Chapter 14 FTP


FILE TRANSFER PROTOCOL

File Transfer Protocol (FTP)
• FTP uses TCP as a transport protocol to provide reliable end-to-end
connections and implements two types of connections in managing data
transfers.
• The FTP client initiates the first connection, referred to as the control
connection, to well-known port 21 (the client’s port is typically ephemeral).
It is on this port that an FTP server listens for and accepts new connections.
• The control connection is used for all of the control commands a client user
uses to log on to the server, manipulate files, and terminate a session. This
is also the connection across which the FTP server will send messages to
the client in response to these control commands.
• The second connection used by FTP is referred to as the data connection.
Typically, the data connection is established on server port 20.
• However, depending on how the data connection is established, both the
client and server might use ephemeral ports. It is across this connection
that FTP transfers the data.
• FTP only opens a data connection when a client issues a command
requiring a data transfer, such as a request to retrieve a file, or to view a list
of the files available.
• Therefore, it is possible for an entire FTP session to open and close without
a data connection ever having been opened.
• Unlike the control connection, in which commands and replies can flow
both from the client to the server and from the server to the client, the
data connection is unidirectional. FTP can transfer data only from the client
to the server, or from the server to the client, but not both. Also, unlike the
control connection, the data connection can be initiated from either the
client or the server.
• Data connections initiated by the server are active, while those initiated by
the client are passive.
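As an added example (not code from the chapter), the following Python encodes and decodes the h1,h2,h3,h4,p1,p2 endpoint form that the active-mode PORT command and the passive-mode 227 reply use, and shows the sanity checks a client applies before opening the data connection. The helper names and the sample addresses are my own.

```python
import re
from ipaddress import IPv4Address

# Added example, not from the chapter: encode and decode the h1,h2,h3,h4,p1,p2 form
# that the active-mode PORT command and the passive-mode 227 reply use for an IPv4
# endpoint (port = p1*256 + p2, RFC 959), with the sanity checks a client applies
# before opening the data connection. check_data_endpoint is my own helper name.
_SIX_BYTES = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """(ip, port) from a PORT argument or a 227 reply; ValueError if malformed."""
    m = _SIX_BYTES.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def encode_port_arg(ip, port):
    """Argument of an active-mode PORT command for the client's listening endpoint."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(str(IPv4Address(ip)).split(".") + [str(port // 256), str(port % 256)])

def check_data_endpoint(advertised_ip, control_peer_ip, port):
    """Checks a client applies before connecting the data connection: the address in
    a PASV reply should be the control-connection peer (many clients enforce this),
    and the port should not be a privileged well-known port. Returns the problems found."""
    problems = []
    if advertised_ip != control_peer_ip:
        problems.append("address %s differs from control peer %s" % (advertised_ip, control_peer_ip))
    if port < 1024:
        problems.append("port %d is a privileged well-known port" % port)
    return problems
```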
FTP Model:
• The client FTP application is built with a protocol interpreter (PI), a data
transfer process (DTP), and a user interface. The server FTP application
typically only consists of a PI and DTP.
• The FTP client’s user interface communicates with the protocol interpreter,
which manages the control connection. This protocol interpreter translates
any application-specific commands to the RFC architected FTP commands,
and then communicates these control commands to the FTP server.
• The FTP server’s PI receives these commands and then initiates the
appropriate processes to service the client’s requests. If the requests
require the transfer of data, data management is performed by the DTPs
on both the client and server applications. Following the completion of the
data transfer, the data connection is closed, and control is returned to the
PIs of the client and server applications.
Note: Only one data transfer can occur for each data connection. If multiple
data transfers are required for a single FTP session, one distinct control
connection will be opened for each transfer.
FTP Operations
• When using FTP, the user performs some or all of the following operations:
  • Connect to a remote host.
  • Navigate and manipulate the directory structure.
  • List files available for transfer.
  • Define the transfer mode, transfer type, and data structure.
  • Transfer data to or from the remote host.
  • Disconnect from the remote host.
Connecting to a remote host
• To execute a file transfer, the user begins by logging in to the remote
host. This login is the primary method of implementing security within
the FTP model. Additional security can be provided using SSL and TLS.
• There are four commands that are used:
  • open Selects the remote host and initiates the login session.
  • user Identifies the remote user ID.
  • pass Authenticates the user.
  • site Sends information to the foreign host that is used to provide
services specific to that host.
Navigating the directory structure
• After a user has been authenticated and logged on to the server, that user
can navigate through the directory structure of the remote host in order to
locate the file desired for retrieval, or locate the directory into which a local
file will be transferred. The user can also navigate the directory structure of
the client’s host. After the correct local and remote directories have been
accessed, users can display the contents of the remote directory.
• The subcommands that perform these functions are as follows:
  • cd Changes the directory on the remote host. A path name can be
specified, but must conform to the directory structure of the remote host.
In most implementations, cd .. will move one directory up within the
directory structure.
  • lcd Changes the directory on the local host. Similar to the cd command, a
path name can be specified but must conform to the directory structure of
the local host.
  • ls Lists the contents of the remote directory. The list generated by this
command is treated as data, and therefore this command requires the use
of a data connection. This command is intended to create output readable
by human users.
  • dir Lists the contents of the remote directory. Similar to the ls command,
the list generated by dir is treated as data and requires the use of a data
connection. This command is intended to create output readable by
programs.
Controlling how the data is transferred
• Transferring data between dissimilar systems often requires
transformations of the data as part of the transfer process. The user has to
decide on three aspects of the data handling:
  • The way the bits will be moved from one place to another
  • The different representations of data on the system's architecture
  • The file structure in which the data is to be stored
• Each of these is controlled by a subcommand:
  • mode Specifies whether the file is treated as having a record structure or
as a byte stream:
    • B Specifies that block mode is to be used. This indicates that the logical
record boundaries of the file are preserved.
    • S Specifies that stream mode is to be used, meaning that the file is
treated as a byte stream. This is the default and provides more efficient
transfer, but might not produce the desired results when working with a
record-based file system.
  • type Specifies the character sets used in translating and representing the
data:
    • A Indicates that both hosts are ASCII-based, or that if one is ASCII-based and
the other is EBCDIC-based, ASCII-EBCDIC translation must be performed.
On many implementations, this can be invoked by issuing the ASCII command,
which the PI translates into the type A command.
    • E Indicates that both hosts use an EBCDIC data representation. On many
implementations, this can be invoked by issuing the EBCDIC command, which
the PI translates into the type E command.
    • I Indicates that no translation is to be done on the data. On many
implementations, this can be invoked by using the BINARY command, which
the PI translates into the type I command.
  • structure Specifies the structure of the file to be transferred:
    • file Indicates that the file has no internal structure and is considered to be a
continuous sequence of data bytes.
    • record Indicates that the file is made up of sequential records.
    • page Indicates that the file is made up of independent indexed pages.
  • Note: The RFC 959 minimum FTP implementation includes only the file and
record options for the structure command. Therefore, not all
implementations will include the page option.
• Because these subcommands do not cover all possible differences between
systems, the site subcommand is available to issue implementation-dependent
and platform-specific commands. The syntax of this command
will vary by implementation.
Transferring files
• The following commands can be used to copy files between FTP clients and
servers:
• get Copies a file from the remote host to the local host. The PI translates get
into a RETR command.
• mget Copies multiple files from the remote to the local host. The PI translates
mget into a series of RETR commands.
• put Copies a file from the local host to the remote host. The PI translates put
into a STOR command.
• mput Copies multiple files from the local host to the remote host. The PI
translates mput into a series of STOR commands.
Terminating the FTP session
• The following commands are used to end an FTP session:
• quit Disconnects from the remote host and terminates FTP. Some
implementations use the BYE subcommand.
• close Disconnects from the remote host but leaves the FTP client running. An
open command can be issued to establish a new control connection.
Using proxy transfer
• FTP provides the ability for a client to have data transferred from one FTP
server to another FTP server. Several justifications for such a transfer exist,
including:
  • To transfer data from one host to another when direct access to the two hosts
is not possible
  • To bypass a slow client connection
  • To bypass a firewall restriction
  • To reduce the amount of traffic within the client’s network
• The process of setting up a proxy transfer begins with the use of a proxy
open command. Any FTP command can then be sent to the proxy server by
preceding the command with proxy.
• For example, executing the dir command lists the files on the primary FTP
server. Executing the proxy dir command lists the files on the proxy server.
The proxy get and proxy put commands can then be used to transfer data
between the two hosts.
• In Figure 14-5:
  1. The FTP client opens a connection and logs on to FTP server A.
  2. The FTP client issues a proxy open command, and a new control
connection is established with FTP server B.
  3. The FTP client then issues a proxy get command (though this can also be
a proxy put).
  4. A data connection is established between server A and server B.
Following data connection establishment, the data flows from server B to
server A.
Reply Codes
• In order to manage these operations, the client and server conduct a dialog using
the Telnet convention. The client issues commands, and the server responds with
reply codes. The responses also include comments for the benefit of the user, but
the client application uses only the codes. Reply codes are three digits long, with
the first two digits having specific meanings.
• For each user command, the FTP server responds with a 3-digit reply code and a
message. In the following exchange, the user's commands alternate with the
server's replies:
  FTP foreignhost
  220 service ready
  USERNAME cms01
  331 user name okay
  PASSWORD xyxyx
  230 user logged in
  TYPE Image
  200 command okay
Anonymous FTP
• Many TCP/IP sites implement what is known as anonymous FTP, which
means that these sites allow public access to some file directories. The
remote user only needs to use the login name anonymous and password
guest or some other common password conventions (for example, the
user's Internet e-mail ID). The password convention used on a system is
explained to the user during the login process. Because this method of
logon is available to anyone with Internet access to the system, most hosts
restrict the folders accessible to anonymous users.
Securing FTP sessions
• FTP provides security through user authentication, but it only prevents
unauthorized access to the system itself.
• During data transfer, the content of FTP packets is sent in plain text, making
it susceptible to interception by network tools like packet traces and sniffer
devices.
• User IDs and passwords used to log onto the server can also be captured in
these traces, potentially giving malicious users access to the system.
• To address these security concerns, FTP has been enhanced with Transport
Layer Security (TLS) to encrypt data during transfer.
• TLS is defined in RFC 4366 and operates at the transport layer, making it
easy for applications, such as FTP, to implement secure data transfer.
• The configuration and implementation of TLS varies by platform.
• TLS-related commands:
  • AUTH Specifies the authentication method to be used in securing the FTP
connection.
  • ADAT Passes Base64-encoded security data, specific to the mechanism
specified on the AUTH command, used in the security negotiation
between the client and server.
  • PBSZ Specifies the largest buffer size in which encrypted data can be
passed between the client and server.
  • PROT Specifies the data channel protection level. The argument passed
must be one of the following:
    • C Clear: Neither authentication nor encryption is used.
    • S Safe: Authentication is performed, but no encryption is implemented.
    • E Confidential: Encryption is performed, but no authentication is
implemented.
    • P Private: Both encryption and authentication are performed.
  • MIC Provides a Base64-encoded message used to integrity-protect
commands sent on the control connection.
  • CONF Provides a Base64-encoded message used to confidentiality-protect
commands sent on the control connection.
  • ENC Provides a Base64-encoded message used to privately protect
commands sent on the control connection.
  • CCC Instructs the FTP server that integrity-protected commands are no
longer required for the FTP session.
• Most FTP client and server implementations provide configuration options
to automate the security negotiation using the previous commands. This
makes the implementation of secure FTP easier for the user because users
do not need to understand or implement the details of the security during
the FTP session itself, and are only prompted for a user ID and possibly a
password.
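As an added example that ties the reply-code dialog above to the TLS commands in this section (this is my own code, not the chapter's), the following Python parses and classifies server reply lines and then audits a control-connection transcript, flagging USER/PASS sent before an AUTH TLS was accepted and a final PROT level other than P. The two sample sessions are constructed; the 234 reply to AUTH TLS follows RFC 4217.

```python
import re

# Added example, not from the chapter: parse and classify FTP reply lines (RFC 959) and
# audit a control-connection transcript for credentials sent before TLS was negotiated
# and for the final PROT level. Sessions are constructed; 234 is RFC 4217's AUTH TLS reply.
REPLY_CLASS = {"1": "positive preliminary", "2": "positive completion",
               "3": "positive intermediate", "4": "transient negative",
               "5": "permanent negative"}
_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(line):
    """(code, is_final_line, text) or None; '123-text' continues a multi-line reply."""
    m = _REPLY.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2) == " ", m.group(3)

def classify(code):
    return REPLY_CLASS.get(str(code)[0], "unknown")   # class = first digit

def audit_transcript(lines):
    """Lines are 'C: <command>' or 'S: <reply>'; returns a list of findings."""
    findings, tls_active, prot, pending, prot_req = [], False, "C", None, None
    for line in lines:
        side, _, msg = line.partition(": ")
        if side == "C":
            pending, _, arg = msg.upper().partition(" ")
            if pending in ("USER", "PASS") and not tls_active:
                findings.append("%s sent in clear text" % pending)
            if pending == "PROT":
                prot_req = arg.strip()
        elif side == "S":
            reply = parse_reply(msg)
            if reply is None or not reply[1]:
                continue                      # malformed or continuation line
            if pending == "AUTH" and reply[0] == 234:
                tls_active = True             # control connection now under TLS
            elif pending == "PROT" and classify(reply[0]) == "positive completion":
                prot = prot_req               # PROT defaults to C until accepted
    if prot != "P":
        findings.append("data channel protection is %s, not P" % prot)
    return findings

# Constructed sample sessions: a plain FTP login, and one using AUTH TLS / PROT P.
CLEAR_SESSION = ["S: 220 service ready", "C: USER cms01", "S: 331 user name okay",
                 "C: PASS xyxyx", "S: 230 user logged in", "C: TYPE I", "S: 200 command okay"]
TLS_SESSION = ["S: 220 service ready", "C: AUTH TLS", "S: 234 proceed", "C: PBSZ 0",
               "S: 200 PBSZ=0", "C: PROT P", "S: 200 private", "C: USER cms01",
               "S: 331 user name okay", "C: PASS xyxyx", "S: 230 user logged in"]
```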
