Re: Feedback requested:FTP ALG for IPv6-to-IPv4 translation
On Mon, 27 Apr 2009 11:27:18 +0200, Iljitsch van Beijnum
<iljitsch@muada.com> wrote:
> In the BEHAVE wg we're working on IPv6-to-IPv4 translation. One
> prominent protocol that has trouble with this is FTP, so we're
> thinking of making an FTP ALG part of this. I wrote a draft on how to
> do this, and I would very much like some feedback. The draft is only 6
> pages.

This does not say how "EPSV ALL" is translated... You cannot let EPSV ALL
go through if you translate later EPSV requests, as it would break
EPSV-capable FTP IPv4 servers. As such, I guess the ALG should accept the
request and not forward it to the FTP server.

| If the server's 227 response contains an IPv4 address that doesn't
| match the destination of the control channel, the FTP ALG SHOULD send
| the following response to the client:
|
| 425 Can't open data connection.

How common is this case? Shouldn't the ALG succeed, as it can do IPv4
address translation anyway?

> One thing that would be good to know is whether ALL IPv6 FTP clients
> do EPSV or if there are also ones that do EPRT or, worse, active FTP
> without issuing EPRT.

Not that I know. However, as the author of one popular piece of software
that does include FTP functionality, I would like to mention that some
users explicitly requested active mode be added. Their rationale was that
it's better/easier for their client-side firewall to allow inbound traffic
from TCP port 20 (ftp-data) than to allow outbound traffic to all TCP
ports. This makes some sense when the FTP clients have public IP addresses,
which should be more common in IPv6 than in IPv4. As such, I would guess at
least some (other) software does have active mode, though it's probably
disabled by default.
--
Rémi Denis-Courmont
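
Added example, not part of the message above and not code from the draft or from either participant: a sketch of the control-channel handling under discussion, with "EPSV ALL" answered by the ALG itself and the 227 address check from the quoted draft text. It assumes the ALG rewrites EPSV to PASV and a matching 227 reply to 229; the class name `FtpAlg`, the "200" reply text and the handling of an unparsable 227 are assumptions.

```python
import re

# Host/port tuple inside a 227 reply: (h1,h2,h3,h4,p1,p2)
PASV_TUPLE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

class FtpAlg:
    """Control-channel rewriting for one IPv6 client talking to one IPv4 server."""

    def __init__(self, server_ipv4):
        self.server_ipv4 = server_ipv4   # destination of the IPv4 control channel
        self.awaiting_227 = False        # True after an EPSV was sent on as PASV

    def from_client(self, line):
        """Return (line_for_server, reply_for_client); exactly one is None."""
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() == "EPSV" and arg.strip().upper() == "ALL":
            # Answered by the ALG and never forwarded: an EPSV-capable IPv4
            # server that saw it would refuse the PASV commands sent later.
            return None, "200 EPSV ALL accepted.\r\n"  # reply text is an assumption
        if verb.upper() == "EPSV":
            self.awaiting_227 = True
            return "PASV\r\n", None
        return line, None

    def from_server(self, line):
        """Return the line to deliver to the IPv6 client."""
        if not self.awaiting_227:
            return line
        self.awaiting_227 = False
        if not line.startswith("227"):
            return line                  # e.g. an error reply to PASV passes through
        m = PASV_TUPLE.search(line)
        if m is None:
            return "425 Can't open data connection.\r\n"  # unparsable 227 (assumption)
        h1, h2, h3, h4, p1, p2 = m.groups()
        if ".".join((h1, h2, h3, h4)) != self.server_ipv4:
            # Address differs from the control-channel destination (quoted draft text).
            return "425 Can't open data connection.\r\n"
        port = int(p1) * 256 + int(p2)
        return "229 Entering Extended Passive Mode (|||%d|)\r\n" % port

if __name__ == "__main__":
    alg = FtpAlg("192.0.2.10")           # constructed documentation address
    print(alg.from_client("EPSV ALL\r\n"))
    print(alg.from_client("EPSV\r\n"))
    print(alg.from_server("227 Entering Passive Mode (192,0,2,10,19,137)\r\n"))
```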