FTP communication (active mode/passive mode)

FTP communication (active mode)

FTP has two data-transfer modes: PORT mode (active mode) and PASV mode (passive mode). This section explains active mode.

Active mode is the original FTP mode and the default of the traditional command-line ftp client; many graphical clients now default to passive mode instead.

In this mode, unlike the control connection (which the client opens to port 21 on the server), the data connection is opened from port 20 on the FTP server to an arbitrary port on the client.

For the server to open that connection it has to know the client's IP address and port number. The client tells it these with the PORT command, sent over the control connection before each transfer.

A word of caution here. The data connection always runs from the FTP server to the client: it is the server that opens it, whether the file is being downloaded or uploaded.

Doesn't an upload start from the client? It is natural to assume so, but in active mode the server opens the data connection for uploads too; only the direction in which the file bytes flow changes.

The direction of this data connection causes two problems.

The first is firewall security.

Because the client's port number is arbitrary (1024 or higher), a packet-filtering firewall in front of the client must allow inbound connections from the FTP server to that port before FTP can work at all. Opening every port from 1024 upward to inbound connections is extremely risky.

The second problem, explained further below, arises when the server tries to reach a client that sits behind a NAT router.

In active mode the data connection is established from the FTP server side, as shown below, regardless of whether a file is downloaded or uploaded.

Before each transfer the client tells the FTP server, with the PORT command, the IP address and port number on which it is listening for the connection.

Command supplement

The PORT command takes its argument in the following form.

 PORT aaa,bbb,ccc,ddd,ee,ff

 aaa,bbb,ccc,ddd : the IP address on which the client is listening.
 ee,ff : the port number on which the client is listening, split into two bytes.

For the values in the diagram above (client 192.168.1.1 listening on port 3001), the PORT command is:

 PORT 192,168,1,1,11,185

A question arises here. Why does port number "3001" become "11" and "185"?

The trick is this.

Converting the decimal number 3001 to hexadecimal gives:

 (3001)₁₀ = (0BB9)₁₆

Split (0BB9)₁₆ into its two bytes (octets) and convert each to decimal:

 (0B)₁₆ = (11)₁₀

 (B9)₁₆ = (185)₁₀

The first byte is the high-order byte, i.e. it is shifted left by 8 bits (multiplied by 256), so:

 3001 = 11×256 + 185

In other words, ee is the quotient and ff the remainder when the port number is divided by 256.

Looking at active mode data transfer in a little more detail, the client and server sequence is shown in the table below. "Any" is the client's arbitrary port for the control connection; ee*256+ff is the port the client announced with PORT.

client port   | message                                        | server port
--------------+------------------------------------------------+------------
Any           | --> PORT aaa,bbb,ccc,ddd,ee,ff -->             | 21
Any           | <-- PORT command successful <--                | 21
Any           | --> RETR filename -->                          | 21
ee*256+ff     | <-- (SYN) <--                                  | 20
ee*256+ff     | --> (SYN, ACK) -->                             | 20
ee*256+ff     | <-- (ACK) <--                                  | 20
Any           | <-- Opening ASCII mode data connection <--     | 21
ee*256+ff     | <-- (file download) ...                        | 20
Any           | <-- Transfer complete. <--                     | 21

Active mode data transfer

Active mode is incompatible with firewall and NAT

Active mode FTP will most likely fail if the client is behind a firewall, because many firewalls are configured to drop SYNs arriving from the outside for security reasons, and the server's data connection begins with exactly such a SYN.

It also becomes a problem if the client is behind a NAT router.

NAT and IP masquerade translate IP addresses and port numbers. The values carried inside the PORT command therefore also have to be rewritten.

The reason is that the address and port in the PORT command are the client's private ones, from before translation. The server cannot reach those; it can only reach the public address and port that NAT has assigned to the client, so the command has to carry the translated values.

Therefore the NAT device has to rewrite the argument of the PORT command. Because the argument is decimal text whose length varies with the values (for example "10,0,0,5,4,0" versus "203,0,113,250,156,64"), the TCP payload length can change, so the device must also recompute the checksums and adjust the TCP sequence and acknowledgment numbers of everything that follows on that control connection.

Because this processing is complicated, some NAT routers do not rewrite the PORT command at all, and a client behind such a router cannot use active mode FTP.
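As an added example (not code from the original page), the following Python encodes and parses the six-number host/port argument described in the command supplement above, and shows the rewrite a NAT device has to perform on a PORT line together with the resulting change in payload length. The function names and the sample addresses and ports (192.168.1.1:3001, 203.0.113.x) are constructed for the example.

```python
import re

# RFC 959 host/port argument: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
# The same six-number form appears in the client's PORT command and in the
# server's "227 Entering Passive Mode (...)" reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip, port):
    """'192.168.1.1', 3001 -> '192,168,1,1,11,185'."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted IPv4 address: %r" % ip)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    high, low = divmod(port, 256)           # 3001 -> (11, 185): high byte, low byte
    return ",".join(str(n) for n in octets + [high, low])


def decode_hostport(text):
    """Extract (ip, port) from a PORT argument or a 227 reply; tolerates surrounding text."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field larger than 255 in %r" % text)
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def rewrite_port_command(line, public_ip, public_port):
    """
    What a NAT device that understands FTP has to do to a client's PORT line:
    replace the private address/port with the translated pair.
    Returns (new_line, length_delta). A non-zero delta is why such a device must
    also fix the TCP checksum and adjust sequence numbers for the rest of the
    control connection. Illustrative only, not a real ALG (assumption for this example).
    """
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % line)
    decode_hostport(line)                   # validate the original argument
    old = line if line.endswith("\r\n") else line + "\r\n"
    new = "PORT " + encode_hostport(public_ip, public_port) + "\r\n"
    return new, len(new) - len(old)


if __name__ == "__main__":
    print(encode_hostport("192.168.1.1", 3001))
    print(decode_hostport("227 Entering Passive Mode (203,0,113,5,195,80)."))
    print(rewrite_port_command("PORT 192,168,1,1,11,185\r\n", "203.0.113.250", 40000))
```

The regular expression deliberately accepts the tuple anywhere in the line, because real servers wrap the 227 tuple in varying text; the per-field check catches values such as 300 that the digit pattern alone would let through.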

FTP communication (passive mode)

In passive mode, both control and data connections all originate from the client.

Active mode has the firewall and NAT problems described above. Passive mode exists so that a client behind a firewall or NAT router can still communicate.

In active mode the data connection is opened by the FTP server; in passive mode it is the opposite: the connection is opened from an arbitrary port on the client to a listening port on the FTP server.

The client requests this mode by sending the PASV command on the control connection. The server replies with its own IP address and the port number on which it is now listening.

The client then opens the data connection to the IP address and port it was given.

So in passive mode both the control connection and the data connection are established from the client side.

The PASV reply does carry an IP address and port number, but they are the server's, not the client's, so a NAT device on the client side has nothing to translate in it, and the problem of rewriting command contents disappears.

Passive mode thus seems to solve the NAT problem, but the same problem reappears when the FTP server itself is behind a NAT router: the address and port in its PASV reply are then private ones that the client cannot reach unless the router rewrites them.

In passive mode the connection is established from the client side, as shown in the figure below, regardless of whether files are downloaded or uploaded.

The client and server sequence for passive mode data transfer is shown in the table below.

"Any" is an arbitrary client port (one for the control connection, another for the data connection); ee*256+ff is the port the server announced in its PASV reply.

client port   | message                                               | server port
--------------+-------------------------------------------------------+------------
Any           | --> PASV -->                                          | 21
Any           | <-- Entering Passive Mode (aaa,bbb,ccc,ddd,ee,ff) <-- | 21
              |     (see the command supplement below)                |
Any           | --> (SYN) -->                                         | ee*256+ff
Any           | <-- (SYN, ACK) <--                                    | ee*256+ff
Any           | --> (ACK) -->                                         | ee*256+ff
Any           | --> RETR filename -->                                 | 21
Any           | <-- Opening ASCII mode data connection <--            | 21
Any           | <-- (file download) ...                               | ee*256+ff
Any           | <-- Transfer complete. <--                            | 21

Passive mode data transfer

The client sends the PASV command to ask the server to transfer data in passive mode. In its reply the server gives the server-side port number to be used for the data transfer. On receiving this reply, the client opens a connection from an arbitrary port of its own to that port on the server.
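The two sequences in the tables above, as an added example that is not from the original page: a toy loopback FTP-like server and client in Python that perform one RETR in active mode (the server connects out to the address given in PORT) and one in passive mode (the client connects to the port given in the 227 reply). The server listens on an ephemeral control port instead of 21 and connects out from an ephemeral port instead of 20, since both need root; PASV_PORT_RANGE, the reduced command set, the sample payload and the refusal of PORT targets other than the client itself are assumptions made for the example, not behaviour the page describes.

```python
import socket
import threading

PASV_PORT_RANGE = range(50000, 50010)   # constructed: small fixed range the server-side firewall allows
PAYLOAD = b"hello from the toy server\r\n"  # constructed sample "file" contents
socket.setdefaulttimeout(5)                 # a mistake should fail, not hang

def _hostport(ip, port):                    # '127.0.0.1', 3001 -> '127,0,0,1,11,185'
    ee, ff = divmod(port, 256)              # port = ee*256 + ff
    return ",".join(ip.split(".") + [str(ee), str(ff)])

def _parse_hostport(text):                  # '(127,0,0,1,11,185)' -> ('127.0.0.1', 3001)
    f = [int(x) for x in text.strip().strip("()").split(",")]
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

def toy_server(port_holder, ready):         # one session; PORT, PASV, RETR, QUIT; no login
    ctrl = socket.socket()
    ctrl.bind(("127.0.0.1", 0))             # ephemeral port instead of 21: no root needed
    ctrl.listen(1)
    port_holder.append(ctrl.getsockname()[1])
    ready.set()
    conn, peer = ctrl.accept()
    rd = conn.makefile("rb")
    conn.sendall(b"220 toy ftp ready\r\n")
    active_target = pasv_sock = None
    while True:
        verb, _, arg = rd.readline().decode().strip().partition(" ")
        if verb == "PORT":
            active_target = _parse_hostport(arg)
            if active_target[0] != peer[0]: # refuse PORT targets that are not the client itself
                raise RuntimeError("PORT to a third host refused")
            conn.sendall(b"200 PORT command successful\r\n")
        elif verb == "PASV":
            pasv_sock = socket.socket()
            for p in PASV_PORT_RANGE:       # listen only inside the permitted range
                try:
                    pasv_sock.bind(("127.0.0.1", p))
                    break
                except OSError:
                    continue
            else:
                raise OSError("no free port in PASV_PORT_RANGE")
            pasv_sock.listen(1)
            conn.sendall(b"227 Entering Passive Mode (%s)\r\n"
                         % _hostport(*pasv_sock.getsockname()).encode())
        elif verb == "RETR":
            conn.sendall(b"150 Opening ASCII mode data connection\r\n")
            if pasv_sock is not None:
                data, _ = pasv_sock.accept() # passive: the client connected to us
                pasv_sock.close()
            else:
                data = socket.create_connection(active_target)  # active: we connect out
            data.sendall(PAYLOAD)
            data.close()
            conn.sendall(b"226 Transfer complete\r\n")
        else:                               # QUIT or EOF
            break
    conn.close()

def fetch(ctrl_port, mode):                 # client side of one RETR, 'active' or 'passive'
    ctrl = socket.create_connection(("127.0.0.1", ctrl_port))
    rd = ctrl.makefile("rb")
    assert rd.readline().startswith(b"220")
    if mode == "active":
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))     # client listens on an arbitrary port >= 1024
        listener.listen(1)
        ip, port = listener.getsockname()
        ctrl.sendall(b"PORT %s\r\n" % _hostport(ip, port).encode())
        assert rd.readline().startswith(b"200")
        ctrl.sendall(b"RETR file\r\n")
        assert rd.readline().startswith(b"150")
        data, _ = listener.accept()         # the SERVER opened this connection
        listener.close()
        initiator = "server->client"
    else:
        ctrl.sendall(b"PASV\r\n")
        reply = rd.readline().decode()
        assert reply.startswith("227"), reply
        ip, port = _parse_hostport(reply[reply.index("("):])
        data = socket.create_connection((ip, port))  # the CLIENT opened this connection
        ctrl.sendall(b"RETR file\r\n")
        assert rd.readline().startswith(b"150")
        initiator = "client->server"
    body = b"".join(iter(lambda: data.recv(4096), b""))
    data.close()
    assert rd.readline().startswith(b"226")
    ctrl.sendall(b"QUIT\r\n")
    ctrl.close()
    return {"body": body, "data_initiator": initiator, "data_port": port}

def run_session(mode):                      # one toy server thread + one transfer against it
    holder, ready = [], threading.Event()
    threading.Thread(target=toy_server, args=(holder, ready), daemon=True).start()
    ready.wait(5)
    return fetch(holder[0], mode)

if __name__ == "__main__":
    print(run_session("active"), run_session("passive"))
```

Running it prints two dictionaries: in the active session the data port is the client's listener and the server is the one that connected; in the passive session the data port lies inside PASV_PORT_RANGE and the client connected. That range is exactly what the server-side firewall would be opened for instead of every port above 1023.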

Command supplement

 aaa,bbb,ccc,ddd : the IP address of the FTP server (not the client) on which it is listening.
 ee,ff : the server's listening port number, split into two bytes.

If the port number in the figure above is "3001", ee is "11" and ff is "185", by the same conversion as for the PORT command.

Converting the decimal number 3001 to hexadecimal gives:

 (3001)₁₀ = (0BB9)₁₆

Split (0BB9)₁₆ into its two bytes and convert each to decimal:

 (0B)₁₆ = (11)₁₀

 (B9)₁₆ = (185)₁₀

so the port is 11×256 + 185 = 3001.

Compatibility of passive mode with firewall and NAT

In passive mode the SYN that opens the data connection is sent from the inside, so a firewall configured to deny SYNs from the outside does not block it.

The PASV reply carries an IP address and port number in the same six-number format as the PORT command, but they belong to the server, so the client's NAT router has nothing to rewrite in it; the client's own source address and port on the outgoing data connection are translated in the ordinary way. So there are no problems with NAT or IP masquerade on the client side.

Passive mode removes the client-side trouble with firewalls and NAT, but it has its own points to watch. The firewall in front of the server must now allow inbound connections to the server's passive data ports (1024 or higher).

Since the server chooses the listening port at random, the range to be allowed is wide, and the hole in the firewall becomes large. With a static (stateless) packet filter that range is permanently open and exposed to intrusion from the outside. The usual mitigations are to configure the server to use a small fixed passive port range and allow only that range, or to use a stateful firewall that opens the port only after seeing the PASV reply on the control connection.