Jeffrey N. Denenberg
jeffrey.denenberg@ieee.org
http://DoctorD.webhop.net
January 19, 2001 (Updated June 8, 2001)
The FTP protocol has developed over a long period, predating the World-Wide Web by more than 10 years. When its basic functions were defined, there were no dynamic IPs or NAT routers.
An IP address currently is a four-number code (IPv4, planned to be replaced in the near future by the new IPv6 standard) where each number ranges from 0 to 255 (e.g. 24.151.13.42). It can be either static (permanent) or dynamic (temporarily assigned and later reused by others). A dynamic IP makes it difficult for others to reliably find servers you may be running on your computer unless you use a Dynamic IP Service, as described in the next section.
A NAT router (e.g. the low-cost units from Linksys, Netgear, and D-Link) allows the sharing of one IP among several computers on a Local Area Network (LAN). It does this by taking ownership of the Wide Area Network (WAN) IP assigned to you by your Internet Service Provider (ISP), assigning local IP numbers to the computers on your LAN, and forwarding packets as appropriate. This has the side benefit of shielding your computers from the outside world (a firewall), but it can and does cause problems with some applications (e.g. games, IP telephony, and FTP servers).
Several organizations operate services that provide a pseudo Domain Name System (DNS) name to users with a dynamic IP. You need to register with such a service, create an account (some of them are at no cost) and set up a HOST name on their domain. Here are two examples that I use (both are free services, but contributions of cash or service are appreciated):
http://doctord.dyn.dhs.org:8000/ –
· DoctorD - my Host name
· dyn - stands for dynamic and is a subdomain at dhs.org
· dhs.org - the domain for Dynamic Host Services - http://www.dhs.org
· :8000 - the port that my web server is at (normally defaults to port 80)
http://doctord.dyndns.org:8000/ –
· DoctorD - my Host name again (it could have been different)
· dyndns.org - the domain for Dynamic Domain Name Services - http://www.dyndns.com
· :8000 - again, the port that my web server is at
Note: The "DoctorD.webhop.net" DNS name at the beginning of this paper is another service of dyndns that redirects you to my web server via my Hostname at their domain.
To automate the update of your IP at their server, you need to run a client software package on your machine that can detect your current IP number and send them a packet to update their database whenever it changes. Updates have to be done carefully so as not to overload their server with unnecessary updates.
The Windows client that I use is DynSite, written by Noel Danjou (noeldanjou@bigfoot.com, http://noeld.com/). DynSite supports most (41 as of January 2001) of the existing Dynamic IP services. There are many others for whatever operating system you happen to use.
Most FTP servers assume that the IP number of the local machine is known to the world (an appropriate assumption when the protocol was developed). A NAT router makes this assumption incorrect. The IP number is sent in several packet types (e.g. the "PORT" packet, which sets up "Passive" transfers) to the FTP client to tell it how to transfer data. If the IP number is wrong, the protocol breaks.
High-end NAT routers have a feature specifically designed to handle many of these problems, called "Stateful Packet Inspection". Each and every outgoing packet is opened up and parsed to find IP and port (an extension to the IP number) numbers. If found, the local IP is translated to the WAN IP and a forwarding entry for that port is established so that incoming packets to that port are sent to the local machine. The packet is then closed back up (redoing the CRC error checksum) and sent out. This feature improves security and allows FTP servers to function, but it is much too much work for a low-cost NAT router, so it is generally not implemented.
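The translation such a router performs on an FTP passive-mode reply, as an added Python model (not code from this paper or from any router product): it parses the 227 reply and, when the server advertised its private LAN address, substitutes the WAN address and records the data port that now has to be forwarded. The two addresses are constructed sample values.

```python
import ipaddress
import re

# Constructed sample values: the WAN address the ISP assigned to the router
# and the LAN address of the machine running the FTP server.
WAN_IP = "24.151.13.42"
LAN_IP = "192.168.1.10"

# RFC 959 passive-mode reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
# where the data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return the (ip, port) advertised by a 227 reply, or None if it is
    not a well-formed passive-mode reply."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def reachable_from_internet(ip):
    """A client on the Internet cannot connect to a private (LAN) address,
    which is why an untranslated reply breaks the transfer."""
    return not ipaddress.ip_address(ip).is_private

def rewrite_pasv(reply, lan_ip, wan_ip, forwards):
    """Model of the router feature: if the server advertised its LAN address,
    substitute the WAN address, add a forwarding entry for the data port, and
    return the corrected reply. Other replies pass through unchanged."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    ip, port = parsed
    if ip != lan_ip:
        return reply
    forwards[port] = lan_ip  # incoming packets to this port go to the LAN host
    h = wan_ip.replace(".", ",")
    return f"227 Entering Passive Mode ({h},{port // 256},{port % 256})\r\n"
```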
CrushFTP, written by Ben Spink (ben@crushftp.com, http://crushftp.com/), does its part in the solution by allowing the system administrator (you) to specify a hard_code_ip number in its configuration. Another feature lets it periodically update this by reading a text file in the application directory (hard_code_ip.txt) that has only the current WAN IP number in its first line.
DynSite, the Windows Dynamic IP client discussed earlier, offers the feature of writing the current WAN IP to a text file at a designated pathname each time an update occurs. (If you use a different operating system, you should be able to modify one of the script-based clients to perform the same function.)
These two programs work together to form a complete solution.
CrushFTP also has a feature (as do several other good FTP servers) that lets you, the system administrator, configure the server to limit the randomly selected passive ports to a designated contiguous range. This limits the number of forwarded ports to a reasonable number and reduces the security risk of open ports. Note that you must manually set up the NAT router to forward these ports (along with ports 21 and 20) to the machine running your FTP server.
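As an added Python example (not code from this paper, CrushFTP or DynSite), the following models both halves of the solution described above: a DynSite-style updater that rewrites hard_code_ip.txt only when the WAN IP has actually changed, and the server side that takes the first line of that file, checks it is a public address, and builds its passive-mode reply from it with a port chosen inside the configured range. The file name, port range and IP values are constructed assumptions.

```python
import ipaddress
import random
from pathlib import Path

# Constructed assumptions: where the server would look for the file, and the
# contiguous passive range the router has been told to forward.
HARD_CODE_IP_FILE = "hard_code_ip.txt"
PASSIVE_RANGE = (50000, 50009)

def should_update(previous_ip, current_ip):
    """Only push an update (to the dynamic-IP service and to the file) when
    the WAN IP actually changed, so the service is not flooded with no-ops."""
    return current_ip is not None and current_ip != previous_ip

def write_hard_code_ip(current_ip, path=HARD_CODE_IP_FILE):
    """DynSite-style updater: write the WAN IP as the first line of the file,
    but only if it differs from what is already there. Returns True if written."""
    p = Path(path)
    lines = p.read_text().splitlines() if p.exists() else []
    previous = lines[0].strip() if lines else None
    if not should_update(previous, current_ip):
        return False
    p.write_text(current_ip + "\n")
    return True

def read_hard_code_ip(text):
    """Server side: accept the first line only if it is a public IPv4 address;
    a private or malformed value would be advertised to every client."""
    lines = text.splitlines()
    first = lines[0].strip() if lines else ""
    try:
        ip = ipaddress.IPv4Address(first)
    except ValueError:
        return None
    return None if ip.is_private else str(ip)

def pasv_reply(wan_ip, port_range=PASSIVE_RANGE, rng=random):
    """Pick a passive data port inside the forwarded range and build the 227
    reply that advertises the WAN address and that port (port = p1*256 + p2)."""
    lo, hi = port_range
    port = rng.randint(lo, hi)
    h = wan_ip.replace(".", ",")
    return port, f"227 Entering Passive Mode ({h},{port // 256},{port % 256})\r\n"

def ports_to_forward(port_range=PASSIVE_RANGE):
    """Ports the NAT router must forward to the FTP machine: control (21),
    active-mode data (20) and the whole passive range."""
    lo, hi = port_range
    return [20, 21] + list(range(lo, hi + 1))
```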