bug-inetutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug-inetutils] Active FTP Issue with Inetutils 1.5-4


From: Curt Gran (crazykz)
Subject: Re: [bug-inetutils] Active FTP Issue with Inetutils 1.5-4
Date: Fri, 6 Mar 2009 15:40:02 -0600

Sergey wrote:
>Can you point to an RFC which requires this? STD 9 (RFC 959) tells nothing 
>about it. Neither does RFC 2228.

Hi Sergey,

Ok, I gave this another shot and went through the RFC again.  To state
the issue again:  FTP data connections from the server in inetutils
1.5 are sourcing from a high order port.  This differs from previous
releases where the FTP data connection from the server source from the
default data port, 20.  The question is if it is a violation of the
RFC to initiate a data connection from the server on another port
besides port 20.

Summary of research:
It does not state port 20 specifically in the RFC.  It states the port
as L-1 (sections 3.2 and 5.2).  It later defines L=21 (section 8).  So
the interpretation then is if L=21 then L-1=20.  This is just a
synopsis of what is in the RFC.  I've listed out quotes from the RFC
below to support my case and tried to keep them in context.  It's
important to read all of this because it builds the case piece by
piece as your read through the RFC.

Please don't flame me on this.  It could be that this has been
superseded or my interpretation is off but I'm trying to present a
case here and I'm hoping someone will just hear me out.  This is very
important to us, where I work, and it would be a great help if we
could determine/understand if sourcing a data connection from the
server-DTP on a high order port is allowed or not.

Below are the instances from the RFC.  After each instance I give my
interpretation of the paragraph and try to clarify points.  There are
terms in the RFC that are defined in section 2.2 (Terminology).  It's
important to understand these.  There are also places in the RFC where
they overload the words passive and active so you need to be careful
when reading parts that use these terms.  Sometimes they are talking
about the connection mode and other times they are using those terms
as who is the one listening (passive) and who is the one initiating
(active).

An example of active/passive in the later definition can be seen in section 2.2:

data port

         The passive data transfer process "listens" on the data port
         for a connection from the active transfer process in order to
         open the data connection.

The above definition does not mean passive or active mode.  It is
talking about the role of each end of the connection.  The passive
role is the end that is listening and the active role is the end that
is initiating the connection.  This is relevant but it's a poor choice
of terms.

>From RFC959:  http://www.ietf.org/rfc/rfc959.txt

FIRST CASE:

3.2.  ESTABLISHING DATA CONNECTIONS

      The mechanics of transferring data consists of setting up the data
      connection to the appropriate ports and choosing the parameters
      for transfer.  Both the user and the server-DTPs have a default
      data port.  The user-process default data port is the same as the
      control connection port (i.e., U).  The server-process default
      data port is the port adjacent to the control connection port
      (i.e., L-1).

and

3.2 Paragraph 4
      Every FTP implementation must support the use of the default data
      ports, and only the USER-PI can initiate a change to non-default
      ports.

Explanation:
The literal interpretation of i.e. is "that is" according to Wikipedia
from the last sentence of paragraph one which states the servers
default data port is... (i.e. L-1)
http://en.wikipedia.org/wiki/IE

The user-DTP and server-DTP are defined in the RFC (Section 2.2) as
the processes (Data Transfer Processes) on each side (client and
server) that are responsible for the data connection.  The user-PI and
server-PI are the processes on each side that are in charge of the
control channel.  DTP, data transfer process.  PI, Protocol
Interpretor.

The last sentence in the paragraph seems to say that only port L-1 can
be used to initiate the data connection from the server-DTP.  The 4th
paragraph seems to reinforce this point.

The funny thing is that "L" is not defined until later in the document
so please keep reading.


SECOND CASE:

In section 5.2, second paragraph, is the following:

The user-DTP must "listen" on the specified data port; this may be
      the default user port (U) or a port specified in the PORT command.
      The server shall initiate the data connection from his own default
      data port (L-1) using the specified user data port.  The direction
      of the transfer and the port used will be determined by the FTP
      service command.

Explanation:
Again this states the the server shall initiate the data connection
from his own default port (L-1).  The document still has not defined
"L" up to this point.  "U" indicates the port that the user sent in
the PORT command.  This indicates the user will be listening for a
connection from the server on port "U" when doing a data connection in
active mode.

The word "shall" comes up in this paragraph which may leave room to
interpretation.  However, BCP 14 (RFC 2119) defines SHALL to be
equivalent to MUST:
1. MUST   This word, or the terms "REQUIRED" or "SHALL", mean that the
definition is an absolute requirement of the specification.

So from this it seems like the paragraph states the server must
initiate the data connection from it's own default port (L-1).

THIRD CASE:

8.  CONNECTION ESTABLISHMENT

   The FTP control connection is established via TCP between the user
   process port U and the server process port L.  This protocol is
   assigned the service port 21 (25 octal), that is L=21.

This is where they finally define L=21.  So again L-1 would be 20.

So this is what I interpret the case to be where the data connection
must be initiated from port 20.  I'm hoping someone will see if they
agree or disagree.  If there is a disagreement please try to provide
some evidence that can support it.

Thanks and sorry for the confusing email.  Please remember I'm not
trying to prove what's right or wrong at this point.  I'm trying to
give my interpretation of the RFC to see if my understanding is
correct or if I have missed something in my research.  All of this
research is so we can try to determine if we need to accept
implementations that do this or have a way to justify that they should
not.

Thanks for any help on this.

Curt


On Fri, Mar 6, 2009 at 3:49 AM, Sergey Poznyakoff <address@hidden> wrote:
> Curt Gran (crazykz) <address@hidden> ha escrit:
>
>> Synopsis:
>> Active FTP data connections are NOT being sourced from port 20 as
>> stated in the RFC.
>
> Can you point to an RFC which requires this? STD 9 (RFC 959) tells
> nothing about it. Neither does RFC 2228.
>
> Regards,
> Sergey
>




reply via email to

[Prev in Thread] Current Thread [Next in Thread]