Return-Path: <news@columbia.edu>
Received: from newsmaster.cc.columbia.edu (newsmaster.cc.columbia.edu [128.59.59.30])
by monire.cc.columbia.edu (8.9.3/8.9.3) with ESMTP id IAA16953
for <kermit.misc@cpunix.cc.columbia.edu>; Tue, 20 Mar 2001 08:51:37 -0500 (EST)
Received: (from news@localhost)
by newsmaster.cc.columbia.edu (8.9.3/8.9.3) id IAA11080
for kermit.misc@watsun.cc.columbia.edu; Tue, 20 Mar 2001 08:49:41 -0500 (EST)
X-Authentication-Warning: newsmaster.cc.columbia.edu: news set sender to <news> using -f
From: jaltman@columbia.edu (Jeffrey Altman)
Subject: Re: Kermit Protocol basic questions
Date: 20 Mar 2001 13:49:40 GMT
Organization: Columbia University
Message-ID: <997n5k$aq6$1@newsmaster.cc.columbia.edu>
To: kermit.misc@columbia.edu
In article <3ab4edcb$1@news.iprimus.com.au>,
--abc-- <ima_devo@hotmail.com> wrote:
: Hi All,
:
: I am currently doing a comparison of the Kermit and FTP protocols and have
: some questions:
I realize Frank already responded to this post, but I have a slightly
different perspective on some of the issues. In particular, this
should not be a comparison of Kermit protocol and FTP. It should be a
comparison of the Internet Kermit Service and FTP.
: 1) Does Kermit's use of a single multiplexed channel have implications for
: simultaneous transfer of commands while data transfer is in progress? (i.e.
: in FTP there are 2 channels available)
The answer to this is 'no'. Even though FTP uses separate channels
for commands and data, there should not be any communication on the
command channel while a data channel is in use. The reason for the
use of the data channel is to provide a clean separation of the data
and to be able to provide a clearly understood "end of file" mark, the
closing of the data channel.
FTP clients or servers that do send data on the command channel while
data transfers are in progress can both confuse their peers and
prevent secure sessions from being used when both the command and data
channels are protected by the same streaming cipher.
The Internet Kermit Service, by using Kermit protocol over a single
channel, provides all of the necessary functionality to perform data
and command exchanges with a well defined set of rules. By using a
single channel the connection is both easier to secure as well as more
flexible, since the use of multiple channels requires an end to end IP
connection as well as specially configured firewalls when more than
one is in use for any given transfer.
: 2) Is the error recovery/Restart functionality available regardless
: of the mode of transfer? (In FTP crash recovery not available using
: stream mode).
Restart functionality is difficult to perform in Text mode transfers
because of two features of the Kermit protocol:
. end of line transformation
. character set translation
both of which make it difficult to determine where the sender is to
begin from based upon what data the receiver currently has. When
transferring data over a network it is necessary for the data to be
placed on the wire in a portable format. So the sender does not know
what form the receiver is storing the data. In fact, even if the
sender was given the information, it might not support that data
representation itself.
: 3) When using FTP, user may set up a connection between 2 other
: servers/machines, and use the users host to control the session. Is this
: capability available in Kermit?
This mode is called "FTP Proxy mode". A client makes connections to
two FTP servers at the same time and then instructs Server A to make a
connection with Server B (which is in passive mode) instead of with
the client. There are several problems with this feature that have
resulted in many FTP server vendors refusing to implement it:
. the ability to instruct Server A to connect to some other host
on an arbitrary port allows the server to be used for denial of
service attacks. Imagine I want to attack your machine without
you knowing who I am. I can establish an anonymous ftp session
with a ftp server and then have that server connect to your
machine on my behalf.
. the data connection between the two FTP servers cannot be
authenticated and therefore not secured. There is no command
channel between the two servers. Therefore, there is no mechanism
for the two servers to determine that they are communicating with
the correct partner.
The IKS does not implement this feature to prevent the first problem.
Although if it did implement the ability to establish outgoing
connections to a third host it would not suffer from the second
problem due to its single channel.
In fact, if you want this functionality you can simply use C-Kermit
over a secure Telnet daemon. Telnet to Server A, start C-Kermit and
establish a secure connection to the IKS on Server B, and instruct
Server A and B to exchange files.
: Also, if you feel OK about some offtopic FTP questions :) :
:
: 1) Does FTP encrypt the login info for start of session, or are plain text
: passwords sent? Or does the TELNET client encrypt the login info?
Both FTP and Telnet protocols provide for strong authentication and
encryption of the TCP/IP connections. Authentication is mutual and
encryption and integrity protection are provided in both directions
for both command and file data. In Telnet, the request for security
can be initiated by either client or the server. In FTP, the request
must be initiated by the client.
Jeffrey Altman * Sr.Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support@kermit-project.org

C-Kermit 7.1 Alpha available
includes Secure Telnet and FTP
using Kerberos, SRP, and
OpenSSL. SSH soon to follow.
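A worked illustration of the text-mode restart problem from question 2 above. This is an added example, not code from the post, from C-Kermit or from the Internet Kermit Service: it models only the end-of-line transformation (not character-set translation) with a sender that puts CRLF on the wire and a receiver that stores text in its own convention. The file contents and the "link dropped after three lines" scenario are constructed. The point it shows is that a byte offset the receiver reports means nothing to the sender unless the sender knows how the receiver stored the data, which is exactly what the post says the sender does not know; here `text_restart_offset` is handed that information explicitly and still has to search for a consistent offset.

```python
# Line-end conventions a receiver might store text in.
CRLF, LF, CR = b"\r\n", b"\n", b"\r"


def to_wire(data):
    """Sender side: canonicalise local line ends to CRLF, the portable wire form."""
    return data.replace(CRLF, LF).replace(CR, LF).replace(LF, CRLF)


def from_wire(data, local_eol):
    """Receiver side: store wire text in the receiver's local line-end convention."""
    return data.replace(CRLF, local_eol)


def naive_restart(sender_file, receiver_has):
    """Binary-style restart: resume at byte offset len(receiver_has) of the sender's file.

    Correct for binary transfers, wrong for text mode: the receiver's byte count
    no longer corresponds to an offset in the sender's (differently terminated) file.
    """
    return receiver_has + sender_file[len(receiver_has):]


def text_restart_offset(sender_file, receiver_has, receiver_eol):
    """Find the sender offset whose translated prefix equals what the receiver already holds.

    Returns None when the receiver's bytes are not a translated prefix of the
    sender's file at all (different content, or a translation the sender cannot
    reproduce), in which case restart is impossible and the file must be resent.
    When several offsets translate to the same bytes (the cut fell inside a CRLF
    pair) the largest is taken so no partial line terminator is sent twice.
    """
    best = None
    for i in range(len(sender_file) + 1):
        translated = from_wire(to_wire(sender_file[:i]), receiver_eol)
        if len(translated) > len(receiver_has):
            break  # translated length never decreases, so no later offset can match
        if translated == receiver_has:
            best = i
    return best


def text_restart(sender_file, receiver_has, receiver_eol):
    """Resume a text-mode transfer; returns the receiver's final bytes, or None if restart is impossible."""
    offset = text_restart_offset(sender_file, receiver_has, receiver_eol)
    if offset is None:
        return None
    return receiver_has + from_wire(to_wire(sender_file[offset:]), receiver_eol)


# Constructed sample: a DOS-style (CRLF) file on the sender; a Unix (LF) receiver
# had stored the first three lines when the connection dropped.
SENDER_FILE = b"one\r\ntwo\r\nthree\r\nfour\r\n"
RECEIVER_HAS = b"one\ntwo\nthree\n"

if __name__ == "__main__":
    print("naive restart :", naive_restart(SENDER_FILE, RECEIVER_HAS))
    print("sender offset :", text_restart_offset(SENDER_FILE, RECEIVER_HAS, LF))
    print("text restart  :", text_restart(SENDER_FILE, RECEIVER_HAS, LF))
    print("bad receiver  :", text_restart(SENDER_FILE, b"one\ntwo\nthre\n", LF))
```

The naive restart resends from sender offset 14, which lands inside the word "three" and leaves the receiver with a duplicated character and mixed line endings; the translation-aware search finds offset 17 (the start of the fourth line) and completes the file cleanly. A receiver that holds bytes which are not a translated prefix of the sender's file gets None, the honest answer when the sender cannot reproduce how the receiver stored the data.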
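A worked example of the "FTP proxy mode" objection from question 3 above, in particular the first problem (an anonymous client instructing Server A to connect to an arbitrary host and port). This is an added example, not code from the post, from the IKS or from any FTP server: it is the server-side check that an FTP daemon which refuses to be used as a bounce host applies to each RFC 959 PORT command, namely that the data connection must go back to the host the control connection came from and must not target a privileged port. The sample session, addresses and filenames are constructed.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port(cmd):
    """Parse a PORT command into (host, port); raise ValueError if malformed."""
    m = PORT_RE.match(cmd)
    if m is None:
        raise ValueError("malformed PORT command: %r" % cmd)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range: %r" % cmd)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def check_port_target(cmd, control_peer_ip):
    """Decide whether the server may open the active data connection the client asked for.

    Returns (allowed, reason). Rule one is the anti-bounce rule: the data
    connection must return to the control-connection peer, so a client cannot
    aim the server at a third party. Rule two refuses privileged ports so the
    server cannot be pointed at another host's SMTP, DNS or similar service
    even when the first rule is relaxed.
    """
    host, port = parse_port(cmd)
    if host != control_peer_ip:
        return False, "PORT target %s is not the control peer %s (bounce refused)" % (host, control_peer_ip)
    if port < 1024:
        return False, "PORT target port %d is privileged (refused)" % port
    return True, "active data connection to %s:%d permitted" % (host, port)


def filter_session(commands, control_peer_ip):
    """Return (command, allowed, reason) for every PORT command in a control-channel session."""
    decisions = []
    for cmd in commands:
        if cmd.upper().startswith("PORT"):
            try:
                allowed, reason = check_port_target(cmd, control_peer_ip)
            except ValueError as exc:
                allowed, reason = False, str(exc)
            decisions.append((cmd, allowed, reason))
    return decisions


# Constructed sample session: an anonymous client at 192.0.2.10 first asks for a
# legitimate data connection back to itself, then tries to bounce the server at
# a third host's SMTP port (the attack the post describes), then at its own port 80.
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@example.invalid",
    "PORT 192,0,2,10,19,137",   # 192.0.2.10:5001, the client itself
    "RETR README",
    "PORT 198,51,100,7,0,25",   # 198.51.100.7:25, a third-party host on a privileged port
    "RETR payload.txt",
    "PORT 192,0,2,10,0,80",     # the client itself, but port 80
]

if __name__ == "__main__":
    for cmd, ok, why in filter_session(SAMPLE_SESSION, "192.0.2.10"):
        print("%-26s %s  %s" % (cmd, "ALLOW" if ok else "DENY ", why))
```

The second problem the post raises, that the data connection between two servers cannot be authenticated because no command channel exists between them, is not something this check can fix; it only stops the server from being steered at hosts that never asked to talk to it. Note that the same check must be applied to EPRT (RFC 2428), which carries the address in a different syntax and is not parsed here.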