Deprecating base system ftpd?
Marek Zarychta
zarychtam at plan-b.pwste.edu.pl
Mon Apr 5 14:00:14 UTC 2021
On 05.04.2021 at 14:10, Ruben van Staveren via freebsd-stable wrote:
>
>
>> On 3 Apr 2021, at 22:39, Ed Maste <emaste at freebsd.org> wrote:
>>
>> I propose deprecating the ftpd currently included in the base system
>> before FreeBSD 14, and opened review D26447
>> (https://reviews.freebsd.org/D26447) to add a notice to the man page.
>> I had originally planned to try to do this before 13.0, but it dropped
>> off my list. FTP is not nearly as relevant now as it once was, and it
>> had a security vulnerability that secteam had to address.
>>
>> I'm happy to make a port for it if anyone needs it. Comments?
>
> Make it a port
>
>
> It is time to deprecate ftp altogether, and any other protocols that embed protocol information in layer 7, thus hurting any #IPv6 migration and
> deployment technology (SIIT-DC e.g).
How would the FTP protocol hurt IPv6 deployment? Some IPv4 -->
IPv6 transition techniques will not be able to support it, the same way NAT
hardly copes with the FTP protocol. The whole problem looks completely
different. FTP is an ancient protocol whose active mode works fine
only when both ends are directly reachable, so IPv6 used on
both ends can make the FTP protocol work in active mode again.
> Hopefully the IETF can put up a deprecation notice, just as was done for e.g. TLS 1.0.
> Then we move onward to the self regulating capacity of the community, warning each other on “you have ftp” running.
>
TLS was meant to provide security, but TLS 1.0 came to be considered not
secure enough at some point; the same happened to SSH1, which is no longer
trusted. Ancient protocols _do_ exist, and probably neither GOPHER nor
FTP will be deprecated as network protocols.
> ftp, a protocol not using TLS protection but by adding it a netadmin needs to manage the port range in their firewalls too because clients behind nat can’t use passive mode with TLS as NAT can’t map things around ¯\_(ツ)_/¯
>
> It is not worth the time and the hassle. Keep FTP(s) for legacy and internal, serve anyone else with https
There are _many_ devices which can download files only with the FTP or TFTP
protocols. Uploading files with HTTP or HTTPS is impossible; only SCP
sometimes works, but older network equipment usually doesn't support new
ciphers, and using SSH/SCP can be painful at times.
Some protocols are insecure and simplistic by their early design.
Forcing a ban on FTP, TFTP or TELNET would only lead to more frustration
for sysadmins.
16 years ago, DNS, insecure by design, gained security support via
DNSSEC. Please consider why DNSSEC is not, and likely will not soon be,
widely deployed. This was an off-topic note, but probably in place.
With kind regards,
--
Marek Zarychta
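The point argued in the thread above, that FTP active mode carries the client's layer-3 address inside the layer-7 command stream and therefore breaks behind NAT or an IPv4/IPv6 translator, as an added Python illustration (not code from the thread or from FreeBSD's ftpd; the PORT/EPRT lines and peer addresses are constructed):

```python
"""Active-mode FTP names the client's own address inside the command channel
(PORT / EPRT), so NAT or an IPv4<->IPv6 translator has to rewrite the payload.
Added example, not FreeBSD ftpd code; all sample inputs are constructed."""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|$")  # RFC 2428 form
# Ranges a client behind NAT (or a local process) would leak in PORT/EPRT.
NAT_OR_LOCAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",  # CGNAT, loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128")]               # IPv6 ULA, link-local, loopback

def parse_active_command(line: str):
    """Return (ip, port) the client asks the server to connect back to."""
    m = PORT_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError("PORT fields must be decimal bytes")
        return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2
    m = EPRT_RE.match(line)
    if m:
        proto, addr, port = m.groups()
        ip = ipaddress.ip_address(addr)
        if (proto == "1") != (ip.version == 4):  # 1 = IPv4, 2 = IPv6
            raise ValueError("EPRT protocol tag does not match address family")
        return ip, int(port)
    raise ValueError(f"not an active-mode command: {line!r}")

def is_nat_or_local(ip) -> bool:
    return any(ip in net for net in NAT_OR_LOCAL)

def active_mode_verdict(line: str, control_peer: str) -> str:
    """Predict whether the server's data connection back to the client can work,
    given the source address seen on the control connection."""
    data_ip, _port = parse_active_command(line)
    peer = ipaddress.ip_address(control_peer)
    if data_ip == peer:
        return "ok"          # both ends directly reachable: what active mode assumes
    if data_ip.version != peer.version:
        return "translated"  # v4 address in a v6 session (or vice versa): SIIT/NAT64 in path
    if is_nat_or_local(data_ip):
        return "nat"         # client leaked a private address; only an FTP ALG could fix it
    return "mismatch"        # a third host is named; a server should refuse this

if __name__ == "__main__":  # constructed sample session
    print(active_mode_verdict("PORT 10,0,0,5,4,1", "203.0.113.7"))  # -> nat
```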