[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Feedback requested:FTP ALG for IPv6-to-IPv4 translation

To: Rémi Denis-Courmont <remi@remlab.net>
Subject: Re: Feedback requested:FTP ALG for IPv6-to-IPv4 translation
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Mon, 27 Apr 2009 15:06:21 +0200
Cc: IPv6 Operations <v6ops@ops.ietf.org>, Behave WG <behave@ietf.org>
In-reply-to: <be5a6e6614ae6d501486092f039553e9@chewa.net>
References: <20090427084757.ED90228C0D0@core3.amsl.com> <92C2C957-ED8F-47F9-B0D5-28B58A1E29A4@muada.com> <be5a6e6614ae6d501486092f039553e9@chewa.net>

[CC to behave list, trim behave or v6ops as required]

On 27 apr 2009, at 13:31, Rémi Denis-Courmont wrote:

This does not say how "EPSV ALL" is translated... You cannot letEPSV ALL
go through if you translate later EPSV requests, as it would break
EPSV-capable FTP IPv4 servers. As such, I guess the ALG shouldaccept the
request and not forward it to the FTP server.

Not sure if issuing EPSV ALL would actually cause trouble if then PASVis issued, but just to be on the safe side and to avoid servers (ormiddleboxes) reacting badly to EPSV in general it's probably best tofilter these out. Need to think about EPSV <protocol>, too.

|  If the server's 227 response contains an IPv4 address that doesn't
| match the destination of the control channel, the FTP ALG SHOULDsend
|  the following response to the client:

|  425 Can't open data connection.

How common is this case? Shouldn't the ALG succeed, as it can do IPv4
address translation anyway?

It should be rare, because in this case the server asks to connect toa different host (or different address on the same host) to get thedata than the address we're talking to for the control channel.

The problem is that the 229 response doesn't allow for an address. Itwould be possible to put it in there anyway, but I have no idea whatthe result of that would be. Alternatively, it would be possible tocreate a mapping from pref64::10.0.0.1 port 1234 to 10.0.0.2 port 1234as a way to solve this, but that's very ugly and this way EPSVtranslation can't happen on just the control channel anymore.

One thing that would be good to know is whether ALL IPv6 FTP clients
do EPSV or if there are also ones that do EPRT or, worse, active FTP
without issuing EPRT.

Not that I know. However, as the author of one popular piece ofsoftware
that does include FTP functionality, I would like to mention that some
users explicitly requested active mode be added.

Right. Active mode with EPRT would work if that part is alsoimplemented as described in the draft (EPRT is MAY, EPSV is SHOULD),but:

Their rationale was that
it's better/easier for their client-side firewall to allow inboundtraffic
from TCP port 20 (ftp-data)

If port 20 is assumed and no EPSV or EPRT is issued, then there is noobvious way to correlate the incoming session on the v4 side to the v6host, especially if multiple clients are talking to the same server atthe same time. I think this is too nasty to bother with.

References:
- Feedback requested:FTP ALG for IPv6-to-IPv4 translation
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: Feedback requested:FTP ALG for IPv6-to-IPv4 translation
  - From: Rémi Denis-Courmont <remi@remlab.net>

Prev by Date: Re: Feedback requested:FTP ALG for IPv6-to-IPv4 translation
Next by Date: RE: draft-ietf-v6ops-cpe-simple-security-04 WGLC
Previous by thread: Re: Feedback requested:FTP ALG for IPv6-to-IPv4 translation
Index(es):
- Date
- Thread