Organization: China Interactive Publishing Network (http://www.china-pub.com/)
RFC Document Chinese Translation Plan (http://www.china-pub.com/compters/emook/aboutemook.htm)
E-mail: Ouyang@china-pub.com
Translator: Radeon (Radeon Bise@cmmail.com)
Translation published: 2001-6-18
Copyright: China Interactive Publishing Network. May be freely reprinted for non-commercial use, provided the translation and copyright information in this document is retained.
Network Working Group                                           M. Leech
Request for Comments: 1928                    Bell-Northern Research Ltd
Category: Standards Track                                       M. Ganis
                                         International Business Machines
                                                                  Y. Lee
                                                  NEC Systems Laboratory
                                                                R. Kuris
                                                       Unify Corporation
                                                               D. Koblas
                                                  Independent Consultant
                                                                L. Jones
                                                 Hewlett-Packard Company
                                                              March 1996
SOCKS Protocol Version 5
Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Acknowledgments

This memo describes a protocol that is an evolution of the previous version of the protocol, version 4 [1]. This new protocol stems from active discussions and prototype implementations. The key contributors are: Marcus Leech: Bell-Northern Research, David Koblas: Independent Consultant, Ying-Da Lee: NEC Systems Laboratory, LaMont Jones: Hewlett-Packard Company, Ron Kuris: Unify Corporation, Matt Ganis: International Business Machines.
Table of Contents

1. Introduction
2. Existing protocols
3. Procedure for TCP-based clients
4. Requests
5. Addressing
6. Replies
7. Procedure for UDP-based clients
8. Security Considerations
9. References

1. Introduction

The use of network firewalls, systems that effectively isolate an organization's internal network structure from an external network such as the Internet, is becoming increasingly popular. Such firewall systems typically act as application-layer gateways between the two networks, usually offering controlled Telnet, FTP and SMTP access. With the emergence of more sophisticated application-layer protocols designed to facilitate global information discovery, there is a need to provide a general framework for these protocols to transparently and securely traverse a firewall. There is also a need for strong authentication of such traversal in as fine-grained a manner as is practical. This requirement stems from the realization that client-server relationships emerge between the networks of various organizations, and that such relationships need to be controlled and often strongly authenticated.

The protocol described here is designed to provide a framework for client-server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall. The protocol is conceptually a "shim-layer" between the application layer and the transport layer, and as such does not provide network-layer gateway services, such as forwarding of ICMP messages.
2. Existing protocols

There currently exists a protocol, SOCKS Version 4, that provides for unsecured firewall traversal for TCP-based client-server applications, including TELNET, FTP and the popular information-discovery protocols such as HTTP, WAIS and GOPHER. This new protocol extends the SOCKS Version 4 model to include UDP, extends the framework to include provisions for generalized strong authentication schemes, and extends the addressing scheme to encompass domain-name and V6 IP addresses.

The implementation of the SOCKS protocol typically involves the recompilation or relinking of TCP-based client applications to use the appropriate encapsulation routines in the SOCKS library.

Note: Unless otherwise noted, the decimal numbers appearing in packet-format diagrams represent the length of the corresponding field, in octets. Where a given octet must take on a specific value, the syntax X'hh' is used to denote the value of the single octet in that field. When the word 'Variable' is used, it indicates that the corresponding field has a variable length defined either by an associated (one or two octet) length field, or by a data type field.
3. Procedure for TCP-based clients

When a TCP-based client wishes to establish a connection to an object that is reachable only via a firewall (such determination is left up to the implementation), it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system. The SOCKS service is conventionally located on TCP port 1080. If the connection request succeeds, the client enters a negotiation for the authentication method to be used, authenticates with the chosen method, then sends a relay request. The SOCKS server evaluates the request, and either establishes the appropriate connection or denies it.

The client connects to the server, and sends a version identifier/method selection message:
                   +----+----------+----------+
                   |VER | NMETHODS | METHODS  |
                   +----+----------+----------+
                   | 1  |    1     | 1 to 255 |
                   +----+----------+----------+

The VER field is set to X'05' for this version of the protocol. The NMETHODS field contains the number of method identifier octets that appear in the METHODS field.

The server selects from one of the methods given in METHODS, and sends a METHOD selection message:

                         +----+--------+
                         |VER | METHOD |
                         +----+--------+
                         | 1  |   1    |
                         +----+--------+

If the selected METHOD is X'FF', none of the methods listed by the client are acceptable, and the client MUST close the connection.

The values currently defined for METHOD are:

   o  X'00' NO AUTHENTICATION REQUIRED
   o  X'01' GSSAPI
   o  X'02' USERNAME/PASSWORD
   o  X'03' to X'7F' IANA ASSIGNED
   o  X'80' to X'FE' RESERVED FOR PRIVATE METHODS
   o  X'FF' NO ACCEPTABLE METHODS

The client and server then enter a method-specific sub-negotiation. Descriptions of the method-dependent sub-negotiations appear in separate memos.

Developers of new METHOD support for this protocol should contact IANA for a METHOD number. The ASSIGNED NUMBERS document should be referred to for a current list of METHOD numbers and their corresponding protocols.

Compliant implementations MUST support GSSAPI and SHOULD support USERNAME/PASSWORD authentication methods.

4. Requests

Once the method-dependent sub-negotiation has completed, the client sends the request details. If the negotiated method includes encapsulation for purposes of integrity checking and/or confidentiality, these requests MUST be encapsulated in the method-dependent encapsulation.

The SOCKS request is formed as follows:

        +----+-----+-------+------+----------+----------+
        |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
        +----+-----+-------+------+----------+----------+
        | 1  |  1  | X'00' |  1   | Variable |    2     |
        +----+-----+-------+------+----------+----------+

Where:

   o  VER    protocol version: X'05'
   o  CMD
      o  CONNECT X'01'
      o  BIND X'02'
      o  UDP ASSOCIATE X'03'
   o  RSV    RESERVED
   o  ATYP   address type of following address
      o  IP V4 address: X'01'
      o  DOMAINNAME: X'03'
      o  IP V6 address: X'04'
   o  DST.ADDR   desired destination address
   o  DST.PORT   desired destination port in network octet order

The SOCKS server will typically evaluate the request based on source and destination addresses, and return one or more reply messages, as appropriate for the request type.
5. Addressing

In an address field (DST.ADDR, BND.ADDR), the ATYP field specifies the type of address contained within the field:

   o  X'01'  the address is a version-4 IP address, with a length of 4 octets
   o  X'03'  the address field contains a fully-qualified domain name. The first octet of the address field contains the number of octets of name that follow; there is no terminating NUL octet.
   o  X'04'  the address is a version-6 IP address, with a length of 16 octets
6. Replies

The SOCKS request information is sent by the client as soon as it has established a connection to the SOCKS server, and completed the authentication negotiations. The server evaluates the request, and returns a reply formed as follows:

        +----+-----+-------+------+----------+----------+
        |VER | REP |  RSV  | ATYP | BND.ADDR | BND.PORT |
        +----+-----+-------+------+----------+----------+
        | 1  |  1  | X'00' |  1   | Variable |    2     |
        +----+-----+-------+------+----------+----------+

Where:

   o  VER    protocol version: X'05'
   o  REP    Reply field:
      o  X'00' succeeded
      o  X'01' general SOCKS server failure
      o  X'02' connection not allowed by ruleset
      o  X'03' Network unreachable
      o  X'04' Host unreachable
      o  X'05' Connection refused
      o  X'06' TTL expired
      o  X'07' Command not supported
      o  X'08' Address type not supported
      o  X'09' to X'FF' unassigned
   o  RSV    RESERVED
   o  ATYP   address type of following address
      o  IP V4 address: X'01'
      o  DOMAINNAME: X'03'
      o  IP V6 address: X'04'
   o  BND.ADDR   server bound address
   o  BND.PORT   server bound port in network octet order

Fields marked RESERVED (RSV) must be set to X'00'.

If the chosen method includes encapsulation for purposes of authentication, integrity and/or confidentiality, the replies are encapsulated in the method-dependent encapsulation.

CONNECT

In the reply to a CONNECT, BND.PORT contains the port number that the server assigned to connect to the target host, while BND.ADDR contains the associated IP address. The supplied BND.ADDR is often different from the IP address that the client uses to reach the SOCKS server, since such servers are often multi-homed. It is expected that the SOCKS server will use DST.ADDR and DST.PORT, and the client-side source address and port, in evaluating the CONNECT request.
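The message layouts of sections 3 through 6 (method selection, request and reply, with the three address types of section 5), worked through as an added example. This is not code from RFC 1928 or from any SOCKS implementation; the function and constant names are this example's own, and every byte string below is constructed by hand to match the packet diagrams. Note the two checks a lax parser tends to skip: a reply whose RSV octet is not X'00', and a reply whose length does not match its ATYP, are both rejected rather than silently accepted.

```python
"""Added example (not RFC 1928's own code): building and parsing the SOCKS5
messages of sections 3-6 exactly as the packet diagrams lay them out.
All names are this example's own and the sample bytes are constructed."""
import ipaddress
import struct

VER = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH, METHOD_GSSAPI, METHOD_USERPASS = 0x00, 0x01, 0x02
METHOD_NONE_ACCEPTABLE = 0xFF
REP_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "Network unreachable",
    0x04: "Host unreachable", 0x05: "Connection refused", 0x06: "TTL expired",
    0x07: "Command not supported", 0x08: "Address type not supported",
}


def encode_address(host):
    """ATYP octet followed by the address. A domain name is prefixed by its
    length octet and carries no terminating NUL (section 5)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 octets")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def decode_address(buf, off):
    """Parse ATYP + address starting at buf[off]; returns (host, next_offset)."""
    atyp = buf[off]
    off += 1
    if atyp == ATYP_IPV4:
        n, conv = 4, lambda b: str(ipaddress.IPv4Address(b))
    elif atyp == ATYP_IPV6:
        n, conv = 16, lambda b: str(ipaddress.IPv6Address(b))
    elif atyp == ATYP_DOMAIN:
        if off >= len(buf):
            raise ValueError("missing domain length octet")
        n, conv = buf[off], lambda b: b.decode("ascii")
        off += 1
    else:
        raise ValueError(f"unsupported ATYP 0x{atyp:02x}")
    if len(buf) < off + n:
        raise ValueError("truncated address")
    return conv(buf[off:off + n]), off + n


def encode_greeting(methods):
    """VER | NMETHODS | METHODS: the client's offered authentication methods."""
    if not 1 <= len(methods) <= 255:
        raise ValueError("NMETHODS must be 1..255")
    return bytes([VER, len(methods)]) + bytes(methods)


def decode_method_selection(buf):
    """VER | METHOD from the server. X'FF' means no offered method was
    acceptable; the client MUST close the connection."""
    if len(buf) != 2 or buf[0] != VER:
        raise ValueError("malformed method selection")
    if buf[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("no acceptable method; closing connection")
    return buf[1]


def encode_request(cmd, host, port):
    """VER | CMD | RSV=X'00' | ATYP | DST.ADDR | DST.PORT (network order)."""
    if cmd not in (CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE):
        raise ValueError("unknown CMD")
    return bytes([VER, cmd, 0x00]) + encode_address(host) + struct.pack("!H", port)


def decode_reply(buf):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (rep, host, port).
    RSV must be X'00' and no trailing octets are tolerated."""
    if len(buf) < 4 or buf[0] != VER or buf[2] != 0x00:
        raise ValueError("malformed reply header")
    host, off = decode_address(buf, 3)
    if len(buf) != off + 2:
        raise ValueError("reply length does not match ATYP")
    return buf[1], host, struct.unpack("!H", buf[off:off + 2])[0]


def client_connect_exchange(server_method, server_reply, host, port):
    """Walk a CONNECT handshake against constructed server messages. Returns
    the greeting and request the client sent plus either the bound
    (address, port) on success or the REP failure text."""
    greeting = encode_greeting([METHOD_NO_AUTH, METHOD_USERPASS])
    decode_method_selection(server_method)      # raises on X'FF'
    request = encode_request(CMD_CONNECT, host, port)
    rep, bnd_addr, bnd_port = decode_reply(server_reply)
    if rep != 0x00:
        # The server closes the TCP connection within 10 s; nothing more to send.
        return greeting, request, REP_TEXT.get(rep, "unassigned")
    return greeting, request, (bnd_addr, bnd_port)
```

A UDP ASSOCIATE request from a client that does not yet know its source address is encoded with `encode_request(CMD_UDP_ASSOCIATE, "0.0.0.0", 0)`, which yields the all-zero DST.ADDR and DST.PORT the text requires.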
BIND

The BIND request is used in protocols which require the client to accept connections from the server. FTP is a well-known example, which uses the primary client-to-server connection for commands and status reports, but may use a server-to-client connection for transferring data on demand (e.g. LS, GET, PUT).

It is expected that the client side of an application protocol will use the BIND request only to establish secondary connections after a primary connection is established using CONNECT. It is expected that a SOCKS server will use DST.ADDR and DST.PORT in evaluating the BIND request.

Two replies are sent from the SOCKS server to the client during a BIND operation. The first is sent after the server creates and binds a new socket. The BND.PORT field contains the port number that the SOCKS server assigned to listen for an incoming connection. The BND.ADDR field contains the associated IP address. The client will typically use these pieces of information to notify (via the primary or control connection) the application server of the rendezvous address. The second reply occurs only after the anticipated incoming connection succeeds or fails. In the second reply, the BND.PORT and BND.ADDR fields contain the address and port number of the connecting host.
UDP ASSOCIATE

The UDP ASSOCIATE request is used to establish an association within the UDP relay process to handle UDP datagrams. The DST.ADDR and DST.PORT fields contain the address and port that the client expects to use to send UDP datagrams on for the association. The server MAY use this information to limit access to the association. If the client is not in possession of the information at the time of the UDP ASSOCIATE, the client MUST use a port number and address of all zeros.

A UDP association terminates when the TCP connection that the UDP ASSOCIATE request arrived on terminates.

In the reply to a UDP ASSOCIATE request, the BND.PORT and BND.ADDR fields indicate the port number/address where the client MUST send UDP request messages to be relayed.
Reply Processing

When a reply (REP value other than X'00') indicates a failure, the SOCKS server MUST terminate the TCP connection shortly after sending the reply. This must be no more than 10 seconds after detecting the condition that caused the failure.

If the reply code (REP value of X'00') indicates a success, and the request was either a BIND or a CONNECT, the client may now start passing data. If the selected authentication method supports encapsulation for the purposes of integrity, authentication and/or confidentiality, the data are encapsulated using the method-dependent encapsulation. Similarly, when data arrives at the SOCKS server for the client, the server MUST encapsulate the data as appropriate for the authentication method in use.

7. Procedure for UDP-based clients

A UDP-based client MUST send its datagrams to the UDP relay server at the UDP port indicated by BND.PORT in the reply to the UDP ASSOCIATE request. If the selected authentication method provides encapsulation for the purposes of authenticity, integrity, and/or confidentiality, the datagram MUST be encapsulated using the appropriate encapsulation. Each UDP datagram carries a UDP request header with it:

      +----+------+------+----------+----------+----------+
      |RSV | FRAG | ATYP | DST.ADDR | DST.PORT |   DATA   |
      +----+------+------+----------+----------+----------+
      | 2  |  1   |  1   | Variable |    2     | Variable |
      +----+------+------+----------+----------+----------+

The fields in the UDP request header are:
   o  RSV       Reserved X'0000'
   o  FRAG      Current fragment number
   o  ATYP      address type of following addresses:
      o  IP V4 address: X'01'
      o  DOMAINNAME: X'03'
      o  IP V6 address: X'04'
   o  DST.ADDR  desired destination address
   o  DST.PORT  desired destination port in network octet order
   o  DATA      user data

When a UDP relay server decides to relay a UDP datagram, it does so silently, without any notification to the requesting client. Similarly, it will drop datagrams it cannot or will not relay. When a UDP relay server receives a reply datagram from a remote host, it MUST encapsulate that datagram using the above UDP request header, and any authentication-method-dependent encapsulation.

The UDP relay server MUST acquire from the SOCKS server the expected IP address of the client that will send datagrams to the BND.PORT given in the reply to UDP ASSOCIATE. It MUST drop any datagrams arriving from any source IP address other than the one recorded for the particular association.

The FRAG field indicates whether or not this datagram is one of a number of fragments. If implemented, the high-order bit indicates end-of-fragment sequence, while a value of X'00' indicates that this datagram is standalone. Values between 1 and 127 indicate the fragment position within a fragment sequence. Each receiver will have a REASSEMBLY QUEUE and a REASSEMBLY TIMER associated with these fragments. The reassembly queue must be reinitialized and the associated fragments abandoned whenever the REASSEMBLY TIMER expires, or a new datagram arrives carrying a FRAG field whose value is less than the highest FRAG value processed for this fragment sequence. The reassembly timer MUST be no less than 5 seconds. It is recommended that fragmentation be avoided by applications wherever possible.

Implementation of fragmentation is optional; an implementation that does not support fragmentation MUST drop any datagram whose FRAG field is other than X'00'.
The programming interface for a SOCKS-aware UDP MUST report an available buffer space for UDP datagrams that is smaller than the actual space provided by the operating system:

   o  if ATYP is X'01' - 10+method_dependent octets smaller
   o  if ATYP is X'03' - 262+method_dependent octets smaller
   o  if ATYP is X'04' - 20+method_dependent octets smaller
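The relay side of section 7, worked through as an added example covering the UDP ASSOCIATE association, the UDP request header, the source-address check, the FRAG reassembly rules and the buffer-size rule above. This is not code from RFC 1928 or from any SOCKS relay; the class and function names are this example's own, the datagrams in the demo are constructed, and the current time is passed in as a parameter so the REASSEMBLY TIMER rule can be exercised without sleeping.

```python
"""Added example (not RFC 1928's own code): a UDP relay association that
parses the UDP request header of section 7, drops datagrams from any source
other than the recorded client, and reassembles fragments under the
REASSEMBLY QUEUE / REASSEMBLY TIMER rules. Names are this example's own;
the demo datagrams are constructed."""
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
FRAG_LAST = 0x80          # high-order bit of FRAG: end of fragment sequence
REASSEMBLY_TIMEOUT = 5.0  # seconds; the timer MUST be no less than 5 s


def _addr_end(buf, off):
    """Offset just past the ATYP + address field that starts at buf[off]."""
    atyp = buf[off]
    if atyp == ATYP_IPV4:
        return off + 1 + 4
    if atyp == ATYP_DOMAIN:
        return off + 2 + buf[off + 1]         # length octet, no trailing NUL
    if atyp == ATYP_IPV6:
        return off + 1 + 16
    raise ValueError(f"unsupported ATYP 0x{atyp:02x}")


def parse_udp_request(buf):
    """RSV(2) | FRAG(1) | ATYP(1) | DST.ADDR | DST.PORT(2) | DATA.
    Returns (frag, atyp_and_address_bytes, port, data)."""
    if len(buf) < 8 or buf[0:2] != b"\x00\x00":
        raise ValueError("bad RSV or truncated header")
    end = _addr_end(buf, 3)
    if len(buf) < end + 2:
        raise ValueError("truncated header")
    port = struct.unpack("!H", buf[end:end + 2])[0]
    return buf[2], buf[3:end], port, buf[end + 2:]


def build_udp_request(addr_field, port, data, frag=0):
    """Inverse of parse_udp_request; addr_field is the ATYP + address bytes."""
    return b"\x00\x00" + bytes([frag]) + addr_field + struct.pack("!H", port) + data


class Association:
    """One UDP association: accepts datagrams only from the client address
    recorded at UDP ASSOCIATE time and reassembles fragment sequences."""

    def __init__(self, client_ip, support_fragments=True):
        self.client_ip = client_ip
        self.support_fragments = support_fragments
        self.dropped = 0
        self._reset_queue()

    def _reset_queue(self):
        self.queue = {}          # fragment position (1..127) -> data
        self.highest = 0         # highest FRAG position processed so far
        self.started = None      # time the reassembly timer was armed
        self.last_pos = None     # position carrying the end-of-sequence bit

    def receive(self, src_ip, datagram, now):
        """Returns (dst_addr_field, port, payload) when a standalone datagram
        or a complete fragment sequence is ready to relay, else None."""
        if src_ip != self.client_ip:          # MUST drop foreign sources
            self.dropped += 1
            return None
        frag, dst, port, data = parse_udp_request(datagram)
        if frag == 0:
            return dst, port, data            # standalone datagram
        if not self.support_fragments:        # optional feature not implemented
            self.dropped += 1
            return None
        pos, last = frag & 0x7F, bool(frag & FRAG_LAST)
        if pos == 0:                          # X'80' alone has no position
            self.dropped += 1
            return None
        # Timer expiry, or a FRAG lower than the highest seen: abandon the queue.
        if self.started is not None:
            if now - self.started > REASSEMBLY_TIMEOUT or pos < self.highest:
                self.dropped += len(self.queue)
                self._reset_queue()
        if self.started is None:
            self.started = now
        self.queue[pos] = data
        self.highest = max(self.highest, pos)
        if last:
            self.last_pos = pos
        if self.last_pos is not None and all(p in self.queue for p in range(1, self.last_pos + 1)):
            payload = b"".join(self.queue[p] for p in range(1, self.last_pos + 1))
            self._reset_queue()
            return dst, port, payload
        return None


def max_udp_payload(os_buffer, atyp, method_overhead=0):
    """Buffer space a SOCKS-aware UDP API must report for the given ATYP."""
    header = {ATYP_IPV4: 10, ATYP_DOMAIN: 262, ATYP_IPV6: 20}[atyp]
    return os_buffer - header - method_overhead


def demo():
    """Constructed exchange: a three-fragment sequence interleaved with one
    datagram from a spoofed source, which the relay must drop."""
    dst = bytes([ATYP_IPV4, 10, 0, 0, 5])
    assoc = Association(client_ip="192.0.2.10")
    out = [assoc.receive("192.0.2.10", build_udp_request(dst, 53, b"AAA", frag=1), now=0.0),
           assoc.receive("198.51.100.7", build_udp_request(dst, 53, b"XXX", frag=2), now=0.1),
           assoc.receive("192.0.2.10", build_udp_request(dst, 53, b"BBB", frag=2), now=0.2),
           assoc.receive("192.0.2.10", build_udp_request(dst, 53, b"CCC", frag=FRAG_LAST | 3), now=0.3)]
    return out, assoc.dropped
```

`demo()` returns three `None` results followed by `(dst, 53, b"AAABBBCCC")`, with one dropped datagram (the spoofed one). The queue is also abandoned when a fragment arrives out of order, since its FRAG is then lower than the highest already processed, which is why the text recommends that applications avoid fragmentation.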
8. Security Considerations

This document describes a protocol for the application-layer traversal of IP network firewalls. The security of such traversal is highly dependent on the particular authentication and encapsulation methods provided in a particular implementation, and selected during negotiation between SOCKS client and SOCKS server.

Careful consideration should be given by the administrator to the selection of authentication methods.

9. References
[1] Koblas, D., "SOCKS", Proceedings: 1992 Usenix Security Symposium.
Author's Address

Marcus Leech
Bell-Northern Research Ltd
Box 3511, Station C
Ottawa, ON
Canada K1Y 4H7
Phone: (613) 763-9145
EMail: mleech@bnr.ca