ports.

> I also think that
> trusting a source port as an indication of anything is a Bad Idea.

You bet.

> However, I do think that it's useful for there to be a range of port
> numbers that are only bound to a socket if an application specifically
> asks for one of those ports, as this would reduce the potential for
> accidental conflicts between servers needing to listen to a well-known
> port and servers for which any port would do. And it would be
> appropriate for standards to respect this convention and assign
> well-known ports in the range of ports that would not be bound by
> default.

This also sounds reasonable.

> I also think that it would be reasonable for an OS to require
> privileges before it would allow an application to bind to certain
> ports. But those ports would need to be explicitly enumerated
> somewhere, rather than merely being a range of numbers.

Yes, it clearly needs to be fully configurable. Perhaps some of the
existing internal firewall configuration mechanisms could be reused
here...

Ned

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
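Added example, not part of the thread above: a small Python probe, assuming a Linux host, that reads the kernel's net.ipv4.ip_unprivileged_port_start sysctl (the configurable boundary that replaces the fixed 1024 rule discussed in the message), predicts whether a bind() will need privilege, and checks that prediction against a real bind on loopback. The helper names and the 1024 fallback are my own choices.

```python
import errno
import os
import socket

# Linux exposes the privileged-port boundary as a sysctl (assumption: Linux host).
SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def unprivileged_port_start() -> int:
    """Lowest port a non-root process may bind. Falls back to the classic
    UNIX value of 1024 where the sysctl is absent (non-Linux, old kernel)."""
    try:
        with open(SYSCTL) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 1024


def classify(port: int, threshold: int, euid: int) -> str:
    """Predict the kernel's decision for bind() on `port`. Port 0 asks for an
    ephemeral port and is always allowed; root (euid 0) is always allowed;
    everyone else needs port >= threshold. CAP_NET_BIND_SERVICE, the
    finer-grained alternative to full root, is not modelled here."""
    if port == 0 or euid == 0 or port >= threshold:
        return "allowed"
    return "privileged"


def try_bind(port: int) -> tuple:
    """Attempt a TCP bind on loopback; return (ok, bound_port, errno_name)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
        return (True, s.getsockname()[1], None)
    except OSError as e:
        return (False, port, errno.errorcode.get(e.errno, str(e.errno)))
    finally:
        s.close()


def probe(port: int) -> dict:
    """Compare the prediction with observed kernel behaviour for one port.
    EADDRINUSE means the port was merely busy, not protected."""
    thr = unprivileged_port_start()
    ok, _, err = try_bind(port)
    observed = "allowed" if ok or err == "EADDRINUSE" else "privileged"
    return {"port": port, "threshold": thr, "errno": err,
            "predicted": classify(port, thr, os.geteuid()),
            "observed": observed}


if __name__ == "__main__":
    for p in (80, 1023, 1024, 8080):
        print(probe(p))
```

Lowering the sysctl (or granting CAP_NET_BIND_SERVICE to one service) is the "finer granularity" the message asks for: a daemon can own port 80 without holding the rest of root.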