Supported Platforms
Related Documentation
- J, LN, SRX Series
- IPv6 NAT Overview
- IPv6 NAT PT Overview
- Additional Information
- Flow-Based Processing Feature Guide for Security Devices
IPv6 FTP ALG for Routing
The FTP ALG is the part of the ALG framework that handles File Transfer Protocol (FTP) traffic. In FTP, the PORT and PASV commands and their 200 and 227 responses announce the TCP port on which a host listens for the data connection.
The extended forms EPRT and EPSV, together with the 229 response, carry the same information in a protocol-independent format. The FTP ALG already supported EPRT, EPSV, and 229, but only for IPv4 addresses.
In Junos OS Release 10.4, EPRT, EPSV, and 229 handling was extended to support both IPv4 and IPv6 addresses.
The FTP ALG stores its session cookies in a preallocated objcache. With both IPv4 and IPv6 addresses supported, the session cookie structure grows by 256 bits (32 bytes) to store IPv6 addresses.
FTP ALG Support for IPv6
The FTP ALG monitors commands and responses on the FTP control channel for syntactic correctness and opens the corresponding pinholes so that data channel connections can be established. In Junos OS Release 10.4, the FTP ALG supported IPv4 routing, IPv6 routing, and IPv4 NAT mode only. In Junos OS Release 11.2 and later releases, the FTP ALG also supports IPv6 NAT and NAT-PT modes.
EPRT mode
The EPRT command specifies an extended address for the data connection. The extended address consists of the network protocol followed by the network address and the transport (TCP) port.
The format of EPRT is:
EPRT<space><d><net-prt><d><net-addr><d><tcp-port><d>
- <d>: A single delimiter character, conventionally the vertical bar (|); the same character must appear in all four positions
- <net-prt>: An address family number defined by IANA (1 for IPv4, 2 for IPv6)
- <net-addr>: A protocol-specific string representation of the network address
- <tcp-port>: A TCP port number
The following is a sample EPRT command for IPv6:
EPRT |2|1080::8:800:200C:417A|5282|
In this mode, the FTP ALG inspects only the EPRT command: it extracts the IPv6 address and port from the command and opens the pinhole for the data connection to that address and port.
EPSV mode
The EPSV command asks the server to listen on a data port and wait for a connection. The response to this command carries only the TCP port number of the listening socket; the data connection is made to the same address as the control connection.
An example response string is as follows:
Entering Extended Passive Mode (|||6446|)
Note: The response code for entering passive mode using an extended address must be 229. The ALG extracts the TCP port from the 229 payload and uses it to open the pinhole.
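The following is an added example, not code from the page or from Junos OS, showing how an ALG-style inspector would parse the EPRT command and the 229 extended passive response described above for both IPv4 and IPv6, validate the extended-address syntax (delimiter, address family number, address, port), and derive the pinhole to open. The sample control-channel lines, the client and server addresses (documentation prefixes), and the check that an EPRT address must match the control-connection peer are constructed for this example; that peer check is an added sanity check and is not a behaviour the page describes.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# IANA address family numbers as used in RFC 2428 extended addresses
AF_IPV4 = 1
AF_IPV6 = 2


@dataclass(frozen=True)
class Pinhole:
    """Data-channel endpoint the ALG would permit: (address, TCP port)."""
    address: str
    port: int


def _split_extended(field: str) -> list:
    """Split an extended address such as '|2|1080::8:800:200C:417A|5282|'.

    The first character is the delimiter <d>; it must be printable ASCII and
    must also terminate the field. Returns the three inner fields.
    """
    field = field.strip()
    if len(field) < 4:
        raise ValueError("extended address too short")
    d = field[0]
    if not 33 <= ord(d) <= 126:
        raise ValueError("delimiter must be printable ASCII")
    if field[-1] != d:
        raise ValueError("extended address not terminated by delimiter")
    return field[1:-1].split(d)


def _check_port(text: str) -> int:
    """Accept only a decimal TCP port in 1..65535."""
    if not text.isdigit():
        raise ValueError("port is not numeric")
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return port


def parse_eprt(line: str, control_peer: Optional[str] = None) -> Pinhole:
    """Parse 'EPRT <d><net-prt><d><net-addr><d><tcp-port><d>' into a Pinhole.

    The address family number must agree with the address literal. When
    control_peer is given, the announced address must equal the address the
    control connection came from (added check, hypothetical for this example:
    it stops a client from asking the ALG to open a pinhole toward a third host).
    """
    m = re.fullmatch(r"EPRT\s+(\S+)\s*", line, flags=re.IGNORECASE)
    if not m:
        raise ValueError("not an EPRT command")
    parts = _split_extended(m.group(1))
    if len(parts) != 3:
        raise ValueError("EPRT needs exactly three fields")
    net_prt, net_addr, tcp_port = parts
    if not net_prt.isdigit():
        raise ValueError("net-prt is not numeric")
    addr = ipaddress.ip_address(net_addr)
    if (int(net_prt), addr.version) not in ((AF_IPV4, 4), (AF_IPV6, 6)):
        raise ValueError(f"net-prt {net_prt} does not match address {net_addr}")
    port = _check_port(tcp_port)
    if control_peer is not None and ipaddress.ip_address(control_peer) != addr:
        raise ValueError("EPRT address differs from control-connection peer")
    return Pinhole(str(addr), port)


def parse_epsv_response(line: str, server_addr: str) -> Pinhole:
    """Parse a '229 Entering Extended Passive Mode (|||6446|)' reply.

    Only the port is carried; the data connection goes to the same address as
    the control connection, which the caller passes as server_addr.
    """
    m = re.fullmatch(r"229[ -].*?\((\S+?)\)\s*", line)
    if not m:
        raise ValueError("not a 229 extended passive reply")
    parts = _split_extended(m.group(1))
    if len(parts) != 3 or parts[0] or parts[1]:
        raise ValueError("229 reply must carry only a port (|||port|)")
    return Pinhole(str(ipaddress.ip_address(server_addr)), _check_port(parts[2]))


def inspect_control_channel(lines, client_ip: str, server_ip: str):
    """Walk (direction, line) pairs as the ALG sees them on the control channel.

    Returns the pinholes it would open and the lines it would reject.
    """
    opened, rejected = [], []
    for direction, line in lines:
        try:
            if direction == "C" and line.upper().startswith("EPRT"):
                opened.append(parse_eprt(line, control_peer=client_ip))
            elif direction == "S" and line.startswith("229"):
                opened.append(parse_epsv_response(line, server_ip))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return opened, rejected


# Constructed control-channel excerpt (not a real capture):
# client 2001:db8::10 talking to server 2001:db8::1 over IPv6.
SAMPLE_LINES = [
    ("C", "EPRT |2|2001:db8::10|5282|"),
    ("S", "200 EPRT command successful."),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||6446|)"),
    ("C", "EPRT |1|192.0.2.7|1234|"),  # valid syntax, but not the control peer
]

if __name__ == "__main__":
    opened, rejected = inspect_control_channel(SAMPLE_LINES, "2001:db8::10", "2001:db8::1")
    for p in opened:
        print(f"open pinhole to [{p.address}]:{p.port}")
    for line, why in rejected:
        print(f"reject {line!r}: {why}")
```

The two parsers keep the address family and address literal tied together, so an EPRT that claims family 1 with an IPv6 literal (or the reverse) is dropped rather than turned into a malformed pinhole, and a 229 reply that smuggles an address into the first two fields is rejected because only the port is permitted there.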
Published: 2014-10-19