INTERNET-DRAFT                                               M. Rosenau
Expires: June 23, 2007                                December 27, 2006
Category: Experimental

                FTP EXTENSION ALLOWING IP FORWARDING (NATs)
                  <draft-rosenau-ftp-single-port-00.txt>


Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 23, 2007.


Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The FTP protocol [1] needs two connections: a control connection and
   a data connection. In networks that use "port forwarding" (e.g. SSH,
   DSL routers, VPNs) a server can often listen on only one TCP port.
   In such networks the traditional FTP protocol cannot be used.

   This memo describes an extension to the FTP protocol that allows
   the use of FTP using only one TCP port number for both control
   connections and passive-mode data connections.



Rosenau            FTP extension for IP forwarding              [Page 1]


1.  INTRODUCTION

   To transfer data via FTP [1] two connections are needed: a control
   connection and a data connection.

   In traditional FTP there are two methods to establish the data
   connection:

   1) The active method: The server establishes the data connection;
      the client must send its address to the server and listen on a
      TCP port.

   2) The passive method: The server sends its address (including
      the TCP port number) to the client, which establishes the
      connection.

   The active method requires that the client can listen for incoming
   connections and that the server can establish a connection to the
   client. The client must know its own address as it is seen by the
   server. This is not the case when the client is behind a
   firewall [3].

   The passive method requires the server to be able to listen for
   incoming TCP connections on a second port and to know its own IP
   address. If the server is behind a NAT firewall with TCP port
   forwarding, this is often not the case.

   Both variants originally work only with IPv4; FTP over other
   network protocols requires special extensions such as the "EPRT" [4]
   or the "LPRT" [2] command. These extensions do not work with
   protocols that have no "port" concept.

   This draft describes an extension to the FTP protocol that allows
   FTP to be used with TCP port forwarding (so-called IP forwarding)
   and with any stream-oriented network protocol, including protocols
   that have no "port" concept.


2.  OVERVIEW

   The root of the problems described above is that either the server
   or the client must know its own network address (including the port
   number when using TCP) and tell it to the other side. In passive
   mode the server also needs a second TCP port, which can be a problem
   when TCP port forwarding is used.

   The extension proposed here allows the server to use the same
   address and port number for a passive connection as for a control
   connection.

   To establish the data connection the client establishes a second
   connection to the same port that is used for the control connection
   and tells the server that it desires to establish a data connection.

   Because the client already knows the address and port number of the
   control connection (it could not have connected otherwise), neither
   the server nor the client needs to know its own address or port
   number.


3.  EXTENSION COMMANDS ADDED

      USE SINGLE PORT PASSIVE MODE ("SPSV" proposed)

         This command is sent by the client to indicate that it wants
         to use the method described in this document to establish a
         data connection.

         If the command succeeds the server will reply

             227 Any informational text (identifier)

         The identifier sent in brackets is a string that is used by
         the client to establish the data connection.

         The identifier SHOULD only include uppercase letters (A-Z) and
         digits (0-9). It must not contain brackets or characters above
         126 or below 33. The identifier must not be longer than 32
         characters.

         The identifier is necessary because multiple clients can
         connect to the FTP server at the same time. Without the
         identifier the FTP server could not tell which client is
         establishing a data connection.


      ESTABLISH DATA CONNECTION ("SPDT" proposed)

         This command is the only command sent over the data
         connection. It is sent instead of a "USER" command. The server
         should also be prepared to accept the command in place of the
         "PASS" command or directly after the "PASS" command (see
         examples). In that case the server should ignore the user name
         and the password.

         The argument is the identifier received in the answer to the
         "use single port passive mode" command.

         If the server accepts the command it returns "200", CR, LF to
         indicate that the connection is now a data connection. The
         server should not send any text or space character after the
         "200".

         If the identifier was not correct the server returns a reply
         with the code 504 and drops the TCP connection.


4.  EXAMPLE TRANSMISSION SCENARIO

   - The first connection ("--1-->") is established.
     S--1-->C   220 FTP server ready<CRLF>
     C--1-->S   USER u001<CRLF>
     S--1-->C   331 Enter password<CRLF>
     C--1-->S   PASS xyz<CRLF>
     S--1-->C   230 You are logged in<CRLF>
     C--1-->S   SPSV<CRLF>
     S--1-->C   227 Entering single-port mode (000007D6)<CRLF>
   - The second connection ("---2->") is established
     S---2->C   220 FTP server ready<CRLF>
     C---2->S   SPDT 000007D6<CRLF>
     S---2->C   200<CRLF>
     C--1-->S   RETR contents.txt<CRLF>
     S--1-->C   150 Transmitting data<CRLF>
     S---2->C   (Contents of contents.txt)
   - The server closes the second connection
     S--1-->C   226 Data transferred<CRLF>
     ...


   Because some proxy servers send the user name (and password) when
   connecting to an FTP server, the server should also accept the
   following ways of establishing a data connection:
     S---2->C   220 FTP server ready<CRLF>
     C---2->S   USER u001<CRLF>
     S---2->C   331 Enter password<CRLF>
     C---2->S   SPDT 000007D6<CRLF>
     S---2->C   200<CRLF>
   or:
     S---2->C   220 FTP server ready<CRLF>
     C---2->S   USER u001<CRLF>
     S---2->C   331 Enter password<CRLF>
     C---2->S   PASS xyz<CRLF>
     S---2->C   230 You are logged in<CRLF>
     C---2->S   SPDT 000007D6<CRLF>
     S---2->C   200<CRLF>


5.  THE "SERVICE NOT READY" MESSAGE

   When too many control connections are open, many FTP servers refuse
   new connections. The server sends the following message:
       120 Too many users connected. Try later.<CRLF>
   and drops the connection.

   A server that is waiting for a passive data connection cannot do
   this, because the new connection may be a data connection. For this
   case the following behaviour is proposed:
      <--- 220 Too many users; only SPDT allowed<CRLF>
      ---> USER u001<CRLF>
      <--- 421 Too many users connected. Try later.<CRLF>
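   As an added illustration (not code from this draft), the following
   Python model shows the server-side dispatch described in sections 3
   to 5: SPSV hands out a single-use identifier, and every new
   connection on the one listening port is classified as a control
   connection, an SPDT data connection (including the proxy variants
   of section 4), or a refused connection under the section 5 user
   limit. The in-memory pending table, the user limit and the random
   identifier generation are assumptions of this example.

```python
import re
import secrets

IDENT_RE = re.compile(r"^[A-Z0-9]{1,32}$")  # section 3: A-Z, 0-9, at most 32 chars

class SinglePortFtpServer:
    """One-port dispatcher: is a new connection a control or an SPDT data connection? (assumed design)"""

    def __init__(self, max_users=2):
        self.pending = {}          # identifier -> control session awaiting its data connection
        self.control_sessions = 0  # open control connections, for the section 5 limit
        self.max_users = max_users

    def handle_spsv(self, session, ident=None):
        """Control connection: answer SPSV with a fresh, unguessable identifier (caller may supply one)."""
        ident = ident or secrets.token_hex(4).upper()  # 8 hex digits, e.g. 000007D6
        self.pending[ident] = session                    # single use: removed on the first SPDT
        return f"227 Entering single-port mode ({ident})"

    def accept_connection(self, lines):
        """Run a new connection through its first commands. `lines` is the client's command
        sequence (constructed here, not read from a socket). Returns (kind, replies, session)."""
        full = self.control_sessions >= self.max_users
        replies = ["220 Too many users; only SPDT allowed" if full else "220 FTP server ready"]
        seen_user = seen_pass = False
        for line in lines:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "SPDT":
                # Accepted instead of USER, instead of PASS, or right after PASS (sections 3, 4).
                session = self.pending.pop(arg, None) if IDENT_RE.match(arg) else None
                if session is None:
                    replies.append("504 Unknown identifier")  # server then drops the TCP connection
                    return "dropped", replies, None
                replies.append("200")                         # bare code, no text after it
                return "data", replies, session
            if verb == "USER" and not seen_user:
                if full:  # section 5: refuse new control connections, keep accepting SPDT
                    replies.append("421 Too many users connected. Try later.")
                    return "dropped", replies, None
                seen_user = True
                replies.append("331 Enter password")
            elif verb == "PASS" and seen_user and not seen_pass:
                seen_pass = True
                replies.append("230 You are logged in")
            else:
                break  # any other command: an ordinary control connection from here on
        self.control_sessions += 1
        return "control", replies, None
```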


6.  PROTOCOL ALTERNATIVE

   It may be too complicated to allow two different commands (USER and
   SPDT) as the initial command of a connection. Therefore the
   following alternative extension is also conceivable:

   SPSV returns an answer of the form:

       227 Any informational text (pseudo-username:session-id)

   To establish a data connection the client sends the following
   commands:

       USER pseudo-username
       PASS session-id

   PASS returns "200", CR, LF to indicate that the connection is a data
   connection and not a control connection.

   Example:

     C--1-->S   SPSV<CRLF>
     S--1-->C   227 Entering single-port mode (DATACONN:000007D6)<CRLF>
   (Client establishes connection 2)
     S---2->C   220 FTP server ready<CRLF>
     C---2->S   USER DATACONN<CRLF>
     S---2->C   331 Please give session ID as password.<CRLF>
     C---2->S   PASS 000007D6<CRLF>
     S---2->C   200<CRLF>


REFERENCES

    [1] FILE TRANSFER PROTOCOL (FTP), RFC 959
    [2] FTP Operation Over Big Address Records, RFC 1545
    [3] Firewall-Friendly FTP, RFC 1579
    [4] FTP Extensions for IPv6 and NATs, RFC 2428


AUTHOR

   Martin Rosenau
   Johannes Schuster Weg 14
   76185 Karlsruhe
   Germany

   Email: martin  a t  rosenau-ka.de


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
