[ftpext] Review of FTP HOSTS draft

Anthony Bryan <anthonybryan@gmail.com> Fri, 24 February 2012 23:20 UTC

Return-Path: <anthonybryan@gmail.com>
X-Original-To: ftpext@ietfa.amsl.com
Delivered-To: ftpext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA88221F86E2 for <ftpext@ietfa.amsl.com>; Fri, 24 Feb 2012 15:20:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jqc-XhYF9qVb for <ftpext@ietfa.amsl.com>; Fri, 24 Feb 2012 15:20:48 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id A863821F86E4 for <ftpext@ietf.org>; Fri, 24 Feb 2012 15:20:48 -0800 (PST)
Received: by ggnq2 with SMTP id q2so1591695ggn.31 for <ftpext@ietf.org>; Fri, 24 Feb 2012 15:20:48 -0800 (PST)
Received-SPF: pass (google.com: domain of anthonybryan@gmail.com designates 10.236.184.8 as permitted sender) client-ip=10.236.184.8;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of anthonybryan@gmail.com designates 10.236.184.8 as permitted sender) smtp.mail=anthonybryan@gmail.com; dkim=pass header.i=anthonybryan@gmail.com
Received: from mr.google.com ([10.236.184.8]) by 10.236.184.8 with SMTP id r8mr8732845yhm.110.1330125648357 (num_hops = 1); Fri, 24 Feb 2012 15:20:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=AEapQW6b4QcQrDW2jCFkxmFXg5WDdcXpJXelKknIJgo=; b=va7lfXn7+hVdcQGae/5kmIj5s1xVjShaOtzCGVevwC+8KoTj2Ihh3f4zaoU8R4RzBO YJ58QuWs/0Z79Px5LadJPcAiTKPV/w8IozsRbavGVaplqw79+J1O9uHAPkArS8hSCNF6 9DSMn814b+1xzWWzWN5EIu6nbQNro7+CXTmV8=
MIME-Version: 1.0
Received: by 10.236.184.8 with SMTP id r8mr6626543yhm.110.1330125648230; Fri, 24 Feb 2012 15:20:48 -0800 (PST)
Received: by 10.147.105.6 with HTTP; Fri, 24 Feb 2012 15:20:48 -0800 (PST)
Date: Fri, 24 Feb 2012 18:20:48 -0500
Message-ID: <CANqTPeiid++rpn1H8yELmeQhG=XEwt8q5uTCiuifw82OOu8xjg@mail.gmail.com>
From: Anthony Bryan <anthonybryan@gmail.com>
To: ftpext@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: [ftpext] Review of FTP HOSTS draft
X-BeenThere: ftpext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <ftpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ftpext>, <mailto:ftpext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ftpext>
List-Post: <mailto:ftpext@ietf.org>
List-Help: <mailto:ftpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ftpext>, <mailto:ftpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2012 23:20:49 -0000

Alexey Melnikov was kind enough to review this draft but was not on
the list so I am forwarding it for him.

we need to hear discussion on list about it.

thanks!


---------- Forwarded message ----------
From: Alexey Melnikov <alexey.melnikov@isode.com>
Date: Sat, Feb 11, 2012 at 8:13 AM
Subject: Re: Request to review FTP HOSTS draft
To: Anthony Bryan <anthonybryan@gmail.com>


The document describes how HOST interacts with X.509 certificate checking.
But it should also talk about how the HOST command should interact with
the TLS extension for server name indication (a TLS extension which
works similarly to the HOST command.)

1.  Introduction

  This means that different virtual hosts cannot offer different
  virtual file systems to clients, nor can they offer different
  authentication systems.  Any scheme to overcome this issue needs to
  indicate not only the destination IP address, but also the virtual
  host name that is associated with the desired virtual FTP server.
  Typical user-FTP processes currently use hostnames to perform
  hostname to IP address resolution and then ignore hostnames for the
  rest of the FTP session, therefore any mechanism to overcome this
  issue would require modifications to the user-PI and server-PI.

Minor: You should have references for terms like user-PI/server-PI the first
time you reference them.

In Section 3.2.2:

  This is also true when the HOST command is used with the AUTH and
  ADAT commands that are discussed in [RFC2228] and [RFC4217].  In this
  scenario, the user-PI sends a HOST command which the server-PI uses
  to route activity to the correct virtual host, then the user-PI uses
  the AUTH and ADAT commands to negotiate the security mechanism and
  relevant authentication token(s) with the server-PI, then the user-PI
  sends user credentials using the USER and PASS commands which the
  server-PI validates.  After which the user-PI MAY send an ACCT
  command to specify any additional account information for the
  server-PI implementation.  The following example illustrates a
  sequential series of client commands that specify both a HOST and
  ACCT when used in conjunction with the security commands that are
  discussed in [RFC2228] and [RFC4217], with the server responses
  omitted for brevity:

       C> HOST ftp.example.com
       C> AUTH <mechanism-name>
       C> ADAT <base64data>
       C> USER foo
       C> PASS bar
       C> ACCT project1

Is USER/PASS actually required after ADAT? (Just asking)

In Section 3.2.3:

  When the HOST command is used in combination with the FTP security
  extensions that were introduced in [RFC2228], it SHOULD precede the

Why the SHOULD and not a MUST like for the USER command?
I.e. what are the possible cases when it would be Ok to violate the SHOULD?
(I think MUST is more appropriate here, unless you have a good reason
to have a SHOULD.)

  security handshake.  This allows both user-PI and server-FTP
  processes to map an FTP HOST to security data appropriately.  The
  state diagram in Figure 3 shows a typical sequence of flow of control
  when HOST is used with the AUTH and ADAT commands that are discussed
  in [RFC2228].


3.3.  HOST command errors

  The server-PI SHOULD reply with a 500 or 502 reply if the HOST
  command is unrecognized or unimplemented.

This requirement is strange: you are either making a requirement on an
implementation which doesn't support this specification (and thus you can't
do that), or you are saying that an implementation can recognize but
not implement the HOST command which seems pointless.
I suggest deleting this sentence (or clarify its purpose).


3.4.  FEAT response for HOST command

  When replying to the FEAT command [RFC2389], a server-FTP process
  that supports the HOST command MUST include a line containing the
  single word "HOST".  This word is case insensitive, and MAY be sent
  in any mixture of upper or lower case, however it SHOULD be sent in

The SHOULD without any explanation is either pointless or dangerous,
because it doesn't help interoperability. Note that something like compatibility
with deployed software is an Ok reason for the SHOULD, but that
needs to be explained.

  upper case.  That is, the response SHOULD be:

In Section 4:

  Section 15.1.1 of [RFC4217] discusses the use of X.509 certificates
  for server authentication.  Taking the information from that document
  into account, when securing FTP sessions with the security mechanisms
  that are defined in [RFC4217], client implementations SHOULD verify
  that the hostname they specify in the parameter for the HOST command
  matches the identity that is specified in the server's X.509
  certificate in order to prevent man-in-the-middle attacks.

How can this verification can be achieved? Please either add the text
(for example by referencing RFC 6125, I can help with wordsmithing),
or add another appropriate reference here.