mirror of
git://git.acid.vegas/archive.git
synced 2024-11-25 01:26:40 +00:00
340 lines
9.3 KiB
Plaintext
340 lines
9.3 KiB
Plaintext
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Independent Submission R. Hartmann
|
|||
|
Request for Comments: 7194 August 2014
|
|||
|
Updates: 1459
|
|||
|
Category: Informational
|
|||
|
ISSN: 2070-1721
|
|||
|
|
|||
|
|
|||
|
Default Port for Internet Relay Chat (IRC) via TLS/SSL
|
|||
|
|
|||
|
Abstract
|
|||
|
|
|||
|
This document describes the commonly accepted practice of listening
|
|||
|
on TCP port 6697 for incoming Internet Relay Chat (IRC) connections
|
|||
|
encrypted via TLS/SSL.
|
|||
|
|
|||
|
Status of This Memo
|
|||
|
|
|||
|
This document is not an Internet Standards Track specification; it is
|
|||
|
published for informational purposes.
|
|||
|
|
|||
|
This is a contribution to the RFC Series, independently of any other
|
|||
|
RFC stream. The RFC Editor has chosen to publish this document at
|
|||
|
its discretion and makes no statement about its value for
|
|||
|
implementation or deployment. Documents approved for publication by
|
|||
|
the RFC Editor are not a candidate for any level of Internet
|
|||
|
Standard; see Section 2 of RFC 5741.
|
|||
|
|
|||
|
Information about the current status of this document, any errata,
|
|||
|
and how to provide feedback on it may be obtained at
|
|||
|
http://www.rfc-editor.org/info/rfc7194.
|
|||
|
|
|||
|
Copyright Notice
|
|||
|
|
|||
|
Copyright (c) 2014 IETF Trust and the persons identified as the
|
|||
|
document authors. All rights reserved.
|
|||
|
|
|||
|
This document is subject to BCP 78 and the IETF Trust's Legal
|
|||
|
Provisions Relating to IETF Documents
|
|||
|
(http://trustee.ietf.org/license-info) in effect on the date of
|
|||
|
publication of this document. Please review these documents
|
|||
|
carefully, as they describe your rights and restrictions with respect
|
|||
|
to this document.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Hartmann Informational [Page 1]
|
|||
|
|
|||
|
RFC 7194 Default Port for IRC via TLS/SSL August 2014
|
|||
|
|
|||
|
|
|||
|
Table of Contents
|
|||
|
|
|||
|
1. Rationale .......................................................2
|
|||
|
2. Technical Details ...............................................2
|
|||
|
2.1. Connection Establishment ...................................2
|
|||
|
2.2. Certificate Details ........................................3
|
|||
|
2.2.1. Server Certificate ..................................3
|
|||
|
2.2.2. Client Certificate ..................................3
|
|||
|
3. Security Considerations .........................................3
|
|||
|
4. IANA Considerations .............................................4
|
|||
|
5. Normative References ............................................4
|
|||
|
6. Informative References ..........................................4
|
|||
|
7. Acknowledgements ................................................5
|
|||
|
Appendix A. Supporting Data ........................................6
|
|||
|
|
|||
|
1. Rationale
|
|||
|
|
|||
|
Although system port assignments exist for IRC traffic that is plain
|
|||
|
text (TCP/UDP port 194) or TLS/SSL encrypted (TCP/UDP port 994)
|
|||
|
[IANALIST], it is common practice amongst IRC networks not to use
|
|||
|
them for reasons of convenience and general availability on systems
|
|||
|
where no root access is granted or desired.
|
|||
|
|
|||
|
IRC networks have defaulted to listening on TCP port 6667 for plain
|
|||
|
text connections for a considerable time now. This is covered by the
|
|||
|
IRCU assignment of TCP/UDP ports 6665-6669.
|
|||
|
|
|||
|
Similar consensus has been reached within the IRC community about
|
|||
|
listening on TCP port 6697 for incoming IRC connections encrypted via
|
|||
|
TLS/SSL [RFC5246].
|
|||
|
|
|||
|
2. Technical Details
|
|||
|
|
|||
|
2.1. Connection Establishment
|
|||
|
|
|||
|
An IRC client connects to an IRC server. Immediately after that, a
|
|||
|
normal TLS/SSL handshake takes place. Once the TLS/SSL connection
|
|||
|
has been established, a normal IRC connection is established via the
|
|||
|
tunnel. Optionally, the IRC server may set a specific user mode
|
|||
|
(umode) for the client, marking it as using TLS/SSL. Again,
|
|||
|
optionally, an IRC server might offer the option to create channels
|
|||
|
in such a way that only clients connected via TLS/SSL may join.
|
|||
|
|
|||
|
For details on how IRC works, see [RFC1459], [RFC2810], [RFC2811],
|
|||
|
[RFC2812], and [RFC2813]. Please note that IRC is extremely
|
|||
|
fragmented, and implementation details can vary wildly. Most
|
|||
|
implementations regard the latter RFCs as suggestions, not as
|
|||
|
binding.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Hartmann Informational [Page 2]
|
|||
|
|
|||
|
RFC 7194 Default Port for IRC via TLS/SSL August 2014
|
|||
|
|
|||
|
|
|||
|
2.2. Certificate Details
|
|||
|
|
|||
|
2.2.1. Server Certificate
|
|||
|
|
|||
|
The IRC server's certificate should be issued by a commonly trusted
|
|||
|
certification authority (CA).
|
|||
|
|
|||
|
The Common Name should match the Fully Qualified Domain Name (FQDN)
|
|||
|
of the IRC server or have appropriate wildcards, if applicable.
|
|||
|
|
|||
|
The IRC client should verify the certificate.
|
|||
|
|
|||
|
2.2.2. Client Certificate
|
|||
|
|
|||
|
If the client is using a certificate as well, it should be issued by
|
|||
|
a commonly trusted CA or a CA designated by the IRC network.
|
|||
|
|
|||
|
The certificate's Common Name should match the main IRC nickname.
|
|||
|
|
|||
|
If the network offers nick registration, this nick should be used.
|
|||
|
|
|||
|
If the network offers grouped nicks, the main nick or account name
|
|||
|
should be used.
|
|||
|
|
|||
|
If the network offers nick registration, the client certificate
|
|||
|
should be used to identify the user against the nick database. See
|
|||
|
[CERTFP] for a possible implementation.
|
|||
|
|
|||
|
3. Security Considerations
|
|||
|
|
|||
|
The lack of a common, well-established listening port for IRC via
|
|||
|
TLS/SSL could lead to end users being unaware of their IRC network of
|
|||
|
choice supporting TLS/SSL. Thus, they might not use encryption even
|
|||
|
if they wanted to.
|
|||
|
|
|||
|
It should be noted that this document merely describes client-to-
|
|||
|
server encryption. There are still other attack vectors like
|
|||
|
malicious administrators, compromised servers, insecure server-to-
|
|||
|
server communication, channels that do not enforce encryption for all
|
|||
|
channel members, malicious clients, or comprised client machines on
|
|||
|
which logs are stored.
|
|||
|
|
|||
|
Those attacks can by their very nature not be addressed by client-to-
|
|||
|
server encryption. Additional safeguards are needed if a user fears
|
|||
|
any of the threats above.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Hartmann Informational [Page 3]
|
|||
|
|
|||
|
RFC 7194 Default Port for IRC via TLS/SSL August 2014
|
|||
|
|
|||
|
|
|||
|
This document does not address server links as there are no commonly
|
|||
|
accepted ports or even back-end protocols. Ports and back-end
|
|||
|
protocols are normally established in a bilateral agreement. All
|
|||
|
operators are encouraged to use strong encryption for back-end
|
|||
|
traffic, no matter if they offer IRC via TLS/SSL to end users.
|
|||
|
|
|||
|
4. IANA Considerations
|
|||
|
|
|||
|
An assignment of TCP port 6697 for IRC via TLS/SSL has been made.
|
|||
|
The service name is "ircs-u" and the description "Internet Relay Chat
|
|||
|
via TLS/SSL":
|
|||
|
|
|||
|
ircs-u 6697/tcp Internet Relay Chat via TLS/SSL
|
|||
|
|
|||
|
5. Normative References
|
|||
|
|
|||
|
[RFC1459] Oikarinen, J. and D. Reed, "Internet Relay Chat Protocol",
|
|||
|
RFC 1459, May 1993.
|
|||
|
|
|||
|
[RFC2810] Kalt, C., "Internet Relay Chat: Architecture", RFC 2810,
|
|||
|
April 2000.
|
|||
|
|
|||
|
[RFC2811] Kalt, C., "Internet Relay Chat: Channel Management", RFC
|
|||
|
2811, April 2000.
|
|||
|
|
|||
|
[RFC2812] Kalt, C., "Internet Relay Chat: Client Protocol", RFC
|
|||
|
2812, April 2000.
|
|||
|
|
|||
|
[RFC2813] Kalt, C., "Internet Relay Chat: Server Protocol", RFC
|
|||
|
2813, April 2000.
|
|||
|
|
|||
|
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
|
|||
|
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
|
|||
|
|
|||
|
6. Informative References
|
|||
|
|
|||
|
[IANALIST] IANA, "Service Name and Transport Protocol Port Number
|
|||
|
Registry", <http://www.iana.org/assignments/
|
|||
|
service-names-port-numbers>.
|
|||
|
|
|||
|
[TOP100] netsplit.de, "IRC Networks - Top 100",
|
|||
|
<http://irc.netsplit.de/networks/top100.php>.
|
|||
|
|
|||
|
[MAVERICK] netsplit.de, "IRC Networks - in alphabetical order",
|
|||
|
<http://irc.netsplit.de/networks/
|
|||
|
lists.php?query=maverick>.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Hartmann Informational [Page 4]
|
|||
|
|
|||
|
RFC 7194 Default Port for IRC via TLS/SSL August 2014
|
|||
|
|
|||
|
|
|||
|
[CERTFP] The Open and Free Technology Community, "OFTC -
|
|||
|
NickServ/CertFP",
|
|||
|
<http://www.oftc.net/oftc/NickServ/CertFP>.
|
|||
|
|
|||
|
7. Acknowledgements
|
|||
|
|
|||
|
Thanks go to the IRC community at large for reaching a consensus.
|
|||
|
|
|||
|
Special thanks go to the IRC operators who were eager to support port
|
|||
|
6697 on their respective networks.
|
|||
|
|
|||
|
Special thanks also go to Nevil Brownlee and James Schaad for working
|
|||
|
on this document in their capacities as Independent Submissions
|
|||
|
Editor and Reviewer, respectively.
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Hartmann Informational [Page 5]
|
|||
|
|
|||
|
RFC 7194 Default Port for IRC via TLS/SSL August 2014
|
|||
|
|
|||
|
|
|||
|
Appendix A. Supporting Data
|
|||
|
|
|||
|
As of October 2010, out of the top twenty IRC networks [TOP100]
|
|||
|
[MAVERICK], ten support TLS/SSL. Only one of those networks does not
|
|||
|
support TLS/SSL via port 6697 and has no plans to support it. All
|
|||
|
others supported it already or are supporting it since being
|
|||
|
contacted by the author. A more detailed analysis is available but
|
|||
|
does not fit within the scope of this document.
|
|||
|
|
|||
|
Authors' Address
|
|||
|
|
|||
|
Richard Hartmann
|
|||
|
Munich
|
|||
|
Germany
|
|||
|
|
|||
|
EMail: richih.mailinglist@gmail.com
|
|||
|
URI: http://richardhartmann.de
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
Hartmann Informational [Page 6]
|
|||
|
|