RFC 3205: On the use of HTTP as a Substrate

2026-06-07

RFC: RFC 3205

Published: February 2002

Authors: Keith Moore

By the late 1990s, the IETF noticed an alarming pattern: every new application protocol was being layered on top of HTTP. SOAP, WebDAV, XML-RPC, IPP (Internet Printing Protocol), and countless proprietary RPC schemes all chose HTTP as their substrate. The justification was nearly always the same — "port 80 is open through firewalls." RFC 3205, a BCP (Best Current Practice), is Keith Moore's measured but pointed warning about what that habit actually costs.

The problem it diagnoses. Moore enumerates the seductive reasons engineers reach for HTTP: existing libraries, familiar semantics, free authentication via HTTP Basic/Digest, free TLS via HTTPS, and — the big one — firewall traversal. He then patiently dismantles each:

The criteria Moore proposes. If you must use HTTP as a substrate, RFC 3205 lays out conditions: register a distinct URL scheme or media type, use a port other than 80, respect HTTP's caching and idempotency model (or document why you don't), and don't assume intermediaries will cooperate. The document essentially says: use HTTP because its semantics fit, not because its port is open.
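To make the caching and idempotency condition concrete, here is an added example (not code from RFC 3205 or from this newsletter). It puts a simplified intermediary that follows HTTP's rules in front of the same state-changing call, once tunnelled through GET and once expressed as POST. `Backend`, `Intermediary` and the `/debit` path are hypothetical names.

```python
# Added illustration, not code from RFC 3205. Backend, Intermediary and the
# /debit path are hypothetical names; the intermediary is a simplified model.
IDEMPOTENT = {"GET", "HEAD", "PUT", "DELETE"}  # methods HTTP defines as idempotent

class Backend:
    """Toy account service: every /debit request that reaches it takes 10."""
    def __init__(self):
        self.balance = 100
        self.debits_applied = 0

    def handle(self, method, path):
        if path == "/debit":
            self.balance -= 10
            self.debits_applied += 1
        return self.balance

class Intermediary:
    """Caches GET responses and replays idempotent requests whose reply was lost."""
    def __init__(self, backend):
        self.backend = backend
        self.cache = {}

    def request(self, method, path, reply_lost=False):
        if method == "GET" and path in self.cache:
            return self.cache[path]      # cache hit: the backend never sees the call
        result = self.backend.handle(method, path)
        if reply_lost:
            if method not in IDEMPOTENT:
                return None              # report the failure, never replay
            result = self.backend.handle(method, path)  # replay, as HTTP permits
        if method == "GET":
            self.cache[path] = result
        return result

def run(debit_method, calls=3):
    """Send `calls` debits (first reply lost in transit); return what happened."""
    backend = Backend()
    proxy = Intermediary(backend)
    replies = [proxy.request(debit_method, "/debit", reply_lost=(i == 0))
               for i in range(calls)]
    return replies, backend.debits_applied, backend.balance

if __name__ == "__main__":
    # Tunnelled through GET: one debit duplicated, two swallowed by the cache.
    print("GET ", run("GET"))    # ([80, 80, 80], 2, 80)
    # Expressed as POST: every debit applied once, the lost reply is visible.
    print("POST", run("POST"))   # ([None, 80, 70], 3, 70)
```

With GET the client sees three identical successful replies while the backend applied two debits, one of them a replay. With POST the lost reply surfaces as a failure the client has to reconcile, and nothing is duplicated or dropped silently.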

Why it's prescient. Read in 2026, RFC 3205 reads like a forecast of every architectural debate of the last twenty years. The rise of REST briefly vindicated HTTP-as-substrate by embracing its semantics rather than fighting them. Then gRPC, GraphQL, WebSockets, and HTTP/2 server push pulled the other way, treating HTTP as a transport tunnel again. Every time someone discovers their POST /rpc endpoint is being retried by a CDN, or their long-polling connection is killed by a corporate proxy, they are re-learning Moore's lesson.

The firewall point especially aged well. Moore's prediction that firewalls would eventually do deep inspection on port 80 came true: modern next-gen firewalls, TLS-intercepting middleboxes, and zero-trust gateways all do exactly the application-layer policing Moore warned could not be evaded forever. The "tunnel through 443" reflex still exists, but it now provokes its own counter-arms-race.

The backstory. Keith Moore was a long-time IETF participant (co-author of MIME extensions, author of much of the email internationalization work) and a notable curmudgeon about layering violations. RFC 3205 came out of repeated IESG frustration at reviewing protocol drafts whose only justification for HTTP was firewall avoidance. It's short — about ten pages — and unusually opinionated for an IETF document. It does not forbid the practice; it just insists you think before reaching for it.

Why it matters: Every modern API designer benefits from Moore's twenty-year-old checklist — use HTTP when its semantics match your workload, not because port 443 is the path of least resistance.
