Network Working Group
S. Bellovin
AT&T Bell Laboratories
Request for Comments: 1579
Category: Informational
February 1994
Status of this Memo 本备忘录的状态
This document provides information for the Internet community. This document does not specify an Internet standard of any kind. Distribution of this document is unlimited.
本文档为互联网社区提供信息。本文档并未规定任何类型的互联网标准。本文档的分发不受限制。
Abstract 摘要
This memo describes a suggested change to the behavior of FTP client programs. No protocol modifications are required, though we outline some that might be useful.
本备忘录描述了对FTP客户端程序行为的建议性改变。虽然不需要修改协议,但我们概述了一些可能有用的修改。
Overview and Rational 概述和理由
The FTP protocol [1] uses a secondary TCP connection for actual transmission of files. By default, this connection is set up by an active open from the FTP server to the FTP client. However, this scheme does not work well with packet filter-based firewalls, which in general cannot permit incoming calls to random port numbers.
FTP协议[1]使用一个次要的TCP连接来实际传输文件。默认情况下,这个连接是由FTP服务器主动打开到FTP客户端的。然而,这种方案与基于包过滤的防火墙不太兼容,因为防火墙通常不能允许随机端口号的传入调用。
If, on the other hand, clients use the PASV command, the data channel will be an outgoing call through the firewall. Such calls are more easily handled, and present fewer problems.
The Gory Details 细节
The FTP specification says that by default, all data transfers should be over a single connection. An active open is done by the server, from its port 20 to the same port on the client machine as was used for the control connection. The client does a passive open.
FTP规范指出,默认情况下,所有数据传输应该通过单一连接进行。服务器从其20端口主动打开到客户机上与控制连接相同的端口。客户端进行被动打开。
For better or worse, most current FTP clients do not behave that way. A new connection is used for each transfer; to avoid running afoul of TCP’s TIMEWAIT state, the client picks a new port number each time and sends a PORT command announcing that to the server.
不论好坏,大多数当前的FTP客户端都不是这样做的。每次传输都使用新的连接;为了避免与TCP的TIMEWAIT状态冲突,客户端每次都选择一个新的端口号,并发送PORT命令通知服务器。
Neither scenario is firewall-friendly. If a packet filter is used (as, for example, provided by most modern routers), the data channel requests appear as incoming calls to unknown ports. Most firewalls are constructed to allow incoming calls only to certain believed-to- be-safe ports, such as SMTP. The usual compromise is to block only the “server” area, i.e., port numbers below 1024. But that strategy is risky; dangerous services such as X Windows live at higher- numbered ports.
这两种情况都不利于防火墙。如果使用了数据包过滤(例如,大多数现代路由器提供的),数据通道请求看起来像是对未知端口的传入调用。大多数防火墙都是构建为仅允许对某些认为是安全的端口的传入调用,例如SMTP。通常的妥协是只阻塞“服务器”区域,即1024以下的端口号。但这种策略是有风险的;像X Windows这样的危险服务存在于更高的端口号中。
Outgoing calls, on the other hand, present fewer problems, either for the firewall administrator or for the packet filter. Any TCP packet with the ACK bit set cannot be the packet used to initiate a TCP connection; filters can be configured to pass such packets in the outbound direction only. We thus want to change the behavior of FTP so that the data channel is implemented as a call from the client to the server.
另一方面,出站调用较少问题,无论是对防火墙管理员还是对数据包过滤器而言。任何带有ACK位设置的TCP包都不能用于启动TCP连接;过滤器可以配置为仅在出站方向传递此类包。因此,我们希望改变FTP的行为,使得数据通道作为从客户端到服务器的调用实现。
Fortunately, the necessary mechanisms already exist in the protocol. If the client sends a PASV command, the server will do a passive TCP open on some random port, and inform the client of the port number. The client can then do an active open to establish the connection.
幸运的是,协议中已经存在必要的机制。如果客户端发送PASV命令,服务器将在某个随机端口上进行被动TCP打开,并将端口号通知给客户端。然后客户端可以进行主动打开以建立连接。
There are a few FTP servers in existence that do not honor the PASV command. While this is unfortunate (and in violation of STD 3, RFC 1123 [2]), it does not pose a problem. Non-conforming implementations will return a “500 Command not understood” message; it is a simple matter to fall back to current behavior. While it may not be possible to talk to such sites through a firewall, that would have been the case had PASV not been adopted.
存在一些不遵循PASV命令的FTP服务器。虽然这是不幸的(并且违反了STD 3, RFC 1123[2]),但这不构成问题。不符合规范的实现将返回“500命令不理解”的消息;回退到当前行为是一件简单的事情。虽然可能无法通过防火墙与此类站点通话,但如果没有采用PASV,情况也会如此。
Recommendation 推荐
We recommend that vendors convert their FTP client programs (including FTP proxy agents such as Gopher [3] daemons) to use PASV instead of PORT. There is no reason not to use it even for non- firewall transfers, and adopting it as standard behavior will make the client more useful in a firewall environment.
我们建议供应商将其FTP客户端程序(包括像Gopher[3]守护进程这样的FTP代理代理)转换为使用PASV而不是PORT。即使对于非防火墙传输,也没有理由不使用它,将其作为标准行为将使客户端在防火墙环境中更加有用。
STD 3, RFC 1123 notes that the format of the response to a PASV command is not well-defined. We therefore recommend that FTP clients and servers follow the recommendations of that RFC for solving this problem.
STD 3, RFC 1123指出,对PASV命令的响应格式没有很好定义。因此,我们建议FTP客户端和服务器遵循该RFC的建议来解决这个问题。
Discussion 讨论
Given the behavior of most current FTP clients, the use of PASV does not cause any additional messages to be sent. In all cases, a transfer operation is preceded by an extra exchange between the client and the server; it does not matter if that exchange involves a PORT command or a PASV command.
鉴于大多数当前FTP客户端的行为,使用PASV不会导致发送任何额外的消息。在所有情况下,传输操作之前都会有客户端和服务器之间的额外交换;无论这次交换涉及PORT命令还是PASV命令,都没有关系。
There is some extra overhead with Gopher-style clients; since they transfer exactly one file per control channel connection, they do not need to use PORT commands. If this is a serious concern, the Gopher proxy should be located on the outside of the firewall, so that it is not hampered by the packet filter’s restrictions.
对于Gopher风格的客户端来说,有一些额外的开销;由于它们每个控制通道连接只传输一个文件,因此它们不需要使用PORT命令。如果这是一个严重的问题,Gopher代理应该位于防火墙的外部,这样就不会受到数据包过滤器限制的阻碍。
If we accept that clients should always perform active opens, it might be worthwhile enhancing the FTP protocol to eliminate the extra exchange entirely. At startup time, the client could send a new command APSV (“all passive”); a server that implements this option would always do a passive open. A new reply code 151 would be issued in response to all file transfer requests not preceded by a PORT or PASV command; this message would contain the port number to use for that transfer. A PORT command could still be sent to a server that had previously received APSV; that would override the default behavior for the next transfer operation, thus permitting third-party transfers.
如果我们接受客户端应该始终执行主动打开的话,可能值得增强FTP协议,以完全消除额外的交换。在启动时,客户端可以发送一个新命令APSV(“全部被动”);实现此选项的服务器将始终进行被动打开。对所有未由PORT或PASV命令先行的文件传输请求,新的回复代码151将被发出;此消息将包含用于该传输的端口号。即使之前接收到APSV,仍可以向服务器发送PORT命令;这将覆盖下一次传输操作的默认行为,从而允许第三方传输。
Implementation Status 实施状态
At least two independent implementations of the modified clients exist. Source code to one is freely available. To our knowledge, APSV has not been implemented.
至少存在两个独立实现的修改后的客户端。其中一个的源代码是免费提供的。据我们所知,APSV尚未实施。
Security Considerations 安全考虑
Some people feel that packet filters are dangerous, since they are very hard to configure properly. We agree. But they are quite popular. Another common complaint is that permitting arbitrary outgoing calls is dangerous, since it allows free export of sensitive data through a firewall. Some firewalls impose artificial bandwidth limits to discourage this. While a discussion of the merits of this approach is beyond the scope of this memo, we note that the sort of application-level gateway necessary to implement a bandwidth limiter could be implemented just as easily using PASV as with PORT.
有些人认为数据包过滤器是危险的,因为它们非常难以正确配置。我们同意。但它们非常流行。另一个常见的抱怨是,允许任意的出站调用是危险的,因为它允许敏感数据通过防火墙自由导出。一些防火墙施加人为的带宽限制以阻止这种情况。虽然讨论这种方法的优点超出了本备忘录的范围,但我们注意到,实现带宽限制器所需的应用层网关可以使用PASV和PORT一样容易地实现。
Using PASV does enhances the security of gateway machines, since they no longer need to create ports that an outsider might connect to before the real FTP client. More importantly, the protocol between the client host and the firewall can be simplified, if there is no need to specify a “create” operation.
使用PASV确实增强了网关机器的安全性,因为它们不再需要创建外部可能连接的端口。更重要的是,如果不需要指定“创建”操作,则客户端主机与防火墙之间的协议可以简化。
Concerns have been expressed that this use of PASV just trades one problem for another. With it, the FTP server must accept calls to random ports, which could pose an equal problem for its firewall. We believe that this is not a serious issue, for several reasons.
有人担心,使用PASV只是将一个问题换成了另一个问题。因为这样,FTP服务器必须接受对随机端口的调用,这对其防火墙可能构成同等问题。我们认为这不是一个严重问题,原因有几个。
First, there are many fewer FTP servers than there are clients. It is possible to secure a small number of special-purpose machines, such as gateways and organizational FTP servers. The firewall’s filters can be configured to allow access to just these machines. Further precautions can be taken by modifying the FTP server so that it only uses very high-numbered ports for the data channel. It is comparatively easy to ensure that no dangerous services live in a given port range. Again, this is feasible because of the small number of servers.
首先,FTP服务器比客户端少得多。可以保护少数特殊用途的机器,如网关和组织FTP服务器。防火墙的过滤器可以配置为仅允许访问这些机器。通过修改FTP服务器,以便它只使用非常高编号的端口用于数据通道,可以采取进一步的预防措施。比较容易确保在给定的端口范围内没有危险服务存在。再次,这是可行的,因为服务器数量少。
References 参考文献
- Postel, J., and J. Reynolds, “File Transfer Protocol”, STD 1, RFC 959, USC/Information Sciences Institute, October 1985.
- Braden, R., Editor, “Requirements for Internet Hosts - Application and Support”, STD 3, RFC 1123, USC/Information Sciences Institute, October 1989.
- Anklesaria, F., McCahill, M., Lindner, P., Johnson, D., Torrey, D., and B. Alberti, “The Internet Gopher Protocol (a distributed document search and retrieval protocol)”, RFC 1436, University of Minnesota, March 1993.
Author’s Address
Steven M. Bellovin AT&T Bell Laboratories 600 Mountain Avenue Murray Hill, NJ 07974
Phone: (908) 582-5886 EMail: smb@research.att.com