Securing FTP with TLS
RFC 4217

 
Document type: RFC - Proposed Standard (October 2005; Errata)
Was: draft-murray-auth-ftp-ssl (individual in app area)
Last updated: 2013-03-02
Stream: IETF
WG state: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned
IESG state: RFC 4217 (Proposed Standard)
Responsible AD: Ted Hardie
Send notices to: <ericm@lne.com>, <pfh@uk.ibm.com>, <tjh@cryptsoft.com>, <mjc@uk.ibm.com>
Network Working Group                                 P. Ford-Hutchinson
Request for Comments: 4217                                    IBM UK Ltd
Category: Standards Track                                   October 2005

                         Securing FTP with TLS

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document describes a mechanism that can be used by FTP clients
   and servers to implement security and authentication using the TLS
   protocol defined by RFC 2246, "The TLS Protocol Version 1.0.", and
   the extensions to the FTP protocol defined by RFC 2228, "FTP Security
   Extensions".  It describes the subset of the extensions that are
   required and the parameters to be used, discusses some of the policy
   issues that clients and servers will need to take, considers some of
   the implications of those policies, and discusses some expected
   behaviours of implementations to allow interoperation.  This document
   is intended to provide TLS support for FTP in a similar way to that
   provided for SMTP in RFC 2487, "SMTP Service Extension for Secure
   SMTP over Transport Layer Security", and HTTP in RFC 2817, "Upgrading
   to TLS Within HTTP/1.1.".

   This specification is in accordance with RFC 959, "File Transfer
   Protocol".  It relies on RFC 2246, "The TLS Protocol Version 1.0.",
   and RFC 2228, "FTP Security Extensions".

Ford-Hutchinson             Standards Track                     [Page 1]
RFC 4217                 Securing FTP with TLS              October 2005

Table of Contents

   1. Introduction ....................................................3
   2. Audience ........................................................5
   3. Overview ........................................................5
   4. Session Negotiation on the Control Port .........................5
      4.1. Client Wants a Secured Session .............................5
      4.2. Server Wants a Secured Session .............................6
   5. Clearing the Control Port .......................................6
   6. Response to the FEAT Command ....................................7
   7. Data Connection Behaviour .......................................8
   8. Mechanisms for the AUTH Command .................................9
   9. Data Connection Security ........................................9
   10. A Discussion of Negotiation Behaviour .........................11
      10.1. The Server's View of the Control Connection ..............11
      10.2. The Server's View of the Data Connection .................12
      10.3. The Client's View of the Control Connection ..............14
      10.4. The Client's View of the Data Connection .................15
   11. Who Negotiates What, Where, and How ...........................15
      11.1. Do we protect at all? ....................................15
      11.2. What level of protection do we use on the Control
            connection? ..............................................15
      11.3. Do we protect data connections in general? ...............16
      11.4. Is protection required for a particular data transfer? ...16
      11.5. What level of protection is required for a
            particular data ..........................................16
   12. Timing Diagrams ...............................................16
      12.1. Establishing a Protected Session .........................17
      12.2. Establishing a Protected Session Without a
            Password Request .........................................18
      12.3. Establishing a Protected Session and then
            Clearing with the CCC ....................................19
      12.4. A Standard Data Transfer Without Protection ..............20
      12.5. A Firewall-Friendly Data Transfer Without Protection .....20
      12.6. A Standard Data Transfer with Protection .................21
      12.7. A Firewall-Friendly Data Transfer with Protection ........21
   13. Discussion of the REIN Command ................................22
   14. Discussion of the STAT and ABOR Commands ......................22
   15. Security Considerations .......................................23
      15.1. Verification of Authentication Tokens ....................23
           15.1.1. Server Certificates ...............................23
           15.1.2. Client Certificates ...............................23