Re: [ftpext] Review of FTP HOSTS draft
John C Klensin <john-ietf@jck.com> Tue, 13 March 2012 07:25 UTC
Return-Path: <john-ietf@jck.com>
X-Original-To: ftpext@ietfa.amsl.com
Delivered-To: ftpext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37FEB11E8089 for <ftpext@ietfa.amsl.com>; Tue, 13 Mar 2012 00:25:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.765
X-Spam-Level:
X-Spam-Status: No, score=-102.765 tagged_above=-999 required=5 tests=[AWL=-0.166, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2U50F9fSpdLj for <ftpext@ietfa.amsl.com>; Tue, 13 Mar 2012 00:25:37 -0700 (PDT)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) by ietfa.amsl.com (Postfix) with ESMTP id 637FB11E8087 for <ftpext@ietf.org>; Tue, 13 Mar 2012 00:25:37 -0700 (PDT)
Received: from [198.252.137.7] (helo=PST.JCK.COM) by bsa2.jck.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1S7M2J-000Meu-KJ; Tue, 13 Mar 2012 03:20:47 -0400
Date: Tue, 13 Mar 2012 03:25:28 -0400
From: John C Klensin <john-ietf@jck.com>
To: Anthony Bryan <anthonybryan@gmail.com>, Paul Ford-Hutchinson <paulfordh@uk.ibm.com>
Message-ID: <0F02790880FAFEA6FA8D28D4@PST.JCK.COM>
In-Reply-To: <CANqTPehZEv4T96UHo0vvqeqzEbhZrO8prJ7mDt=HHji2NtN-=w@mail.gmail.com>
References: <CANqTPeiid++rpn1H8yELmeQhG=XEwt8q5uTCiuifw82OOu8xjg@mail.gmail.com> <OF9010AA09.3E3DBA43-ON802579B1.0042EAD0-802579B1.0045D2EB@uk.ibm.com> <CANqTPehZEv4T96UHo0vvqeqzEbhZrO8prJ7mDt=HHji2NtN-=w@mail.gmail.c om>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Cc: ftpext@ietf.org
Subject: Re: [ftpext] Review of FTP HOSTS draft
X-BeenThere: ftpext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <ftpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ftpext>, <mailto:ftpext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ftpext>
List-Post: <mailto:ftpext@ietf.org>
List-Help: <mailto:ftpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ftpext>, <mailto:ftpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Mar 2012 07:25:38 -0000
--On Tuesday, March 13, 2012 01:24 -0400 Anthony Bryan <anthonybryan@gmail.com> wrote: >... >>> In Section 4: >>> >>> Section 15.1.1 of [RFC4217] discusses the use of X.509 >>> certificates for server authentication. Taking the >>> information from that document into account, when >>> securing FTP sessions with the security mechanisms that >>> are defined in [RFC4217], client implementations SHOULD >>> verify that the hostname they specify in the parameter >>> for the HOST command matches the identity that is >>> specified in the server's X.509 certificate in order to >>> prevent man-in-the-middle attacks. >>> >>> How can this verification can be achieved? Please either add >>> the text (for example by referencing RFC 6125, I can help >>> with wordsmithing), or add another appropriate reference >>> here. >> >> RFC6125 does not discuss FTP. I do not think that this >> document is a suitable place for making that linkage by the >> back door. (I am not saying that FTP shouldn't be in >> RFC6125 - it probably should - but that the introduction of >> the 'HOST' command is not the way to do it.) > > we could ask Alexey what he thinks it should say, as he > offered help with the text? > > or... > >> Can we push for an update to RFC6125 that does include FTP >> and then reference it in here? > > I'm not sure - asking other to do more work when this WG has > not accomplished anything yet may step on some toes :) > > perhaps filing an erratum with information to be "Held For > Document Update"? that is, if there's a revision, it will > include the info. Hmm. 4217 notwithstanding, it seems to me that, if we are not going to turn FTP into a single-channel protocol through the back door, there is the potential, first, for the server to which the command channel is connected to have a certificate per HOST name (virtual host) or one certificate for the physical host/ host farm. The server to (or from) which the data channel is connected may be yet a different machine, actually one machine per command for those commands that cause data to be transferred (PUT and GET, but also LIST and NLST, etc.). This can be seen as another instance of scenario (iii) in Section 7 of RFC 4217 -- a case that 4217 excludes completely. If one were serious about using PASV in the general case, I think HOST effectively introduces a fourth scenario -- "virtual host/ server farm-friendly client/server data exchange" -- that looks a lot like scenario (ii) but that has most of the nasty properties of scenario (iii), i.e., the control connection proceeds as in scenario (ii) but the host/address specified for the data connection by the (command channel) server is a function of the argument to the HOST command, not just the properties of the server hosting the command channel. If this fourth scenario is excluded, as RFC 4217 excludes Scenario (iii), then the utility of HOST, as specified in this draft, in situations where TLS security is desired goes down considerably: if FTP virtual hosts are supported via one server-PI (control connection server) but multiple content servers/hosts for different collections of virtual host file systems, HOST is not usable with per-content-server certificates. I'd expect that case to be common, for obvious reasons. That is technically known as "a mess". It requires significantly more FTP-specific analysis than one could put into an erratum or try to load onto RFC 6125bis. It can be added to the list of reasons I've been nervous about the possibility that, because of the serial two-stream model, an FTP HOST command opens up problems and unintended consequences that are much broader than those experienced with HTTP 1.1 and its HOST command. At a minimum, I think this document is required to include some discussion of issues that would be encountered if the HOST command/extension were anticipated to be used in conjunction with the RFC 4217 TLS one. Perhaps some of the comments above could be used to start that discussion; feel free to use or adapt them. john
- [ftpext] Review of FTP HOSTS draft Anthony Bryan
- Re: [ftpext] Review of FTP HOSTS draft Paul Ford-Hutchinson
- Re: [ftpext] Review of FTP HOSTS draft Anthony Bryan
- Re: [ftpext] Review of FTP HOSTS draft John C Klensin
- Re: [ftpext] Review of FTP HOSTS draft Robert McMurray