On 11/14/2013 11:49 PM, Roberto Peon wrote:

> When I think about how we got here, I'm fairly certain that there is no MUST we could put into a document or spec, and there is no social engineering that would have prevented us from reaching the state that we're in today w.r.t. middleboxes.
It seems to me that the major employment of firewall rules is to protect from the unknown. We don't know what legitimate traffic would ever be on that port, so we block it.
It is a solvable task to teach that this practice breaks the internet, and to promote better practices. I don't see that it would be impossible to do this with MUST rules in a specification, although that isn't the only means available.

The problem of port 80 traffic being handled incorrectly becomes much less important if other ports are available.