summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc501.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc501.txt')
-rw-r--r--doc/rfc/rfc501.txt283
1 files changed, 283 insertions, 0 deletions
diff --git a/doc/rfc/rfc501.txt b/doc/rfc/rfc501.txt
new file mode 100644
index 0000000..5842bfa
--- /dev/null
+++ b/doc/rfc/rfc501.txt
@@ -0,0 +1,283 @@
+
+
+
+
+
+
+Network Working Group K. Pogran
+Request for Comments: 501 MIT-Multics
+NIC: 15718 11 May 1973
+
+
+ Un-Muddling "Free File Transfer"
+
+ As the ARPA Network begin to mature, we find ourselves addressing
+ issues and concepts deliberately put off and left untouched at
+ earlier stages of Network development. Among the issues now coming
+ to the fore are access control, user authentication, and accounting.
+ These issues arise immediately out of efforts to develop uniform
+ methods for providing limited "free" access to the File Transfer
+ Servers of the host systems, to meet user needs for mail transmission
+ and similar services.
+
+ Several proposals have been made, described by such phrases as
+ "login-less mail", "'free' accounts", "free file transfer", etc.
+ These proposals inevitably have imbedded in them some particular
+ notion of how such things as access control and user authentication
+ are accomplished and these proposals, which knowingly or unknowingly
+ make presumptions about the implementation of such mechanisms,
+ inevitably meet with strong criticism from implementors whose
+ systems' mechanisms are quite different.
+
+ In RFC 467, Bob Bressler proposes ways of helping out users who wish
+ to transfer files to or from "systems which have some flavor of
+ security, but on which the user has no access privileges".
+ Unfortunately, beginning with the first paragraph of the RFC, the
+ notions of access controls on files (examples of protection
+ mechanisms), and control of access to the system (user
+ authentication) are thoroughly muddled. In addition, he makes
+ sweeping assumptions about the nature and use of accounting
+ mechanisms and accounts at server sites. RFC 487 also has buried
+ deep within it assumptions about the nature of the access control and
+ user authentication aspects of File Transfer Server implementations.
+
+ What's needed at this juncture, of course, is a lucid discussion of
+ the general concepts involved in protection mechanisms, and file
+ system access controls in particular. Well, you won't find that in
+ the remainder of this RFC. What you will find is perhaps enough of a
+ discussion to un-muddle that which RFC 487 has muddled; the rest will
+ have to come down the pike at a later time.
+
+ In many systems, mechanisms which control access to the system,
+ mechanism which control access to files, and accounting mechanisms
+ all mesh at the moment at which a prospective user of the system is
+ authenticated: the system has checked his user-name, password,
+
+
+
+Pogran [Page 1]
+
+RFC 501 Un-Muddling "Free File Transfer" 11 May 1973
+
+
+ account, or whatever, and decided that he is, indeed, a valid user of
+ the system. This user, who would like to have some information
+ processing performed on his behalf, is termed a principal in "privacy
+ and protection" parlance. Some number of processes are initially set
+ up for this principal, and some (presumably unforgeable) principal
+ identifier is associated with the process(es), so that their requests
+ for access to files and other system resources may be properly
+ validated. In addition, the identify of the account to be charged
+ for the resources consumed by these processes is associated with the
+ processes at this time [1], although on some systems, a process may
+ change its account identifier at any time.
+
+ The first question is: Whose principal identifier does a File
+ Transfer Server process use? There are at least two possibilities: 1)
+ the File Transfer Server can run as a "system daemon" process, with
+ (usually) a highly privileged principal identifier. When acting on
+ behalf of a user, it must, itself, interpretively evaluate that
+ user's access to a desired file. Also, it must be able to charge
+ that user's account for the resources it uses. 2) A File Transfer
+ Server process can be given the user's own principal identifier.
+ With this implementation, validation of the user's access to files is
+ performed automatically by the usual file system mechanisms.
+
+ Paragraph four of RFC 487 clearly presumes implementation 1): "If a
+ user connects to an FTP server and makes a file request without
+ supplying a user name-password, the server should then examine the
+ file access parameters ..." Systems truly concerned about protection
+ may prefer implementation 2), and for good reason -- it follows the
+ "principle of least privilege", which states that a process should
+ execute with as little access privilege as it requires to perform its
+ tasks properly. Running a File Transfer Server process with a user's
+ principal identifier rather than with that of a system daemon leaves
+ the system far less susceptible to damage caused by incorrect actions
+ of the File Transfer Server. [2]
+
+ The next question is: Whom do you charge for file transfers? Bressler
+ tries to set down some guidelines for determining who to charge for
+ "non-logged-in" (read: "free") file transfer usage: "Clearly, storing
+ a file in a user's directory can be charged to that user." How is the
+ word "storing" used here? Surely, "that user" can be billed for the
+ disk or other storage medium charges incurred by that file which is
+ now taking up space, but is it legitimate to charge "that user" for
+ the I/O and/or CPU resources used by someone else to transfer a file
+ over the Network, and place it into that user's directory? For
+ example, should the recipient of Network mail be charged for the
+ resources consumed by someone else in sending it? (Would you care to
+ pay the postage for all the junk mail that arrives in your home (U.S.
+ Mail) mailbox?).
+
+
+
+Pogran [Page 2]
+
+RFC 501 Un-Muddling "Free File Transfer" 11 May 1973
+
+
+ Over the telephone, Bob explained to me that he desired a mechanism
+ which would, for example, enable me, at his request, to transfer a
+ file from my system to his directory on his system, without requiring
+ that I know his password. All well and good. In this situation, it
+ would make sense to charge Bressler's account for this file transfer.
+ But how does an un-authenticated user tell a server "Charge this to
+ Bressler's account because he says it's OK"? Pitfalls abound. The
+ file Transfer Server process needs to be able to charge an arbitrary
+ user's account; this again presupposes implementation 1) of the File
+ Transfer Server described above (or else any user process in the
+ system would have the capability of charging any user's account; this
+ seems undesirable). A more reasonable approach would be to charge
+ that instance of the File Transfer Server process to a general
+ "Network services" account. Mechanisms for accomplishing this are
+ presented in RFC 491. [3]
+
+ RFC 487 matter-of-factly suggests that retrieval of files in "system"
+ directories should be charged to "overhead". Here too, some broad
+ assumptions are made about the nature of accounting mechanisms and
+ accounts at server sites. In addition, an undesirable loss of
+ generality is imposed upon the File Transfer Server: It is now
+ required to have the capability of distinguishing the pathnames of
+ "system" files from those of "user" files. In a number of systems,
+ there is no syntactic distinction between the two, and the same
+ general mechanisms can be used to manipulate both kinds of files (if
+ a distinction between them can be made at all). The addition of code
+ to the File Transfer Server which examines the pathname given for
+ each request, to determine which sort it is, seems to be antithetical
+ to the goals of uniformity and generality that many of today's
+ systems have achieved.
+
+ The statement that a Network user's file transfer activity can be
+ charged to a system-wide "overhead" account contains two assumptions:
+ Such an account cannot be presumed to exist on all systems;
+ furthermore, if it does exist, in some cases it just isn't the right
+ account to charge. Certainly, a good case can be made that the cost
+ of fostering inter-user communication within the ARPA Network
+ community (which is what "free" file transfer amounts to) should be
+ borne by ARPA, meaning that such activity should be charged to ARPA-
+ funded accounts. If a host system's operation is entirely funded by
+ ARPA (or if its management doesn't care who pays for this activity),
+ then it makes sense to charge "free" file transfer activity to a
+ "system overhead" account. On the other hand, that isn't the correct
+ course of action for a host system whose operation is not funded by
+ ARPA, for charging "free" file transfers to "system overhead" would
+ result in passing the cost along to local customers who may have no
+ interest at all in the ARPA Network.
+
+
+
+
+Pogran [Page 3]
+
+RFC 501 Un-Muddling "Free File Transfer" 11 May 1973
+
+
+ Lastly, Bressler suggests that for file retrieval, CPU charges "may
+ be sufficiently small to not cause a major problem". To believe this
+ is naivete. It may appear to be true for a system which doesn't
+ charge the user for time spent executing supervisor code, or I/O
+ routines, where Network software overhead doesn't show up in the
+ user's bill. In this case, Network software overhead must contribute
+ to "general system overhead", the cost of which must be borne by all
+ users. I don't think many people in the Network community would
+ consider the actual (as opposed to charged) CPU time spent
+ transferring a file to be negligible. Certainly, if a system is a
+ very popular or busy one from a Network standpoint, the cumulative
+ CPU time spent on "free" file transfers, viewed at the end of an
+ accounting period (a week? a month? a year?) will not be negligible!
+
+ In this RFC, I've picked apart Bob Bressler's RFC 487, mostly because
+ of its confusion of several distinct (although related) issues, and
+ the implementation assumptions it contains which conflict with (or
+ badly bend out of shape) mechanisms and design philosophies existing
+ on other systems (in particular, the system I am most familiar with,
+ Multics) [4]. The applicability of the discussions in this RFC, I
+ think goes beyond that: We've got to acknowledge that it's difficult
+ to propose Network-wide mechanisms for providing desirable services
+ without building in assumptions about how they are to be implemented.
+ We're at a point where we're asking for fairly sophisticated
+ services, and proposing correspondingly sophisticated mechanisms.
+ It's time to begin talking about how various systems accomplish such
+ things as user authentication, access control, and so on, so that we
+ can all gain a clearer understanding of such issues, and be able to
+ propose mechanisms with fewer implementation assumptions built into
+ them.
+
+
+ END NOTES:
+
+ [1] On some systems, there is a one-to-one correspondence between
+ principals and accounts.
+
+ [2] It should be noted that systems which choose implementation 2)
+ may require a user authentication sequence (USER, PASS, and possibly
+ ACCT commands) before permitting any file transfers, as explicitly
+ stated on page 17 of RFC 354 (NIC 10596), and page 20 of RFC 4554
+ (NIC 14333). This authentication sequence would be required to
+ ascertain the principal identifier to be associated with the newly-
+ spawned File Transfer Server process; the process is not allowed to
+ proceed until its principal identifier has been established.
+
+
+
+
+
+
+Pogran [Page 4]
+
+RFC 501 Un-Muddling "Free File Transfer" 11 May 1973
+
+
+ [3] Note that there are at least two scenarios for accomplishing the
+ transfer Bressler desires: Either I "push" the file, using my "User
+ FTP" and his system's "FTP Server", or he "pulls" the file, using his
+ "User FTP" and my system's "FTP Server". Bob chose the first
+ scenario; it can be argued that, since it is Bob who wanted the file
+ transferred, the second scenario is the more appropriate one. A
+ forthcoming RFC by Mike Padlipsky expands on these points, as well as
+ an entirely different alternative.
+
+ [4] Padlipsky keeps insisting that I've also shown the superiority of
+ implementation 2) of the File Transfer Server (described above), but
+ I resist that conclusion. Those interested may want to look at his
+ Unified User-Level Protocol specification, which is based on a
+ similar premise.
+
+
+ [ This RFC was put into machine readable form for entry ]
+ [ into the online RFC archives by Via Genie]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Pogran [Page 5]
+