Hi Tiru,

The problem with NAT for protocols like FTP can be solved by using PCP (http://tools.ietf.org/html/rfc6887).

Sure it can and even should. But the tcpinc charter states that the
solution must not require modifying existing applications, and PCP
is not widely supported nowadays, AFAIK.

Valery.

-Tiru

> Hi Yoav,
>
> > Hi Brian, Valery
> >
> > FTP comes in two varieties: active and passive.
>
> True.
>
> > There is no issue in passive mode FTP with tcpinc, as the client opens
> > all the connections.
>
> Not quite. For an active mode there is an issue if client is behind NAT.
> For a passive mode there is an issue if server is behind NAT.
> (Well, it's true that in passive mode client opens all connections, but
> server still indicates the address and port the client should connect to
> for data transfer in the control connection, and if the server is behind
> NAT then these values need to be adjusted by NAT). I admit that the
> situation when server is behind NAT is more rare than when client is
> behind NAT, but it is not uncommon. Consider home network connected to
> the Internet via ISP's NAT with FTP server installed that is accessible
> from the internet. Nowadays this setup is supported by most "off shelf"
> routers and there are plenty of free dynamic DNS services that solve the
> problem of non-staticness of IP address of the server.
>
> > For active, there is an issue with using tcpinc on the control
> > connection, but no issue for the data connection.
>
> True. But note that control connection transmits user name and password,
> that may be of interest for attacker (unless it is anonymous ftp).
>
> > AFAIK (and according to Wikipedia) browsers implement passive FTP so
> > clicking on ftp:// links will work with tcpinc.
>
> Agree. But there are many standalone clients that don't support passive
> mode or don't use it by default. Moreover, some applications use ftp
> internally (for example to get updates) and user often has no means to
> change the way they do it.
>
> Regards,
> Valery.
>
> > Yoav
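
An added example, not part of the thread: a sketch of the fix-up a NAT's FTP helper performs on the control connection (the RFC 959 `PORT` argument in active mode, the `227` reply in passive mode), and why it finds nothing to adjust once that connection is opaque to the NAT. The function names, addresses and ports are constructed, and the XOR in `opaque` is only a stand-in for "the NAT cannot read this", not the tcpinc protocol.

```python
import ipaddress
import re

# RFC 959 host-port form h1,h2,h3,h4,p1,p2 used by PORT and by the 227 reply.
HOSTPORT = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample control-channel lines.
PASV_REPLY = b"227 Entering Passive Mode (192,168,1,10,195,80)\r\n"  # server behind NAT
PORT_CMD = b"PORT 10,0,0,5,200,21\r\n"                                # client behind NAT

def parse_endpoint(line: bytes):
    """Return (IPv4Address, port) announced by a PORT command or 227 reply, else None."""
    if not (line.upper().startswith(b"PORT ") or line.startswith(b"227 ")):
        return None
    m = HOSTPORT.search(line)
    if m is None:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ipaddress.IPv4Address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]

def alg_rewrite(line: bytes, public_ip: str, public_port: int) -> bytes:
    """Replace an inner RFC 1918 endpoint with the NAT's public mapping."""
    ep = parse_endpoint(line)
    if ep is None or not any(ep[0] in net for net in RFC1918):
        return line  # nothing recognisable to adjust
    new = "%s,%d,%d" % (public_ip.replace(".", ","),
                        public_port >> 8, public_port & 0xFF)
    return HOSTPORT.sub(new.encode(), line, count=1)

def opaque(line: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for an encrypted control channel: the NAT sees only these bytes."""
    return bytes(b ^ key for b in line)

if __name__ == "__main__":
    # Cleartext: the helper fixes the address, so the peer can connect.
    print(alg_rewrite(PASV_REPLY, "203.0.113.7", 40000))
    # Opaque: the helper passes it through, the peer decodes the inner address.
    passed = alg_rewrite(opaque(PASV_REPLY), "203.0.113.7", 40000)
    print(parse_endpoint(opaque(passed)))
```
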

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc