How about after throwing firewalls into the mix? FTP's dual-port architecture is simply a nightmare.
Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Fri, Jun 12, 2020 at 1:01 PM Charles Mills <charl...@mcn.org> wrote:

> X-Posted IBMMAIN and IBMTCP. Apologies. This is a question that is both
> urgent for us and perhaps a little obscure.
>
> With Passive FTP, the server uses a PORT command to say to the client "open
> the data connection on this IP address." Unfortunately with NAT that is an
> internal address that is meaningless at the client. Many firewalls or
> routers that support NAT are apparently smart enough to translate that PORT
> command from an internal to an external address, and everything works
> wonderfully.
>
> The wrinkle comes with TLS: the control connection is encrypted and
> inaccessible to the firewall or router.
>
> Enter CCC:
>
> https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.halz001/ftpcastlsrfclevel.htm
> https://tools.ietf.org/html/rfc4217#page-19
>
> CCC says "stop encrypting the control connection (so the router or firewall
> can see and translate it)."
>
> Apparently -- and this is where my knowledge gets fuzzy -- the RFC now
> requires that the partners close the control connection at that point, but
> z/OS FTP perhaps does not support that (?).
>
> CCC has security red flags all over it, which is understandable, and it
> looks like we may be encountering a firewall or router that does not support
> it, or perhaps does not support the non-RFC version of it.
>
> I am asking here "what is the 'right' answer?" How is passive FTP supposed
> to work over a TLS session with NAT in effect?
> Charles
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------