1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
|
<pre>Independent Submission R. Hartmann
Request for Comments: 7194 August 2014
Updates: <a href="./rfc1459">1459</a>
Category: Informational
ISSN: 2070-1721
<span class="h1">Default Port for Internet Relay Chat (IRC) via TLS/SSL</span>
Abstract
This document describes the commonly accepted practice of listening
on TCP port 6697 for incoming Internet Relay Chat (IRC) connections
encrypted via TLS/SSL.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc7194">http://www.rfc-editor.org/info/rfc7194</a>.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
<span class="grey">Hartmann Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7194">RFC 7194</a> Default Port for IRC via TLS/SSL August 2014</span>
Table of Contents
<a href="#section-1">1</a>. Rationale .......................................................<a href="#page-2">2</a>
<a href="#section-2">2</a>. Technical Details ...............................................<a href="#page-2">2</a>
<a href="#section-2.1">2.1</a>. Connection Establishment ...................................<a href="#page-2">2</a>
<a href="#section-2.2">2.2</a>. Certificate Details ........................................<a href="#page-3">3</a>
<a href="#section-2.2.1">2.2.1</a>. Server Certificate ..................................<a href="#page-3">3</a>
<a href="#section-2.2.2">2.2.2</a>. Client Certificate ..................................<a href="#page-3">3</a>
<a href="#section-3">3</a>. Security Considerations .........................................<a href="#page-3">3</a>
<a href="#section-4">4</a>. IANA Considerations .............................................<a href="#page-4">4</a>
<a href="#section-5">5</a>. Normative References ............................................<a href="#page-4">4</a>
<a href="#section-6">6</a>. Informative References ..........................................<a href="#page-4">4</a>
<a href="#section-7">7</a>. Acknowledgements ................................................<a href="#page-5">5</a>
<a href="#appendix-A">Appendix A</a>. Supporting Data ........................................<a href="#page-6">6</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Rationale</span>
Although system port assignments exist for IRC traffic that is plain
text (TCP/UDP port 194) or TLS/SSL encrypted (TCP/UDP port 994)
[<a href="#ref-IANALIST" title=""Service Name and Transport Protocol Port Number Registry"">IANALIST</a>], it is common practice amongst IRC networks not to use
them for reasons of convenience and general availability on systems
where no root access is granted or desired.
IRC networks have defaulted to listening on TCP port 6667 for plain
text connections for a considerable time now. This is covered by the
IRCU assignment of TCP/UDP ports 6665-6669.
Similar consensus has been reached within the IRC community about
listening on TCP port 6697 for incoming IRC connections encrypted via
TLS/SSL [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Technical Details</span>
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Connection Establishment</span>
An IRC client connects to an IRC server. Immediately after that, a
normal TLS/SSL handshake takes place. Once the TLS/SSL connection
has been established, a normal IRC connection is established via the
tunnel. Optionally, the IRC server may set a specific user mode
(umode) for the client, marking it as using TLS/SSL. Again,
optionally, an IRC server might offer the option to create channels
in such a way that only clients connected via TLS/SSL may join.
For details on how IRC works, see [<a href="./rfc1459" title=""Internet Relay Chat Protocol"">RFC1459</a>], [<a href="./rfc2810" title=""Internet Relay Chat: Architecture"">RFC2810</a>], [<a href="./rfc2811" title=""Internet Relay Chat: Channel Management"">RFC2811</a>],
[<a href="./rfc2812" title=""Internet Relay Chat: Client Protocol"">RFC2812</a>], and [<a href="./rfc2813" title=""Internet Relay Chat: Server Protocol"">RFC2813</a>]. Please note that IRC is extremely
fragmented, and implementation details can vary wildly. Most
implementations regard the latter RFCs as suggestions, not as
binding.
<span class="grey">Hartmann Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7194">RFC 7194</a> Default Port for IRC via TLS/SSL August 2014</span>
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Certificate Details</span>
<span class="h4"><a class="selflink" id="section-2.2.1" href="#section-2.2.1">2.2.1</a>. Server Certificate</span>
The IRC server's certificate should be issued by a commonly trusted
certification authority (CA).
The Common Name should match the Fully Qualified Domain Name (FQDN)
of the IRC server or have appropriate wildcards, if applicable.
The IRC client should verify the certificate.
<span class="h4"><a class="selflink" id="section-2.2.2" href="#section-2.2.2">2.2.2</a>. Client Certificate</span>
If the client is using a certificate as well, it should be issued by
a commonly trusted CA or a CA designated by the IRC network.
The certificate's Common Name should match the main IRC nickname.
If the network offers nick registration, this nick should be used.
If the network offers grouped nicks, the main nick or account name
should be used.
If the network offers nick registration, the client certificate
should be used to identify the user against the nick database. See
[<a href="#ref-CERTFP" title=""OFTC - NickServ/CertFP"">CERTFP</a>] for a possible implementation.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Security Considerations</span>
The lack of a common, well-established listening port for IRC via
TLS/SSL could lead to end users being unaware of their IRC network of
choice supporting TLS/SSL. Thus, they might not use encryption even
if they wanted to.
It should be noted that this document merely describes client-to-
server encryption. There are still other attack vectors like
malicious administrators, compromised servers, insecure server-to-
server communication, channels that do not enforce encryption for all
channel members, malicious clients, or comprised client machines on
which logs are stored.
Those attacks can by their very nature not be addressed by client-to-
server encryption. Additional safeguards are needed if a user fears
any of the threats above.
<span class="grey">Hartmann Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7194">RFC 7194</a> Default Port for IRC via TLS/SSL August 2014</span>
This document does not address server links as there are no commonly
accepted ports or even back-end protocols. Ports and back-end
protocols are normally established in a bilateral agreement. All
operators are encouraged to use strong encryption for back-end
traffic, no matter if they offer IRC via TLS/SSL to end users.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. IANA Considerations</span>
An assignment of TCP port 6697 for IRC via TLS/SSL has been made.
The service name is "ircs-u" and the description "Internet Relay Chat
via TLS/SSL":
ircs-u 6697/tcp Internet Relay Chat via TLS/SSL
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Normative References</span>
[<a id="ref-RFC1459">RFC1459</a>] Oikarinen, J. and D. Reed, "Internet Relay Chat Protocol",
<a href="./rfc1459">RFC 1459</a>, May 1993.
[<a id="ref-RFC2810">RFC2810</a>] Kalt, C., "Internet Relay Chat: Architecture", <a href="./rfc2810">RFC 2810</a>,
April 2000.
[<a id="ref-RFC2811">RFC2811</a>] Kalt, C., "Internet Relay Chat: Channel Management", <a href="./rfc2811">RFC</a>
<a href="./rfc2811">2811</a>, April 2000.
[<a id="ref-RFC2812">RFC2812</a>] Kalt, C., "Internet Relay Chat: Client Protocol", <a href="./rfc2812">RFC</a>
<a href="./rfc2812">2812</a>, April 2000.
[<a id="ref-RFC2813">RFC2813</a>] Kalt, C., "Internet Relay Chat: Server Protocol", <a href="./rfc2813">RFC</a>
<a href="./rfc2813">2813</a>, April 2000.
[<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", <a href="./rfc5246">RFC 5246</a>, August 2008.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Informative References</span>
[<a id="ref-IANALIST">IANALIST</a>] IANA, "Service Name and Transport Protocol Port Number
Registry", <<a href="http://www.iana.org/assignments/service-names-port-numbers">http://www.iana.org/assignments/</a>
<a href="http://www.iana.org/assignments/service-names-port-numbers">service-names-port-numbers</a>>.
[<a id="ref-TOP100">TOP100</a>] netsplit.de, "IRC Networks - Top 100",
<<a href="http://irc.netsplit.de/networks/top100.php">http://irc.netsplit.de/networks/top100.php</a>>.
[<a id="ref-MAVERICK">MAVERICK</a>] netsplit.de, "IRC Networks - in alphabetical order",
<<a href="http://irc.netsplit.de/networks/lists.php?query=maverick">http://irc.netsplit.de/networks/</a>
<a href="http://irc.netsplit.de/networks/lists.php?query=maverick">lists.php?query=maverick</a>>.
<span class="grey">Hartmann Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7194">RFC 7194</a> Default Port for IRC via TLS/SSL August 2014</span>
[<a id="ref-CERTFP">CERTFP</a>] The Open and Free Technology Community, "OFTC -
NickServ/CertFP",
<<a href="http://www.oftc.net/oftc/NickServ/CertFP">http://www.oftc.net/oftc/NickServ/CertFP</a>>.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Acknowledgements</span>
Thanks go to the IRC community at large for reaching a consensus.
Special thanks go to the IRC operators who were eager to support port
6697 on their respective networks.
Special thanks also go to Nevil Brownlee and James Schaad for working
on this document in their capacities as Independent Submissions
Editor and Reviewer, respectively.
<span class="grey">Hartmann Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7194">RFC 7194</a> Default Port for IRC via TLS/SSL August 2014</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Supporting Data</span>
As of October 2010, out of the top twenty IRC networks [<a href="#ref-TOP100" title=""IRC Networks - Top 100"">TOP100</a>]
[<a href="#ref-MAVERICK" title=""IRC Networks - in alphabetical order"">MAVERICK</a>], ten support TLS/SSL. Only one of those networks does not
support TLS/SSL via port 6697 and has no plans to support it. All
others supported it already or are supporting it since being
contacted by the author. A more detailed analysis is available but
does not fit within the scope of this document.
Authors' Address
Richard Hartmann
Munich
Germany
EMail: richih.mailinglist@gmail.com
URI: <a href="http://richardhartmann.de">http://richardhartmann.de</a>
Hartmann Informational [Page 6]
</pre>
|
