Re: [secdir] SECDIR review of draft-ietf-ftpext2-hosts-02

<> Sat, 25 June 2011 02:51 UTC

Date: Fri, 24 Jun 2011 22:49:36 -0400
List-Id: Security Area Directorate <>

Thanks again, Robert.  The suggested paragraph works for me.  Once that is in, I think we are good on the security review.

Best regards,

-----Original Message-----
From: Robert McMurray [] 
Sent: Friday, June 24, 2011 9:48 PM
To: Moriarty, Kathleen;;;
Subject: RE: SECDIR review of draft-ietf-ftpext2-hosts-02

Thanks, Kathleen.

At the protocol level I am only concerned that the security environment is reset; how the environment is created and reset is implementation-specific. So my intention was to highlight as a security consideration that an implementer should be aware that they might have work to do in this scenario, but the details are up to them. With that in mind, what do you think of this rewording for that section?

"As discussed in section 3.3 of this document, a server implementation MAY treat a HOST command that was sent after a user has been authenticated as though a REIN command was sent. In this scenario, the server implementation SHOULD reset the authentication environment, as that would allow for segregation between the security environments for each virtual host on an FTP server. The implementation details for security environments may vary greatly based on the requirements of each server implementation and operating system, and those details are outside the scope of the protocol itself. For example, a virtual host "" on an FTP server might use a specific username and password list, while the virtual host "" on the same FTP server might use a different username and password list. In such a scenario, resetting the security environment is necessary for the virtual servers to appear to behave independently from a client perspective, while the actual server implementation details are irrelevant at the protocol level."

Thanks again!

-----Original Message-----
From: [] 
Sent: Friday, June 24, 2011 4:53 PM
To: Robert McMurray;;;
Subject: RE: SECDIR review of draft-ietf-ftpext2-hosts-02

Hi, Robert.

Thank you for making the updates.  I think the change for section 3.2 looks good, thanks!

As for the security considerations, the ADs may have an opinion here as well.  My thought process is that if you are concerned about the environment that the user authenticates into, wouldn't the environment itself be a concern as well?  The authentication consideration is to ensure the user gets authenticated into the right environment.  If there is no segregation available between environments, that would be a security consideration.  If that varies between OSes, that would be a consideration as well.  You might not have to detail it out, but it should be stated as a consideration, as this may not be a possible solution in a number of use cases.

Thank you,
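The failure mode behind the paragraph Robert proposes above (a HOST sent after USER/PASS must be handled like REIN so the authentication state from one virtual host does not carry over to another) is easiest to see as a scripted control-connection exchange. The following is an added example written for this page; it is not code from the draft, from the thread participants, or from any FTP server. The virtual-host names, user names and passwords are constructed, the per-host credential store is a plain dict of SHA-256 digests so the script runs offline, the "default host when no HOST is sent" rule and the exact reply strings are my choices modelled on RFC 959 conventions, and `reset_on_host=False` models a server that accepts HOST after login but forgets to reset the security environment.

```python
"""Added example (not from draft-ietf-ftpext2-hosts or the thread): a minimal
model of an FTP server session handling HOST, contrasting a server that treats
HOST-after-login as REIN with one that re-points the session at another
virtual host while keeping the old login."""
import hashlib
import hmac
from typing import List, Optional


def _pw_digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed per-virtual-host credential lists (hypothetical hosts/users).
# Each virtual host has its own user list, as in Robert's example.
VHOST_USERS = {
    "ftp.example.com":   {"alice": _pw_digest("alice-pw")},
    "files.example.net": {"bob":   _pw_digest("bob-pw")},
}
DEFAULT_HOST = "ftp.example.com"   # assumption: host used if no HOST is sent


class FtpSession:
    """State of one control connection."""

    def __init__(self, reset_on_host: bool = True):
        self.reset_on_host = reset_on_host
        self.host = DEFAULT_HOST
        self.pending_user: Optional[str] = None
        self.user: Optional[str] = None
        self.authenticated = False

    def reinitialize(self) -> None:
        """REIN semantics: flush user/authentication state, keep the connection."""
        self.pending_user = None
        self.user = None
        self.authenticated = False

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HOST":
            name = arg.strip().lower()
            if name not in VHOST_USERS:
                return "504 Unknown virtual host"
            if (self.authenticated or self.pending_user) and self.reset_on_host:
                self.reinitialize()    # HOST after login handled as REIN
            self.host = name           # the naive variant keeps the old login
            return "220 Host accepted"
        if verb == "USER":
            self.pending_user = arg.strip()
            self.authenticated = False
            return "331 Password required"
        if verb == "PASS":
            expected = VHOST_USERS[self.host].get(self.pending_user or "")
            if expected and hmac.compare_digest(expected, _pw_digest(arg)):
                self.user, self.pending_user = self.pending_user, None
                self.authenticated = True
                return "230 User logged in"
            self.pending_user = None
            return "530 Login incorrect"
        if verb == "REIN":
            self.reinitialize()
            return "220 Service ready for new user"
        if verb in ("LIST", "RETR", "STOR"):
            if not self.authenticated:
                return "530 Not logged in"
            return f"150 {verb} for {self.user}@{self.host}"
        return "502 Command not implemented"


# Constructed client exchange: alice logs in to one virtual host, then the
# client sends HOST for a second host on which alice has no account.
EXCHANGE = [
    "HOST ftp.example.com",
    "USER alice",
    "PASS alice-pw",
    "HOST files.example.net",
    "LIST",
]


def run(reset_on_host: bool) -> List[str]:
    """Return the server reply to each line of EXCHANGE."""
    session = FtpSession(reset_on_host)
    return [session.handle(cmd) for cmd in EXCHANGE]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"reset_on_host={mode}")
        for cmd, reply in zip(EXCHANGE, run(mode)):
            print(f"  C: {cmd}\n  S: {reply}")
```

With `reset_on_host=True` the final LIST is refused with 530, so the client has to authenticate against the user list of files.example.net; with `reset_on_host=False` the same LIST succeeds as alice@files.example.net even though that host never validated her credentials, which is exactly the cross-host leakage the proposed security consideration asks implementers to prevent.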