[ftpext] Firewalls & FTP over TLS.
"Alun Jones" <alun@wftpd.com> Fri, 24 December 2010 03:53 UTC
Return-Path: <alun@texis.com>
X-Original-To: ftpext@core3.amsl.com
Delivered-To: ftpext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F212E3A68CB for <ftpext@core3.amsl.com>; Thu, 23 Dec 2010 19:53:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.968
X-Spam-Level:
X-Spam-Status: No, score=-0.968 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, SARE_PROLOSTOCK_SYM3=1.63]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id odITyK5+BSEW for <ftpext@core3.amsl.com>; Thu, 23 Dec 2010 19:53:07 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by core3.amsl.com (Postfix) with ESMTP id 1D87A3A68E1 for <ftpext@ietf.org>; Thu, 23 Dec 2010 19:53:07 -0800 (PST)
Received: from Parnassus (c-67-183-209-87.hsd1.wa.comcast.net [67.183.209.87]) by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis) id 0LoEfR-1Q3MTw0nzF-00fsRz; Thu, 23 Dec 2010 22:55:06 -0500
From: Alun Jones <alun@wftpd.com>
Sender: Alun Jones <alun@texis.com>
To: ftpext@ietf.org
Date: Thu, 23 Dec 2010 19:55:04 -0800
Organization: Texas Imperial Software
Message-ID: <001501cba31e$5a3dd860$0eb98920$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0016_01CBA2DB.4C1A9860"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcuZoeFcOCqOYAVqT2imeP5Sg9U8QQ==
Content-Language: en-us
X-Provags-ID: V02:K0:0a4mI4eWgTYMZEDOYmt+nMOyk8nm5gqLc4YVUxzSUGp FEk2PXRJa5Lg/d8ojjZzqxVoRDt7N1XOa6JjtuhLAUATiQ1oxu P9b2SxRRbnSLt45+ai0ifYlX1XYupAjxfyXfM5llgz1EhIgZn/ OjGWLGj3W6yJM34EMzIOhMSsERuYz6g6GxJwzRcNLRcvHbm4Sl B8J8kM/fgFRqh4ydzvuSw==
Subject: [ftpext] Firewalls & FTP over TLS.
X-BeenThere: ftpext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: alun@texis.com
List-Id: <ftpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ftpext>, <mailto:ftpext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ftpext>
List-Post: <mailto:ftpext@ietf.org>
List-Help: <mailto:ftpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ftpext>, <mailto:ftpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Dec 2010 03:53:16 -0000
I frequently find I have a hard time selling my FTP server into environments that are looking for a secure and standard file transfer server. Not because it's not a good and standard implementation of FTP over TLS - I've found it to work very well with numerous clients. The failure is twofold - one, because the perceived "standard" for this is SFTP, and two, because of the headache of getting FTP (and particularly FTP over TLS) to work through a firewall. The "SFTP is a standard" complaint is galling, because of course, SFTP is not a documented standard, and pretty much requires reverse engineering in order to make it work. I've been trying to push this message - that SFTP is flakey compared to FTP over TLS simply because SFTP essentially relies on each server / client author making tweaks to have it work with those they test with, rather than coding to a unified standard like FTP over TLS. Maybe that's not a problem for those of you with SFTP capabilities in your servers, but personally, I don't find that I want to implement an undocumented standard. The "Can't make FTP over TLS work through a NAT / firewall" is irritating too, partly because it seems to be mostly true. In MODE S, TYPE I transfers, the PORT command or PASV response have to be filtered and altered to open a port and/or change the IP address to make the connection work. The alternative is to open a wide swath of ports at the firewall, which security teams shy away from, and in many companies, outright prohibit. Again, SFTP wins out here, because it works over one port, and one port only - although opening up port 22 (SSH) essentially says "allow anything", because SSH is used as a tunnel for multiple random protocols as well as SSH and SFTP. It would be really nice if FTP could work over predictable port numbers, especially if they were already opened by the firewall's usual operation. Well, I've said it before, and got absolutely no response, so I'm asking again - why don't we use the default port as defined in RFC 959 and before? An FTP (or FTP over TLS) client connecting from port U to port L and sending a RETR or STOR command (or equivalent) without a PORT or PASV (or EPRT, EPSV, etc) command will cause the server to connect from server port L-1 to client port U, and because of the nature of firewalls, they will generally have opened a hole (server:any => client:U) already. Great, that works for the first transfer, because in MODE S, you close the TCP data connection to indicate the end of a transfer, and can't open a new socket (server:L-1 => client:U) for another two to four minutes. Again, there's already an RFC 959 way of getting around this - instead of using MODE S, use MODE B. Then, although there's a slight penalty in terms of the chunk markers and restart markers, there's no issue with closing and re-opening connections in rapid-fire transfers of small files or directory listings, and it gets through a firewall and a NAT quite happily without having to provide external IP address mappings, UPNP, or large firewall holes. While I've been able to test this with my own crappy test client (WFTPD Client hasn't had enough work put into it to be really good), it would be great to see this supported across multiple FTP clients and servers. IIS FTP server already supports MODE B, but I don't really have any idea as to how wide-spread support for MODE B is, or what features clients and servers expect to see, or get confused by. I know that one failing in my own server is a lack of support for restart markers (although it currently works if you specify byte counts, as if it was in MODE S). Another thing that needs discussing for MODE B support is how ABOR should work - that's not exactly clear, either. So, who else supports MODE B for firewall / NAT traversal? Alun. ~~~~
- [ftpext] Firewalls & FTP over TLS. Alun Jones
- Re: [ftpext] Firewalls & FTP over TLS. Mark P. Peterson