Firewall Wizards mailing list archives

RE: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U)

From: "Benjamin P. Grubin" <bgrubin () pobox com>
Date: Sat, 6 Apr 2002 12:37:58 -0500

-----Original Message-----
From: firewall-wizards-admin () nfr com 
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Fritz Ames
Sent: Friday, April 05, 2002 8:52 PM
To: firewall-wizards () nfr com
Subject: Re: [fw-wiz] The yearly FTP rant (Was: Re: Passive 
FTP and NAT/PAT with PIX and Serv-U)


All,
    I guess that I am with Mr. Kistner.  Rant time?  
(...stepping up on 
soapbox...)  Does that mean that we can criticize the old 
protocols for 
not meeting standards based on our current perspective?  Is


Well, yes, it does!  Just because it's venerable doesn't mean we must
accept it.  There are clear problems with FTP implementation in the
modern network security environment that have not yet been addressed.
The same has occurred with ESMTP and IP, along with many other protocols
which had rather drastic standards modifications throughout the 80's and
90's.

it important 
to remember that we are standing on the shoulders of giants?  To 
casually dismiss the tremendous volume of good work that went 
into the 
infrastructure that we enjoy today is a shame--and a waste of 
institutional knowledge.  Take a look at 
http://www.ayukov.com/nftp/ftp-rfc.html for a taste of what went into 
building the FTP we have today.  Then take a look at RFC959 ( 
http://www.ietf.org/rfc.html ), which is 16 years old, 
predates many of


Why would you imply that we were critisizing the previous architects?
That's thinking like a priest, not like an engineer.  Questioning a
single design decision in no way invalidates their good work.
Especially since their design decision was predicated on valid technical
concerns (at the time), which no longer have an impact.

No matter how long something takes, and how many man-years of experience
are wrapped up in it, it will contain mistakes.  It will always take
someone brave enough to point at the mistake and say "here" in order to
begin working on a solution.  Throughout history, the poor schmuck who
said "here" was always accused of either: heresy, witchcraft, satanism,
inferiority, stupidity, disrespectfulness, or audacity.

Cheers,
Ben

our group's knowledge of even the existence of the Internet, 
and is an 
extensive piece of specification work.  More work probably went into 
just the generation of the ASCII-art block diagrams showing how FTP 
works than went into most of the criticism that I have seen.  Read, 
completely, RFC2468 and RFC2555 (Really.  They're not long.) 
to see who 
*some* of these people are whom we are criticizing.  (So this sounds 
like I am on a soapbox...  I'll get down now.)  Ummm...  So I 
guess that 
I'll have to sign on to help work on a better spec., to replace the 
current spec.  Where do I go to stand in line?  (Why can't I 
work on a 
more *fun* one--having meetings in Paris to talk about XML?)  [;-)]


Thanks,

Fritz

Tom Kistner wrote:

On Wed, Apr 03, 2002 at 01:07:11AM +0200, Mikael Olsson

(mikael.olsson () clavister com) wrote:

Heck, simply moving the data channel to an in-line channel in
the port 21 connection would be by far more preferable, and easier
to implement to boot. I can't believe they botched the perfectly 
good chance of clearing up this old mess when they adapted FTP to 
IPv6, rather than just extending the "PORT" and "227" messages to 
handle IPv6 addresses in ASCII format. (But then again, I'm a 
grumpy security guy whose pet peeve is protocols with dynamic 
channels, not a stressed-out engineer who needs to get things 
working yesterday.)


Theres a good reason for the data channels to be on separate

connections:

Server-to-Server transfers, commonly known as "FXP".

That feature was used quite a lot in "the old days". Today, it's
used mainly for warez currying.

So i'd say it's not an old mess, FTP just stays the way it

is even in IPv6.


There are umpteen other ways to transfer files, why not use

one of those ?



/tom


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

Current thread:

Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U), (continued)
- - - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Ng Pheng Siong (Apr 06)
  - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Joseph S D Yao (Apr 03)
  - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) R. DuFresne (Apr 04)
  - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Patrick M. Hausen (Apr 04)
    - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Ng Pheng Siong (Apr 05)
  - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Ng Pheng Siong (Apr 05)
- Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Tom Kistner (Apr 05)
  - RE: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Benjamin P. Grubin (Apr 06)
    - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Mikael Olsson (Apr 06)
  - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Fritz Ames (Apr 06)
    - RE: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Benjamin P. Grubin (Apr 06)
    - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Mikael Olsson (Apr 06)
  - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Mikael Olsson (Apr 06)
- RE: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Robert Collins (Apr 04)
  - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Mikael Olsson (Apr 06)
    - Re: The yearly FTP rant (Was: Re: Passive FTP and NAT/PAT with PIX and Serv-U) Carson Gaspar (Apr 16)