INTERNET-DRAFT                                               M. Rosenau
Expires: June 23, 2007                                December 27, 2006
Category: Experimental

            FTP EXTENSION ALLOWING IP FORWARDING (NATs)
              <draft-rosenau-ftp-single-port-00.txt>

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 23, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The FTP protocol [1] needs two connections: a control connection and
   a data connection.  In networks that use "port forwarding" (e.g.
   SSH, DSL routers, VPNs) it is often only possible for the server to
   listen on a single TCP port.  In such networks the traditional FTP
   protocol cannot be used.  This memo describes an extension to the
   FTP protocol that allows FTP to be used with only one TCP port
   number for both the control connection and passive-mode data
   connections.

Rosenau              FTP extension for IP forwarding            [Page 1]

1. INTRODUCTION

   To transfer data via FTP [1] you need two connections: a control
   connection and a data connection.
   In traditional FTP there are two methods to establish the data
   connection:

   1) The active method: The server establishes the data connection;
      the client must send its address to the server and listen on a
      TCP port.

   2) The passive method: The server sends its address (including the
      TCP port number) to the client, which establishes the connection.

   The active method requires that the client can listen for incoming
   connections and that the server can establish a connection to the
   client.  The client must know its own address as it is seen by the
   server.  This is not the case when the client is behind a firewall
   [3].

   The passive method requires the server to be able to listen for
   incoming TCP connections on a second port and to know its own IP
   address.  If the server is behind a NAT firewall with TCP port
   forwarding this is often not the case.

   Both variants originally work only with IPv4; FTP over other network
   protocols requires special extensions such as the "EPRT" [4] or the
   "LPRT" [2] command.  These extensions do not work with protocols
   that do not have a "port" concept.

   This draft describes an extension to the FTP protocol that allows
   using FTP with TCP port forwarding (so-called IP forwarding) and any
   type of stream-oriented network protocol.  It also allows the use of
   protocols that do not have a "port" concept.

2. OVERVIEW

   The reason for the problems described above is the fact that either
   the server or the client must know its own network address (this
   includes the port number when using TCP) and tell it to the other
   side.  In passive mode the server additionally needs a second TCP
   port, which can be a problem when using TCP port forwarding.

   The extension proposed here allows the server to use the same
   address and port number for a passive data connection as for the
   control connection.
   To establish the data connection the client opens a second
   connection to the same port that is used for the control connection
   and tells the server that it wants this connection to be a data
   connection.  Because the client already knows the address and port
   number of the control connection (it would not have been able to
   connect otherwise), neither the server nor the client needs to know
   its own address or port number.

3. EXTENSION COMMANDS ADDED

   USE SINGLE PORT PASSIVE MODE ("SPSV" proposed)

   This command is sent by the client to indicate that it wants to use
   the method described in this document to establish a data
   connection.  If the command succeeds the server replies

      227 Any informational text (identifier)

   The identifier sent in brackets is a string that the client uses to
   establish the data connection.  The identifier SHOULD only include
   uppercase letters (A-Z) and digits (0-9).  It must not contain
   brackets or characters with an ASCII code above 126 or below 33.
   The identifier must not be longer than 32 characters.

   The identifier is necessary because multiple clients can be
   connected to the FTP server at the same time.  Without the
   identifier the FTP server cannot determine which client is
   establishing a data connection.

   ESTABLISH DATA CONNECTION ("SPDT" proposed)

   This command is the only command sent over the data connection.  It
   is sent instead of a "USER" command.  The server should also be
   prepared to accept the command instead of the "PASS" command or
   directly after the "PASS" command (see examples).  In this case the
   server should ignore the user name and the password.

   The argument is the identifier received in the reply to the "use
   single port passive mode" command.

   If the server accepts the command it returns "200", CR, LF to
   indicate that a data connection is established.  The server should
   not send any text or space character after the "200".
   If the identifier is not correct the server returns a reply with the
   code 504 and drops the TCP connection.

4. EXAMPLE TRANSMISSION SCENARIO

   - The first connection ("--1-->") is established.

      S--1-->C 220 FTP server ready<CRLF>
      C--1-->S USER u001<CRLF>
      S--1-->C 331 Enter password<CRLF>
      C--1-->S PASS xyz<CRLF>
      S--1-->C 230 You are logged in<CRLF>
      C--1-->S SPSV<CRLF>
      S--1-->C 227 Entering single-port mode (000007D6)<CRLF>

   - The second connection ("---2->") is established.

      S---2->C 220 FTP server ready<CRLF>
      C---2->S SPDT 000007D6<CRLF>
      S---2->C 200<CRLF>
      C--1-->S RETR contents.txt<CRLF>
      S--1-->C 150 Transmitting data<CRLF>
      S---2->C (Contents of contents.txt)

   - The server closes the second connection.

      S--1-->C 226 Data transferred<CRLF>
      ...

   Because some proxy servers send the user name (and password) when
   connecting to an FTP server, the server should also accept the
   following ways to establish a data connection:

      S---2->C 220 FTP server ready<CRLF>
      C---2->S USER u001<CRLF>
      S---2->C 331 Enter password<CRLF>
      C---2->S SPDT 000007D6<CRLF>
      S---2->C 200<CRLF>

   or:

      S---2->C 220 FTP server ready<CRLF>
      C---2->S USER u001<CRLF>
      S---2->C 331 Enter password<CRLF>
      C---2->S PASS xyz<CRLF>
      S---2->C 230 You are logged in<CRLF>
      C---2->S SPDT 000007D6<CRLF>
      S---2->C 200<CRLF>

5. THE "SERVICE NOT READY" MESSAGE

   If too many control connections are open, many FTP servers deny new
   users the connection to the server.  The server sends the following
   message:

      120 Too many users connected. Try later.<CRLF>

   and drops the connection.  If a server is waiting for a passive
   connection it cannot do this, because the new connection may be a
   data connection.  In this case the following behaviour is proposed:

      <--- 220 Too many users; only SPDT allowed<CRLF>
      ---> USER u001<CRLF>
      <--- 421 Too many users connected. Try later.<CRLF>
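   The following Python code is an added example, not part of this
   draft or of any FTP implementation: it models the server-side
   bookkeeping behind SPSV/SPDT (identifier issue, single use, the
   three accepted SPDT placements of section 4, and the "too many
   users" handling of section 5) and the client-side parsing of the
   227 reply.  The class and function names are hypothetical.

```python
import re

IDENT_RE = re.compile(r"^[A-Z0-9]{1,32}$")  # section 3: A-Z, 0-9, max 32 chars

def valid_identifier(ident):
    """True if ident obeys the SHOULD rule of section 3 (which also implies
    the MUST rules: no brackets, only ASCII 33..126)."""
    return bool(IDENT_RE.match(ident))

def parse_spsv_reply(line):
    """Client side: take the identifier out of a '227 ... (identifier)' reply.
    Returns None if the reply is not a 227 or the identifier is malformed."""
    m = re.match(r"^227 .*\(([^()]*)\)\s*$", line)
    if not m or not valid_identifier(m.group(1)):
        return None
    return m.group(1)

class SinglePortServer:
    """Hypothetical, simplified server state: identifiers handed out by SPSV
    that are still waiting for their data connection, plus a user count."""
    def __init__(self, max_users=10):
        self.pending = {}        # identifier -> control session that sent SPSV
        self.users = 0
        self.max_users = max_users
        self.counter = 0

    def spsv(self, session):
        """Answer an SPSV on the control connection; identifier is single-use."""
        self.counter += 1
        ident = "%08X" % self.counter
        self.pending[ident] = session
        return "227 Entering single-port mode (%s)\r\n" % ident

def run_handshake(server, client_lines):
    """Replay one fresh connection to the single port. Returns (replies,
    outcome): outcome is the control session the new data connection belongs
    to, 'control' if it stays a control connection, or 'drop' (close it)."""
    full = server.users >= server.max_users
    replies = ["220 Too many users; only SPDT allowed\r\n" if full
               else "220 FTP server ready\r\n"]
    for cmd in client_lines:
        verb, _, arg = cmd.strip().partition(" ")
        verb = verb.upper()
        if verb == "SPDT":                       # first, after USER, or after PASS
            session = server.pending.pop(arg, None)  # pop: identifier used once
            if session is None:
                replies.append("504 Unknown identifier\r\n")
                return replies, "drop"           # section 3: 504, then drop
            replies.append("200\r\n")            # bare code, nothing after it
            return replies, session
        if full:                                 # section 5: only SPDT accepted
            replies.append("421 Too many users connected. Try later.\r\n")
            return replies, "drop"
        replies.append("331 Enter password\r\n" if verb == "USER" else
                       "230 You are logged in\r\n" if verb == "PASS" else
                       "500 Unknown command\r\n")
    server.users += 1                            # no SPDT: ordinary control session
    return replies, "control"
```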
6. PROTOCOL ALTERNATIVE

   It may be too complicated to allow two commands (USER and SPDT) as
   the initial command of a connection.  Therefore the following
   extension is also imaginable:

   SPRT returns an answer of the style:

      227 Any informational text (pseudo-username:session-id)

   To establish a data connection the client sends the following
   commands:

      USER pseudo-username
      PASS session-id

   PASS returns 200<CRLF> to indicate that the connection is a data
   connection and not a control connection.

   Example:

      C--1-->S SPSV<CRLF>
      S--1-->C 227 Entering single-port mode (DATACONN:000007D6)<CRLF>
      (Client establishes connection 2)
      S---2->C 220 FTP server ready<CRLF>
      C---2->S USER DATACONN<CRLF>
      S---2->C 331 Please give session ID as password.<CRLF>
      C---2->S PASS 000007D6<CRLF>
      S---2->C 200<CRLF>

REFERENCES

   [1] File Transfer Protocol (FTP), RFC 959
   [2] FTP Operation Over Big Address Records, RFC 1545
   [3] Firewall-Friendly FTP, RFC 1579
   [4] FTP Extensions for IPv6 and NATs, RFC 2428

AUTHOR

   Martin Rosenau
   Johannes Schuster Weg 14
   76185 Karlsruhe
   Germany

   Email: martin a t rosenau-ka.de

Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.