Re: [ftpext] Firewalls & FTP over TLS.

"Mark P. Peterson" <mpp@rhinosoft.com> Fri, 24 December 2010 05:29 UTC

Return-Path: <prvs=19744f556a=mpp@rhinosoft.com>
X-Original-To: ftpext@core3.amsl.com
Delivered-To: ftpext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 922783A68E1 for <ftpext@core3.amsl.com>; Thu, 23 Dec 2010 21:29:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.784
X-Spam-Level:
X-Spam-Status: No, score=-2.784 tagged_above=-999 required=5 tests=[AWL=0.184, BAYES_00=-2.599, GB_I_LETTER=-2, HTML_MESSAGE=0.001, SARE_PROLOSTOCK_SYM3=1.63]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EGPu0XSQZxy3 for <ftpext@core3.amsl.com>; Thu, 23 Dec 2010 21:29:27 -0800 (PST)
Received: from rhinosoft.com (mail1.rhinosoft.com [97.88.242.106]) by core3.amsl.com (Postfix) with ESMTP id 681D13A68E9 for <ftpext@ietf.org>; Thu, 23 Dec 2010 21:29:27 -0800 (PST)
Received: from MPNOTEBOOK ([209.242.229.18]) (authenticated user mpp@rhinosoft.com) by rhinosoft.com (rhinosoft.com [127.0.0.1]) (MDaemon PRO v11.0.3) with ESMTP id md50009962949.msg for <ftpext@ietf.org>; Thu, 23 Dec 2010 23:31:27 -0600
X-Spam-Processed: rhinosoft.com, Thu, 23 Dec 2010 23:31:27 -0600 (not processed: spam filter heuristic analysis disabled)
X-Authenticated-Sender: mpp@rhinosoft.com
X-MDRemoteIP: 209.242.229.18
X-Return-Path: prvs=19744f556a=mpp@rhinosoft.com
X-Envelope-From: mpp@rhinosoft.com
X-MDaemon-Deliver-To: ftpext@ietf.org
Message-ID: <7E9CC636C5A247FF9B9DA3E9E967E6FB@rhinooffice.net>
From: "Mark P. Peterson" <mpp@rhinosoft.com>
To: <alun@texis.com>, <ftpext@ietf.org>
References: <001501cba31e$5a3dd860$0eb98920$@com>
In-Reply-To: <001501cba31e$5a3dd860$0eb98920$@com>
Date: Thu, 23 Dec 2010 23:31:21 -0600
Organization: Rhino Software, Inc.
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0047_01CBA2F9.81C4DCF0"
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8089.726
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8089.726
Subject: Re: [ftpext] Firewalls & FTP over TLS.
X-BeenThere: ftpext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <ftpext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ftpext>, <mailto:ftpext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ftpext>
List-Post: <mailto:ftpext@ietf.org>
List-Help: <mailto:ftpext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ftpext>, <mailto:ftpext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Dec 2010 05:29:31 -0000

Hi Alun,

I just have a couple comments regarding your SFTP comments.

> The "SFTP is a standard" complaint is galling, because of course, SFTP is
> not a documented standard, and pretty much requires reverse engineering in
> order to make it work.

What are the drafts drafted by J. Galbraith (VanDyke Software) and O. Saarenmaa
(F-Secure)?  I've been able to follow these drafts for each SFTP version from 3-6.
It isn't easy, but it is possible and doesn't require a lot of reverse engineering at
all, just testing just like FTP.

> I've been trying to push this message - that SFTP is flakey compared to FTP
> over TLS simply because SFTP essentially relies on each server / client author
> making tweaks to have it work with those they test with, rather than coding to
> a unified standard like FTP over TLS.

Flakey?  How so?  I've implemented a server which supports SFTP and have had
better compatibility than I've seen with many FTPS clients.  If one follows the
documentation to the letter and tests with several clients, they all seem to work
well.  Many clients base their code on putty, some implement their own, and
others rely on libraries.  Those based on putty usually exhibit the same behavior.

> Maybe that's not a problem for those of you with SFTP capabilities in your
> servers, but personally, I don't find that I want to implement an undocumented
> standard.

It's well documented, just not yet an RFC.  Sure the draft is expired but both
clients and servers have adopted the protocol widely and is in heavy use in the
Linux world.  Each version is documented well, the last that I know of is draft 13
which documents the latest version 6 of the protocol:

http://tools.ietf.org/html/draft-ietf-secsh-filexfer-13

Since it is so widely adapted, why can't it become an RFC?

> The "Can't make FTP over TLS work through a NAT / firewall" is irritating
> too, partly because it seems to be mostly true. ....

Yes, and all the more reason to use a protocol that is easier for end-users to
implement, configure, and to use.  They are the reason we do what we do.

> Again, SFTP wins out here, because it works over one port, and one port only
> - although opening up port 22 (SSH) essentially says "allow anything",
> because SSH is used as a tunnel for multiple random protocols as well as SSH
> and SFTP.

Right, so let end-users make the choice what they want available via port 22 and
SSH2.

> Well, I've said it before, and got absolutely no response, so I'm asking
> again - why don't we use the default port as defined in RFC 959 and before?

IMO it's because FTP has been around so long and because FTP is implemented
on so many platforms, many of which are no longer being developed.  Most
implementations stick with the basics of 959, plain and simple (that goes for both
the client and server).

> So, who else supports MODE B for firewall / NAT traversal?

I am sorry to say I haven't had a chance looking at MODE B.  I can say your
distaste for SFTP, however, is at the very least intriguing.  It is a good
protocol, with some faults, yes, but they can be much more easily
addressed than with FTP.

Mark P. Peterson - President
http://www.RhinoSoft.com
Voice: +1(262) 560-9627
FAX: +1(262) 560-9628  



From: Alun Jones 
Sent: Thursday, December 23, 2010 9:55 PM
To: ftpext@ietf.org 
Subject: [ftpext] Firewalls & FTP over TLS.


I frequently find I have a hard time selling my FTP server into environments that are looking for a secure and standard file transfer server.

 

Not because it's not a good and standard implementation of FTP over TLS - I've found it to work very well with numerous clients.

 

The failure is twofold - one, because the perceived "standard" for this is SFTP, and two, because of the headache of getting FTP (and particularly FTP over TLS) to work through a firewall.

 

The "SFTP is a standard" complaint is galling, because of course, SFTP is not a documented standard, and pretty much requires reverse engineering in order to make it work. I've been trying to push this message - that SFTP is flakey compared to FTP over TLS simply because SFTP essentially relies on each server / client author making tweaks to have it work with those they test with, rather than coding to a unified standard like FTP over TLS. Maybe that's not a problem for those of you with SFTP capabilities in your servers, but personally, I don't find that I want to implement an undocumented standard.

 

The "Can't make FTP over TLS work through a NAT / firewall" is irritating too, partly because it seems to be mostly true. In MODE S, TYPE I transfers, the PORT command or PASV response have to be filtered and altered to open a port and/or change the IP address to make the connection work. The alternative is to open a wide swath of ports at the firewall, which security teams shy away from, and in many companies, outright prohibit.

 

Again, SFTP wins out here, because it works over one port, and one port only - although opening up port 22 (SSH) essentially says "allow anything", because SSH is used as a tunnel for multiple random protocols as well as SSH and SFTP. It would be really nice if FTP could work over predictable port numbers, especially if they were already opened by the firewall's usual operation.

 

Well, I've said it before, and got absolutely no response, so I'm asking again - why don't we use the default port as defined in RFC 959 and before?

 

An FTP (or FTP over TLS) client connecting from port U to port L and sending a RETR or STOR command (or equivalent) without a PORT or PASV (or EPRT, EPSV, etc) command will cause the server to connect from server port L-1 to client port U, and because of the nature of firewalls, they will generally have opened a hole (server:any => client:U) already.

 

Great, that works for the first transfer, because in MODE S, you close the TCP data connection to indicate the end of a transfer, and can't open a new socket (server:L-1 => client:U) for another two to four minutes.

 

Again, there's already an RFC 959 way of getting around this - instead of using MODE S, use MODE B. Then, although there's a slight penalty in terms of the chunk markers and restart markers, there's no issue with closing and re-opening connections in rapid-fire transfers of small files or directory listings, and it gets through a firewall and a NAT quite happily without having to provide external IP address mappings, UPNP, or large firewall holes.

 

While I've been able to test this with my own crappy test client (WFTPD Client hasn't had enough work put into it to be really good), it would be great to see this supported across multiple FTP clients and servers. IIS FTP server already supports MODE B, but I don't really have any idea as to how wide-spread support for MODE B is, or what features clients and servers expect to see, or get confused by. I know that one failing in my own server is a lack of support for restart markers (although it currently works if you specify byte counts, as if it was in MODE S).

 

Another thing that needs discussing for MODE B support is how ABOR should work - that's not exactly clear, either.

 

So, who else supports MODE B for firewall / NAT traversal?

 

Alun.

~~~~



--------------------------------------------------------------------------------


_______________________________________________
ftpext mailing list
ftpext@ietf.org
https://www.ietf.org/mailman/listinfo/ftpext