Date:      Mon, 5 Apr 2021 16:00:01 +0200
From:      Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To:        Ruben van Staveren <ruben@verweg.com>, freebsd-stable stable <freebsd-stable@freebsd.org>
Subject:   Re: Deprecating base system ftpd?
Message-ID:  <500f2fa0-87cc-07cc-30c1-e006f035bd30@plan-b.pwste.edu.pl>
In-Reply-To: <38DE0531-1572-43DD-BA53-ECB3EF52FA3F@verweg.com>
References:  <CAPyFy2AbP2X339zbemZ9Y8edjNKdyygnR9mH48Q78nxwDtOBAg@mail.gmail.com> <38DE0531-1572-43DD-BA53-ECB3EF52FA3F@verweg.com>

On 05.04.2021 at 14:10, Ruben van Staveren via freebsd-stable wrote:
>
>> On 3 Apr 2021, at 22:39, Ed Maste <emaste@freebsd.org> wrote:
>>
>> I propose deprecating the ftpd currently included in the base system
>> before FreeBSD 14, and opened review D26447
>> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
>> I had originally planned to try to do this before 13.0, but it dropped
>> off my list. FTP is not nearly as relevant now as it once was, and it
>> had a security vulnerability that secteam had to address.
>>
>> I'm happy to make a port for it if anyone needs it. Comments?
>
> Make it a port
>
> It is time to deprecate ftp altogether, and any other protocols that embed
> protocol information in layer 7, thus hurting any #IPv6 migration and
> deployment technology (SIIT-DC e.g).

How would the FTP protocol hurt IPv6 deployment? Some IPv4 --> IPv6
transition techniques will not be able to support it, the same way NAT
hardly copes with the FTP protocol. The whole problem looks completely
different. FTP is an ancient protocol where active mode works fine only
when both ends are directly reachable, so the IPv6 protocol used on both
ends can make the FTP protocol work in active mode again.

> Hopefully the IETF can put up a deprecation notice, just as was done for
> e.g. TLS 1.0.
> Then we move onward to the self regulating capacity of the community,
> warning each other on “you have ftp” running.
>
TLS was to provide security, but TLS 1.0 became considered not secure
enough at some point; the same happened to SSH1, which is no longer
trusted. Ancient protocols _do_ exist, and probably neither GOPHER nor
FTP will become deprecated as network protocols.

> ftp, a protocol not using TLS protection but by adding it a netadmin
> needs to manage the port range in their firewalls too because clients
> behind nat can’t use passive mode with TLS as NAT can’t map things
> around ¯\_(ツ)_/¯
>
> It is not worth the time and the hassle. Keep FTP(s) for legacy and
> internal, serve anyone else with https

There are _many_ devices which can download files only with the FTP or
TFTP protocols. Uploading files with HTTP or HTTPS is impossible; only
SCP sometimes works, but older network equipment usually doesn't support
new ciphers, and using SSH/SCP is sometimes painful.

Some protocols are insecure and simplistic from their early design.
Forcing an FTP, TFTP or TELNET ban would only lead to more frustration
for sysadmins.

16 years ago DNS, insecure by design, gained security support via
DNSSEC. Please consider why DNSSEC is not, and likely will not soon be,
widely deployed. This was an off-topic note, but probably in place.

With kind regards,

-- 
Marek Zarychta
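As an added example that is not part of this thread, the Python below parses the data-channel endpoint FTP embeds in its control channel (RFC 959 PORT / 227 reply and RFC 2428 EPRT) and flags the RFC 1918 IPv4 addresses a NAT on the path would have to rewrite; this is the layer-7 address embedding the thread is arguing about, and it shows why an IPv6 end-to-end path sidesteps the problem. Function names and the sample control-channel lines are constructed for this example.

```python
import ipaddress
import re
# Constructed for this example: RFC 1918 ranges a NAT44 on the path would
# have to rewrite inside the control channel (the job of an "FTP ALG").
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 959 PORT command / 227 PASV reply: "h1,h2,h3,h4,p1,p2" (IPv4 only).
_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 EPRT command: "|<af>|<address>|<port>|", af 1 = IPv4, 2 = IPv6.
_EPRT_RE = re.compile(r"\|([12])\|([^|]+)\|(\d{1,5})\|")

def parse_data_endpoint(line):
    """Return (ip_address, port) embedded in PORT/EPRT/227, else None."""
    verb = line.strip().split(" ", 1)[0].upper()
    if verb in ("PORT", "227"):
        m = _PORT_RE.search(line)
        if not m:
            return None
        octets = [int(x) for x in m.groups()]
        if any(v > 255 for v in octets):
            return None
        addr = ipaddress.ip_address(".".join(str(v) for v in octets[:4]))
        return addr, octets[4] * 256 + octets[5]
    if verb == "EPRT":
        m = _EPRT_RE.search(line)
        if not m:
            return None
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            return None
        # The address-family tag must agree with the address actually given.
        if addr.version != {1: 4, 2: 6}[int(m.group(1))]:
            return None
        return addr, int(m.group(3))
    return None

def needs_nat_rewrite(line):
    """True when the endpoint is RFC 1918 IPv4: a NAT must patch the payload
    or the data connection fails; IPv6 endpoints (EPRT |2|) never need it."""
    ep = parse_data_endpoint(line)
    if ep is None:
        return False
    addr, _ = ep
    return addr.version == 4 and any(addr in n for n in RFC1918)

# Constructed control-channel transcript, not taken from any real capture.
SAMPLE = ["PORT 192,168,1,10,4,1",                           # active, behind NAT
          "227 Entering Passive Mode (203,0,113,5,195,80)",  # passive, public server
          "EPRT |2|2001:db8::10|1025|"]                      # active over IPv6
```

Running `needs_nat_rewrite` over `SAMPLE` flags only the active-mode PORT line; the passive reply carries a public address and the EPRT line carries an IPv6 address, so neither needs an ALG.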


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?500f2fa0-87cc-07cc-30c1-e006f035bd30>