On 05.04.2021 at 14:10, Ruben van Staveren via freebsd-stable wrote:
>
>
>> On 3 Apr 2021, at 22:39, Ed Maste <ema...@freebsd.org> wrote:
>>
>> I propose deprecating the ftpd currently included in the base system
>> before FreeBSD 14, and opened review D26447
>> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
>> I had originally planned to try to do this before 13.0, but it dropped
>> off my list. FTP is not nearly as relevant now as it once was, and it
>> had a security vulnerability that secteam had to address.
>>
>> I'm happy to make a port for it if anyone needs it. Comments?
>
> Make it a port
>
>
> It is time to deprecate ftp altogether, and any other protocols that embed
> protocol information in layer 7, thus hurting any #IPv6 migration and
> deployment technology (SIIT-DC e.g).
How would the FTP protocol hurt IPv6 deployment? Some IPv4 --> IPv6 transition techniques will not be able to support it, in the same way that NAT hardly copes with the FTP protocol. The whole problem looks completely different: FTP is an ancient protocol where active mode works fine only when both ends are directly reachable, so IPv6 used on both ends can make the FTP protocol work in active mode again.

> Hopefully the IETF can put up a deprecation notice, just as was done for e.g.
> TLS 1.0.
> Then we move onward to the self regulating capacity of the community, warning
> each other on “you have ftp” running.
>

TLS was to provide security, but TLS 1.0 became considered not secure enough at some point; the same happened to SSH1, which is no longer trusted. Ancient protocols _do_ exist, and probably neither GOPHER nor FTP will become deprecated as network protocols.

> ftp, a protocol not using TLS protection but by adding it a netadmin needs to
> manage the port range in their firewalls too because clients behind nat can’t
> use passive mode with TLS as NAT can’t map things around ¯\_(ツ)_/¯
>
> It is not worth the time and the hassle. Keep FTP(s) for legacy and internal,
> serve anyone else with https

There are _many_ devices which can download files only with the FTP or TFTP protocols. Uploading files with HTTP or HTTPS is impossible; only SCP sometimes works, but older network equipment usually doesn't support new ciphers, and using SSH/SCP seems to be painful sometimes. Some protocols are insecure and simplistic from their early design. Forcing an FTP, TFTP or TELNET ban would only lead to more frustration for sysadmins. 16 years ago DNS, insecure by design, gained security support via DNSSEC. Please consider why DNSSEC is not, and likely will not soon be, widely deployed. This was an off-topic note, but probably in place.

With kind regards,
--
Marek Zarychta
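Added example, not part of the thread and not FreeBSD's ftpd code, illustrating the point both messages turn on: classic FTP writes the data-channel endpoint into the control-channel text (the PORT command and the 227 reply to PASV), so a NAT or an IPv4/IPv6 translator such as SIIT-DC has to find and rewrite that layer-7 field, while the RFC 2428 forms EPRT/EPSV either tag the address family or omit the address entirely. All sample lines and peer addresses below are constructed; the helper names are my own.

```python
import ipaddress
import re

# Constructed sample control-channel lines (not from any real capture).
SAMPLE_PORT_CMD = "PORT 192,168,1,10,4,1"                       # active, IPv4
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,195,80)"
SAMPLE_EPRT_CMD = "EPRT |2|2001:db8::10|1025|"                   # RFC 2428, IPv6
SAMPLE_EPSV_REPLY = "229 Entering Extended Passive Mode (|||49152|)"

_H1H2 = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_classic(text):
    """Decode the h1,h2,h3,h4,p1,p2 field of a PORT command or a 227 reply.

    Returns (IPv4Address, port). The address is whatever the sender wrote;
    behind NAT that is usually its private address, not the address the
    packets actually arrive from.
    """
    m = _H1H2.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % text)
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def parse_extended(text, control_peer):
    """Decode an RFC 2428 EPRT command or 229 reply (delimiter assumed '|').

    EPRT carries |af|addr|port| with af 1 = IPv4, 2 = IPv6. The 229 reply to
    EPSV carries only the port; the client reuses the control connection's
    peer address (control_peer), so nothing at layer 7 needs rewriting.
    """
    fields = text.split("|")
    if text.startswith("EPRT"):
        if len(fields) != 5:
            raise ValueError("malformed EPRT in %r" % text)
        af, addr, port = fields[1], fields[2], int(fields[3])
        host = ipaddress.ip_address(addr)
        if {"1": 4, "2": 6}.get(af) != host.version:
            raise ValueError("address family %r does not match %s" % (af, addr))
        return host, port
    if text.startswith("229"):
        if len(fields) != 5 or fields[1] or fields[2]:
            raise ValueError("malformed 229 reply in %r" % text)
        return ipaddress.ip_address(control_peer), int(fields[3])
    raise ValueError("not an EPRT/EPSV line: %r" % text)


def data_endpoint(line, control_peer):
    """(address, port) the data connection must reach for one control line."""
    if line.startswith(("PORT", "227")):
        return parse_classic(line)
    return parse_extended(line, control_peer)


def needs_alg_rewrite(line, control_peer):
    """True when a middlebox would have to edit the payload to keep FTP working:
    the address written into the command differs from the address the control
    connection is actually seen from (private address behind NAT, or an IPv4
    literal inside a session an IPv6-only host reaches through a translator).
    """
    host, _ = data_endpoint(line, control_peer)
    peer = ipaddress.ip_address(control_peer)
    return host.version != peer.version or host != peer


if __name__ == "__main__":
    # Constructed observers: a server seeing a NAT'ed client, a client seeing
    # the server directly, and an IPv6-only client behind a NAT64/SIIT prefix.
    cases = [
        (SAMPLE_PORT_CMD, "198.51.100.7"),
        (SAMPLE_PASV_REPLY, "203.0.113.5"),
        (SAMPLE_PASV_REPLY, "64:ff9b::cb00:7105"),
        (SAMPLE_EPRT_CMD, "2001:db8::10"),
        (SAMPLE_EPSV_REPLY, "64:ff9b::cb00:7105"),
    ]
    for line, peer in cases:
        host, port = data_endpoint(line, peer)
        print("%-55s -> %s:%d rewrite=%s" % (line, host, port, needs_alg_rewrite(line, peer)))
```

The detection side of this is the practical takeaway: a firewall or translator that merely forwards TCP/21 will see the data connection fail whenever `needs_alg_rewrite` is true, which is why FTP through NAT needs an application-level gateway (or the port-range holes Ruben mentions when TLS hides the control channel), and why a client issuing EPSV avoids the problem altogether.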