From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
To: Ruben van Staveren, freebsd-stable stable
Subject: Re: Deprecating base system ftpd?
Date: Mon, 5 Apr 2021 16:00:01 +0200
Message-ID: <500f2fa0-87cc-07cc-30c1-e006f035bd30@plan-b.pwste.edu.pl>
In-Reply-To: <38DE0531-1572-43DD-BA53-ECB3EF52FA3F@verweg.com>
On 05.04.2021 at 14:10, Ruben van Staveren via freebsd-stable wrote:
>
>
>> On 3 Apr 2021, at 22:39, Ed Maste wrote:
>>
>> I propose deprecating the ftpd currently included in the base system
>> before FreeBSD 14, and opened review D26447
>> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
>> I had originally planned to try to do this before 13.0, but it dropped
>> off my list. FTP is not nearly as relevant now as it once was, and it
>> had a security vulnerability that secteam had to address.
>>
>> I'm happy to make a port for it if anyone needs it. Comments?
>
> Make it a port
>
>
> It is time to deprecate ftp altogether, and any other protocols that embed protocol information in layer 7, thus hurting any #IPv6 migration and deployment technology (SIIT-DC e.g).

How would the FTP protocol hurt IPv6 deployment? Some IPv4 --> IPv6 transition techniques will not be able to support it, the same way NAT hardly copes with the FTP protocol. The whole problem looks completely different. FTP is an ancient protocol where the active mode works fine only when both ends are directly reachable, so the IPv6 protocol used on both ends can make the FTP protocol work in active mode again.
> Hopefully the IETF can put up a deprecation notice, just as was done for e.g. TLS 1.0.
> Then we move onward to the self regulating capacity of the community, warning each other on "you have ftp" running.
>

TLS was to provide security, but TLS 1.0 became considered not secure enough at some point; the same happened to SSH1, which is no longer trusted. Ancient protocols _do_ exist, and probably neither GOPHER nor FTP will become deprecated as network protocols.

> ftp, a protocol not using TLS protection but by adding it a netadmin needs to manage the port range in their firewalls too because clients behind nat can't use passive mode with TLS as NAT can't map things around ¯\_(ツ)_/¯
>
> It is not worth the time and the hassle. Keep FTP(s) for legacy and internal, serve anyone else with https

There are _many_ devices which can download files only with the FTP or TFTP protocols. Uploading files with HTTP or HTTPS is impossible; only SCP sometimes works, but older network equipment usually doesn't support new ciphers, and using SSH/SCP sometimes seems painful. Some protocols are insecure and simplistic from their early design. Forcing a ban on FTP, TFTP or TELNET would only lead to more frustration for sysadmins. 16 years ago DNS, insecure by design, gained security support via DNSSEC. Please consider why DNSSEC is not, and likely will not soon be, widely deployed. This was an off-topic note, but probably in place.
With kind regards,
--
Marek Zarychta
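The point both sides of the thread circle around, that FTP carries the data-connection address and port inside the layer-7 control channel, can be made concrete with a small parser for PORT/EPRT commands and 227/229 replies that compares the embedded endpoint with the control connection's peer. This is an added example, not code from the thread or from FreeBSD's ftpd; the sample lines, the peer addresses (documentation ranges) and the classification labels are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines (not from the thread), each with the control connection's peer
# address. PORT/EPRT come from the client (active mode); 227/229 from the server (passive).
SAMPLE = [
    ("PORT 10,0,0,5,19,137", "203.0.113.7"),  # RFC 1918 address leaked through NAT
    ("227 Entering Passive Mode (198,51,100,2,195,80)", "198.51.100.2"),
    ("EPRT |2|2001:db8::1|49154|", "2001:db8::1"),
    ("229 Entering Extended Passive Mode (|||50000|)", "198.51.100.2"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_PORT_RE = re.compile(r"^(?:PORT\s+|227 .*?\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
_EPRT_RE = re.compile(r"^EPRT\s+\|[12]\|([^|]+)\|(\d+)\|")
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")

def parse_endpoint(line, control_peer):
    """Return the (ip, port) the line embeds, None if none; ValueError if malformed."""
    if m := _PORT_RE.match(line):          # h1,h2,h3,h4,p1,p2 -> port = p1*256 + p2
        h = m.groups()
        ip, port = ipaddress.ip_address(".".join(h[:4])), int(h[4]) * 256 + int(h[5])
    elif m := _EPRT_RE.match(line):        # |proto|addr|port|
        ip, port = ipaddress.ip_address(m.group(1)), int(m.group(2))
    elif m := _EPSV_RE.match(line):        # (|||port|): the address is implicitly the peer
        ip, port = ipaddress.ip_address(control_peer), int(m.group(1))
    else:
        return None
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return ip, port

def check_endpoint(line, control_peer):
    """Classify the embedded endpoint against the peer of the control connection."""
    peer = ipaddress.ip_address(control_peer)
    try:
        ep = parse_endpoint(line, control_peer)
    except ValueError:
        return "malformed"
    if ep is None:
        return "no-endpoint"
    ip, port = ep
    if ip.version != peer.version:         # e.g. an IPv4 PORT on an IPv6 session
        return "family-mismatch"
    if ip != peer:                         # what a NAT/SIIT box must rewrite, or a host to refuse
        return "private-behind-nat" if any(ip in n for n in RFC1918) else "third-party"
    if port < 1024:
        return "privileged-port"
    return "ok"
```

Running check_endpoint over SAMPLE gives private-behind-nat for the first line and ok for the rest: the NAT'd client's PORT is exactly the line a translator has to rewrite, while the EPRT/EPSV lines work unchanged once both ends are directly reachable over IPv6.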