Last Call Review of draft-hethmon-mcmurray-ftp-hosts-
review-hethmon-mcmurray-ftp-hosts-secdir-lc-orman-2010-05-03-00

Request: Review of draft-hethmon-mcmurray-ftp-hosts
Requested rev.: no specific revision (document currently at 15)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2010-05-10
Requested: 2010-04-15
Authors: Paul Hethmon, Robert McMurray
Draft last updated: 2010-05-03
Completed reviews: Secdir Last Call review of -?? by Hilarie Orman
Assignment: Reviewer Hilarie Orman
State: Completed
Review: review-hethmon-mcmurray-ftp-hosts-secdir-lc-orman-2010-05-03
Review completed: 2010-05-03

Review

Security review of 
File Transfer Protocol HOST Command
draft-hethmon-mcmurray-ftp-hosts-11

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

This protocol modification adds a command ("HOST") by which the client
designates a virtual host.  The server will then use an authentication
method suitable for that host, much as though a separate FTP server
were running for each virtual host.

There is a small area of concern surrounding the information
contained in the "HOST" command.  If the name of the virtual host is
sensitive information, then clients should protect it by using
encryption when first connecting to the server.  Although the
document anticipates host names as being publicly available DNS
names, that is not necessary, and some organizations will probably
use private names.

Hilarie
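
The ordering concern raised in the review, shown as an added example that is not part of the review or the draft: a check over a logged FTP control-channel session that reports any virtual host name sent in a HOST command before encryption was in place. It assumes explicit FTP over TLS as in RFC 4217 (client sends AUTH TLS, server accepts with reply 234); the function name, the "C:"/"S:" transcript format and the host names are constructed for illustration.

```python
"""Report HOST arguments sent before TLS was negotiated on the control channel."""

# Assumptions (not from the review): explicit FTP over TLS per RFC 4217,
# i.e. "AUTH TLS" from the client, accepted by the server with reply 234.
# The transcripts below are constructed samples in a made-up "C:"/"S:" format.

def find_cleartext_hosts(transcript):
    """Return virtual host names that crossed the control channel unencrypted.

    transcript: lines in wire order, "C: <command>" or "S: <reply>".
    """
    tls_active = False      # True once the server has accepted AUTH TLS
    auth_pending = False    # True between AUTH TLS and the server's final reply
    leaked = []
    for raw in transcript:
        side, _, text = raw.partition(":")
        side, text = side.strip().upper(), text.strip()
        if not text:
            continue
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "AUTH":
                auth_pending = arg.strip().upper() == "TLS"
            elif verb == "HOST" and not tls_active:
                leaked.append(arg.strip())
        elif side == "S" and auth_pending:
            if len(text) > 3 and text[3] == "-":
                continue    # intermediate line of a multi-line reply
            # Only a 234 reply means the TLS handshake will follow.
            tls_active = text.startswith("234")
            auth_pending = False
    return leaked

# Constructed sessions: HOST before AUTH, HOST after AUTH, and AUTH refused.
PLAINTEXT_FIRST = ["S: 220 Service ready", "C: HOST internal-payroll.example",
                   "S: 220 Host accepted", "C: AUTH TLS",
                   "S: 234 Proceed with negotiation", "C: USER alice"]
TLS_FIRST = ["S: 220 Service ready", "C: AUTH TLS",
             "S: 234 Proceed with negotiation",
             "C: HOST internal-payroll.example", "S: 220 Host accepted"]
TLS_REFUSED = ["S: 220 Service ready", "C: AUTH TLS",
               "S: 502 Command not implemented",
               "C: HOST internal-payroll.example", "S: 220 Host accepted"]

if __name__ == "__main__":
    for name in ("PLAINTEXT_FIRST", "TLS_FIRST", "TLS_REFUSED"):
        print(name, find_cleartext_hosts(globals()[name]))
```

The third session shows the case a client should treat as a stop condition when the host name is private: the server refused AUTH TLS, so a HOST sent afterwards is exposed.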