Firewall Wizards mailing list archives
RE: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U)
From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Sat, 6 Apr 2002 12:37:58 -0500
-----Original Message----- From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Fritz Ames Sent: Friday, April 05, 2002 8:52 PM To: firewall-wizards () nfr com Subject: Re: [fw-wiz] The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) All, I guess that I am with Mr. Kistner. Rant time? (...stepping up on soapbox...) Does that mean that we can criticize the old protocols for not meeting standards based on our current perspective? Is
Well, yes, it does! Just because it's venerable doesn't mean we must accept it. There are clear problems with FTP implementation in the modern network security environment that have not yet been addressed. The same has occurred with ESMTP and IP, along with many other protocols which had rather drastic standards modifications throughout the 80's and 90's.
it important to remember that we are standing on the shoulders of giants? To casually dismiss the tremendous volume of good work that went into the infrastructure that we enjoy today is a shame--and a waste of institutional knowledge. Take a look at http://www.ayukov.com/nftp/ftp-rfc.html for a taste of what went into building the FTP we have today. Then take a look at RFC959 ( http://www.ietf.org/rfc.html ), which is 16 years old, predates many of
Why would you imply that we were critisizing the previous architects? That's thinking like a priest, not like an engineer. Questioning a single design decision in no way invalidates their good work. Especially since their design decision was predicated on valid technical concerns (at the time), which no longer have an impact. No matter how long something takes, and how many man-years of experience are wrapped up in it, it will contain mistakes. It will always take someone brave enough to point at the mistake and say "here" in order to begin working on a solution. Throughout history, the poor schmuck who said "here" was always accused of either: heresy, witchcraft, satanism, inferiority, stupidity, disrespectfulness, or audacity. Cheers, Ben
our group's knowledge of even the existence of the Internet, and is an extensive piece of specification work. More work probably went into just the generation of the ASCII-art block diagrams showing how FTP works than went into most of the criticism that I have seen. Read, completely, RFC2468 and RFC2555 (Really. They're not long.) to see who *some* of these people are whom we are criticizing. (So this sounds like I am on a soapbox... I'll get down now.) Ummm... So I guess that I'll have to sign on to help work on a better spec., to replace the current spec. Where do I go to stand in line? (Why can't I work on a more *fun* one--having meetings in Paris to talk about XML?) [;-)] Thanks, Fritz Tom Kistner wrote:On Wed, Apr 03, 2002 at 01:07:11AM +0200, Mikael Olsson(mikael.olsson () clavister com) wrote:Heck, simply moving the data channel to an in-line channel in the port 21 connection would be by far more preferable, and easier to implement to boot. I can't believe they botched the perfectly good chance of clearing up this old mess when they adapted FTP to IPv6, rather than just extending the "PORT" and "227" messages to handle IPv6 addresses in ASCII format. (But then again, I'm a grumpy security guy whose pet peeve is protocols with dynamic channels, not a stressed-out engineer who needs to get things working yesterday.)Theres a good reason for the data channels to be on separateconnections:Server-to-Server transfers, commonly known as "FXP". That feature was used quite a lot in "the old days". Today, it's used mainly for warez currying. So i'd say it's not an old mess, FTP just stays the way itis even in IPv6.There are umpteen other ways to transfer files, why not useone of those ?/tom
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U), (continued)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Ng Pheng Siong (Apr 06)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Joseph S D Yao (Apr 03)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) R. DuFresne (Apr 04)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Patrick M. Hausen (Apr 04)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Ng Pheng Siong (Apr 05)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Ng Pheng Siong (Apr 05)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Tom Kistner (Apr 05)
- RE: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Benjamin P. Grubin (Apr 06)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Mikael Olsson (Apr 06)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Fritz Ames (Apr 06)
- RE: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Benjamin P. Grubin (Apr 06)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Mikael Olsson (Apr 06)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Mikael Olsson (Apr 06)
- RE: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Benjamin P. Grubin (Apr 06)
- RE: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Robert Collins (Apr 04)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Mikael Olsson (Apr 06)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Carson Gaspar (Apr 16)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Mikael Olsson (Apr 06)