The FTP64 (or service FTP) application-level gateway (ALG) helps stateful Network Address Translation 64 (NAT64) to operate
on Layer 7 data. FTP64 ALG translates IP addresses and the TCP port information embedded in the payload of an FTP control
NAT translates any TCP/UDP traffic that does not carry source and destination IP addresses in the application data stream.
Protocols that embed the IP address information within the payload (or in the application data stream) require the support
of an ALG. ALGs handle application data stream (Layer 7) protocol-specific services, such as translating embedded IP addresses
and port numbers in the packet payload and extracting new connection or session information from control channels.
FTP64 is automatically enabled when Stateful NAT64 is enabled. Use the
no nat64 service ftp command to disable the NAT64 FTP service.
The FTP64 ALG is not supported in Stateless NAT64 translation.
The FTP64 ALG does not support IPv4-compatible IPv6 addresses.
Based on IPv6-to-IPv4 translation FTP considerations draft-ietf-behave-ftp64-02 and RFC 2228, the FTP64 ALG must switch to transparent mode (a device in a transparent mode is invisible in the network;
however, this device can act as a bridge and inspect or filter packets), when commands and responses flow between the FTP
client and the FTP server. When a client issues the FTP AUTH command, the FTP64 ALG transparently forwards all data on the
control channel in both (ingress and egress) directions, until the end of the control channel session. Similarly, during an
AUTH negotiation, the ALG must be in transparent mode, whether the negotiation is successful or not.
Based on RFC 6384, the behavior of the FTP64 ALG during a client-server communication is different. During an IPv6-to-IPv4
translation, the FTP64 ALG must transparently copy data transmitted over the control channel so that the transport layer security
(TLS) session works correctly. However, the client commands and server responses are hidden from the FTP64 ALG. To ensure
a consistent behavior, as soon as the initial FTP AUTH command is issued by a client, the FTP64 ALG must stop translating
commands and responses and start transparently copying TCP data that is sent by the server to the client and vice versa. The
FTP64 ALG must ignore the AUTH command and not go into transparent mode if the server response is in the 4xx or 5xx ranges, which comprise FTP error/warning messages.
Prior to CSCtu37975, when an IPv6 FTP client issues an FTP AUTH command, irrespective of whether the IPv4 FTP server accepts
or rejects that authorization negotiation, the FTP64 ALG moves the AUTH session to transparent mode (or bypass mode). When
a session is in transparent mode, NAT cannot perform translation on the packets within the session. With CSCtu37975, during
a client-server communication, the FTP64 ALG’s behavior is compliant with RFC 6384.