Recommendations on Using Assigned Transport Port Numbers
RFC 7605

Note: This ballot was opened for revision 07 and is now closed.

(Martin Stiemerling; former steering group member) Yes

Yes (2015-02-17 for -07)
No email
send info
Thanks for writing this document! 

Just one nit:

On page 6 in this paragraph:

   As a concept, a service is the combination of ISO Layers 5-7 that
   represents an application protocol capability. For example www (port
   number 80) is a service that uses HTTP as an application protocol
   and provides access to a web server [RFC7230]. However, it is
   possible to use HTTP for other purposes, such as command and
   control. This is why some current service names (HTTP, e.g.) are a
   bit overloaded - they describe not only the application protocol,
   but a particular service.

This paragraph introduces the term „service names“ which has not been used before. It would be good to define the term in contrast to the port numbers for naive readers. The explanation of service names comes later, probably too late (just before the beginning of Section 6). How about introducing service names just before?

(Spencer Dawkins; former steering group member) Yes

Yes ( for -07)
No email
send info

(Ted Lemon; former steering group member) (was Discuss) Yes

Yes (2015-03-23 for -09)
No email
send info
Thanks for addressing my DISCUSS.   This is an excellent document and I support publication.   Thanks for doing this work--it's very complete and should serve as a good guide for working groups designing new protocols.

One additional comment, the new version has a change in section five resulting in the following text:

   This is the primary reason for requesting assigned port	
   numbers assigned by IANA

The double use of "assigned" here is likely to make the RFC editor want to change the text, so it might be nice to add a note explaining why this change was made so that that information isn't forgotten by the time this gets to the top of the editor queue.

(Adrian Farrel; former steering group member) (was Discuss) No Objection

No Objection (2015-03-19 for -08)
No email
send info
The most recent revision addresses the two remaining points from my Discuss. Thanks to the author for the (somewhat lengthy) discussion that resulted in the changes.

I have also reduced my list of Comments according to this most recent revision and our discussions.

[Please recall that Comments are my voiced opinions, but are not mandatory. Please reach agreement with your AD on what needs to be done to the document.]

---

I agree with Ted's Discuss about secure and insecure variants on 
different port numbers.

RFC 6335 says

      Note: At the time of writing of this document, there is no IETF
      consensus on when it is appropriate to use a second port for an
      insecure version of a protocol.

I don't see that Section 7.4 of this document has established that
consensus, and I believe that there are good reasons to distinguish
secure and insecure protocol versions (esepecially with legacy, insecure
protocols) by use of separate port numbers.

---

[This item removed from my Discuss]

I think that the "guiding principle" in 6.1 that says...

      o  Copies of an existing service can be differentiated by using
         different IP addresses, either on different hosts or as
         different real or virtual interfaces (or even operating
         systems) on the same host.

... describes an option, but it is wrong to suggest it as a solution.
The main thrust of the document says that it is wrong to include a 
demultiplex reference at the transport layer when what is being
multiplexed is really at the application layer (or at last at the level
of the payload of the transport protocol). Yet this suggested remedy
actually pushes the demultiplex identifier to the network layer. That
really is not a good thing to recommend.

...Further to email discussion with the author, I think that this is describing
a situation where copies of a host are being made, not copies of a service.
It is not a significant Comment, but I feel that this bullet is distracting from
the main list of suggested solution.

(Alia Atlas; former steering group member) No Objection

No Objection (2015-03-04 for -07)
No email
send info
I agree with Adrian's DISCUSS

(Alissa Cooper; former steering group member) (was Discuss) No Objection

No Objection (2015-04-24)
No email
send info
Thanks for addressing my DISCUSS!

---

I think I may have some overlapping comments with Barry, but I wrote this before I saw his comments, so my apologies.

-- Sec 5:
"Port numbers can also be useful for other purposes."

I would suggest s/useful/used/ because whether the purposes listed in the previous paragraph (e.g., monitoring, blocking, etc. based on port number) are considered "useful" is in the eye of the beholder.

-- Sec 7.4:
The term "security" is really vague. It would help to define what is meant by "security" or "secure service."

-- Sec 7.4 and 7.5:
Both of these sections contain recommendations that are good, but seem out of place in this document unless they could be made more specific to port use. The ones that jumped out at me are:

   >> New services SHOULD support security, either directly or via a
   secure transport such as TLS [RFC5246].

   >> Insecure versions of new or existing secure services SHOULD be
   avoided because of the new vulnerability they create.
   
   >> Version support SHOULD be included in new services.

I would say to either remove these or add in the context of what they have to do with port number assignment (e.g., "Version support SHOULD be included in new services rather than relying on different port number assignments for different versions.")

-- Sec 7.7:
"Deployments that use port numbers before deployment complicate IANA
   management of the port number space."

I think this is supposed to say "before assignment" rather than "before deployment."

-- Sec 7.8:
""Squatting" describes the use of a number from the assigned range in
   deployed software without IANA assignment. It is hazardous because
   IANA cannot track such usage and thus cannot avoid making legitimate
   assignments that conflict with such unauthorized usage.

   Such "squatted" port numbers remain unassigned, and IANA retains the
   right to assign them when requested by applicants."

This is a little confusing -- is the first sentence supposed to say "unassigned range"? If not, what is the assigned range, and why is IANA said to retain the right to assign numbers that are already assigned? I would have thought squatting would be understood as using unassigned numbers in the system and user ranges.

"In
   particular, any unassigned code from the assigned ranges will be
   assigned by IANA, and any conflict will be easily resolved as the
   protocol designer's fault once that happens (because they would not
   be the assignee). This may reflect in the public's judgment on the
   quality of their expertise and cooperation with the Internet
   community."

This seems a little over-the-top to me. I would suggest:

"IANA may assign any code from the system or user ranges to applicants that meet all of the relevant criteria, and is not obligated to take into consideration the existence of squatters when doing so. Squatting is viewed as uncooperative behavior in the Internet community."

(Barry Leiba; former steering group member) (was Discuss) No Objection

No Objection (2015-02-17 for -07)
No email
send info
Thanks for quickly addressing my DISCUSS points, two of which are cleared and two of which are now comments here:

-- Section 7.4 --
   >> New services SHOULD support security, either directly or via a
   secure transport such as TLS [RFC5246].

In this context, "security" is too vague a term: what, exactly, does "SHOULD support security" mean?  Are you talking about authentication?  Access/authorization controls?  Confidentiality?  Specifically, encrypted communication?  I think you mean the last.

<<
Joe Touch responds:
It would be useful to explain.
Security depends on the service being offered; for some, encryption, integrity protection, and source identity are all expected, but for many services only a subset of these might be relevant.
>>

We should add such an explanation.

-- Section 7.4 --
   >> When simultaneously requesting both a secure and an insecure
   port, strong justification MUST be provided for the insecure port.
   Precedent (citing other protocols that use an insecure port) is not
   strong justification by itself.  A strong case for utility of the
   insecure service is REQUIRED for approval of the insecure port.

This seems significantly stronger than what RFC 6335 said, and this point was hotly debated in the development of that document.  RFC 6335, Section 9, says this:

   Services are expected to include support for security, either as
   default or dynamically negotiated in-band.  The use of separate
   service name or port number assignments for secure and insecure
   variants of the same service is to be avoided in order to discourage
   the deployment of insecure services.

As this document does not update 6335, I don't see how the MUST and the REQUIRED are appropriate.  But perhaps I can be convinced by some discussion.

Joe Touch responds:
<<
Again, one doc applies to IANA, the other to protocol designers. RFC6335 explains why IANA should avoid such an assignment; this doc explains that a designer is expected to justify the need in an request to IANA.

It might be useful, as a result, to remove the 2119 language, e.g., to write this from the perspective of advice to the applicant:

     >> When simultaneously requesting both a secure and an insecure
     port, strong justification is expected for the utility and safety
     of a separate insecure port.
     Precedent (citing other protocols that use an insecure port) is not
     strong justification by itself.
>>

The rest of these are non-blocking, but please consider them -- many are meant to clarify the text, and I hope they succeed in that.

In three places:

-- Abstract --
   This document provides recommendations to application and service
   designers on how to use the transport protocol port number space.

-- Section 1 --
   It also provides specific
   recommendations to designers on how to use assigned port numbers.

-- Section 2 --
   In this document, the characters ">>" preceding an indented line(s)
   indicates a compliance requirement statement using the key words
   listed above.

First, recommendations on how to use *port number space* is not the same as recommendations on how to use *assigned port numbers*.  I interpret the former as recommendations about making requests for port numbers, and the latter as recommendations about use of the port numbers after they've been assigned.  These should be worded consistently.

Second, recommendations, whichever type of recommendations they be, are not the same as compliance requirements.  I read the former as suggestions, and the latter as, well, requirements.  If the document is giving requirements that cover port-number requests -- and it is, complete with MUSTs -- it needs to clearly say that up front, and get rid of the "recommendations" stuff (or say both, that there are both requirements and recommendations here).

-- Section 5 --

   Consider a user wanting to run a web server. That service could run
   on any port number, provided that all clients knew what port number
   to use to access that service at that host. Such information can be
   distributed out-of-band, e.g., in the URI:

      http://www.example.com:51509/

It's a fine point, but having the port number in the URI doesn't actually distribute it "out of band" (which doesn't need hyphens in this context).  I would say, "Such information can be explicitly distributed -- for example, by putting it in the URI:".

   IANA assigns port numbers so that Internet endpoints do not need
   pairwise, explicit coordination of the meaning of their port
   numbers. This is the primary reason for requesting assigned port
   numbers with IANA - to have a common agreement between all endpoints
   on the Internet as to the default meaning of a port number.

This only says half of it, and omits a very important piece, I think.  May I suggest this?:

NEW
   IANA assigns port numbers so that Internet endpoints do not need
   pairwise, explicit coordination of the meaning of their port
   numbers. This is the primary reason for requesting assigned port
   numbers with IANA - to have a common agreement between all endpoints
   on the Internet as to the default meaning of a port number, and to
   provide the endpoints with a default port number for a particular
   protocol or service.
END

   >> Each port requested MUST be justified as independently necessary.

This is a fair statement, and yet I worry that including "necessary" may result in arguments between protocol designers and port experts about what is and isn't "necessary", and what the community's consensus is on it.  I'm not sure how to minimize that.  I'd say "MUST be independently justified," which does get the point you want (the independent justification) without using the loaded word "necessary".  I'd prefer that wording, though I admit that it can just as easily result in the same arguments.

-- Section 6.1 --

      o  Copies of an existing service can be differentiated by using
         different IP addresses, either on different hosts or as
         different real or virtual interfaces (or even operating
         systems) on the same host.

As a guiding principle for protocol designers, this worries me: it's an operational point, not a point of protocol design.  I'd have no objection if this were explicitly cast as an operational suggestion.

      o  Services requiring varying performance properties can already
         be supported using separate endpoint associations (connections
         or other associations), each configured to support the desired
         properties.

I can't figure out what you mean here.  Do you have an example, or can you tweak the explanation?

-- Section 7 --

   7. How to Use Assigned Port Numbers

   Port numbers are assigned by IANA by a set of documented procedures
   [RFC6335]. The following section describes the steps users can take
   to help assist with the use of assigned port numbers, and with
   preparing an application for a port number assignment.

In both the title and the paragraph, you refer to the "use" of "assigned port numbers", and yet the entire section talks about getting port assignments, not about using the port numbers after they're assigned.  I suggest this instead:

NEW
   7. Considerations for Requesting Port Number Assignments

   Port numbers are assigned by IANA by a set of documented procedures
   [RFC6335]. The following section describes the steps designers can
   take to help assist with the responsible assignment of port numbers,
   and with preparing an application for a port number assignment.
END

-- Section 7.1 --

      o  Port numbers are not intended for indicating different service
         versions. Version differentiation should be handled in-band,
         e.g., using a version number at the beginning of an
         association (e.g., connection or other transaction). This may
         not be possible with legacy assignments, but all new
         assignments should incorporate support for version indication.

Is this meant to say "but all new protocols should incorporate support for version indication."?  It's not the assignment that does that.

   Some users may not need assigned port numbers at all

Is this meant to say "some uses may not" (or "some protocols", but not "some users")?

-- Section 7.2 --

   There are a
   variety of known ways to reduce port number use. Although some may
   be cumbersome or inefficient, they are always preferable to
   consuming additional port numbers.

1. I think "reduce port number consumption" might be a better way to say what you mean here.

2. I don't think "always preferable" is consistent with the consensus on RFC 6335.  I would accept "usually preferable", but not something as strong as "always".

   Although
   automatic configuration protocols have been proposed and developed
   (e.g., STUN [RFC5389], TURN [RFC5766], and ICE [RFC5245]),
   application and service designers cannot yet rely on their presence.

I wouldn't call STUN, TURN, and ICE "automatic configuration protocols".  I'd refer to them as "NAT traversal protocols".

-- Section 7.3 --

   Would a TCP (or other transport
   protocol) port number assignment be useful by itself?  If so, a TCP
   (UDP) port number can be assigned whose port number is already (or
   can be subsequently) assigned to a different transport protocol.

I'm not sure what you're getting at here.  Are you saying that if you need a TCP port, you might pick one where the UDP port of the same number is (or can be) used for something else, and vice versa?  If so, I don't think it says that at all clearly.  In any case, can you please rephrase this to make it clearer?

   >> Developers SHOULD NOT apply for System port numbers because the
   increased privilege they are intended to provide is not always
   enforced.

Hm.  This sounds odd to me: it seems that it's setting up a feedback loop that's self sustaining.  You might want a system port number to get protection against running on that port by non-root.  But you won't always get that protection.  So you shouldn't ask.  So no one asks, and so no one gets the protection even when it's available.

Do you think this works as well for you?:

NEW
   >> Developers SHOULD request User port numbers, to avoid using
   the more limited System port number space.  Consider that the
   increased protection that System ports are intended to provide
   is not always enforced.
END

I would also move that paragraph down one, so that it's after the "Even when developers" paragraph.

-- Section 7.4 --

   >> Security SHOULD NOT rely on port number distinctions alone; every
   service, whether secure or not, is likely to be attacked.

I find this underspecified.  I don't know what I should be doing about this.  As in the DISCUSS, "security" is a vague term, and I don't know how to determine whether I've met this requirement, nor how to assess whether my situation is suitable one for not following it.

   Optional security can penalize performance, requiring additional
   round-trip exchanges before a connection or other association can be
   established. As discussed earlier, port numbers are a critical
   resource and it is inappropriate to consume assignments to increase
   performance. As a result, the need for separate ports for both
   secure and insecure variants is not justified merely for performance

Where was this discussed earlier?  The only thing I see related to performance that was discussed earlier is that it's not appropriate to have different ports to support different performance levels.  That's not the same thing that you're talking about here.  I agree with the conclusion (in the final sentence I quote).

   - either for the connection or association establishment performance
   or differences in data performance between secure and insecure
   variants.

I can't parse this.  Are there words missing or some such?

   Note however that a new service might not be eligible for IANA
   assignment of both an insecure and a secure variant of the same
   service, and similarly applications requesting assignment for both
   an insecure port number for a secure service might not be
   appropriate.

I'm having trouble with this one also; I can't parse what comes after the comma.  Maybe split the sentence into two, and rephrase?

-- Section 7.5 --
How can this apply retroactively to current assignments?  And "the multiple versions" should probably lose the "the".

-- Section 7.6 --
Spencer has been picking on the use of 793 as a reference for TCP.  Spencer, is 793 an acceptable reference for TCP here?

It would probably be better to attach the references to their protocols, rather than to have them in a group at the end of the list.

   Originally, IANA port number assignments were concurrent for both
   UDP and TCP; other transports were not indicated.

Total nit: I think this sentence doesn't work well with a semicolon, and would prefer changing the ";" to ", and".

   When the services differ, their service names and descriptions
   should reflect that difference.

I had a little trouble with this and the discussion leading up to it, which I think can be fixed by saying explicitly that in this case, it's OK (perhaps even encouraged) to use the same port, but different service names.  Perhaps something like this?:

NEW
   When the services differ, it may be acceptable or preferable
   to use the same port number, but the service names and
   descriptions should be different, reflecting the differences
   in the services.
END

   The following convention has been used by IANA
   for several years to distinguish discovery services, such as are
   used to identify endpoints capable of a given service:

   >> Names of discovery services SHOULD use an identifiable suffix;
   the suggestion is "-disc".

It reads oddly to have "the following convention" point to a normative requirement, and not just to the convention.  Again, a nit, but I think it would read better like this:

NEW
   IANA has, for several years, used the suffix "-disc" in service
   names to distinguish discovery services, such as are used to
   identify endpoints capable of a given service.

   >> Names of discovery services SHOULD use an identifiable suffix;
   the suggestion is "-disc".
END

   because IP routers do not forward "all nodes" (all 1's, i.e.,
   255.255.255.255 for IPv4) broadcasts and have not been required

The phrase << "all nodes" broadcasts >> needs to stay together, and splitting it with the explanation made me trip over it.  I suggest moving the word "broadcasts" before the parenthesized bit.

   >> Services SHOULD NOT use UDP as a performance enhancement over
   TCP, i.e., to circumnavigate TCP's congestion control.

Is circumventing congestion control the only possible performance enhancement here?  This sentence really makes one ask whether "i.e." is correct, or you mean "e.g.", and I think it'd be better done one of these ways:

If you mean to say that congestion control is the only reason:
NEW
   >> Services SHOULD NOT use UDP to enhance performance by
   circumventing TCP's congestion control.
END

If there might be other performance-enhancement reasons:
NEW
   >> Services SHOULD NOT use UDP as a performance enhancement over
   TCP.  For example, do not use UDP to circumvent TCP's congestion
   control.
END

(The right word is "circumvent", not "circumnavigate".)

-- Section 7.7 --

   Applications made through Internet Draft / RFC publication (in any
   stream)
...
   When a document has been approved for
   publication and proceeds to IESG Approval

The first sentence tries to make this stream-independent, but the "IESG Approval" later in the paragraph is specific to the IETF stream.  Because you already say "approved for publication", you can just omit the "and proceeds to IESG Approval" phrase.

-- Section 7.8 --

   Such "squatted" port numbers remain unassigned, and IANA retains the
   right to assign them when requested by applicants.

It might be good to be completely clear and say "requested by other applicants," lest readers think you mean to be talking about when the squatters make an application later.

The last paragraph in this section starts by encouraging squatters to make registrations now, but then shifts to a discouraging tone.  I wonder if you mind changing the tone a little, maybe changing the idea of "not justified" to something more like "unable to accommodate".  Perhaps like this?:

NEW
   Designers who are using such
   port numbers are encouraged to apply for an assignment.  Every
   effort will be made to accommodate such requests, though even with
   widespread de-facto use, if the port number has already been
   assigned to another applicant such accommodation might not be
   possible.  Note also that the application must pass review by the
   IANA Ports Expert Review team, as must any port application.
END

-- Section 8 --

   The port number alone should not be used
   to avoid denial of service or firewall traffic because their use is
   not regulated or validated.

To "avoid ... firewall traffic"?  What's that mean?

I think you mean "to avoid denial-of-service attacks or to manage firewall traffic", yes?  And then what is the "they" in "their use"?

(Brian Haberman; former steering group member) No Objection

No Objection (2015-02-17 for -07)
No email
send info
I have many of the same questions as Barry.

(Jari Arkko; former steering group member) No Objection

No Objection ( for -07)
No email
send info

(Joel Jaeggli; former steering group member) No Objection

No Objection (2015-02-16 for -07)
No email
send info
   At some future date, it might be useful to deprecate the distinction
   between System and User port numbers altogether. Services typically
   require elevated ('root') privileges to bind to a System port
   number, but many such services go to great lengths to immediately
   drop those privileges just after connection or other association
   establishment to reduce the impact of an attack using their
   capabilities. Such services might be more securely operated on User
   port numbers than on System port numbers.

operationaly we already have dropped the distinction. there is not practical distiction for a new service allocated out of the remaining 180 system ports and one allocated out of the user ports so we might as well treat the port space as flat.

(Kathleen Moriarty; former steering group member) (was Discuss, Abstain, Discuss) No Objection

No Objection (2015-03-30 for -10)
No email
send info
Comments:

Thanks for your work on this draft and addressing my and other ADs prior discusses and comments.  I'll just leave the one comment below as Alissa's discuss may not have been addressed yet.  I'll be interested to see any new text on it.

For what it's worth, I read 6.2 as informational background and think the text is helpful.  Alissa has a discuss on this, so if the text is changed, I'd be interested to see what the suggested changes would be so that the draft still conveys the helpful information (which she was not opposed to in the discuss).  I've configured hundreds of firewalls and what is described is what folks need to know when configuring such devices.  Alternate port use can be used to get around rules you put in place and services like FTP in the old days would have used an FTP proxy and today that type of analysis on traffic to open the correct ports is called DPI.

(Pete Resnick; former steering group member) No Objection

No Objection (2015-02-17 for -07)
No email
send info
Mostly for the IESG: I agree that this document does not update 6335. I agree that it is supplemental. And I agree that it's a BCP. So let's make it part of BCP165. This doesn't need a new BCP number. It's part of the same series.

1: A bit of clarification would be useful:

OLD
   Note that this document provides information to potential port
   number applicants that complements the IANA process described in
   BCP165 [RFC6335], but it does not update that document.
NEW
   Note that this document provides information to potential port number
   applicants that complements the IANA process described in BCP165
   [RFC6335], but it does not change any of the port number assignment
   procedures described therein.

I don't think you need to say anything about the "update" status.

2:

   In this document, the characters ">>" preceding an indented line(s)
   indicates a compliance requirement statement using the key words
   listed above. This convention aids reviewers in quickly identifying
   or finding the explicit compliance requirements of this RFC.

Generally, this sort of things simply produces eye-rolling in me and nothing more. 2119 keywords are not about "compliance", and so to claim above that you are using them "as described in RFC-2119" and then go on to include them in "compliance requirements" is bogus. However, most of these "compliance requirements" in the rest of the document are simply summary advice regarding what's going to be useful and what won't, so really what's in the ">>" is not a "compliance requirement", but rather an "Important Summary Note". I'd really prefer you call them that here. That said, one of them in 7.4 actually gave me pause:

   >> When simultaneously requesting both a secure and an insecure
   port, strong justification MUST be provided for the insecure port.
   Precedent (citing other protocols that use an insecure port) is not
   strong justification by itself.  A strong case for utility of the
   insecure service is REQUIRED for approval of the insecure port.

Here it sounds like you *are* imposing a requirement, and it sure sounds to me like you're specifying a registration procedure to be enforced by the Designated Expert or IANA, not giving a piece of advice to the registrant. If it wasn't for the last sentence in the above, I wouldn't have thought twice about it. So my two suggestions are:

- Change the text in section 2 to not call these "compliance requirements". If you don't like "Important Summary Note", choose something else.

- Change or delete the last sentence in the paragraph from 7.4. (I think delete is fine; it's repetitive anyway.)

7.4/7.5: I agree with Alissa's comments regarding the ">>" statements. Either re-word them to be about port assignment or ditch them.

(Richard Barnes; former steering group member) (was Discuss) No Objection

No Objection (2015-03-04 for -08)
No email
send info
I share Alissa's comments that the rationale for conservation is a bit shaky.  Clearly conservation is prudent, but it doesn't seem like there's a crisis here.

Section 3: The values in the "Binary" column are decimal, as indeed they are labelled in RFC 758.

Section 7.4: I agree with Stephen here.  Separate ports and STARTTLS are equivalent from a security/downgrade POV -- either you need to know to use the secure port, or you need to know to require STARTTLS to succeed.  The only difference is that STARTTLS adds latency if you're doing TLS. You can avoid that by starting secure (STOPTLS?), but in either case, there's a loser.  But ISTM that the document addresses this point sufficiently.

(Stephen Farrell; former steering group member) No Objection

No Objection (2015-03-04 for -07)
No email
send info
- I share the concern that this needs to be in-whack with
RFC6335 but sometimes overstates things, e.g. some of the
MUST NOTs in 7.7.  I'm fine that that's being discussed
already.

- The one-port/two-port thing: I don't think there's a real
seurity difference here in general, so that is not a basis on
which to prefer to discourage the registration of two ports,
nor is it a reason to prefer to do that. It is however, also
reasonable to want two ports, one e.g. using TLS and one not,
and it is equally reasonable to use STARTTLS.  Basically,
please move on, there's nothing to see here, find another
argument:-)

- I would like to see a statement that, in allocating a new
port for a "secure" variant of an existing protocol, the port
experts will consider actual deployment, even if it is the
case that some RFC says that one can do security stuff on the
currently assigned port. If we do not allocate such ports,
then we would be getting in the way of improving real
security, and that would be bad.  I'm not sure from the text
what the port experts do in such cases, but as that is not
addressed by the current document, the RFC that results won't
be a block on such allocations (where justified).

- 7.8, "easily resolved" to be the squatter's fault is not
true - in general people will I think consider the most
widely deployed use of a port to be in the right, and most
people won't even go look at the IANA registry. (Some will,
including no doubt the port experts.)