-
Notifications
You must be signed in to change notification settings - Fork 0
/
uftpproxyd.1
497 lines (451 loc) · 25.3 KB
/
uftpproxyd.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
.TH uftpproxyd 1 "28 February 2016" "UFTP 4.9"
.SH NAME
uftpproxyd \- Encrypted UDP based ftp with multicast \- proxy daemon
.SH SYNOPSIS
uftpproxyd { -s { dest | fp=fingerprint } | -c | -r }
[ -d ] [ -p port ] [ -t ttl ] [ -Q dscp ]
[ -N priority ] [ -O out_multi_interface ]
[ -U UID ] [ -q dest_port ] [ -m ] [ -x log_level ]
[ -H hb_server[:port][,hb_server[:port]...] ]
[ -g max_log_size ] [ -n max_log_count ]
[ -h hb_interval ] [ -B udp_buf_size ] [ -L logfile ]
[ -P pidfile ] [ -C clientlist_file ]
[ -S serverlist_file ] [ -k keyfile[,keyfile...] ]
[ -K rsa:key_len | ec:curve[,rsa:key_len | ec:curve...]]
[ -e ecdh_curve ] [ -I interface[,interface...] ]
[ -M pub_mcast_addr[,pub_mcast_addr...] ]
.SH DESCRIPTION
.P
.B uftpproxyd
is the proxy daemon of the UFTP suite.
It performs multicast tunneling, NAT traversal, and client response aggregation.
It is used in one of two scenarios.
The first is when the server and one or more clients are on separate networks and cannot be reached directly via multicast, and/or one or both sides are behind a firewall or NAT\(aqed.
This allows applications to function when there is little to no access to routers.
The second is when the server can contact clients directly but there are too many of them to directly handle the responses.
This allows greater scalability.
The proxy can run in one of three modes: a server proxy, a client proxy, or response proxy.
A server proxy is typically local to a server and acts as the upstream end of a multicast tunnel.
It listens on the public multicast address (and private multicast address when specified) and forwards downstream packets to a specific address downstream.
Upstream packets are forwarded back where the announcement originated from.
A client proxy is typically local to one or more clients and forms the downstream end of a multicast tunnel.
It receives unicast data from one or more server proxies and forwards downstream traffic to the multicast address specified in the packet header.
Upstream traffic from clients is gathered and forwarded back where the announcement came from as an aggregated response.
If a client proxy is behind a firewall, the proxy can send a heartbeat message to the upstream proxy to make a pinhole in the firewall that the upstream server proxy can connect to.
If the client proxy is also NATed, the upstream server proxy may not know the IP/port of the client proxy, so the server proxy can be configured to wait for a heartbeat message, and use the IP/port the heartbeat came from as its downstream address.
If the server proxy is also behind a firewall or NAT, a second server proxy on a machine with a publicly accessible IP can be inserted between the first server proxy and the client proxy.
In this case, the first server proxy is set up to use the second as its downstream address, and the second server proxy is set up to use the first heartbeat it receives from a client proxy as its downstream address.
A response proxy functions as a response aggregator in situations where the server has direct multicast accessibility to clients but the number of clients are too high for the server to handle itself.
It listens on the public multicast address (and private multicast address when specified), but does not forward packets from the server since those packets reach clients directly.
It does however send some messages directly to clients in the process of establishing encryption keys.
Upstream traffic from clients is gathered and forwarded back where the announcement came from as an aggregated response.
Clients in this environment are configured to send all responses to a specific response proxy.
Messages sent directly from response proxies to clients use multicast (either the primary public address, or the private address, depending on the message).
.SH EXAMPLES
.SS Server / Client Proxies
.nf
Figure 1
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x Network A x
x ---------- x
x | Server | x
x ---------- x
x | x
x | multicast x
x | x
x |----------------------------------------- x
x | | | x
x v v v x
x ---------------- ---------------- ---------- x
x | Server Proxy | | Server Proxy | | Client | x
x ---------------- ---------------- ---------- x
x | | x
x | unicast | unicast x
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| |
| ------------
| |
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx
x | Network B x x | Network C x
x v x x v x
x ---------------- x x ---------------- x
x | Client Proxy | x x | Client Proxy | x
x ---------------- x x ---------------- x
x | x x | x
x | multicast x x | multicast x
x | x x | x
x |------------- x x |------------ x
x | | x x | | x
x v v x x v v x
x ---------- ---------- x x ---------- ---------- x
x | Client | | Client | x x | Client | | Client | x
x ---------- ---------- x x ---------- ---------- x
x x x x
xxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx
.fi
.P
In Figure 1 above there are a server and five clients.
The server and one client are on network A, two clients are on network B, and two clients are on network C.
There is one client proxy on network B and one on network C.
On network A are two server proxies, one configured to send to the client proxy on network B and the other configured to send to the client proxy on network C.
Client proxies normally should NOT run on the same machine as a client.
Doing so can result in the server getting confused when it sees messages coming from a proxy and a client with the same IP and therefore cannot tell the difference.
This can only work if the machine has multiple IPs and the client proxy and client listen on different IPs.
NOTE: When using proxies in environments where private IP addresses are in use (10.x.x.x, 172.16-31.x.x, 192.168.x.x), it is strongly recommended to assign a unique ID to each client and client proxy, and for servers to call out clients by unique ID instead of name/IP.
This prevents IP address collisions at the server between two clients with the same local IP.
.SS Response Proxies
.nf
Figure 2
----------
|-->| Server |
| ----------
| |
| | multicast
| |
| |--------------------------------------
| | | | |
| | v | v
| | ------------------ | ------------------
| | | Response Proxy | | | Response Proxy |
| v ------------------ v ------------------
| ---------- ^ | ---------- ^ |
| | Client | | | | Client | | |
| ---------- | | ---------- | |
| | | | | | |
| | | | | | |
| ----------- | ------------ |
| client response | client response |
| | |
| proxy response | |
-----------------------------------------------------
.fi
.P
Figure 2 shows a simplified setup involving a server, two clients, and two response proxies, all on the same network segment.
In this environment, multicast messages from each proxy reaches both clients, not just the client it serves.
.nf
Figure 3
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x Network A x
x ---------- x
x ->| Server |<---------------------------------- x
x | ---------- | x
x | | | x
x | | multicast | x
x | | | x
x | | | x
x | ------------------------------------------ | x
x | | | | | | x
x | | v | v | x
x | | ------------------ | ------------------ x
x | | | Response Proxy | | | Response Proxy | x
x | | ------------------ | ------------------ x
x | | | ^ | ^ x
x |/|\\---- | | | x
x | | ----/|\\----------- x
x | | | | x
x | | | | x
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx|xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
| | | |
| ------------|| |
xxxxxxxxxxxxxxxxxxxxxxxxxxxx || xxxxxxxxxxxxxxxxxxxxxxxxxxxx
x | Network B x || x | Network C x
x | x || x | x
x | x || x | x
x ------------------ x || x ------------------ x
x | | x || x | | x
x v v x || x v v x
x ---------- ---------- x || x ---------- ---------- x
x | Client | | Client | x || x | Client | | Client | x
x ---------- ---------- x || x ---------- ---------- x
x | | x || x | | x
x -------------------x-||-x-------------------- x
x x x x
xxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx
.fi
.P
In Figure 3, there are two response proxies local to the server and four clients in two remote networks, with each response proxy handling the clients from one network.
Multicast messages from each proxy would reach all clients, not just the clients it serves.
Even though the proxies are offloading work from the server in handling client responses, the server\(aqs network still has to handle responses from all clients since the proxies are on the server\(aqs network.
As a result, this setup has limited scalability.
.nf
Figure 4
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x Network A x
x ---------- x
x ->| Server |<--------------x----------------
x | ---------- x |
x | | x |
x | | multicast x |
x | | x |
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| | |
| |-------------------------- |
| | | |
xxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx
x | | Network B1 x x | | Network C1 x
x | ------- x x |------- | x
x | | | x x | | | x
x | | v x x | v | x
x | | ------------------ x x | ------------------ x
x | | | Response Proxy | x x | | Response Proxy | x
x | | ------------------ x x | ------------------ x
x | | | ^ x x | ^ x
x |/|\\---- | x x | | x
x | | x --x-/|\\----------- x
x | | x | x | x
x | | x | x | x
xxxxxxxxxxxxxxxxxxxxxxxxxxxx | xxxxxxxxxxxxxxxxxxxxxxxxxxxx
| | | |
| ------------|| |
xxxxxxxxxxxxxxxxxxxxxxxxxxxx || xxxxxxxxxxxxxxxxxxxxxxxxxxxx
x | Network B2 x || x | Network C2 x
x | x || x | x
x | x || x | x
x ------------------ x || x ------------------ x
x | | x || x | | x
x v v x || x v v x
x ---------- ---------- x || x ---------- ---------- x
x | Client | | Client | x || x | Client | | Client | x
x ---------- ---------- x || x ---------- ---------- x
x | | x || x | | x
x -------------------x-||-x-------------------- x
x x x x
xxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxx
.fi
.P
In Figure 4, each proxy is at least one hop away from the clients it serves, and at least one hop away from the server.
In this case, multicast messages from each proxy only go to the clients it serves.
Also, since the proxies are not on the same network as the server, messages coming from the client don\(aqt have any effect on the server\(aqs local network.
A setup like this is the most scalabile, and is the most flexible since another server on a different network can utilize the response proxies in the same way.
.SH OPTIONS
.P
The following options are supported:
.TP
\fB\-s\fP { \fIdest\fP | \fBfp=\fP\fIfingerprint\fP }
Sets up the proxy as a server proxy.
If dest is specified, this is the name/IP of the downstream client proxy.
If fingerprint is specified, this designates the public key signature of the downstream proxy.
When this proxy gets a heartbeat message signed with the matching key, it will use the source IP:port of the heartbeat for its downstream address.
Exactly one of \fB\-s\fP, \fB\-c\fP, or\fB \fP\-r must be specified.
.TP
.B \-c
Sets up the proxy as a client proxy.
Exactly one of \fB\-s\fP, \fB\-c\fP, or\fB \fP\-r must be specified.
.TP
\fB\-r\fP[\fB:\fP\fIcurve\fP]
Sets up the proxy as a response proxy.
If "\fIcurve\fP" is given, specifies the EC curve to use for ECDH key exchange (see \fB\-k\fP and \fB\-K\fP for details), otherwise no ECDH key is generated.
Exactly one of \fB\-s\fP, \fB\-c\fP, or \fB\-r\fP must be specified.
.TP
.B \-d
Enable debug mode.
The process will run in the foreground and all output will go to stderr.
If specified, the \fB\-L\fP option is ignored.
.TP
.BI \-p \ port
The UDP port number to listen on.
Default is \fB1044\fP.
.TP
.BI \-t \ ttl
Specifies the time-to-live for multicast packets.
Default is \fB1\fP.
.TP
.BI \-N \ priority
Sets the process priority.
On Windows systems, valid values are from \fB\-2\fP to \fB2\fP, with a default of \fB0\fP.
These correspond to the following priorities:
.nf
-2 High
-1 Above Normal
0 Normal
1 Below Normal
2 Low
.fi
On all other systems, this is the "nice" value.
Valid values are from \fB\-20\fP to \fB19\fPp where \fB\-20\fP is the highest priority and 19 is the lowest priority.
Default is \fB0\fP.
.TP
.BI \-O \ out_multi_interface
The interface to send the data from.
Can be specified either by interface name, by hostname, or by IP.
If not specified, the default system interface is used.
Applies only to client proxies.
.TP
.BI \-U \ UID
The unique ID for this proxy, specified as an 8 digit hexadecimal number (0xnnnnnnnn).
The default value is based on the IP address of the first listed multicast capable interface on the system.
If this address is IPv4, the UID is the address.
If it is IPv6, the UID is the last 4 bytes of the address.
.TP
.BI \-q \ dest_port
The port number of the downstream proxy (for server proxies) or clients (for client proxies).
.TP
.B \-m
For Windows systems using CryptoAPI or CNG, private keys are normally stored in the key container of the running user.
Specifying this option stores keys in the system key container.
Useful when running as a service.
On non-Windows systems, this option has no effect.
.TP
.BI \-x \ log_level
Specifies current logging level.
Valid values are 0-5, with \fB0\fP being the least verbose and \fB5\fP being the most verbose.
Default is \fB2\fP, which is consistent with logging prior to version 3.5.
.TP
\fB\-H\fP \fIhb_server\fP[\fB:\fP\fIport\fP][\fB,\fP\fIhb_server\fP[\fB:\fP\fIport\fP]...]
Lists one or more proxies to send heartbeat messages to.
When sending a signed heartbeat message, the first key listed under \fB\-k\fP is used to sign the message.
If port is not specified for a given proxy, the default port of \fB1044\fP is assumed.
.TP
.BI \-h \ hb_interval
The time in seconds between sending heartbeat messages.
Ignored if \fB\-H\fP is not specified.
.TP
.BI \-g \ max_log_size
Specifies the maximum log file size in MB.
Once the log file reaches this size, the file is renamed with a .1 extension and a new log file is opened.
For example, if the log file is \fI/tmp/uftpproxyd.log\fP, it will be renamed \fI/tmp/uftpproxyd.log.1\fP and a new \fI/tmp/uftpproxyd.log\fP will be created.
Ignored if \fB\-d\fP is specified.
Valid values are 1-1024.
Default is no log rolling.
.TP
.BI \-n \ max_log_count
Specifies the maximum number of archive log files to keep when log rolling is active.
When the log file rolls, archive logs are renamed with an incrementing numerical extension until the max is reached.
Archive log files beyond the maximum are deleted.
Ignored if \fB\-g\fP is not specified.
Valid values are 1-1000.
Default is \fB5\fP.
.TP
.BI \-B \ buf_size
The size in bytes of the UDP send buffer and receive buffer to use.
Valid values are 65536-104857600 (64KB-100MB).
Defaults to \fB262144\fP.
.TP
.BI \-L \ logfile
Specifies the log file.
Default is \fI/tmp/uftpproxyd.log\fP for UNIX-like systems systems, \fIC:\\uftpproxyd_log.txt\fP for Windows.
.TP
.BI \-Q \ dscp
Specifies the Differentiated Services Code Point (DSCP), formerly Type of Service (TOS), in the IP header for all outgoing packets.
Valid values are 0-63 and may be specified in either decimal or hexadecimal.
Default is \fB0\fP.
On Windows XP systems, the OS doesn\(aqt allow this parameter to be changed by default.
To change this, add/modify the following DWORD registry value, set to 0, and reboot:
.na
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\DisableUserTOSSetting
.ad
Not currently supported on Windows Vista or later.
.TP
.BI \-P \ pidfile
The pidfile to write the daemon\(aqs pid to on startup.
Default is no pidfile.
.TP
.BI \-C \ clientlist_file
A file containing a list of clients the proxy will allow to receive files from.
The file should contain the name/IP of a client followed by the client\(aqs public key fingerprint, with one on each line.
The key specified by the client must match the fingerprint.
Applies only to client proxies.
.nf
Example contents:
0x00001111|66:1E:C9:1D:FC:99:DB:60:B0:1A:F0:8F:CA:F4:28:27:A6:BE:94:BC
0x00002222
.fi
.TP
.BI \-S \ serverlist_file
A file containing a list of servers.
The file should contain the ID of the server, the IP address the proxy expects the server\(aqs request to come from, and optionally the server\(aqs public key fingerprint, with one entry for a server on each line.
For client proxies, this is the list of servers the proxy will allow to connect, and the key specified by the server must match the fingerprint.
For server proxies, if your system supports source specific multicast (SSM), the proxy will subscribe to all public and private multicast addresses using SSM for all servers listed.
Response proxies perform both of the above functions
When this option is specified, the public and private addresses specified by the server must be valid SSM addresses.
Any ANNOUNCE that specifies a private IP that is not a valid SSM address will be rejected.
Valid SSM addresses are in the \fI232/8\fP range for IPv4 and the \fIff30::/96\fP range for IPv6.
.nf
Example contents:
0x11112222|192.168.1.101|66:1E:C9:1D:FC:99:DB:60:B0:1A:F0:8F:CA:F4:28:27:A6:BE:94:BC
0x11113333|fe80::213:72ff:fed6:69ca
.fi
.TP
\fB\-k\fP \fIkeyfile\fP[\fB,\fP\fIkeyfile\fP...]
.TP
\fB\-K\fP "{ \fBrsa:\fP\fIkey_len\fP | \fBec:\fP\fIcurve\fP }[\fB,\fP...]"
These two options are used to read and/or write the proxy\(aqs RSA/ECDSA private keys.
The \-K option creates one or more RSA or ECDSA private keys.
New keys are specified as either \fBrsa:\fP\fIkey_length\fP, which creates an RSA private key \fIkey_length\fP bits wide, or as \fBec:\fP\fIcurve\fP, which creates an EC key using the curve "\fIcurve\fP".
The list of supported EC curves is as follows (availability may vary depending on system settings and crypto library used):
sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1
If only \fB\-K\fP is specified, the keys created are not persisted.
If only \fB\-k\fP is specified, this option reads RSA or ECDSA private keys from each keyfile.
If \fB\-k\fP and \fB\-K\fP are specified, the keys created by \fB\-K\fP are written to the keyfiles listed by \fB\-k\fP.
In this case, \fB\-k\fP and \fB\-K\fP must give the same number of items.
If neither \fB\-k\fP nor \fB\-K\fP are specified, an RSA private key 512 bytes in length is generated and not persisted.
If \fB\-k\fP is specified but not \fB\-K\fP, the RSA or ECDSA private keys are read from each keyfile.
The definition of keyfile is dependent on the crypto library UFTP is compiled to use.
On Windows systems, UFTP can built to use either CNG, which is the new API supported by Windows Vista and Windows 7, or CryptoAPI, which is the legacy API and the only one available to Windows XP.
Under CryptoAPI, all RSA private keys must be stored in a key container (technically only keys used to sign data, but for UFTP\(aqs purposes this is the case).
Key containers are internal to Windows, and each user (and the system) has its own set of key containers.
In this case, key_file is actually the name of the key container.
When \fB\-k\fP is not specified, the generated key is not persisted. Elliptic Curve algorithms are not supported under CryptoAPI.
Under CNG, RSA and ECDSA private keys are also stored in key containers, and RSA keys created by CrypoAPI may be read by CNG.
Like CryptoAPI, key_file also specifies the key container name, and the generated key is not persisted if \fB\-k\fP is not specified.
CNG only supports 3 named EC curves: \fBprime256v1\fP, \fBsecp384r1\fP, and \fBsecp521r1\fP.
All other systems use OpenSSL for the crypto library (although under Windows UFTP can be also be built to use it).
In this case, key_file specifies a file name where the RSA private key is stored unencrypted in PEM format (the OS is expected to protect this file).
When both \fB\-k\fP and \fB\-K\fP are specified, the file is only written to if it does not currently exist.
If the file does exist, an error message will be returned and the server will exit.
When \fB\-k\fP is not specified, the generated key is not persisted.
These PEM files may also be manipulated via the openssl(1) command line tool.
Keys can also be generated and viewed via the
.BR uftp_keymgt (1)
utility.
.TP
.BI \-e \ ecdh_curve
Specifies the EC curve type to use for a response proxy\(aqs ECDH private key.
This option MUST be specified for a response proxy to use an ECDH key exchange scheme.
If unspecified, no ECDH key will be created.
Ignored if \fB\-r\fP is not specified.
.TP
\fB\-I\fP \fIinterface\fP[\fB,\fP\fIinterface\fP...]
For server proxies, lists one or more interfaces to listen to multicast traffic on.
For client proxies, the interface it reports itself as to servers and clients.
Interfaces can be specified either by interface name, by hostname, or by IP.
When receiving a closed group membership request, the client proxy will participate if any of these interfaces matches an IP in the announcement.
The default is to listen on all active non-loopback interfaces.
NOTE: Since Windows doesn\(aqt have named interfaces (not in the sense that UNIX-like systems do), only hostnames or IP addresses are accepted on Windows.
.TP
\fB\-M\fP \fIpub_mcast_addr\fP[\fB,\fP\fIpub_mcast_addr\fP...]
The list of public multicast addresses to listen on.
Used only by server proxies and response proxies.
Default is \fB230.4.4.1\fP.
.SH EXIT STATUS
.P
The following exit values are returned:
.TP
0
The proxy started successfully and is running in the background.
.TP
1
An invalid command line parameter was specified.
.TP
2
An error occurred while attempting to initialize network connections.
.TP
3
An error occurred while reading or generating cryptographic key data.
.TP
4
An error occurred while opening or rolling the log file.
.TP
5
A memory allocation error occurred.
.TP
6
The proxy was interrupted by the user.
.SH SEE ALSO
.BR uftp (1),
.BR uftpd (1),
.BR uftp_keymgt (1).
.SH NOTES
The latest version of UFTP can be found at http://uftp-multicast.sourceforge.net.
UFTP is covered by the GNU General Public License.
Commercial licenses and support are available from Dennis Bush ([email protected]).