
Re: Application for port-number (system-klensin) (revised) (fwd)



In message <200311061315.hA6DFhZ04071@cichlid.raleigh.ibm.com>, Thomas Narten writes:
>> I see no reason why this needs to be a system port,
>
>I wonder about that too. If the request was for a regular port, would
>we even be having this discussion?
>
>But I'm also wondering about the utility in distinguishing between system
>ports and regular ports these days, so I'm not so sure we should care
>that much. Russ/Steve: can you comment on whether system ports are
>meaningful anymore in this day and age? They correspond to the ports
>that one needs to run as "root" on some systems in order to use.

They never were meaningful...  The original Berkeley man pages for rshd 
and rlogind noted that the authentication method was insecure, and 
Morris the Younger demonstrated that in practice in 1985.

More seriously...  I can think of only two reasons why a server needs a 
"system" port:  to prevent accidental or intentional collisions with 
user processes that might be assigned that port, and to make it easier 
to firewall if you're using a simple packet filter.  I don't think 
either really applies here -- there's no major reason to firewall it 
(and stateful packet filters won't have problems in any event with a 
simple "block all incoming unless the ftp proxy thinks otherwise" 
rule), and any real server for this thing will start before any user 
processes that might collide with it.



		--Steve Bellovin, http://www.research.att.com/~smb
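The two mechanisms the thread is arguing about, the root-only "system" range below 1024 and the risk that a user process grabs a port first, can be observed directly. The following is an added example, not code from the thread or from any of the participants; it assumes a BSD-style TCP/IP stack (Linux, BSD, macOS) where ports 0-1023 are the privileged range, and it uses a constructed "user process" socket to simulate the collision Bellovin describes. Whether the privileged bind succeeds depends on the environment (root, CAP_NET_BIND_SERVICE, or a relaxed net.ipv4.ip_unprivileged_port_start sysctl), so that result is reported rather than assumed.

```python
import errno
import os
import socket

# Privileged ("system") range on BSD-derived stacks: 0-1023.
SYSTEM_PORT_MAX = 1023


def is_system_port(port):
    """True for the range that classically requires root (or a capability) to bind."""
    return 0 <= port <= SYSTEM_PORT_MAX


def try_bind(port, host="127.0.0.1"):
    """Attempt a TCP bind without SO_REUSEADDR.

    Returns (socket, None, bound_port) on success, or (None, errno_name, None)
    on failure. Port 0 asks the kernel for an ephemeral port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        sock.close()
        return None, errno.errorcode.get(exc.errno, str(exc.errno)), None
    return sock, None, sock.getsockname()[1]


def collision_demo():
    """Simulate an unprivileged process taking a user port before the server starts.

    A constructed 'user process' socket binds an ephemeral port; the 'server'
    then tries the same port and gets EADDRINUSE. This is the collision that a
    system port avoids only because nothing unprivileged can bind there first.
    """
    user_sock, err, port = try_bind(0)
    if err is not None:
        return err
    server_sock, server_err, _ = try_bind(port)
    user_sock.close()
    if server_sock is not None:
        server_sock.close()
    return server_err  # "EADDRINUSE" when the user process got there first


def privileged_demo(port=SYSTEM_PORT_MAX):
    """Try to bind a system port and report how the kernel answered.

    Returns None if the bind succeeded (root, CAP_NET_BIND_SERVICE, or a
    relaxed ip_unprivileged_port_start), otherwise the errno name (EACCES on
    Linux, EPERM on some other stacks).
    """
    sock, err, _ = try_bind(port)
    if sock is not None:
        sock.close()
    return err


if __name__ == "__main__":
    print("euid:", os.geteuid())
    print("is_system_port(22):", is_system_port(22))
    print("is_system_port(1024):", is_system_port(1024))
    print("collision on a user port:", collision_demo())
    print("bind to port %d:" % SYSTEM_PORT_MAX, privileged_demo() or "succeeded")
```

Run as an ordinary user on a stock Linux host, `privileged_demo()` returns "EACCES" while `collision_demo()` returns "EADDRINUSE"; run as root, the first bind succeeds but the collision still happens, which is the point of the argument above: the privileged range only helps when the server starts before anything unprivileged can reach the port.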