Last Call Review of draft-hethmon-mcmurray-ftp-hosts-
review-hethmon-mcmurray-ftp-hosts-secdir-lc-orman-2010-05-03-00
Security review of
File Transfer Protocol HOST Command
draft-hethmon-mcmurray-ftp-hosts-11
Do not be alarmed. I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG. These comments were written primarily
for the benefit of the security area directors. Document editors and
WG chairs should treat these comments just like any other last call
comments.
This protocol modification adds a command ("HOST") by which the client
designates a virtual host. The server will then use an authentication
method suitable for that host, much as though a separate FTP server
were running for each virtual host.
There is a small area of concern surrounding the information
contained in the "HOST" command. If the name of the virtual host is
sensitive information, then clients should protect it by using
encryption when first connecting to the server. Although the
document anticipates host names as being publicly available DNS
names, that is not necessary, and some organizations will probably
use private names.
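To make the ordering concern concrete, here is an added example (not part of the review or of the draft) that models a minimal FTP control-channel state machine with the HOST command, plus a client-side policy check reporting whether the virtual-host name would cross the wire before TLS is negotiated. The virtual host names, the per-host authentication methods, and the 503/504 reply wording are constructed assumptions for illustration; 234 for a successful AUTH TLS and 220 for an accepted HOST follow the usual FTP reply conventions but are not taken from the draft text.

```python
"""Toy model of an FTP control connection with the HOST command.

Added example, not code from the draft or any real FTP implementation.
It tracks whether the HOST argument was sent on an unencrypted control
connection, which is the exposure the review above points out.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed per-virtual-host configuration (constructed values): the server
# selects the authentication method once the client has named a host.
VIRTUAL_HOSTS = {
    "ftp.example.com": "password",
    "internal-build-drop.corp.example": "client-cert",
}


@dataclass
class SessionState:
    tls: bool = False                 # True once AUTH TLS has succeeded
    host: Optional[str] = None        # virtual host chosen via HOST
    user: Optional[str] = None        # set once USER is seen
    cleartext_host: bool = False      # HOST name went out unencrypted


def handle_command(state: SessionState, line: str) -> str:
    """Apply one client command to the session and return the server reply."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()

    if verb == "AUTH" and arg.upper() == "TLS":
        state.tls = True
        return "234 AUTH TLS successful"

    if verb == "HOST":
        if state.user is not None:
            # Assumed sequencing rule: the host must be chosen before USER,
            # because it decides which authentication method applies.
            return "503 Bad sequence of commands: HOST must precede USER"
        if arg not in VIRTUAL_HOSTS:
            return "504 Unknown virtual host"
        state.host = arg
        if not state.tls:
            # The name is visible to anyone observing the control channel.
            state.cleartext_host = True
        return "220 Host accepted"

    if verb == "USER":
        state.user = arg
        method = VIRTUAL_HOSTS.get(state.host, "password")
        return f"331 Authenticate via {method}"

    return "502 Command not implemented"


def run_session(commands: List[str]) -> Tuple[SessionState, List[str]]:
    """Replay a list of client commands; return final state and replies."""
    state = SessionState()
    replies = [handle_command(state, c) for c in commands]
    return state, replies


def host_sent_in_clear(commands: List[str]) -> bool:
    """Client-side policy check: True if HOST would be sent before TLS."""
    state, _ = run_session(commands)
    return state.cleartext_host


if __name__ == "__main__":
    # Constructed transcripts: the second protects the host name with TLS.
    exposed = ["HOST internal-build-drop.corp.example", "AUTH TLS", "USER alice"]
    protected = ["AUTH TLS", "HOST internal-build-drop.corp.example", "USER alice"]
    for name, cmds in (("exposed", exposed), ("protected", protected)):
        state, replies = run_session(cmds)
        print(name, "cleartext_host =", state.cleartext_host)
        for c, r in zip(cmds, replies):
            print("  C:", c)
            print("  S:", r)
```

Running the block prints both transcripts; the first reports `cleartext_host = True` because HOST preceded AUTH TLS, the second reports `False`. A client that treats its virtual-host names as private can apply `host_sent_in_clear` to its planned command sequence before connecting.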
Hilarie