Guidance for port number use #26
Labels
Comments
|
this kind-of-but-not-really-duplicates #10, which I'll go ahead and close. |
|
Actually, it's an exact duplicate, given that it points to the same issue. ;-) My bad. |
|
@MikeBishop can you check if PR #43 addresses this issue sufficiently? At least for the applicability doc... |
Merged
|
Now also PR #44 for the manageability statement. |
|
created new issue #79 for ALPN |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Copying from quicwg/base-drafts#495
There's no requirement that servers use a particular UDP port for HTTP/QUIC or any other QUIC traffic. Using Alt-Svc, the server is able to pick and advertise any port number and a compliant client will handle it just fine. That's already the case, and isn't part of this issue. #424 updates the HTTP draft to highlight this, increasing the odds that implementations will test and support that case.
This issue is to track that it might actually be desirable from a privacy standpoint for servers to pick arbitrary port numbers and perhaps even rotate them periodically (though that requires coordination with their Alt-Svc advertisements and lifetimes, which could be challenging) in order to make it more difficult for a network observer to classify traffic (and therefore more difficult to ossify).
On the other hand, as we're wrestling with in each of these privacy/manageability debates, removing easy network visibility into the likely protocol by using arbitrary port numbers means that middleboxes will probably resort to other means of attempting to identify protocols and potentially doing it badly, which could result in even worse ossification. (E.g. indexing into the TLS ClientHello to find the ALPN list, then panicking on a different handshake protocol.)
There's further discussion on the original issue, but this belongs in the ops drafts, not the protocol drafts.
The text was updated successfully, but these errors were encountered: