FTP etc. PDF
TU Dublin
Keith Smyth
Summary
This document provides an overview of file transfer protocols, such as FTP, TFTP, FTPS, and SFTP, along with their commands, modes of operation, and use cases in networking.
File Transfer Tools
File Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), FTP Secure (FTPS), SSH File Transfer Protocol (SFTP)
Industrial Networks II, Keith Smyth

Motivation
- We need to be able to transfer files over the Internet securely.
- Some legacy industrial devices may only support FTP or TFTP.
- We want to be able to configure firewalls as securely as possible.
- Principles learned here will be used to manage remote devices securely.

File Transfer Protocol (FTP)
- FTP is a standard communication protocol used for the transfer of files over a network.
- FTP is built on a client-server model architecture.
- FTP uses separate control and data connections between the client and the server.
- FTP users may authenticate themselves with a clear-text sign-in protocol (username and password).
- Clients can connect anonymously if the server is configured to allow it.
- Clients: command line, GUI, most web browsers (ftp://).

File Transfer Protocol (FTP)
- Uses TCP at the transport layer.
- The server listens on the well-known port 21.
- Separate control and data channels:
  – The control channel is used for authentication, listing directories, etc. This channel is kept open during the session (server side: port 21).
  – The data channel supports file transfer and is closed after each file transfer (one file per connection). Server side: port 20 in active mode, any random port >1024 in passive mode.
- Two modes of operation: active mode and passive mode.

Examples of FTP Commands
Commands for authentication:
- USER - specify the user name for login
- PASS - specify the user's password
Commands for exploring the files:
- LIST - list the files for the given file specification
- CWD - change to the given directory (cd)
Commands for downloading and uploading files:
- TYPE - set type to ASCII (A) or binary image (I)
- RETR - retrieve the given file
- STOR - upload the given file
Command for closing the connection:
- QUIT - close the FTP connection

Examples of FTP Commands
There are approximately 60 different FTP commands:
- ABOR - abort a file transfer
- CWD - change working directory
- DELE - delete a remote file
- LIST - list remote files
- MDTM - return the modification time of a file
- MKD - make a remote directory
- NLST - name list of remote directory
- PASV - enter passive mode
- PORT - open a data port
- PWD - print working directory
- QUIT - terminate the connection
- RETR - retrieve a remote file
- RMD - remove a remote directory
- RNFR - rename from
- RNTO - rename to
- SITE - site-specific commands
- SIZE - return the size of a file
- STOR - store a file on the remote host
- TYPE - set transfer type
The FTP commands depend on the version of FTP and the operating system in use. Typing -help or ? lists the commands available to you. In MS Windows: GET downloads a file, PUT uploads a file.
Many applications do not need the full functionality that FTP offers, and providing it may be difficult or impossible on embedded computers that do not have a sophisticated OS.
Active Mode (Simplified)
- Control channel (client port 50,000 -> server port 21): USER, PASS, PORT 60,000, LIST ... OK.
- Data channel (server port 20 -> client port 60,000): the server opens the connection to the client's port 60,000 and sends the directory listing; then the data channel connection closes.
- NOTE: the client chooses its port number for the data channel.

Problem with Active Mode: the client machine is behind a firewall
- Control channel as before (client port 50,000 -> server port 21): USER, PASS, PORT 60,000, LIST ... OK.
- The server attempts the data connection from port 20 to client port 60,000, and the client's firewall will block the incoming connection to port 60,000.
- The incoming port can be anywhere in the range 1024 – 65,536, and we do not want to open all of those ports and leave ourselves vulnerable to attack.

Passive Mode
- Control channel (client port 50,000 -> server port 21): USER, PASS, PASV ... OK 55,555 (the server tells the client which port to connect to), LIST.
- Data channel (client port 60,000 -> server port 55,555): the client opens the connection and receives the directory listing; then the data channel connection closes.
- Each further transfer repeats the exchange, e.g. PASV ... OK 26,444, RETR file_name, with the data channel opened to server port 26,444.

Passive Mode: the client machine is behind a firewall
- Same exchange: PASV ... OK 55,555; the client connects from port 60,000 to server port 55,555.
- NOW the client's firewall will allow the directory listing in on port 60,000, because it saw a connection with source port 60,000 going out from the client.

Passive Mode: the server machine is behind a firewall
- Same exchange: PASV ... OK 55,555; the data channel runs from client port 60,000 to server port 55,555.
- NOW ports 1024 – 65536 need to be opened on the server-side firewall.
- Most FTP servers will allow you to specify a range of ports to use for the data channel in passive mode; then configure the firewall to only allow ports in that range. (The range mainly depends on the maximum number of concurrent users; a client may spawn multiple data connections for a large file.)

Trivial File Transfer Protocol (TFTP)
- RFC 1350. Trivial File Transfer Protocol (TFTP) is intended to be simple.
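Returning to the passive-mode firewall point above, here is an added example (not from the slides) of the client-side counterpart of "only allow ports in that range": it parses the server's passive-mode reply and only opens the data channel if the advertised port falls inside the range the server administrator configured, and additionally if the advertised address is the server the control channel is already talking to. The slides show the reply only as "OK 55,555"; the 227 reply format (h1,h2,h3,h4,p1,p2) is from RFC 959, and the addresses, port range and replies are constructed sample values.

```python
import re
from ipaddress import ip_address

# Constructed sample values (not from the slides).  A server answers PASV with
# RFC 959's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the data port is
# p1*256 + p2, so (217,3) is the slides' port 55,555 and (103,76) is 26,444.
CONTROL_PEER_IP = "192.0.2.10"            # the server we opened the control channel to
PASSIVE_PORT_RANGE = (55000, 55999)       # range the admin configured and opened on the firewall
REPLY_IN_RANGE = "227 Entering Passive Mode (192,0,2,10,217,3)\r\n"
REPLY_OUT_OF_RANGE = "227 Entering Passive Mode (192,0,2,10,103,76)\r\n"
REPLY_OTHER_HOST = "227 Entering Passive Mode (192,0,2,99,217,3)\r\n"

_PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv_reply(reply):
    """Return (ip, port) from a 227 reply; raise ValueError if it is malformed."""
    match = _PASV_RE.match(reply)
    if match is None:
        raise ValueError("not a 227 Entering Passive Mode reply")
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("227 reply field out of range")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]

def data_channel_decision(reply, control_peer_ip, port_range):
    """Mirror the firewall policy from the slides on the client side: open the
    data channel only if the advertised port is inside the configured passive
    range and the advertised address is the host we are already talking to."""
    ip, port = parse_pasv_reply(reply)
    low, high = port_range
    same_host = ip_address(ip) == ip_address(control_peer_ip)
    in_range = low <= port <= high
    return {"ip": ip, "port": port, "same_host": same_host,
            "in_range": in_range, "allowed": same_host and in_range}
```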
- It is a completely new protocol, not a modification of FTP.
- It restricts operations to simple file transfers and does not provide any form of authentication (no username or password).
- Generally only used within a LAN.
- Often used to transfer configuration files and firmware images to networking devices.
- It can ONLY read or write a file for a client.
- Only uses 5 commands (packets!): RRQ (read request), WRQ (write request), DATA, ACK (acknowledge) and ERROR.
- It uses UDP at the transport layer (UDP is connectionless).

Trivial File Transfer Protocol (TFTP)
- Since it is simple, TFTP software tends to be much smaller in size than FTP software.
- Small size is a big advantage for embedded systems. An embedded system can have a TFTP client in its ROM and use it to obtain an initial memory image when the system is powered on.
- Since UDP is connectionless and unreliable, TFTP must have a mechanism to ensure all data is transferred.

Trivial File Transfer Protocol (TFTP)
- Unlike FTP, TFTP runs on top of UDP (port 69). UDP is connectionless and unreliable.
- Since UDP is unreliable, TFTP needs a mechanism to ensure all data is transferred and that no duplicate data is transferred.
- TFTP uses timeout and retransmission to ensure that data arrives and to prevent duplicates.
- The sending side transmits a file in fixed-size (512 byte) blocks and waits for an acknowledgement for each block before sending the next (a form of stop-and-wait error control). The receiver acknowledges each block upon receipt.

Trivial File Transfer Protocol (TFTP): PDU exchange
- The first packet sent requests a file transfer and establishes the interaction between the client and the server. It also specifies a file name and whether the file will be read (transferred to the client) or written (transferred to the server).
- Blocks of the file are numbered consecutively starting at 1.
- Each data packet contains a header that specifies the number of the block it carries, and each acknowledgement contains the number of the block being acknowledged.
- A block of less than 512 bytes signals the end of a file.
- It is possible to send an error message either in place of data or of an acknowledgement. If an error message is sent, the transfer is terminated.

Trivial File Transfer Protocol (TFTP): TFTP commands (the RFC defines them as packets)
Read request:
  | 2-byte opcode: READ REQ (1) | N bytes: FILENAME | 1 byte: 0 | N bytes: MODE | 1 byte: 0 |
Write request:
  | 2-byte opcode: WRITE REQ (2) | N bytes: FILENAME | 1 byte: 0 | N bytes: MODE | 1 byte: 0 |
Mode: ASCII or binary.

Data packet (every data packet carries 512 bytes except the last, which terminates the transfer):
  | 2-byte opcode: DATA (3) | 2 bytes: BLOCK No | up to 512 bytes: DATA BYTES |
Acknowledgement packet:
  | 2-byte opcode: ACK (4) | 2 bytes: BLOCK No |

ERROR packet:
  | 2-byte opcode: ERROR (5) | 2 bytes: ERROR CODE | up to 512 bytes: ERROR MESSAGE | 1 byte: 0 |
Error codes:
  Value | Meaning
  0 | Not defined
  1 | File not found
  2 | Access violation
  3 | Disk full or allocation exceeded
  4 | Illegal TFTP operation
  5 | Unknown transfer ID
  6 | File already exists
  7 | No such user (there are no usernames or passwords in TFTP)

Trivial File Transfer Protocol (TFTP): overview of the protocol
- Any transfer begins with a request to read or write a file, which also serves to request a connection. If the server grants the request, the connection is opened and the file is sent in fixed-length blocks of 512 bytes.
- Each data packet contains one block of data and must be acknowledged by an acknowledgement packet before the next packet can be sent.
- A data packet of less than 512 bytes signals termination of a transfer.
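The five packet layouts above, as an added example that is not part of the slides: an encoder and decoder for RRQ/WRQ, DATA, ACK and ERROR packets plus the block-splitting rule, including the edge case the "0 - 511 bytes" final block implies (a file that is an exact multiple of 512 bytes must be terminated by an empty block). The mode strings "octet" and "netascii" are RFC 1350's names for the binary and ASCII modes the slides mention; the sample inputs in the assertions are constructed.

```python
import struct

BLOCK_SIZE = 512
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
ERROR_CODES = {0: "Not defined", 1: "File not found", 2: "Access violation", 3: "Disk full or allocation exceeded",
               4: "Illegal TFTP operation", 5: "Unknown transfer ID", 6: "File already exists", 7: "No such user"}

def build_request(opcode, filename, mode="octet"):
    # RRQ (1) / WRQ (2): 2-byte opcode, filename, 0, mode, 0.  "octet" is the
    # RFC 1350 name for the binary mode; "netascii" is the ASCII mode.
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_data(block, payload):
    # DATA (3): 2-byte opcode, 2-byte block number, up to 512 data bytes
    if len(payload) > BLOCK_SIZE:
        raise ValueError("a DATA packet carries at most 512 bytes")
    return struct.pack("!HH", 3, block) + payload

def build_ack(block):
    return struct.pack("!HH", 4, block)          # ACK (4): opcode, block number

def build_error(code, message):
    # ERROR (5): 2-byte opcode, 2-byte error code, message, 0
    return struct.pack("!HH", 5, code) + message.encode() + b"\0"

def parse_packet(packet):
    """Decode any of the five packet types into a dict; malformed input raises ValueError."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", packet[:2])[0]
    kind = OPCODES.get(opcode)
    if kind in ("RRQ", "WRQ"):
        fields = packet[2:].split(b"\0")     # filename, mode, then the empty tail after the final 0
        if len(fields) < 3:
            raise ValueError("request is missing a terminating zero byte")
        return {"type": kind, "filename": fields[0].decode(), "mode": fields[1].decode()}
    field = struct.unpack("!H", packet[2:4])[0]  # block number, or the error code for ERROR
    if kind == "DATA":
        payload = packet[4:]                     # a short block (< 512 bytes) ends the transfer
        return {"type": kind, "block": field, "data": payload, "last": len(payload) < BLOCK_SIZE}
    if kind == "ACK":
        return {"type": kind, "block": field}
    if kind == "ERROR":
        message = packet[4:].split(b"\0")[0].decode()
        return {"type": kind, "code": field, "meaning": ERROR_CODES.get(field, "unknown"), "message": message}
    raise ValueError(f"illegal TFTP opcode {opcode}")

def split_into_blocks(data):
    # Blocks are numbered from 1.  The terminating block must be shorter than 512 bytes,
    # so a length that is an exact multiple of 512 (an empty file included) needs a zero-length block.
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if len(data) % BLOCK_SIZE == 0:
        blocks.append(b"")
    return list(enumerate(blocks, start=1))
```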
- If a packet gets lost in the network, the intended recipient will time out and may retransmit its last packet (which may be data or an acknowledgement). This is how the protocol recovers from an error.
- The sender must keep just one packet on hand for retransmission, since the lock-step acknowledgement guarantees that all older packets have been received (stop and wait).

Trivial File Transfer Protocol (TFTP): read request (simplified)
Client (port 50,000) -> Server (port 69): RRQ (Read Request); transfer is initiated
Server -> Client: Data Block 1 (512 bytes)
Client -> Server: Ack Block 1
Server -> Client: Data Block 2 (512 bytes)
Client -> Server: Ack Block 2
...
Server -> Client: Data Block n (0 – 511 bytes)
Client -> Server: Ack Block n; transfer completed

Trivial File Transfer Protocol (TFTP): write request (simplified)
Client (port 51,000) -> Server (port 69): WRQ (Write Request); transfer is initiated
Server -> Client: Ack Block 0
Client -> Server: Data Block 1 (512 bytes)
Server -> Client: Ack Block 1
Client -> Server: Data Block 2 (512 bytes)
Server -> Client: Ack Block 2
...
Client -> Server: Data Block n (0 – 511 bytes)
Server -> Client: Ack Block n; transfer completed

Trivial File Transfer Protocol (TFTP): lost Ack (timer operation)
If a packet gets lost in the network, the intended recipient will time out and may resend its last packet (RFC 1350).
Client (port 50,000) -> Server (port 69): RRQ (Read Request); transfer is initiated
Server -> Client: Data Block 1 (512 bytes)
Client -> Server: Ack Block 1 (lost)
Server: time out, resend block 1
Server -> Client: Data Block 1 (512 bytes)
Client -> Server: Ack Block 1
Server -> Client: Data Block 2 (512 bytes)
Client -> Server: Ack Block 2

Trivial File Transfer Protocol (TFTP): lost data block (timer operation)
If a packet gets lost in the network, the intended recipient will time out and may resend its last packet (RFC 1350).
Client (port 50,000) -> Server (port 69): RRQ (Read Request); transfer is initiated
Server -> Client: Data Block 1 (512 bytes)
Client -> Server: Ack Block 1
Server -> Client: Data Block 2 (512 bytes) (lost: Ethernet frame dropped by a switch)
Client: time out, resend Ack Block 1
Client -> Server: Ack Block 1
Server -> Client: Data Block 2 (512 bytes)
Client -> Server: Ack Block 2

Trivial File Transfer Protocol (TFTP): Sorcerer's Apprentice Syndrome (SAS)
Diagram: a delayed Ack causes a time out and a retransmission (resend block 11); from then on the client and server send everything twice, which slows the transfer down and doubles the transfer time.

Trivial File Transfer Protocol (TFTP): fix for Sorcerer's Apprentice Syndrome (SAS) - RFC 1123
- The bug is caused by the protocol rule that either side, on receiving an old duplicate datagram, may resend the current datagram.
- If a packet is delayed in the network but later successfully delivered after either side has timed out and retransmitted a packet, a duplicate copy of the response may be generated. If the other side responds to this duplicate with a duplicate of its own, then every datagram will be sent in duplicate for the remainder of the transfer.
- Notice that once the delayed ACK arrives, the protocol settles down to duplicating all further packets (sequences 11, 12 and 13).
- The problem is caused not by either side timing out, but by both sides retransmitting the current packet when they receive a duplicate.
- The fix to SAS involved modifying the TFTP specification to break the loop. Only the first instance of a received acknowledgement should cause the next data block to be sent; further copies of the acknowledgement for a particular data block are ignored, thus breaking the retransmission loop. In the new version of the protocol, a block is only retransmitted on timeout.
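The SAS mechanism and its RFC 1123 fix, as an added example that is not from the slides: a small discrete-event model of the lock-step read in which the client's first ACK for block 1 is delayed past the server's timeout. With the original RFC 1350 rule (duplicate ACK resends the current DATA) every later block is sent twice; with the fix (duplicate ACKs ignored, retransmission only on timeout) the transfer settles back to one copy per block. Latencies, the timeout and the number of blocks are constructed parameters.

```python
import heapq

def simulate_tftp_read(n_blocks, one_way=1.0, timeout=3.0, ack_extra_delay=4.0,
                       rfc1123_fix=True, max_events=10_000):
    """Discrete-event model of a lock-step TFTP read: the server sends DATA n and
    waits for ACK n before sending DATA n+1.  The client's *first* ACK for block 1
    is held in the network for ack_extra_delay, so it arrives after the server's
    timeout retransmission, the trigger for Sorcerer's Apprentice Syndrome.
    Returns how many DATA packets the server transmitted in total."""
    events, seq = [], 0                   # heap of (arrival_time, seq, kind, block)
    st = {"data_sent": 0, "highest_ack": 0, "highest_data": 0, "delayed_once": False}

    def schedule(t, kind, block):
        nonlocal seq
        seq += 1                          # seq keeps event ordering deterministic on ties
        heapq.heappush(events, (t, seq, kind, block))

    def server_send(t, block):
        st["data_sent"] += 1
        schedule(t + one_way, "DATA", block)
        schedule(t + timeout, "TIMEOUT", block)   # acted on only if still unacked

    server_send(0.0, 1)
    processed = 0
    while events and processed < max_events and st["highest_ack"] < n_blocks:
        processed += 1
        t, _, kind, block = heapq.heappop(events)
        if kind == "DATA":                          # delivered to the client
            st["highest_data"] = max(st["highest_data"], block)
            delay = one_way
            if block == 1 and not st["delayed_once"]:
                st["delayed_once"], delay = True, one_way + ack_extra_delay
            schedule(t + delay, "ACK", block)       # client ACKs every DATA, duplicates too
        elif kind == "ACK":                         # delivered to the server
            if block == st["highest_ack"] + 1:      # first ACK for this block
                st["highest_ack"] = block
                if block < n_blocks:
                    server_send(t, block + 1)
            elif block == st["highest_ack"] and block < n_blocks and not rfc1123_fix:
                server_send(t, block + 1)           # RFC 1350 rule: a duplicate ACK resends current DATA
            # with the RFC 1123 fix a duplicate ACK is simply ignored
        elif kind == "TIMEOUT" and st["highest_ack"] < block:
            server_send(t, block)                   # retransmission on timeout only
    return st["data_sent"]

def compare(n_blocks=5):
    """DATA packets sent under the original rule vs. with the RFC 1123 fix."""
    return {"rfc1350_rule": simulate_tftp_read(n_blocks, rfc1123_fix=False),
            "rfc1123_fix": simulate_tftp_read(n_blocks, rfc1123_fix=True)}
```

For five blocks the original rule transmits every block twice (10 DATA packets), while the fixed sender transmits six: one retransmission of block 1 caused by the timeout, and one copy of each remaining block.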
Trivial File Transfer Protocol (TFTP): TIDs
The TFTP protocol refers to port numbers as TIDs (Transfer Identifiers).

Read request (actual): the client TID is 50,000; the server picks TID (port) 3,000 for the transfer
Client (port 50,000) -> Server (port 69): RRQ (Read Request); transfer is initiated
Server (port 3,000) -> Client (port 50,000): Data Block 1 (512 bytes)
Client (port 50,000) -> Server (port 3,000): Ack Block 1
Server (port 3,000) -> Client (port 50,000): Data Block 2 (512 bytes)
Client (port 50,000) -> Server (port 3,000): Ack Block 2
...
Server (port 3,000) -> Client (port 50,000): Data Block n (0 – 511 bytes)
Client (port 50,000) -> Server (port 3,000): Ack Block n; transfer completed

Write request (actual): the server's Ack Block 0 arrives from the TID (port 6,000) it picked, not from port 69
Client (port 51,000) -> Server (port 69): WRQ (Write Request); transfer is initiated
Server (port 6,000) -> Client (port 51,000): Ack Block 0 (contains the port number instead of a block number)
Client (port 51,000) -> Server (port 6,000): Data Block 1 (512 bytes)
Server (port 6,000) -> Client (port 51,000): Ack Block 1
Client (port 51,000) -> Server (port 6,000): Data Block 2 (512 bytes)
Server (port 6,000) -> Client (port 51,000): Ack Block 2
...
Client (port 51,000) -> Server (port 6,000): Data Block n (0 – 511 bytes)
Server (port 6,000) -> Client (port 51,000): Ack Block n; transfer completed

Trivial File Transfer Protocol (TFTP): Wireshark trace for READ request
(Columns: No., Time, Source IP, Source Port, Destination IP, Destination Port. The port number is the TID.)
Client 192.168.0.253:50618 -> Server 192.168.0.10:69     RRQ (Read Request)
Server 192.168.0.10:3445 -> Client 192.168.0.253:50618   DATA (Block 1)
Client 192.168.0.253:50618 -> Server 192.168.0.10:3445   ACK 1

Trivial File Transfer Protocol (TFTP): Wireshark trace for WRITE request
Client 192.168.0.1:57509 -> Server 192.168.0.13:69       WRQ (Write Request)
Server 192.168.0.13:2087 -> Client 192.168.0.1:57509     ACK 0 (contains port no)
Client 192.168.0.1:57509 -> Server 192.168.0.13:2087     DATA (Block 1)

Trivial File Transfer Protocol (TFTP): summary
- UDP is connectionless and unreliable. Since TFTP uses UDP rather than TCP, there is no explicit concept of a connection as in FTP.
- A TFTP session uses the concept of a "logical connection", which is opened when a client sends a request to a server to read or write a file.
- Communication between the client and server is performed in "lock-step" fashion (stop and wait): one device sends data messages and receives acknowledgements, so it knows the data messages were received; the other sends acknowledgements and receives data messages, so it knows the acknowledgements were received.
- Destination port 69.
- Slow transfer due to stop and wait (inefficient).

FTP vs TFTP
Aspect | FTP | TFTP
Authentication | Based on login with username and password | No authentication
Connection | Uses TCP, which has error control and flow control. Transmission of data and control is handled by TCP. | Uses UDP, thus no connection. UDP has error detection (checksum) but no error control or flow control. TFTP uses a simple lock-step protocol (each data packet needs to be ACK'ed, so throughput is limited).
Footprint | More complex than TFTP, thus requires more memory. | Very simple protocol; very little memory required for client software.
Control and data | Separates user data and control data by using two separate TCP connections. | Uses only one channel: control packets (commands) flow in one direction and data packets flow in the opposite direction.
Encryption | NO encryption | NO encryption

Trivial File Transfer Protocol (TFTP): TFTP and FTP throughput comparison
- TFTP uses UDP with a lock-step protocol; FTP uses TCP.
- Due to the different transmission methods employed, the maximum achievable throughput for each is different.
- TFTP theoretical max throughput = 512 bytes / RTT (RTT = round trip time)
- FTP theoretical max throughput = Ws bytes / RTT (Ws = window size)
Theoretical throughput example
- Measured RTT = 0.282 ms (with ping); Ws = 8192 bytes
- Assumptions: protocol processing does not consume time; transmission time is disregarded.
- TFTP: 512 bytes in 0.282 ms = 1.8 MBytes/s
- FTP: 8192 bytes in 0.282 ms = 29 MBytes/s (~16 times faster)
- In reality FTP is about 8 times faster; the longer the link, the more FTP outperforms TFTP.

File Transfer Protocol Secure (FTPS)
Two types of FTPS (SSL = Secure Sockets Layer):
- FTPES - explicit FTPS. Typically uses port 21 for the command channel. Unencrypted command channel; the encryption occurs only on the data channel. The SSL handshake occurs after user authentication on the command channel. (NOTE)
- FTPS - implicit SSL. Typically uses port 990 for the command channel. The SSL handshake occurs when the client connects to the command channel.
FTPS (FTP over SSL - Secure Sockets Layer) is a secure FTP protocol that allows you to encrypt all files exchanged with clients.
FTPS uses strong algorithms like AES and triple DES to encrypt the file transfer.
For authentication, FTPS uses a combination of usernames and passwords, and/or certificates, to verify a user's authenticity.

Secure File Transfer Protocol (SFTP)
- SFTP (SSH / Secure Shell File Transfer Protocol) is a secure file transfer protocol that sends files over SSH, providing a high level of protection for file transfers.
- SFTP is a NEW protocol. It uses TCP port 22 (only one channel is used).
- SFTP uses strong algorithms like AES, triple DES and other algorithms to encrypt the file transfer.
- SFTP offers several ways to authenticate a user session: user ID and password; SSH key; a combination of password and SSH key.

Briefly contrasting SFTP and FTPS
FTPS:
- It can be difficult to connect through firewalls that have a high level of security. FTPS uses multiple port numbers for the control and data channels, with a large range of ports required for the data channel.
- SSL certificates can be signed by a Certificate Authority (CA) to validate public keys.
SFTP:
- It is easier to configure firewalls, since it only requires port 22 to be opened. This single port is used for authentication, all commands and data.
- SSH keys can be shared among trading partners, but there are no CAs to verify an SSH public key.

The choice - SFTP or FTPS
- IT department: the IT department may limit the choice to a particular flavour.
- Customers and/or partners: your customers / partners may dictate the choice, as they may want SSL certificates signed by a CA, or they may only want to open ONE port on their firewall.