RFC 5024
ODETTE File Transfer Protocol 2.0
6. File Services
6.1. Overview
ODETTE-FTP provides services for compressing, encrypting, and signing files. These services should generally be performed off line, outside of the ODETTE-FTP communications session for performance reasons, although this is not a strict requirement. ODETTE-FTP requires that the following steps must be performed in this exact sequence, although any of steps 2, 3, or 4 may be omitted. Step 1 is required only if any of steps 2, 3, or 4 are performed: 1. Insert record length indicators (V format files only; see Section 6.5) 2. Sign 3. Compress 4. Encrypt The cipher suite for the encryption and signing algorithms is assigned by bilateral agreement. Secured and/or compressed files must be enveloped. The envelope contains additional information about the service used that is necessary for a receiving party to fully process the file. The [CMS] content types used are: EnvelopedData - Indicates encrypted data CompressedData - Indicates compressed data SignedData - Indicates signed content Data - Indicates unstructured data For signed or encrypted data, the encapsulated content type (eContentType field) is id-data.6.2. File Signing
Files that are to be signed are enveloped according to the file enveloping format (SFIDENV). Generally, this will be as a [CMS] package. A file may be signed more than once to ease the changeover between old and new certificates.
It is recommended that the envelope does not contain the public certificate of the signer. Where files are sent to the same recipient continuously, it would serve no benefit to repeatedly send the same certificate. Both the original file data and signature are stored within the [CMS] package.6.3. File Encryption
Files that are to be encrypted are enveloped according to the file enveloping format (SFIDENV). Generally, this will be as a [CMS] package. It is recommended that encryption should be performed before the ODETTE-FTP session starts because a large file takes a long time to encrypt and could cause session time outs, even on high-performance machines. Likewise, decryption of the file should occur outside of the session. However, an application may choose to allow in-session encryption and decryption for very small files.6.4. File Compression
Files that are to be compressed are enveloped according to the file enveloping format (SFIDENV). Generally, this will be as a [CMS] package using the [CMS-Compression] data type, which uses the [ZLIB] compression algorithm by default. Unlike the buffer compression method, this method operates on a whole file. Because of the increased levels of compression, file level compression essentially deprecates the older buffer compression inside ODETTE-FTP. The buffer compression is kept for backwards compatibility.6.5. V Format Files - Record Lengths
A file that has been signed, compressed, and/or encrypted will have lost its record structure, so ODETTE-FTP will not be able to insert the End of Record Flag in subrecord headers in Data Exchange Buffers. To preserve the record structure, V format files must have record headers inserted into them prior to signing, compression, or encryption. These 2-byte binary numbers, in network byte order, indicate the length of each record, allowing the receiving system, where appropriate, to recreate the files complete with the original variable-length records. Note that the header bytes hold the number of data bytes in the record and don't include themselves.
This is only applicable to V format files, which themselves are typically only of concern for mainframes.7. ODETTE-FTP Data Exchange Buffer
7.1. Overview
Virtual Files are transmitted by mapping the Virtual File records into Data Exchange Buffers, the maximum length of which was negotiated between the ODETTE-FTP entities via the Start Session (SSID) commands exchanged during the Start Session phase of the protocol. Virtual File records may be of arbitrary length. A simple compression scheme is defined for strings of repeated characters. An example of the use of the Data Exchange Buffer can be found in Appendix A.7.2. Data Exchange Buffer Format
For transmission of Virtual File records, data is divided into subrecords, each of which is preceded by a 1-octet Subrecord Header. The Data Exchange Buffer is made up of the initial Command Character followed by pairs of Subrecord Headers and subrecords, as follows. o-------------------------------------------------------- | C | H | | H | | H | | / | M | D | SUBRECORD | D | SUBRECORD | D | SUBRECORD | /_ | D | R | | R | | R | | / o------------------------------------------------------- CMD The Data Exchange Buffer Command Character, 'D'. HDR A 1-octet Subrecord Header defined as follows: 0 1 2 3 4 5 6 7 o-------------------------------o | E | C | | | o | F | C O U N T | | R | | | o-------------------------------o
Bits
0 End of Record Flag
Set to indicate that the next subrecord is the last
subrecord of the current record.
Unstructured files are transmitted as a single record; in
this case, the flag acts as an end-of-file marker.
1 Compression Flag
Set to indicate that the next subrecord is compressed.
2-7 Subrecord Count
The number of octets in the Virtual File represented by the
next subrecord expressed as a binary value.
For uncompressed data, this is simply the length of the
subrecord.
For compressed data, this is the number of times that the
single octet in the following subrecord must be inserted in
the Virtual File.
As 6 bits are available, the next subrecord may represent
between 0 and 63 octets of the Virtual File.
7.3. Buffer Filling Rules
A Data Exchange Buffer may be any length up to the value negotiated
in the Start Session exchange.
Virtual File records may be concatenated within one Data Exchange
Buffer or split across a number of buffers.
A subrecord is never split between two Exchange Buffers. If the
remaining space in the current Exchange Buffer is insufficient to
contain the next 'complete' subrecord, one of the following
strategies should be used:
1. Truncate the Exchange Buffer, and put the complete subrecord
(preceded by its header octet) in a new Exchange Buffer.
2. Split the subrecord into two, filling the remainder of the
Exchange Buffer with the first new subrecord and starting a new
Exchange Buffer with the second.
A record of length zero may appear anywhere in the Exchange Buffer. A subrecord of length zero may appear anywhere in the record and/or the Exchange Buffer.8. Stream Transmission Buffer
8.1. Introduction
To utilise the TCP stream, a Stream Transmission Buffer (STB) is created by adding a Stream Transmission Header (STH) to the start of all Command and Data Exchange Buffers before they are passed to the TCP transport service. This allows the receiving ODETTE-FTP to recover the original Exchange Buffers. Note: The Stream Transmission Buffer is not used when using ODETTE- FTP over an X.25 network. This is because ODETTE-FTP can rely on the fact that the Network Service will preserve the sequence and boundaries of data units transmitted through the network and that the Network Service will pass the length of the data unit to the receiving ODETTE-FTP. TCP offers a stream-based connection that does not provide these functions. The Stream Transmission Buffer is composed of an STH and an OEB. o-----+-----------------+-----+--------------------+-----+------ | STH | OEB | STH | OEB | STH | OEB/ o-----+-----------------+-----+--------------------+-----+---- STH - Stream Transmission Header OEB - ODETTE-FTP Exchange Buffer8.2. Stream Transmission Header Format
The Stream Transmission Header is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Version| Flags | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Version
Value: 0001 (binary)
Stream Transmission Header version number.
Flags
Value: 0000 (binary)
Reserved for future use.
Length
Range: 5 - 100003 (decimal)
The length of the Stream Transmission Buffer (STH+OEB).
The smallest STB is 5 octets consisting of a 4-octet header
followed by a 1-octet Exchange Buffer such as a Change Direction
(CD) command.
The maximum Exchange Buffer length that can be negotiated is 99999
octets (Section 5.3.2) giving an STB length of 100003.
The length is expressed as a binary number in network byte order.
It is expected that implementations of this protocol will follow the
Internet robustness principle of being conservative in what is sent
and liberal in what is accepted.
9. Protocol State Machine
9.1. ODETTE-FTP State Machine
The operation of an ODETTE-FTP entity is formally defined by the
State Machine presented below. There are five State and Transition
tables, and for each table additional information is given in the
associated Predicate and Action lists.
The response of an ODETTE-FTP entity to the receipt of an event is
defined by a Transition table entry indexed by the Event/State
intersection within the appropriate state table.
Each Transition table entry defines the actions taken, events
generated, and new state entered. Predicates may be used within a
table entry to select the correct response on the basis of local
information held by the entity.
A Transition table contains the following fields:
Index (I) State transition index.
Predicate A list of predicates used to select between different
possible transitions. The predicates are defined in
the Predicate and Action lists.
Actions A list of actions taken by the entity. The actions are
defined in the Predicate and Action lists.
Events Output events generated by the entity.
Next State The new state of the entity.
9.2. Error Handling
The receipt of an event in a given state may be invalid for three
reasons.
1. The case is impossible by design of the state automata, denoted
'X' in the state tables. For example, a timer that has not been
set cannot run out.
2. The event is the result of an error in the Network Service
implementation, also denoted 'X' in the state tables. The
Network Service implementation is considered to be correct.
3. For all other cases, the event is considered to be a User Error,
denoted "U" in the state tables.
The state tables define the conditions under which a User event is
valid, thus preventing the generation of a protocol error by the
ODETTE-FTP entity as a result of a User Monitor error. The reaction
of the entity to such errors is undefined and regarded as a local
implementation issue.
The state tables also allow protocol errors due to the receipt of
invalid Exchange Buffers, to be detected. In such cases, the
reaction of the entity to the error is defined.
9.3. States
The Command Mode is strictly a half-duplex flip-flop mode. A_NC_ONLY Responder, Network Connection opened The Responder has sent its Ready Message (SSRM) and is waiting for Start Session (SSID) from the Initiator. A_WF_CONRS Responder Waiting for F_CONNECT_RS The Responder has received the Initiator's Start Session (SSID) and is waiting for a response (F_CONNECT_RS) from its User Monitor. CDSTWFCD CD_RQ stored in WF_CD state Since the User Monitor doesn't see the WF_CD state, it may send a Change Direction request (F_CD_RQ) before the ODETTE-FTP receives a Change Direction (CD) command. CLIP Close Input Pending The Listener has received an End File (EFID) command and is waiting for the Close File response (F_CLOSE_FILE_RS) from its User Monitor. CLOP Close Out Pending The Speaker has sent an End File (EFID) command and is waiting for an End File Answer (EFPA or EFNA). ERSTWFCD End to End Response stored in WF_CD state Since the User Monitor doesn't see the WF_CD state, it may send F_EERP_RQ, before ODETTE-FTP receives a Change Direction (CD) command. IDLE Connection IDLE IDLELI Idle Listener IDLELICD Idle Listener, F_CD_RQ Received The ODETTE-FTP entity has become the Listener after receiving a Change Direction request (F_CD_RQ) from the User Monitor. The receipt of an End Session (ESID) is valid in this state.
IDLESP Idle Speaker
IDLESPCD Idle Speaker, F_CD_IND Sent
The ODETTE-FTP entity has sent a Change Direction
indication (F_CD_IND) to the User Monitor. A Change
Direction request (F_CD_RQ) is invalid in this state.
I_WF_NC Initiator Waiting for Network Connection
The Initiator has requested a new network connection and
is waiting for a Connection confirmation (N_CON_CF) from
the Network Service.
I_WF_RM Initiator Waiting for Ready Message
Before sending Start Session (SSID), the Initiator must
wait for a Ready Message (SSRM) from the Responder.
I_WF_SSID Initiator Waiting for SSID
The Initiator has sent a Start Session (SSID) command and
is waiting for Start Session from the Responder.
NRSTWFCD Negative End Response stored in WF_CD state
Since the User Monitor doesn't see the WF_CD state, it
may send F_NERP_RQ, before ODETTE-FTP receives a Change
Direction (CD) command.
OPI Open Input (Data Transfer Phase)
The Listener is waiting for the Speaker to send a Data
Exchange Buffer.
OPIP Open Input Pending
The Listener has received a Start File (SFID) command and
is waiting for the Start File response (F_START_FILE_RS)
from its User Monitor.
OPO Open Out (Data Transfer Phase)
The Speaker has received a Start File Positive Answer
(SFPA) and is waiting for a Data (F_DATA_RQ) or Close
File (F_CLOSE_FILE) request from its User Monitor.
OPOP Open Out Pending
The Speaker has sent a Start File (SFID) command and is
waiting for a Start File Answer (SFPA or SFNA).
OPOWFC Open Out Wait for Credit
The Speaker is waiting for a Set Credit (CDT) command
before sending further Data Exchange buffers.
RTRP Ready to Receive (RTR) Pending
The Listener has received an EERP or a NERP and is
waiting for the Ready to Receive response (F_RTR_RS) from
its User Monitor.
SFSTWFCD Start File Request stored in WF_CD state.
Since the User Monitor doesn't see the WF_CD state, it
may send a Start File request (F_START_FILE_RQ) before
the ODETTE-FTP receives a Change Direction (CD) command.
WF_CD Wait for Change Direction
The Listener wishes to become the Speaker and is waiting
for a Change Direction (CD) command after sending an End
File Positive Answer (EFPA) requesting change direction.
WF_RTR Wait for Ready To Receive
The Speaker has sent an End to End Response (EERP) or a
Negative End Response (NERP) command and must wait for
Ready To Receive (RTR) from the Listener.
WF_NDISC Wait for N_DISC_IND
ODETTE-FTP has sent an End Session (ESID) command and is
waiting for a Disconnection indication (N_DISC_IND) from
the Network Service.
WF_SECD Wait for Security Change Direction
The Speaker is expecting a Security Change Direction
(SECD) from the Listener.
WF_AUCH Wait for Authentication Challenge
The Speaker has sent a Security Change Direction (SECD)
command and must wait for Authentication Challenge (AUCH)
from the Listener.
WF_AURP Wait for Authentication Response
The Speaker has sent an Authentication Challenge (AUCH)
command and must wait for Authentication Response (AURP)
from the Listener.
9.4. Input Events
User Monitor Input Events (Section 3)
F_DATA_RQ F_CONNECT_RQ F_START_FILE_RQ F_CLOSE_FILE_RQ
F_EERP_RQ F_CONNECT_RS F_START_FILE_RS(+) F_CLOSE_FILE_RS(+)
F_NERP_RQ F_ABORT_RQ F_START_FILE_RS(-) F_CLOSE_FILE_RS(-)
F_CD_RQ F_RELEASE_RQ F_RTR_RS
Network Input Events (Section 2.2)
N_CON_IND N_CON_CF N_DATA_IND N_DISC_IND N_RST_IND
Peer ODETTE-FTP Input Events (Section 4)
SSID SFID SFPA SFNA EFID EFPA EFNA
DATA ESID EERP RTR CD CDT SSRM
NERP SECD AUCH AURP
Internal Input Events
TIME-OUT - Internal ODETTE-FTP timer expires.
Input event parameters are denoted I.Event-name.Parameter-name within
the state table action and predicate lists. Their value can be
examined but not changed by the ODETTE-FTP entity.
9.5. Output Events
User Monitor Output Events (Section 3)
F_DATA_IND F_CONNECT_IND F_START_FILE_IND F_CLOSE_FILE_IND
F_EERP_IND F_CONNECT_CF F_START_FILE_CF(+) F_CLOSE_FILE_CF(+)
F_CD_IND F_ABORT_IND F_START_FILE_CF(-) F_CLOSE_FILE_CF(-)
F_NERP_IND F_RELEASE_IND F_DATA_CF F_RTR_CF
Network Output Events (Section 2.2) N_CON_RQ N_CON_RS N_DATA_RQ N_DISC_RQ Peer ODETTE-FTP Output Events (Section 4) SSID SFID SFPA SFNA EFID EFPA EFNA DATA ESID EERP RTR CD CDT SSRM NERP SECD AUCH AURP Output event parameters are denoted O.Event-name.Parameter-name within the state table action and predicate lists. Their values can be examined and changed by the ODETTE-FTP entity.9.6. Local Variables
The following variables are maintained by the ODETTE-FTP entity to assist the operation of the protocol. They are denoted V.Variable- name within the state table action and predicate lists. Their value can be examined and changed by the ODETTE-FTP entity. The initial value of each variable is undefined. Variable Type Comments --------------------------------------------------------------------- Buf-size Integer Negotiated Data Exchange Buffer size. Called-addr Address Used to build O.F_CONNECT_IND.Called-addr Calling-addr Address To build O.F_CONNECT_IND.Calling-addr Compression Yes/No Compression in use as agreed. Credit_L Integer Listener's credit counter. Credit_S Integer Speaker's credit counter. Id String Used to build O.SSID.Id Mode Sender-only, Receiver-only, Both. Pswd String Password, used to build O.SSID.Pswd Req-buf Primitive Input event (F_XXX_RQ) stored in WF_CD state. Restart Yes/No Restart in used as agreed. Restart-pos Integer Used only during file opening. Window Integer The credit value negotiated for the session. Caller Yes/No This entity initiated the ODETTE-FTP session. Authentication Yes/No Secure authentication in use as agreed Challenge Binary Random challenge ---------------------------------------------------------------------
9.7. Local Constants
The following constants define the capabilities of a given ODETTE-FTP entity. They are denoted C.Constant-name within the state table action and predicate lists. Their value can be examined but not changed by the ODETTE-FTP entity. Constant Value Comments --------------------------------------------------------------------- Cap-compression Yes/No Compression supported? Cap-init Initiator Must be Initiator. Responder Must be Responder. Both Can be Initiator or Responder. Cap-mode Sender-only Must be sender. Receiver-only Must be receiver. Both Can be sender or receiver. Max-buf-size 127 < Int < 100000 Maximum Data Exchange Buffer size supported. Max-window 0 < Int < 1000 Local maximum credit value. Cap-restart Yes/No Restart supported? Cap-logic 0, 1, 2 0 = does not support special logic 1 = supports special logic 2 = needs special logic ---------------------------------------------------------------------
9.8. Session Connection State Table
9.8.1. State Table
o----------------------------------------------------------o | | Other States | | |--------------------------------------------------o | | | WF_SECD | | | |----------------------------------------------o | | | | WF_AURP | | | | |------------------------------------------o | | | | | WF_AUCH | | | | | |--------------------------------------o | | | | | S | A_WF_CONRS | | | | | | |----------------------------------o | | | | | | T | A_NC_ONLY | | | | | | | |------------------------------o | | | | | | | A | I_WF_SSID | | | | | | | | |--------------------------o | | | | | | | | T | I_WF_RM | | | | | | | | | |----------------------o | | | | | | | | | E | I_WF_NC | | | | | | | | | | |------------------o | | | | | | | | | | | IDLE | | | | | | | | | | |==================o---+---+---+---+---+---+---+---+---+---| | | F_CONNECT_RQ | A | X | X | X | X | X | X | X | X | X | | |--------------+---+---+---+---+---+---+---+---+---+---| | E | N_CON_CF | X | C | X | X | X | X | X | X | X | X | | |--------------+---+---+---+---+---+---+---+---+---+---| | V | SSRM | X | X | H | X | X | X | L | L | L | X | | |--------------+---+---+---+---+---+---+---+---+---+---| | E | SSID | X | X | X | D | E | F | L | L | L | F | | |--------------+---+---+---+---+---+---+---+---+---+---| | N | N_CON_IND | B | X | X | X | X | X | X | X | X | X | | |--------------+---+---+---+---+---+---+---+---+---+---| | T | F_CONNECT_RS | X | U | U | U | U | G | X | X | X | U | | |--------------+---+---+---+---+---+---+---+---+---+---| | | ESID | X | X | X | F | X | X | F | F | F | X | | |--------------+---+---+---+---+---+---+---+---+---+---| | | AUCH | X | X | U | U | X | X | I | L | L | U | | |--------------+---+---+---+---+---+---+---+---+---+---| | | AURP | X | X | U | U | X | X | L | K | L | U | | |--------------+---+---+---+---+---+---+---+---+---+---| | | SECD | X | X | U | U | X | X | L | L | J | U | o----------------------------------------------------------o
9.8.2. Transition Table
I | Predicate Actions Output Events Next State ===o============================================================= A | P1: F_ABORT_IND IDLE | !P1: 1,2 N_CON_RQ I_WF_NC ---+------------------------------------------------------------- B | P3: N_DISC_RQ IDLE | !P3: 2 N_CON_RS | SSRM A_NC_ONLY ---+------------------------------------------------------------- C | 4,2 I_WF_RM ---+------------------------------------------------------------- D | P2 & P8 & P11: 4,2,5 SECD WF_AUCH | P2 & P8 & !P11: 4,2,5 F_CONNECT_CF IDLESP | P2 & !P8: 4,2 ESID(R=12) | F_ABORT_IND(R,AO=L) WF_NDISC | else: 4,2 ESID(R=10) | F_ABORT_IND(R,AO=L) WF_NDISC ---+------------------------------------------------------------- E | P4: 4 N_DISC_RQ IDLE | !P4: 4,2 F_CONNECT_IND A_WF_CONRS ---+------------------------------------------------------------- F | 4 F_ABORT_IND | N_DISC_RQ IDLE ---+------------------------------------------------------------- G | P2 & P9 & P10: 4,2,5 SSID WF_SECD | P2 & !P9 & P10: 4,2,5 SSID IDLELI | !P10: 4,2 ESID(R=12) | F_ABORT_IND(R,AO=L) WF_NDISC | else: 4,2 ESID(R=10) | F_ABORT_IND(R,AO=L) WF_NDISC ---+------------------------------------------------------------- H | 4,2,3 SSID I_WF_SSID ---+------------------------------------------------------------- I | P5: 4,2 AURP WF_SECD | !P5: 4,2 AURP IDLELI ---+------------------------------------------------------------- J | 4,2 AUCH WF_AURP ---+------------------------------------------------------------- K | P6: 4,2 F_CONNECT_CF IDLESP | P7: 4,2 SECD WF_AUCH | else: 4,2 ESID(R=11) | F_ABORT_IND(R,AO=L) WF_NDISC ---+------------------------------------------------------------- L | 4,2 ESID(R=02) | F_ABORT_IND(R,AO=L) WF_NDISC ---+-------------------------------------------------------------
9.8.3. Predicates and Actions
Predicate P1: (No resources available) OR (C.Cap-init = Responder) OR (C.Cap-mode = Sender-only AND I.F_CONNECT_RQ.Mode = Receiver-only) OR (C.Cap-mode = Receiver-only AND I.F_CONNECT_RQ.Mode = Sender-only) Predicate P2: SSID negotiation is successful (for these, Buf-size, Restart, Compression, Mode, Special logic, and Window, compare the inbound SSID with the local constants to set the local variables. Any incompatibilities result in failure of the negotiation.) Predicate P3: C.Cap-init = Initiator Predicate P4: Mode in SSID incompatible with C.Cap-mode Predicate P5: V.Caller = Yes Predicate P6: (V.Caller = Yes) AND (AURP.Signature verifies with V.Challenge) Predicate P7: (V.Caller = No) AND (AURP.Signature verifies with V.Challenge) Predicate P8: V.Authentication = I.SSID.Authentication Predicate P9: I.F_CONNECT_RS.Authentication = Yes Predicate P10: O.F_CONNECT_IND.Authentication = I.F_CONNECT_RS.Authentication Predicate P11: V.Authentication = Yes Action 1: Set V.Mode from (C.Cap-mode, I.F_CONNECT_RQ.Mode) Set V.Pswd, V.Id, V.Restart, and V.Authentication from I.F_CONNECT_RQ Set V.Buf-size = C.Max-buf-size Set V.Compression = C.Cap-compression Set V.Caller = Yes Build O.N_CON_RQ Action 2: Start inactivity timer Action 3: Set parameters in O.SSID = from local variables
Action 4: Stop timer
Action 5: Set V.Mode, V.Restart, V.Compression, V.Buf-size,
V.Window, V.Authentication = from SSID
Action 6: Set V.Challenge = A random number unique to the
session
9.9. Error and Abort State Table
9.9.1. State Table
o--------------------------------------o
| | Other States |
| S |------------------------------o |
| T | WF_NDISC | |
| A |--------------------------o | |
| T | I_WF_NC | | |
| E |----------------------o | | |
| | IDLE | | | |
|======================o---+---+---+---|
| | TIME-OUT | X | X | A | B |
| |------------------+---+---+---+---|
| E | F_ABORT_RQ | X | A | X | C |
| V |------------------+---+---+---+---|
| E | N_RST_IND | X | X | A | D |
| N |------------------+---+---+---+---|
| T | N_DISC_IND | X | E | F | G |
| |------------------+---+---+---+---|
| | Invalid Buffer | X | X | H | I |
o--------------------------------------o
9.9.2. Transition Table
I | Predicate Actions Output Events Next State ===o================================================================= A | N_DISC_RQ IDLE ---+----------------------------------------------------------------- B | F_ABORT_IND | N_DISC_RQ IDLE ---+----------------------------------------------------------------- C | 1 N_DISC_RQ IDLE ---+----------------------------------------------------------------- D | 1 N_DISC_RQ | F_ABORT_IND IDLE ---+----------------------------------------------------------------- E | F_ABORT_IND IDLE ---+----------------------------------------------------------------- F | 1 IDLE ---+----------------------------------------------------------------- G | 1 F_ABORT_IND IDLE ---+----------------------------------------------------------------- H | WF_NDISC ---+----------------------------------------------------------------- I | 1,2 ESID(R=01) | F_ABORT_IND(R,AO=L) WF_NDISC ---------------------------------------------------------------------9.9.3. Predicates and Actions
Action 1: Stop inactivity timer Action 2: Start inactivity timer9.10. Speaker State Table 1
9.10.1. State Table
The following abbreviations are used in the Speaker state table. F_REL_RQ(Ok) - F_RELEASE_RQ Reason = Normal F_REL_RQ(Err) - F_RELEASE_RQ Reason = Error o--------------------------------------------------------------------o | | Other States | | |--------------------------------------------------------------o | | | WF_NDISC | | | |----------------------------------------------------------o | | | | OPOWFC | | |
| |------------------------------------------------------o | | | | | OPO | | | | |S|--------------------------------------------------o | | | | | | OPOP | | | | | |T|----------------------------------------------o | | | | | | | CDSTWFCD | | | | | | |A|------------------------------------------o | | | | | | | | SFSTWFCD | | | | | | | |T|--------------------------------------o | | | | | | | | | NRSTWFCD | | | | | | | | |E|----------------------------------o | | | | | | | | | | ERSTWFCD | | | | | | | | | | |------------------------------o | | | | | | | | | | | WF_CD | | | | | | | | | | | |--------------------------o | | | | | | | | | | | | WF_RTR | | | | | | | | | | | | |----------------------o | | | | | | | | | | | | | IDLESPCD | | | | | | | | | | | | | |------------------o | | | | | | | | | | | | | | IDLESP | | | | | | | | | | | | | |=+==============o---+---+---+---+---+---+---+---+---+---+---+---+---| | | F_EERP_RQ | A | A | W | F | W | W | U | U | U | U | U | U | U | | |--------------+---+---+---+---+---+---+---+---+---+---+---+---+---| | | F_NERP_RQ | Y | Y | W | Z | W | W | U | U | U | U | U | U | U | | |--------------+---+---+---+---+---+---+---+---+---+---+---+---+---| | | F_START_ | B | B | W | G | W | W | U | U | U | U | U | X | U | | | FILE_RQ | | | | | | | | | | | | | | | |--------------+---+---+---+---+---+---+---+---+---+---+---+---+---| | | SFPA | C | C | C | C | C | C | C | C | K | C | C | S | C | | |--------------+---+---+---+---+---+---+---+---+---+---+---+---+---| |E| SFNA | C | C | C | C | C | C | C | C | L | C | C | S | C | | |--------------+---+---+---+---+---+---+---+---+---+---+---+---+---| |V| CD | C | C | C | H | R | Z1| I | J | C | C | C | S | C | | |--------------+---+---+---+---+---+---+---+---+---+---+---+---+---| |E| F_DATA_RQ | U | U | U | U | U | U | U | U | U | M | U | S | U | | |--------------+---+---+---+---+---+---+---+---+---+---+---+---+---| |N| CDT | C | C | C | C | C | C | C | C | C | P | O | S | C | | |--------------+---+---+---+---+---+---+---+---+---+---+---+---+---| |T| F_CD_RQ | D | U | W | T | W | W | U | U | U | U | U | X | U | | |--------------+---+---+---+---+---+---+---+---+---+---+---+---+---| | | F_REL_RQ(Ok) | U | E | U | U | U | U | U | U | U | U | U | X | U | | |--------------+---+---+---+---+---+---+---+---+---+---+---+---+---| | | F_REL_RQ(Err)| Q | Q | Q | Q | Q | Q | Q | Q | Q | Q | Q | S | Q | | |--------------+---+---+---+---+---+---+---+---+---+---+---+---+---| | | RTR | C | C | N | C | C | C | C | C | C | C | C | S | C | o--------------------------------------------------------------------o
9.10.2. Transition Table
I | Predicate Actions Output Events Next State ===o================================================================= A | P5: 1,2,3,18 EERP WF_RTR | !P5: 1,2,3 EERP WF_RTR ---+----------------------------------------------------------------- B | P1: UE | !P1: 1,2,5 SFID OPOP ---+----------------------------------------------------------------- C | 1,2 ESID(R=02) | F_ABORT_IND(R,AO=L) WF_NDISC ---+----------------------------------------------------------------- D | 1,2 CD IDLELICD ---+----------------------------------------------------------------- E | 1,2 ESID(R=00) WF_NDISC ---+----------------------------------------------------------------- F | 4 ERSTWFCD ---+----------------------------------------------------------------- G | P1: UE | !P1: 6 SFSTWFCD ---+----------------------------------------------------------------- H | 1,2 IDLESP ---+----------------------------------------------------------------- I | 1,2,10 SFID OPOP ---+----------------------------------------------------------------- J | 1,2 CD IDLELICD ---+----------------------------------------------------------------- K | P2: 1,2 ESID(R=02) | F_ABORT_IND(R,AO=L) WF_NDISC | !P2: 1,2,7,12 F_START_FILE_CF(+) OPO ---+----------------------------------------------------------------- L | 1,2,8 F_START_FILE_CF(-) IDLESP ---+----------------------------------------------------------------- M | P3: 1,2,11,13 DATA OPOWFC | !P3: 1,2,11,13 DATA | F_DATA_CF OPO ---+----------------------------------------------------------------- N | F_RTR_CF IDLESP ---+----------------------------------------------------------------- O | 12 F_DATA_CF OPO ---+----------------------------------------------------------------- P | Protocol 1,2 ESID(R=02) | Error F_ABORT_IND(R,AO=L) WF_NDISC ---+----------------------------------------------------------------- Q | 1,2 ESID(R) WF_NDISC ---+----------------------------------------------------------------- Continued -->
I | Predicate Actions Output Events Next State
===o=================================================================
R | 1,2,9 EERP WF_RTR
---+-----------------------------------------------------------------
S | WF_NDISC
---+-----------------------------------------------------------------
T | CDSTWFCD
---+-----------------------------------------------------------------
U | User Error UE
---+-----------------------------------------------------------------
W | User Error - Note 1 UE
---+-----------------------------------------------------------------
X | Error
---+-----------------------------------------------------------------
Y | P4 & P5: 1,2,15,18 NERP WF_RTR
| !P4 & !P5: 1,2,15,14 NERP WF_RTR
| P4 & !P5: 1,2,15 NERP WF_RTR
| !P4 & P5: 1,2,15,14,18 NERP WF_RTR
---+-----------------------------------------------------------------
Z | 16 NRSTWFCD
---------------------------------------------------------------------
Z1| P4: 1,2,17 NERP WF_RTR
| !P4: 1,2,17,14 NERP WF_RTR
---------------------------------------------------------------------
9.10.3. Predicates and Actions
Predicate P1: (I.F_START_FILE_RQ.Restart-pos > 0 AND V.Restart = No)
OR (V.Mode = Receiver-only)
Note: Restart requested and not supported for this session.
Predicate P2: I.SFPA.Restart-pos > V.Restart-pos
Note: Protocol error due to the restart position in the SFPA
acknowledgement being greater than the position
requested in the SFID request.
Predicate P3: V.Credit_S - 1 = 0
Note: Speaker's Credit is exhausted.
Predicate P4: No special logic is in use
Predicate P5: Signed EERP/NERP requested
Action 1: Stop inactivity timer
Action 2: Start inactivity timer
Action 3: Build an EERP from F_EERP_RQ
Action 4: Store F_EERP_RQ in V.Req-buf
Action 5: Build SFID from F_START_FILE_RQ
V.Restart-pos = I.F_START_FILE_RQ.Restart-pos
Action 6: Store F_START_FILE_RQ in V.Req-buf
Action 7: Build F_START_FILE_CF(+) from I.SFPA
Action 8: Build F_START_FILE_CF(-) from I.SFNA
Action 9: Build EERP from F_EERP_RQ stored in V.Req-buf
Action 10: Build SFID from F_START_FILE_RQ stored in V.Req-buf
Set V.Restart-pos
Action 11: Build Exchange Buffer
Action 12: V.Credit_S = V.Window
Action 13: V.Credit_S = V.Credit_S - 1
Action 14: Activate CRC-calculus function. Wrap Exchange buffer
in special logic
Action 15: Build a NERP from F_NERP_RQ
Action 16: Store F_NERP_RQ in V.Req-buf
Action 17: Build NERP from F_NERP_RQ stored in V.Req-buf
Action 18: Sign the contents of NERP/EERP
Note 1: Whether to accept this "Request/Event" while in this
state is a matter of local implementation. The ODETTE
state tables are based on the assumption that this
event cannot occur in this state and is considered to
be a user error (UE).
9.11. Speaker State Table 2
9.11.1. State Table
o---------------------------------o | S | CLOP | | T |-------------------------o | | A | OPOWFC | | | T |---------------------o | | | E | OPO | | | |=====================o---+---+---| | E | F_CLOSE_FILE_RQ | A | E | U | | V |-----------------+---+---+---| | E | EFPA | B | B | C | | N |-----------------+---+---+---| | T | EFNA | B | B | D | o---------------------------------o9.11.2. Transition Table
I | Predicate Actions Output Events Next State ===o================================================================= A | 1,2,5,7 EFID CLOP ---+----------------------------------------------------------------- B | 1,2 ESID(R=02) | F_ABORT_IND(R,AO=L) WF_NDISC ---+----------------------------------------------------------------- C | P1: 1,2,3 F_CLOSE_FILE_CF(+,SP=No) | CD IDLELI | !P1: 1,2,4 F_CLOSE_FILE_CF(+,SP=Yes) IDLESP ---+----------------------------------------------------------------- D | 1,2,6 F_CLOSE_FILE_CF(-) IDLESP ---+----------------------------------------------------------------- E | See Note 1 ---+----------------------------------------------------------------- U | User Error UE ---------------------------------------------------------------------9.11.3. Predicates and Actions
Predicate P1: (I.EFPA.CD-Request = Yes) Predicate P2: No special logic is in use Action 1: Stop inactivity timer Action 2: Start inactivity timer
Action 3: O.F_CLOSE_FILE_CF(+).Speaker = No
Action 4: O.F_CLOSE_FILE_CF(+).Speaker = Yes
Action 5: Build EFID from F_CLOSE_FILE_RQ
Action 6: Build F_CLOSE_FILE_CF(-) from EFNA
Action 7: Set V.Credit_S = 0
Action 8: Wrap Exchange buffer in special logic
Note 1: In order to respect the "half duplex" property of
ODETTE-FTP, it is forbidden to send EFID while in the
OPOWFC state. EFID can be sent only in the OPO state.
The ODETTE-FTP implementation must avoid sending EFID
(or receiving F_CLOSE_FILE_RQ) while in the OPOWFC
state.
9.12. Listener State Table
9.12.1. State Table
o---------------------------------------------o | | RTRP | | |-------------------------------------o | | | CLIP | | | |---------------------------------o | | | | OPI | | | | S |-----------------------------o | | | | T | OPIP | | | | | A |-------------------------o | | | | | T | IDLELICD | | | | | | E |---------------------o | | | | | | | IDLELI | | | | | | |=====================o---+---+---+---+---+---+ | | SFID | A | A | B | B | B | B | | |-----------------+---+---+---+---+---+---+ | E | DATA | B | B | B | I | B | B | | V |-----------------+---+---+---+---+---+---+ | E | EFID | B | B | B | J | B | B | | N |-----------------+---+---+---+---+---+---+ | T | F_START_FILE_RS | U | U | H | U | U | U | | |-----------------+---+---+---+---+---+---+ | | F_CLOSE_FILE_RS | U | U | U | U | K | U | | |-----------------+---+---+---+---+---+---+ | | CD | C | B | B | B | B | B | | |-----------------+---+---+---+---+---+---+ | | ESID R=Normal | D | F | D | D | D | D | | |-----------------+---+---+---+---+---+---+ | | ESID R=Error | D | D | D | D | D | D | | |-----------------+---+---+---+---+---+---+ | | EERP | E | E | B | B | B | B | | |-----------------+---+---+---+---+---+---+ | | NERP | L | L | B | B | B | B | | |-----------------+---+---+---+---+---+---+ | | F_RTR_RS | U | U | U | U | U | M | o---------------------------------------------o
9.12.2. Transition Table
I | Predicate Actions Output Events Next State ===o================================================================= A | P1: 1,2 ESID(R=02) | F_ABORT_IND(R,AO=L) WF_NDISC | !P1: 1,2,3 F_START_FILE_IND OPIP ---+----------------------------------------------------------------- B | 1,2 ESID(R=02) | F_ABORT_IND(R,AO=L) WF_NDISC ---+----------------------------------------------------------------- C | 1,2 F_CD_IND IDLESPCD ---+----------------------------------------------------------------- D | 1 F_ABORT_IND(Received | ESID Reason,AO=D) | N_DISC_RQ IDLE ---+----------------------------------------------------------------- E | 1,2,4 F_EERP_IND RTRP ---+----------------------------------------------------------------- F | 1 F_RELEASE_IND | N_DISC_RQ IDLE ---+----------------------------------------------------------------- H | P4: User Error UE | P2 & !P4 & !P5: 1,2,8 SFPA OPI | !P2 & !P4 & !P5: 1,2 SFNA IDLELI | P2 & !P4 & P5: 1,2,5,8 SFPA OPI | !P2 & !P4 & P5: 1,2,5 SFNA IDLELI ---+----------------------------------------------------------------- I | P6: 1,2 ESID(R=02) | F_ABORT_IND(R,A0=L) WF_NDISC | !P5 & !P6 & !P7: 1,2,7 F_DATA_IND (See Note 1) OPI | !P5 & !P6 & P7: 1,2,8 F_DATA_IND | CDT (See Note 1) OPI | P5 & !P6 & P8: 1,2 ESID(R=07) | F_ABORT_IND(R,A0=L) WF_NDISC | P5 & !P6 & !P7 : 1,2,6,7 F_DATA_IND (See Note 1) OPI | & !P8 | P5 & !P6 & P7 : 1,2,5,6,8 F_DATA_IND OPI | & !P8 CDT (See Note 1) ---+----------------------------------------------------------------- J | 1,2 F_CLOSE_FILE_IND CLIP ---+----------------------------------------------------------------- K | P2 & P3 & !P5: 1,2 EFPA(CD-Req) WF_CD | P2 & !P3 & !P5: 1,2 EFPA(no CD) IDLELI | !P2 & !P5: 1,2 EFNA IDLELI | P2 & !P3 & P5: 1,2,5 EFPA(no CD) IDLELI | !P2 & P5: 1,2,5 EFNA IDLELI | P2 & P3 & P5: 1,2,5 EFPA(CD-Req) WF_CD
---+-----------------------------------------------------------------
L | 1,2,10 F_NERP_IND RTRP
---+-----------------------------------------------------------------
M | 1,2 RTR IDLELI
---+-----------------------------------------------------------------
U | User Error UE
---------------------------------------------------------------------
9.12.3. Predicates and Actions
Predicate P1: (I.SFID.Restart-pos > 0 AND V.Restart = No) OR (V.Mode
= Sender-only)
Note: Invalid Start File command.
Predicate P2: Positive Response
Predicate P3: I.F_CLOSE_FILE_RS(+).Speaker = Yes
Predicate P4: I.F_START_FILE_RS(+).Restart-pos > V.Restart
Predicate P5: Special logic is used
Predicate P6: V.Credit_L - 1 < 0
Note: Protocol Error because the Speaker has exceeded its
available transmission credit.
Predicate P7: V.Credit_L - 1 = 0
Note: The Speaker's credit must be reset before it can send
further Data Exchange Buffers.
Predicate P8: The calculus of the received CRC indicates an error
Action 1: Stop inactivity timer
Action 2: Start inactivity timer
Action 3: Build F_START_FILE_IND from I.SFID
V.Restart-pos = I.SFID.Restart-pos
Action 4: Build F_EERP_IND from I.EERP
Action 5: Add special logic header to the command to be sent to
the Speaker
Action 6: Suppress the special logic header from the data buffer
before giving it to the user
Action 7: V.Credit_L = V.Credit_L - 1
Action 8: V.Credit_L = V.Window
Action 10: Build F_NERP_IND from I.NERP
Note 1: Flow control in case of reception.
The ODETTE-FTP Listener must periodically send new
credit to the Speaker. The timing of this operation
will depend on:
1. The User Monitor's capacity to receive data.
2. The number of buffers available to ODETTE-FTP.
3. The Speaker's available credit, which must be
equal to zero.
9.13. Example
Consider an ODETTE-FTP entity that has sent a Start File (SFID)
command and entered the Open Out Pending (OPOP) state. Its response
on receiving a Positive Answer (SFPA) is documented in Speaker State
Table 1, which shows that transition 'K' should be applied and is
interpreted as follows:
if (I.SFPA.Restart-pos > V.Restart-pos) then
begin // invalid restart
Actions: Stop inactivity timer, // reset timer
Start inactivity timer;
Output: ESID(R=02), // to peer ODETTE-FTP
F_ABORT_IND(R,AO=L); // to User Monitor
New State: WF_NDISC;
end
else begin
Actions: Stop inactivity timer, // reset timer
Start inactivity timer;
Build F_START_FILE_CF(+) from I.SFPA
V.Credit_S = V.Window // initialise credit
Output: F_START_FILE_CF(+); // to User Monitor
New State: OPO;
end
ODETTE-FTP checks the restart position in the received Start File Positive Answer (SFPA) command. If it is invalid, it aborts the session by sending an End Session (ESID) command to its peer and an Abort indication (F_ABORT_IND) to its User Monitor. If the restart position is valid, a Start File confirmation (F_START_FILE_CF) is built and sent to the User Monitor, the credit window is initialised, and the Open Out (OPO) state is entered.10. Miscellaneous
10.1. Algorithm Choice
The choice of algorithms to use for security or compression between partners is for bilateral agreement outside of ODETTE-FTP.10.2. Cryptographic Algorithms
The algorithms for symmetric and asymmetric cryptography and hashing are represented by a coded value, the cipher suite: Cipher Suite Symmetric Asymmetric Hashing ------------ ----------------- ------------ ------- 01 3DES_EDE_CBC_3KEY RSA_PKCS1_15 SHA-1 02 AES_256_CBC RSA_PKCS1_15 SHA-1 Support of all cipher suites listed here is mandatory. The certificates used must be [X.509] certificates. TripleDES is using Cipher Block Chaining (CBC) mode for added security and uses the Encryption Decryption Encryption (EDE) process with 3 different 64-bit keys. RSA padding is as defined in [PKCS#1]. AES is using a 256-bit key in CBC mode. An extended list of optional cipher suites may be used (Section 10.3), but there is no guarantee that two communicating ODETTE-FTP entities would both support these optional cipher suites.10.3. Protocol Extensions
The algorithms and file enveloping formats available in ODETTE-FTP may be extended outside of this document.
An up-to-date list of cipher suite values for use in ODETTE-FTP is maintained by ODETTE International, and published on their website at www.odette.org.10.4. Certificate Services
Certificates and certificate revocation lists may be exchanged as [CMS] enveloped files. It is therefore valid to exchange a [CMS] file that is neither encrypted, compressed, nor signed. It is an application implementation issue to determine the correct course of action on receipt of such a file.11. Security Considerations
ODETTE-FTP security requires the use of [X.509] certificates. If no security options are agreed for use, the send and receive passwords are sent in plain text. Whilst this is acceptable over X.25 and ISDN networks, this is a risky practice over insecure public networks such as the Internet. All, some, or none of the security options available in ODETTE-FTP may be used. No recommendations for the use of these options are provided in this specification. Whilst use of the highest-strength encryption algorithms may seem admirable, there is often a performance tradeoff to be made, and signing all files and acknowledgements has potential legal implications that should be considered. It should be noted that whilst the security measures ensure that an ODETTE-FTP partner is authenticated, it does not necessarily mean that the partner is authorised. Having proven the identity of a partner, it is an application issue to decide whether that partner is allowed to connect or exchange files. Extracted from [RFC3850]: "When processing certificates, there are many situations where the processing might fail. Because the processing may be done by a user agent, a security gateway, or other program, there is no single way to handle such failures. Just because the methods to handle the failures have not been listed, however, the reader should not assume that they are not important. The opposite is true: if a certificate is not provably valid and associated with the message, the processing software should take immediate and noticeable steps to inform the end user about it.
Some of the many situations in which signature and certificate
checking might fail include the following:
No certificate chain leads to a trusted CA
No ability to check the Certificate Revocation List (CRL) for a
certificate
An invalid CRL was received
The CRL being checked is expired
The certificate is expired
The certificate has been revoked
There are certainly other instances where a certificate may be
invalid, and it is the responsibility of the processing software to
check them all thoroughly, and to decide what to do if the check
fails. See RFC 3280 for additional information on certificate path
validation."
The push / pull nature of ODETTE-FTP means that a party can make an
outbound connection from behind a firewall to another party and
exchange files in both directions. There is no need for both
partners to open ports on their firewalls to allow incoming
connections; only one party needs to allow incoming connections.
See Section 1.7 for a discussion of the benefits of session security
[TLS] versus file security.
(next page on part 4)
