On Tuesday, 10 March 2020 13:30:53 UTC Patrick McManus wrote:
> another positive feature of ports in this record is that it provides some
> address space independent of the origin security model of the URI. By this
> I mean that https://www.foo.com (implicit :443) and https://www.foo.com:555
> are different origins with different web security boundaries. While two
> different httpssvc records for 443 and 555 (both for https://www.foo.com)
> are in the same origin. This level of indirection can be used for A/B
> testing or even for encoding load balancing information in an IP-constrained
> space. Just like the address is distinct from the URL, the port separates
> the 'what' from the 'how' and that's good.
your reply above precisely demonstrates the risk offered by allowing a service operator to select a non-default port. please read my down-thread response to erik nygren and consider the non-reachability impacts of such selection on far edge managed private networks, who will only build NAT, AGM, or firewall flow state for permitted (in-policy) flows.

there's a separate problem on retermination, but i'll address that in quic-wg.

-- 
Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
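The two points above (the record's port living outside the URL origin, and a policy-filtered network only passing flows it expects) can be checked mechanically. The following is an added Python example, not code from either poster or from any DNS library; the HTTPS record text, the URL and the egress allow-list are constructed for illustration.

```python
"""Constructed example: compare the URL origin with the port an HTTPS
(SVCB-style) record actually steers the client to, and test that port
against a network egress policy expressed as a set of permitted ports."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


@dataclass
class HttpsRecord:
    priority: int
    target: str                      # "." in presentation form means the owner name itself
    params: Dict[str, str] = field(default_factory=dict)


def parse_https_rdata(rdata: str) -> HttpsRecord:
    """Parse presentation form: 'SvcPriority TargetName [key=value ...]'.
    Values may be double-quoted (e.g. alpn="h2,h3"); quotes are stripped."""
    parts = rdata.split()
    priority, target = int(parts[0]), parts[1]
    params: Dict[str, str] = {}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        params[key] = value.strip('"')
    return HttpsRecord(priority, target, params)


def origin(url: str) -> Tuple[str, str, int]:
    """Web origin tuple (scheme, host, port); the port defaults per scheme."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme])


def effective_port(url: str, rec: HttpsRecord) -> int:
    """Port the client will connect to: the record's 'port' SvcParam, if
    present, overrides the port implied by the URL without changing the origin."""
    return int(rec.params["port"]) if "port" in rec.params else origin(url)[2]


def assess(url: str, rdata: str, permitted_ports: Set[int]) -> dict:
    """Report origin, the port actually dialled, and whether a policy-filtered
    network that only builds state for permitted ports would pass the flow."""
    rec = parse_https_rdata(rdata)
    port = effective_port(url, rec)
    return {"origin": origin(url), "connect_port": port,
            "reachable": port in permitted_ports}


if __name__ == "__main__":
    # constructed records: same owner, one on the default port, one moved to 555
    for rdata in ("1 . alpn=h2", "1 . alpn=h2,h3 port=555"):
        print(assess("https://www.foo.com", rdata, {443}))
```

Running it shows both records sharing the origin ("https", "www.foo.com", 443) while the second one dials 555, which the constructed 443-only egress policy reports as unreachable.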