
RE: [BEHAVE] Re: CPE equipments and stateful filters



> -----Original Message-----
> From: Gert Doering [mailto:gert@Space.Net] 
> Sent: Monday, July 30, 2007 12:33 PM
> To: Dan Wing
> Cc: 'james woodyatt'; 'IPv6 Operations'; 'Behave WG'
> Subject: Re: [BEHAVE] Re: CPE equipments and stateful filters
> 
> Hi,
> 
> On Mon, Jul 30, 2007 at 12:15:11PM -0700, Dan Wing wrote:
> > Passive-mode FTP (using the "PASV" verb) has been supported on
> > all modern FTP clients and FTP servers for a long time (going on a
> > decade for most FTP clients and FTP servers).  Passive-mode FTP
> > causes the TCP data connection to be initiated by the FTP client
> > (as is the TCP control connection), which eliminates the need for
> > any ALG or ALG-like function in NATs and in firewalls.  Is there a
> > reason passive FTP can't simply be mandated for v6, so we can
> > avoid FTP-aware ALGs?
> 
> Correct me if I'm wrong - but you'll need "firewall support" for 
> PASV / EPSV ftp as well, just on the other side of the connection.
> 
> If you run your server behind a firewall (which is a pretty common
> thing to do), and want to offer FTP services, the firewall needs to
> know which port to open for PASV connections.

You are certainly right that such a firewall protecting the 
FTP server needs to open pinholes for the incoming TCP data 
connection when using PASV.

(We could argue about the commonality of such a configuration,
but there isn't much point in such an argument; the need 
for hosts to communicate the desire for incoming connections
to the firewall is what's important.)

-d


> Gert Doering
>         -- NetMaster
> -- 
> Total number of prefixes smaller than registry allocations:  113403
> 
> SpaceNet AG                        Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
> Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
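
The server-side pinhole discussed in this message, as an added example that is not part of the original thread: a sketch of what a firewall in front of an FTP server has to read from the control channel (the 227 reply to PASV, the 229 reply to EPSV) to learn which data port to open. The function name, the `Pinhole` type, the rule rejecting ports below 1024 and the sample addresses are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

class Pinhole(NamedTuple):
    client: str  # only this peer may use the pinhole
    server: str  # FTP server behind the firewall
    port: int    # TCP port the server listens on for the data connection

# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))
# RFC 2428 reply: 229 Entering Extended Passive Mode (|||port|)
_EPSV = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

def pinhole_for_reply(line: str, client: str, server: str) -> Optional[Pinhole]:
    """Return the pinhole implied by one server reply, or None to open nothing."""
    m = _PASV.match(line)
    if m:
        fields = [int(x) for x in m.groups()]
        if any(f > 255 for f in fields):
            return None
        # The 227 reply carries an address; refuse one that is not the
        # server itself, so the reply cannot steer a pinhole elsewhere.
        if ".".join(map(str, fields[:4])) != server:
            return None
        port = fields[4] * 256 + fields[5]
    else:
        m = _EPSV.match(line)
        if not m:
            return None
        port = int(m.group(2))  # EPSV carries the port only
    # Assumed policy: never open a pinhole to a well-known port.
    if not 1024 <= port <= 65535:
        return None
    return Pinhole(client, server, port)

if __name__ == "__main__":
    # Constructed sample replies using documentation address ranges.
    samples = [
        ("227 Entering Passive Mode (192,0,2,10,195,80)", "198.51.100.7", "192.0.2.10"),
        ("229 Entering Extended Passive Mode (|||6446|)", "2001:db8::7", "2001:db8::10"),
        ("227 Entering Passive Mode (203,0,113,5,195,80)", "198.51.100.7", "192.0.2.10"),
    ]
    for line, client, server in samples:
        print(line, "->", pinhole_for_reply(line, client, server))
```

This only works while the control channel is readable by the firewall; the pinhole should also be limited to one connection and a short lifetime.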