Re: Ftp-WG: Comments on FTP Security Extensions draft
William Curtin <curtinw@ftm.disa.mil> Fri, 18 April 1997 23:35 UTC
Received: from cnri by ietf.org id aa15834; 18 Apr 97 19:35 EDT
Received: from pad-thai.cam.ov.com by CNRI.Reston.VA.US id aa17499; 18 Apr 97 19:35 EDT
Received: (daemon@localhost) by pad-thai.cam.ov.com (8.8.5/) id <WAA21186@pad-thai.cam.ov.com>; Fri, 18 Apr 1997 22:05:52 GMT
Date: Fri, 18 Apr 1997 17:24:19 -0500
From: William Curtin <curtinw@ftm.disa.mil>
Message-Id: <9703188614.AA861411912@ftm.disa.mil>
To: cat-ietf@mit.edu, ftp-wg@hops.ag.utk.edu
Subject: Re: Ftp-WG: Comments on FTP Security Extensions draft
Precedence: bulk
I know that this document is out for last call so I hope my comments are not too late. I'm packing to leave for a week long meeting but wanted to get this out before I left. 1. The new command defined for FTP in this document will need to be supported by the FEAT command (currently defined in draft-ietf-ftpext-mlst-00.txt). I guess given that this draft will progress to RFC status before the MLST draft that the definitions for these commands to a FEAT response will have to be done in the MLST or another document. Are there standard formats to define the security mechanisms associated with a AUTH command? 2. Does the priori knowledge of a small set of commands (containing few characters) lend to breaking the algorithm associated with a security mechanism and thus possibly give a false sense of security? For example I can assume that FTP will be sending CWD over the control connection during the session. I recognize that anything is better than sending commands in the clear. 3. Will these commands be mandatory for all clients and servers? 4. I don't think the draft is clear on the use of CCC, MIC, CONF, and ENC commands. That is do I default to CCC even though I may have negotiated a level of confidentiality or are they automatically set? 5. Reference to Section 9 on page 6 should be Section 10. 6. The paragraph in the CCC command section starting "If unprotected commands are ..." seems out of place. This seems more of an introductory paragraph. I would suggest that the commands be broken into 3 sections: 3.1 Security Identification and Negotiation 3.2 Data Port Security 3.3 Command Port Security. 7. Are these two paragraphs from page 8 the same? "If the server has not completed a protection buffer size negotiation with the client, it should respond with a 503 reply code." "The PROT command will be rejected and the server should reply 503 if no previous PBSZ command was issued." bill
- Re: Ftp-WG: Comments on FTP Security Extensions d… William Curtin