[NNTP] Registering NNTP and NNSP as ALPN identifiers
Julien ÉLIE
julien at trigofacile.com
Sun Sep 19 03:35:06 PDT 2021
Hi all,
The UTA WG (Using TLS in Applications) is currently revising RFC 7525
about TLS recommendations.
https://datatracker.ietf.org/doc/draft-ietf-uta-rfc7525bis/
In its last -02 draft, they added:
Protocol developers are strongly encouraged to register an ALPN
identifier for their protocols. This applies to new protocols, as
well as well-established protocols such as SMTP.
And also in -01:
TLS implementations (both client- and server-side) MUST support the
Application-Layer Protocol Negotiation (ALPN) extension [RFC7301].
In order to prevent "cross-protocol" attacks resulting from failure
to ensure that a message intended for use in one protocol cannot be
mistaken for a message for use in another protocol, servers should
strictly enforce the behavior prescribed in Section 3.2 of [RFC7301]:
"In the event that the server supports no protocols that the client
advertises, then the server SHALL respond with a fatal
"no_application_protocol" alert." It is also RECOMMENDED that
clients abort the handshake if the server acknowledges the ALPN
extension, but does not select a protocol from the client list.
Failure to do so can result in attacks such those described in
[ALPACA].
It refers to RFC 7301 and the following IANA registry:
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
ALPN permits multiple protocols, for instance on the HTTPS port.
I've seen that sslh (an ssl/ssh multiplexer) makes use of ALPN, so it
could make sense for sharing an NNTP connection on the same port as
other services.
Would you be OK for the registration of our IDs?
I can send the request for "nntp" and "nnsp".
P.-S.: Note that we also have "netnews" on port 532 reserved for us but
not used nowadays. Not worth registering it I believe.
--
Julien ÉLIE
"You know, ideas are in the air. Someone only has to talk to you about
them from too close for you to catch them!" (Raymond Devos)
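An added example, not part of Julien's message, modelling the RFC 7301 section 3.2 behaviour the quoted draft text asks for, with the proposed "nntp" and "nnsp" identifiers. It encodes and parses the ALPN extension body (ProtocolNameList), lets the server pick by its own preference or fail with no_application_protocol when nothing overlaps, and has the client abort if the server acknowledges ALPN with a protocol the client never offered. "h2" and "http/1.1" are existing registered identifiers used only for contrast; the function names and the AlpnError class are this example's own choices, not from any TLS library.

```python
"""ALPN (RFC 7301) negotiation modelled in pure Python (added example).

Raising AlpnError stands in for the fatal TLS alert a real stack would
send at that point of the handshake.
"""
import struct


class AlpnError(Exception):
    """Raised where a real TLS implementation would send a fatal alert."""


def encode_protocol_name_list(names):
    """Encode an RFC 7301 ProtocolNameList: a 2-byte total length, then
    each name as a 1-byte length followed by the 1..255-byte name."""
    body = b""
    for name in names:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("ALPN protocol name must be 1..255 bytes")
        body += struct.pack("!B", len(raw)) + raw
    # ProtocolNameList<2..2^16-1>: an empty list is not encodable
    if not 2 <= len(body) <= 0xFFFF:
        raise ValueError("ProtocolNameList length out of range")
    return struct.pack("!H", len(body)) + body


def decode_protocol_name_list(data):
    """Parse a ProtocolNameList, rejecting truncated, padded or empty
    encodings rather than guessing at them."""
    if len(data) < 2:
        raise AlpnError("decode_error: truncated ProtocolNameList")
    (total,) = struct.unpack("!H", data[:2])
    if total < 2 or 2 + total != len(data):
        raise AlpnError("decode_error: bad ProtocolNameList length")
    names, pos = [], 2
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0 or pos + n > len(data):
            raise AlpnError("decode_error: bad ProtocolName length")
        names.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return names


def server_select(server_supported, client_hello_alpn):
    """Server side of RFC 7301 section 3.2: choose by server preference
    order; with no overlap, fail the handshake (no_application_protocol)
    instead of silently continuing with an unknown protocol."""
    offered = decode_protocol_name_list(client_hello_alpn)
    for name in server_supported:
        if name in offered:
            return encode_protocol_name_list([name])
    raise AlpnError("no_application_protocol")


def client_check(client_offered, server_hello_alpn):
    """Client side: a ServerHello ALPN extension must carry exactly one
    name, and it must be one the client offered; otherwise abort, as the
    draft text RECOMMENDS. None means the server did not acknowledge ALPN."""
    if server_hello_alpn is None:
        return None
    selected = decode_protocol_name_list(server_hello_alpn)
    if len(selected) != 1:
        raise AlpnError("illegal_parameter: server must select exactly one protocol")
    if selected[0] not in client_offered:
        raise AlpnError("illegal_parameter: server selected a protocol not offered")
    return selected[0]


def negotiate_outcome(client_offered, server_supported):
    """Run both halves over the wire encoding and report ("ok", name) or
    ("alert", reason) so the result is easy to inspect."""
    try:
        hello = encode_protocol_name_list(client_offered)
        reply = server_select(server_supported, hello)
        return ("ok", client_check(client_offered, reply))
    except AlpnError as exc:
        return ("alert", str(exc))


if __name__ == "__main__":
    print(negotiate_outcome(["nntp"], ["nntp", "nnsp"]))
    print(negotiate_outcome(["nntp"], ["h2", "http/1.1"]))
```

The second call is the multiplexed-port case from the message: an NNTP client reaching a server that only speaks HTTP variants gets a fatal alert during the handshake rather than an NNTP session being talked into an HTTP listener.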