Re: Call for Community Feedback: Retiring IETF FTP Service

Robert Moskowitz <rgm-ietf@htt-consult.com> Tue, 17 November 2020 19:53 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/O3x8TsaZzqgRCo4Hb3ubiFnHRVg>


On 11/17/20 10:45 AM, Keith Moore wrote:
> On 11/17/20 9:53 AM, Livingood, Jason wrote:
>
>> Personal views - no hats.
>>
>> Time to retire the FTP service, just as other legacy protocols have 
>> been retired in the past. The IETF does not shy away from 
>> recommending that others encrypt everything, so we should take our 
>> own advice. As well, data clearly show there remains essentially no 
>> demand for FTP - users have adopted the HTTPS alternative.
> I cannot say this often enough:   Traffic volume is not an indicator 
> of importance.
>>
>> More detailed rationale:
>> - Clearly the market has moved on. It does not cross the cost/benefit 
>> threshold to continue maintaining a service for so few connections 
>> (that all appear to be scripted machine-to-machine).
> There is not one "market".   FTP is a different service than the web, 
> with distinct advantages over the web.   And traffic volume is not an 
> indicator of importance.
>> - FTP support has been removed from browser clients. As Mozilla 
>> wrote, "FTP is an insecure protocol and there are no reasons to 
>> prefer it over HTTPS for downloading resources."
> I personally find that unfortunate, but support in browser clients is 
> not an indicator of FTP's utility either.   One reason to use FTP is 
> that browser clients are really poor tools for some kinds of file 
> transfer, especially if you want to transfer multiple files with 
> minimum human interaction.

I find wget a great tool as well.  I have used it on sites with multiple 
documents that do not support other mechanisms.  I have scripts running 
wget for some of these.  I just see rsync as a more efficient use of 
resources than a script running wget(s).

>> - It is not encrypted. The IETF & IAB have been aggressive in pushing 
>> for pervasive encryption [1] so it is illogical that we would not 
>> make such a change on our own information resources. Per the IAB, 
>> "The IAB now believes it is important for protocol designers, 
>> developers, and operators to make encryption the norm for Internet 
>> traffic."
>
> "the norm" != "required".   I'd be happy to see a version of FTP that 
> supports encrypted transmission as an option, as long as it were 
> optional.   (Are those web browsers that are deprecating FTP also 
> deprecating HTTP without TLS?)
>
> And as Ned pointed out, there are still reasons to use unencrypted 
> transmission on occasion.
>
> Also, perhaps the IETF and IAB should be a bit less dogmatic, in light 
> of experience.  I keep seeing situations in which deprecation of old 
> TLS versions is breaking systems for which there is no browser that 
> supports the new TLS versions.  IMO this does significant harm.   I 
> realize some people believe in planned obsolescence, but I don't think 
> they have a good case.
>
> Keith
>
>