]> An FTP Application Layer Gateway (ALG) for IPv4-to-IPv6 Translation Huawei Technologies (USA)
2330 Central Expressway Santa Clara CA 95050 USA +1 408 330 4424 tina.tsou.zouting@huawei.com
Viagenie
246 Aberdeen Quebec QC G1R 2E1 Canada +1 418 656 9254 simon.perreault@viagenie.ca http://viagenie.ca
Huawei Technologies
Huawei Area F, Bantian, Longgang District Shenzhen 518129 China James.huang@huawei.com
INT Internet Engineering Task Force An FTP ALG for NAT64 was defined in RFC 6384. Its scope was limited to an IPv6 client connecting to an IPv4 server. This memo supports the case of an IPv4 client connecting to an IPv6 server.
During the transition from IPv4 to IPv6, some operators need to deploy NAT in their network. Some subscribers have the need to run IPv4 based FTP servers at home, and some of the FTP control messages carry IP address and port number in the payload, which will cause a NAT traversal problem. defines FTP ALG for NAT64, but only for the case where the FTP client is on the inside of the NAT64. The case where an FTP server is on the inside of the NAT64 is not covered. When the FTP server is behind NAT, it can publish its service address via a HTTP redirect server and a DDNS system which needs to support both IP address and port rather than IP address only, or other possible methods. The FTP server can listen on any possible ports, not just port 21; FTP server can get it external IP address and port via some technology like UPnP, and then publish the acquired IP address and port as its URI, ftp://203.0.113.1:1200, port 1200 is allocated by NAT.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
There can be several scenarios if NAT is involved in the network. a) In this scenario, the FTP client is behind NAT, FTP ALG needs to handle the EPRT / PORT command in FTP active mode, translating the IP address and port. This scenario has been covered by , but only for NAT64. This scenario for other kinds of NAT has not been covered.
+--------+ +---------+ +-------+ +---------+ +--------+ | FTP | | | | | | | | FTP | | Client +----+ IPv6 +----+ NAT64 +----+ IPv4 +----+ Server + | | | Network | | | | Network | | | | IPv6 | | | | | | | | IPv4 | +--------+ +---------+ +-------+ +---------+ +--------+
b) If the FTP server is behind a NAT, FTP passive mode will be the only working mode, the EPSV / PASV command and the response will be processed by FTP ALG. This memo covers this scenario.
+--------+ +---------+ +-------+ +---------+ +--------+ | FTP | | | | | | | | FTP | | Server +----+ IPv6 +----+ NAT64 +----+ IPv4 +----+ Client + | | | Network | | | | Network | | | | IPv6 | | | | | | | | IPv4 | +--------+ +---------+ +-------+ +---------+ +--------+
If FTP client issues PASV command to FTP server, FTP ALG translates PASV command into EPSV command , setting the "net-prt" field to 2 (IPv6). The response of EPSV command is translated into PASV response. FTP ALG allocates an IPv4 address and port for the EPSV response message, and builds a NAT mapping entry if the NAT is stateful. The source address of the EPSV response message and the "tcp-port" in the payload are used for the NAT mapping. The allocated IPv4 address and port are put into the PASV response message. For instance, in the IPv4 side of NAT64, FTP server's address is 203.0.113.1. FTP client issues a PASV command to FTP server, and it is translated into EPSV command by FTP AGL, as shown below: PASV command: PASV EPSV command: EPSV 2 When FTP server returns a success response of EPSV containing tcp-port 3000, FTP AGL allocates an IPv4 address 203.0.113.1 and tcp-port 2000 corresponding to the tcp-port 3000 in the EPSV response message, and puts the allocated IP address and port into PASV response message, as shown below: EPSV success response: 229 Entering Passive Mode (|||3000|) PASV success response: 227 Entering Passive Mode (203,0,113,1,7,208)
If FTP client issues EPSV command to FTP server, FTP ALG modifies the "net-prt", change the value from 1 (IPv4) to 2 (IPv6). The response of IPv6 EPSV command is also translated. FTP ALG allocates an IPv4 address and port for the EPSV response message. requires that "the network address used to establish the data connection will be the same network address used for the control connection", so NAT MUST to make sure that IPv4 address for control connection and IPv4 address for data connection for a FTP server must be the same, which means all the mappings for an IPv6 address MUST have the same external IPv4 address. For instance, in the IPv4 side of NAT64, FTP server's address is 203.0.113.1. The FTP client issues an IPv4 EPSV command to FTP server, and it is translated into IPv6 EPSV command by FTP AGL, as shown below: EPSV (IPv4) command: EPSV 1 EPSV (IPv6) command: EPSV 2 When FTP server returns a success response of EPSV containing port 3000, FTP AGL will allocate an IPv4 address 203.0.113.1 and port 2000 corresponding to the port 3000 in the EPSV response message, and put the allocated port into PASV response message, as shown below: EPSV (IPv6) success response: 229 Entering Passive Mode (|||3000|) EPSV (IPv4) success response: 229 Entering Passive Mode (|||2000|)
Command ALGS defined in is extended, three more possible arguments are added: to return the EPSV and EPRT translation status. to enable translation. to disable translation.
This memo includes no request to IANA.
RFC6384's security considerations applies to this document.
&RFC0959; &RFC2119; &RFC2428; &RFC6384;