rfc7194.txt (9497B)
Independent Submission                                       R. Hartmann
Request for Comments: 7194                                   August 2014
Updates: 1459
Category: Informational
ISSN: 2070-1721


         Default Port for Internet Relay Chat (IRC) via TLS/SSL

Abstract

   This document describes the commonly accepted practice of listening
   on TCP port 6697 for incoming Internet Relay Chat (IRC) connections
   encrypted via TLS/SSL.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7194.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Hartmann                      Informational                     [Page 1]

RFC 7194        Default Port for IRC via TLS/SSL        August 2014

Table of Contents

   1. Rationale
   2. Technical Details
      2.1. Connection Establishment
      2.2. Certificate Details
         2.2.1. Server Certificate
         2.2.2. Client Certificate
   3. Security Considerations
   4. IANA Considerations
   5. Normative References
   6. Informative References
   7. Acknowledgements
   Appendix A. Supporting Data

1.  Rationale

   Although system port assignments exist for IRC traffic that is plain
   text (TCP/UDP port 194) or TLS/SSL encrypted (TCP/UDP port 994)
   [IANALIST], it is common practice amongst IRC networks not to use
   them for reasons of convenience and general availability on systems
   where no root access is granted or desired.

   IRC networks have defaulted to listening on TCP port 6667 for plain
   text connections for a considerable time now.  This is covered by the
   IRCU assignment of TCP/UDP ports 6665-6669.

   Similar consensus has been reached within the IRC community about
   listening on TCP port 6697 for incoming IRC connections encrypted via
   TLS/SSL [RFC5246].

2.  Technical Details

2.1.  Connection Establishment

   An IRC client connects to an IRC server.  Immediately after that, a
   normal TLS/SSL handshake takes place.  Once the TLS/SSL connection
   has been established, a normal IRC connection is established via the
   tunnel.  Optionally, the IRC server may set a specific user mode
   (umode) for the client, marking it as using TLS/SSL.  Again,
   optionally, an IRC server might offer the option to create channels
   in such a way that only clients connected via TLS/SSL may join.

   For details on how IRC works, see [RFC1459], [RFC2810], [RFC2811],
   [RFC2812], and [RFC2813].  Please note that IRC is extremely
   fragmented, and implementation details can vary wildly.  Most
   implementations regard the latter RFCs as suggestions, not as
   binding.

2.2.  Certificate Details

2.2.1.  Server Certificate

   The IRC server's certificate should be issued by a commonly trusted
   certification authority (CA).

   The Common Name should match the Fully Qualified Domain Name (FQDN)
   of the IRC server or have appropriate wildcards, if applicable.

   The IRC client should verify the certificate.

2.2.2.  Client Certificate

   If the client is using a certificate as well, it should be issued by
   a commonly trusted CA or a CA designated by the IRC network.

   The certificate's Common Name should match the main IRC nickname.

   If the network offers nick registration, this nick should be used.

   If the network offers grouped nicks, the main nick or account name
   should be used.

   If the network offers nick registration, the client certificate
   should be used to identify the user against the nick database.  See
   [CERTFP] for a possible implementation.

3.  Security Considerations

   The lack of a common, well-established listening port for IRC via
   TLS/SSL could lead to end users being unaware of their IRC network of
   choice supporting TLS/SSL.  Thus, they might not use encryption even
   if they wanted to.

   It should be noted that this document merely describes
   client-to-server encryption.  There are still other attack vectors
   like malicious administrators, compromised servers, insecure
   server-to-server communication, channels that do not enforce
   encryption for all channel members, malicious clients, or compromised
   client machines on which logs are stored.

   Those attacks can by their very nature not be addressed by
   client-to-server encryption.  Additional safeguards are needed if a
   user fears any of the threats above.

   This document does not address server links as there are no commonly
   accepted ports or even back-end protocols.  Ports and back-end
   protocols are normally established in a bilateral agreement.  All
   operators are encouraged to use strong encryption for back-end
   traffic, no matter if they offer IRC via TLS/SSL to end users.

4.  IANA Considerations

   An assignment of TCP port 6697 for IRC via TLS/SSL has been made.
   The service name is "ircs-u" and the description "Internet Relay Chat
   via TLS/SSL":

   ircs-u  6697/tcp  Internet Relay Chat via TLS/SSL

5.  Normative References

   [RFC1459]  Oikarinen, J. and D. Reed, "Internet Relay Chat Protocol",
              RFC 1459, May 1993.

   [RFC2810]  Kalt, C., "Internet Relay Chat: Architecture", RFC 2810,
              April 2000.

   [RFC2811]  Kalt, C., "Internet Relay Chat: Channel Management", RFC
              2811, April 2000.

   [RFC2812]  Kalt, C., "Internet Relay Chat: Client Protocol", RFC
              2812, April 2000.

   [RFC2813]  Kalt, C., "Internet Relay Chat: Server Protocol", RFC
              2813, April 2000.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

6.  Informative References

   [IANALIST] IANA, "Service Name and Transport Protocol Port Number
              Registry",
              <http://www.iana.org/assignments/service-names-port-numbers>.

   [TOP100]   netsplit.de, "IRC Networks - Top 100",
              <http://irc.netsplit.de/networks/top100.php>.

   [MAVERICK] netsplit.de, "IRC Networks - in alphabetical order",
              <http://irc.netsplit.de/networks/lists.php?query=maverick>.

   [CERTFP]   The Open and Free Technology Community, "OFTC -
              NickServ/CertFP",
              <http://www.oftc.net/oftc/NickServ/CertFP>.

7.  Acknowledgements

   Thanks go to the IRC community at large for reaching a consensus.

   Special thanks go to the IRC operators who were eager to support port
   6697 on their respective networks.

   Special thanks also go to Nevil Brownlee and James Schaad for working
   on this document in their capacities as Independent Submissions
   Editor and Reviewer, respectively.

Appendix A.  Supporting Data

   As of October 2010, out of the top twenty IRC networks [TOP100]
   [MAVERICK], ten support TLS/SSL.  Only one of those networks does not
   support TLS/SSL via port 6697 and has no plans to support it.  All
   others supported it already or are supporting it since being
   contacted by the author.  A more detailed analysis is available but
   does not fit within the scope of this document.

Authors' Address

   Richard Hartmann
   Munich
   Germany

   EMail: richih.mailinglist@gmail.com
   URI:   http://richardhartmann.de
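
The connection sequence of Section 2.1 and the certificate checks of Section 2.2.1, as an added Python example that is not part of the RFC: the TLS handshake runs immediately after the TCP connect, and no IRC data is sent (and no plain-text retry is made) unless the certificate chain and host name verify. The function names, the TLS 1.2 floor, and reusing the nick as user and real name are assumptions of this example.

```python
import socket
import ssl

IRCS_PORT = 6697  # "ircs-u", the port registered for IRC via TLS/SSL


def make_client_context(certfile=None, keyfile=None):
    """Context that verifies the server as Section 2.2.1 describes."""
    # Defaults: trusted system CAs, CERT_REQUIRED, host name checking on.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: local policy floor
    if certfile:
        # Optional client certificate (Section 2.2.2); paths are the caller's.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def registration_lines(nick, user, realname):
    """NICK/USER registration (RFC 2812), rejecting CR/LF in any field."""
    for field in (nick, user, realname):
        if "\r" in field or "\n" in field:
            raise ValueError("CR/LF not allowed in IRC registration fields")
    return f"NICK {nick}\r\nUSER {user} 0 * :{realname}\r\n".encode()


def connect_ircs(host, nick, port=IRCS_PORT, ctx=None, timeout=15):
    """Connect, complete the TLS handshake, and only then speak IRC.

    Raises ssl.SSLError (including certificate or host name failures)
    without sending any IRC data and without retrying in plain text.
    """
    ctx = ctx or make_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # The handshake runs here, immediately after the TCP connect.
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # Only reached once the verified tunnel is up.
    tls.sendall(registration_lines(nick, nick, nick))
    return tls
```

Passing `certfile` and `keyfile` to `make_client_context` presents a client certificate during the same handshake, which is what a network needs in order to match the user against its nick database.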