Status of this memo: Standards Track protocol.
Abstract: This document describes a protocol for the application-layer traversal of IP network firewalls. The security of such traversal depends heavily on the particular authentication and encapsulation methods provided by an implementation and selected during negotiation between the SOCKS client and the SOCKS server. The administrator should give careful consideration to which authentication methods are enabled.
Text:
SOCKS 5 protocol details
In practice, because some software uses SOCKS5 (such as OICQ, ICQ, etc.) and I did not know much about it, and I believe many friends are not very familiar with it either, I studied RFC1928 carefully and thought it was necessary to translate it for reference.
1. Introduction:
The use of network firewalls, systems that effectively isolate an organization's internal network from an exterior network such as the Internet, is becoming increasingly popular. These firewall systems typically act as application-layer gateways between networks, usually offering controlled TELNET, FTP and SMTP access. With the emergence of more sophisticated application-layer protocols designed to facilitate global information discovery, there is a need for a general framework that lets these protocols traverse a firewall transparently and securely.

There is also a need for strong authentication of such traversal, in as fine-grained a manner as is practical. This requirement stems from the observation that client-server relationships emerge between the networks of different organizations, and that such relationships need to be controlled and often strongly authenticated.

The protocol described here is designed to provide a framework for client-server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall. The protocol is conceptually a "shim layer" between the application layer and the transport layer, and as such does not provide network-layer gateway services such as the forwarding of ICMP messages.
2. Existing practice:
There currently exists a protocol, SOCKS Version 4, that provides unsecured firewall traversal for TCP-based client-server applications, including TELNET, FTP and the popular information-discovery protocols such as HTTP, WAIS and GOPHER. This new protocol extends the SOCKS Version 4 model to include UDP, extends the framework to include provisions for generalized strong authentication schemes, and extends the addressing scheme to encompass domain names and IPv6 addresses. Implementing the SOCKS protocol typically involves recompiling or relinking TCP-based client applications to use the appropriate encapsulation routines in the SOCKS library.
Note: Unless otherwise noted, the decimal numbers appearing in the packet-format diagrams represent the length of the corresponding field in octets. Where a given octet must take a specific value, the syntax X'hh' denotes the value of the single octet in that field. When the word "Variable" is used, the corresponding field has a variable length, defined either by an associated (one- or two-octet) length field or by a data type field.
3. Procedure for TCP-based clients
When a TCP-based client wishes to establish a connection to a target that is reachable only via a firewall (how this is determined is left up to the implementation), it must open a TCP connection to the appropriate SOCKS port on the SOCKS server. By convention the SOCKS service is located on TCP port 1080. If the connection request succeeds, the client enters a negotiation for the authentication method to be used, authenticates with the chosen method, and then sends a relay request. The SOCKS server evaluates the request and either establishes the requested relay or denies it. The client connects to the server and sends a version identifier/method selection message:
                   +----+----------+----------+
                   |VER | NMETHODS | METHODS  |
                   +----+----------+----------+
                   | 1  |    1     | 1 to 255 |
                   +----+----------+----------+

The VER field is set to X'05' for this version of the protocol. The NMETHODS field contains the number of method identifier octets that appear in the METHODS field. The server selects one of the methods given in METHODS and sends a METHOD selection message:

                         +----+--------+
                         |VER | METHOD |
                         +----+--------+
                         | 1  |   1    |
                         +----+--------+
If the selected METHOD is X'FF', none of the methods listed by the client are acceptable, and the client MUST close the connection.
The values currently defined for METHOD are:
>> X'00' NO AUTHENTICATION REQUIRED
>> X'01' GSSAPI (Generic Security Service Application Program Interface)
>> X'02' USERNAME/PASSWORD
>> X'03' to X'7F' IANA ASSIGNED
>> X'80' to X'FE' RESERVED FOR PRIVATE METHODS
>> X'FF' NO ACCEPTABLE METHODS
*** IANA is the organization responsible for assigning numbers, including IP addresses, on the global Internet (translator's note) ***
The client and server then enter a method-specific sub-negotiation. Descriptions of the method-dependent sub-negotiations appear in separate documents. Developers who want new METHOD support for this protocol should contact IANA to obtain a METHOD number. The ASSIGNED NUMBERS document should be consulted for the current list of METHOD numbers and their corresponding protocols. Compliant implementations MUST support GSSAPI and SHOULD support the USERNAME/PASSWORD authentication method.
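The negotiation described above, as an added example that is not part of the RFC or of the translation: the client's version identifier/method selection message, the server's METHOD selection reply, and a server-side policy that picks the strongest method both sides accept and answers X'FF' when nothing matches. The `allowed` set is a hypothetical administrator setting, not something the RFC defines; the messages run in-process so the example is self-contained.

```python
"""SOCKS5 method negotiation (RFC 1928 section 3), added example."""

SOCKS_VERSION = 0x05

# METHOD identifiers from RFC 1928 section 3.
NO_AUTH = 0x00
GSSAPI = 0x01
USERNAME_PASSWORD = 0x02
NO_ACCEPTABLE = 0xFF


def build_greeting(methods):
    """Client -> server: VER, NMETHODS, then 1 to 255 METHOD octets."""
    if not 1 <= len(methods) <= 255:
        raise ValueError("NMETHODS must be between 1 and 255")
    return bytes([SOCKS_VERSION, len(methods)]) + bytes(methods)


def parse_greeting(data):
    """Server side: validate the greeting and return the offered methods.

    The message length is checked against NMETHODS before slicing, so a
    short or oversized message is rejected instead of silently truncated.
    """
    if len(data) < 2:
        raise ValueError("greeting too short")
    ver, nmethods = data[0], data[1]
    if ver != SOCKS_VERSION:
        raise ValueError("unsupported SOCKS version %d" % ver)
    if nmethods == 0 or len(data) != 2 + nmethods:
        raise ValueError("NMETHODS does not match message length")
    return list(data[2:2 + nmethods])


def select_method(offered, allowed):
    """Server policy (hypothetical): strongest method both sides accept.

    Preference is GSSAPI, then USERNAME/PASSWORD, then NO AUTH, so a client
    that offers X'00' next to X'02' cannot talk the server down to
    unauthenticated access when the administrator permits only X'02'.
    """
    for method in (GSSAPI, USERNAME_PASSWORD, NO_AUTH):
        if method in offered and method in allowed:
            return method
    return NO_ACCEPTABLE


def build_selection(method):
    """Server -> client: VER, METHOD."""
    return bytes([SOCKS_VERSION, method])


def parse_selection(data):
    """Client side: the chosen METHOD; X'FF' means the client MUST close."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed METHOD selection message")
    return data[1]


def negotiate(client_methods, server_allowed):
    """Run both halves of the exchange in-process; return the agreed METHOD."""
    greeting = build_greeting(client_methods)
    offered = parse_greeting(greeting)
    reply = build_selection(select_method(offered, server_allowed))
    return parse_selection(reply)


if __name__ == "__main__":
    # Constructed inputs: a client offering NO AUTH and USERNAME/PASSWORD
    # against a server configured to permit only authenticated access.
    print(hex(negotiate([NO_AUTH, USERNAME_PASSWORD], {USERNAME_PASSWORD})))
    print(hex(negotiate([NO_AUTH], {USERNAME_PASSWORD})))
```

The point of the preference order in `select_method` is the downgrade case: a server that simply takes the first method the client lists would accept X'00' from any client that puts it first, which defeats the administrator's configuration.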
4. Requests
Once the method-dependent sub-negotiation has completed, the client sends the request details. If the negotiated method includes encapsulation for integrity checking and/or confidentiality, the request MUST be wrapped in the method-dependent encapsulation.
The SOCKS request is as shown in the following table:
        +----+-----+-------+------+----------+----------+
        |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
        +----+-----+-------+------+----------+----------+
        | 1  |  1  | X'00' |  1   | Variable |    2     |
        +----+-----+-------+------+----------+----------+
Where:

  o VER    protocol version: X'05'
  o CMD
      o CONNECT X'01'
      o BIND X'02'
      o UDP ASSOCIATE X'03'
  o RSV    RESERVED
  o ATYP   address type of the following address
      o IP V4 address: X'01'
      o DOMAINNAME: X'03'
      o IP V6 address: X'04'
  o DST.ADDR   desired destination address
  o DST.PORT   desired destination port, in network octet order

5. Addressing
In an address field (DST.ADDR, BND.ADDR), the ATYP field specifies the type of address contained in the field:

  o X'01'
    The address is a version-4 IP address, with a length of 4 octets.
  o X'03'
    The address field contains a fully-qualified domain name. The first octet of the address field contains the number of octets of name that follow; there is no terminating NUL octet.
  o X'04'
    The address is a version-6 IP address, with a length of 16 octets.
6. Replies
The client sends the SOCKS request as soon as it has established a connection to the SOCKS server and completed the authentication negotiation. The server evaluates the request and returns a reply formed as follows:
        +----+-----+-------+------+----------+----------+
        |VER | REP |  RSV  | ATYP | BND.ADDR | BND.PORT |
        +----+-----+-------+------+----------+----------+
        | 1  |  1  | X'00' |  1   | Variable |    2     |
        +----+-----+-------+------+----------+----------+
Where:

  o VER    protocol version: X'05'
  o REP    reply field:
      o X'00' succeeded
      o X'01' general SOCKS server failure
      o X'02' connection not allowed by ruleset
      o X'03' network unreachable
      o X'04' host unreachable
      o X'05' connection refused
      o X'06' TTL expired
      o X'07' command not supported
      o X'08' address type not supported
      o X'09' to X'FF' unassigned
  o RSV    RESERVED
  o ATYP   address type of the following address
      o IP V4 address: X'01'
      o DOMAINNAME: X'03'
      o IP V6 address: X'04'
  o BND.ADDR   server bound address
  o BND.PORT   server bound port, in network octet order

Fields marked RESERVED (RSV) must be set to X'00'. If the chosen method includes encapsulation for authentication, integrity and/or confidentiality, the reply is wrapped in the method-dependent encapsulation.
CONNECT
In the reply to a CONNECT, BND.PORT contains the port number that the server assigned to connect to the target host, while BND.ADDR contains the associated IP address. The supplied BND.ADDR is often different from the IP address the client uses to reach the SOCKS server, since such servers are often multi-homed. It is expected that the SOCKS server will use DST.ADDR and DST.PORT, together with the client-side source address and port, in evaluating the CONNECT request.
BIND
The BIND request is used in protocols that require the client to accept connections from the server. FTP is a well-known example: it uses the primary client-to-server connection for commands and status reports, but may use a server-to-client connection to transfer data on demand (e.g. LS, GET, PUT). It is expected that the client side of an application protocol will use the BIND request only to establish secondary connections, after a primary connection has been established using CONNECT. It is expected that the SOCKS server will use DST.ADDR and DST.PORT in evaluating the BIND request. Two replies are sent from the SOCKS server to the client during a BIND operation. The first is sent after the server creates and binds a new socket. Its BND.PORT field contains the port number the SOCKS server assigned to listen for an incoming connection, and its BND.ADDR field contains the associated IP address. The client will typically use this information to notify the application server (via the primary or control connection) of the rendezvous address. The second reply is sent only after the anticipated incoming connection succeeds or fails. In the second reply, the BND.PORT and BND.ADDR fields contain the address and port number of the connecting host.
UDP ASSOCIATE
The UDP ASSOCIATE request is used to establish an association within the UDP relay process to handle UDP datagrams. The DST.ADDR and DST.PORT fields contain the address and port that the client expects to use to send UDP datagrams on this association. The server MAY use this information to limit access to the association. If the client does not possess this information at the time of the UDP ASSOCIATE, it MUST use a port number and address of all zeros.
A UDP association terminates when the TCP connection on which the UDP ASSOCIATE request arrived terminates.
In the reply to a UDP ASSOCIATE request, the BND.PORT and BND.ADDR fields indicate the port number and address to which the client MUST send UDP request messages to be relayed.
Reply processing
When a reply (REP value other than X'00') indicates a failure, the SOCKS server MUST terminate the TCP connection shortly after sending the reply, and no more than 10 seconds after detecting the condition that caused the failure. If the reply code (REP value of X'00') indicates success and the request was either BIND or CONNECT, the client may now start passing data. If the selected authentication method supports encapsulation for integrity, authentication and/or confidentiality, the data is wrapped in the method-dependent encapsulation. Likewise, when data arrives at the SOCKS server for the client, the server MUST encapsulate it as appropriate for the authentication method in use.

7. Procedure for UDP-based clients
A UDP-based client must be used