Socks

Socks: a protocol for TCP Proxy Across FireWalls

Ying-da Lee

Principal MEMBER TECHNICAL STAFF

NEC SYSTEMS LABORATORY, CSTC

Ylee@syl.dl.nec.com

Socks Was Originally Developed by David Koblas and Subsequently Modified

And Extended by me to its current running version - version 4. IT IS A

Protocol That Relays TCP Sessions At A FireWall Host To ALLOW Application

Users Transparent Access Across The FireWall. Because The Protocol IS

Independent Of Application Protocols, IT CAN Be (and Has Been) Used for

Many Different Services, Such As Telnet, FTP, Finger, WHOIS, GOPHER, WWW,

Etc. Access Control Can Be Applied At The Beginning of Each TCP Session;

Thereafter the Server Simply Relays The Data Between The Client and The Client and The

Application Server, Incurring Minimum Processing Overhead. Since Socks

Never Has To Know Anything About The Application Protocol, IT Should Also

Be Easy for It To Accommodate Applications Which Uses Encryption To Protect

Their traffic from nosey snoopers.

TWO Operations Are Defined: Connect and Bind.

1) Connect

The Client Connects To The Socks Server and Sends a Connect Request When

It wants to establish a connection to an application server. The client

Includeds in the request packet the ip address and the port number of the

Destination Host, And Userid, in The Following Format.

-- ---- -- -- ---- -- ---- - ---- ---- .... --

| VN | CD | DSTPORT | DSTIP | Userid & Brvbarnull|

-- ---- -- -- ---- -- ---- - ---- ---- .... --

# of bytes: 1 1 2 4 Variable 1

VN Is The Socks Protocol Version Number and Should Be 4. CD IS SHESOCKS Command Code and Should Be 1 for Connect Request. Null Is A Byte

Of all zero bits.

The Socks Server Checks To See WHether Such a Request Should Be Grand

Based on Any Combination of Source IP Address, Destination IP Address,

Destination Port Number, The Userid, And Information It May Obtain By

Consulting Ident, CF. RFC 1413. IF The Request Is Grand, The Socks

Server Makes a connection to the specified port of the destination host.

A reply packet is sample to the client when this connection is established,

Or when the request is rejected or the operation fails.

-- ---- ---- - -- -- ---- -

| VN | CD | DSTPORT | DSTIP |

-- ---- ---- - -- -- ---- -

# of bytes: 1 1 2 4

Vn is the version of the reply code and shop be 0. CD is the result

Code with One of the Following Values:

90: Request granted

91: Request REIECTED or FAILED

92: Request Rejected Becasue Socks Server Cannot connect To

Identd on the client

93: Request Rejected Because The Client Program and Identd

Report Different User-IDS

The Remaining Fields Are Ignored.

The Socks Server Closes ITS Connection Immediately After Notifying

The client of a failed or request. for a successful request,

The Socks Server Gets Ready To Relay Traffic On Both Directions. this

Enables the client to do I / o on ITS Connection As if it were directly

Connected to the Application Server.

2) bind

The Client Connects to The Socks Server and Sends a Bind Request When

It wants to prepare for an inbound connection from an application server.

THIS SHOULD INLY HAPPEN AFTER A Primary Connection To The ApplicationServer Has Been Established With A Connect. Typically, this is part of

The Sequence of Actions:

-bind (): Obtain A Socket

-getsockname (): Get the ip address and port number of the socket

-Listen (): Ready to Accept Call from the Application Server

-Use The Primary Connection To Inform The Application Server of

The IP Address and The Port Number That It Should Connect TO.

-Accept (): Accept A Connection from the Application Server

The Purpose of Socks Bind Operation Is To Support Such a Sequence

But use a socket on the socks server rather tour.

The Client Includes in The Request Packet The IP Address of Tore

Application Server, The Destination Port Used in The Primary Connection,

And the userid.

-- ---- -- -- ---- -- ---- - ---- ---- .... --

| VN | CD | DSTPORT | DSTIP | Userid & Brvbarnull|

-- ---- -- -- ---- -- ---- - ---- ---- .... --

# of bytes: 1 1 2 4 Variable 1

VN is again 4 for the socks protocol version number. CD Must Be 2 To

Indicate Bind Request.

The Socks Server Uses The Client Information To Decide WHether To

Request is to be granted. The reply it sends back to the client HAS

The Same Format As The Reply for Connect Request, I.E.,

-- ---- ---- - -- -- ---- -

| VN | CD | DSTPORT | DSTIP |

-- ---- ---- - -- -- ---- -

# of bytes: 1 1 2 4

VN is The Version of the reply code and shop be 0. CD is The resultcode with one of the folly value:

90: Request granted

91: Request REIECTED or FAILED

92: Request Rejected Becasue Socks Server Cannot connect To

Identd on the client

93: Request Rejected Because The Client Program and Identd

Report Different User-IDS.

However, for a granted request (CD IS 90), The Dstport and Dstip Fields

Are Meaningful. In That Case, The Socks Server Obtains a socket to wait

For An Incoming Connection and Sends The Port Number and The IP Address

Of That Socket To The Client in Dstport and Dstip, Respectiveness. if The

Dstip in the reply is 0 (the value of constant inaddr_any), THE

Client SHOULD Replace It by The IP Address of The Socks Server to which

(this happens if the socks server is not a

Multi-homed host. in The Typical Scenario, There Two Numbers Are

Made Available to the Application Client Prgram Via the Result of The

Subsequent getSockName () Call. The Application Protocol Must Provide A

Way for these Two Pieces of Information To Be Sent from The Client To

The Application Server So That Can Initiate The Connection, Which

Connects it to the socks server rather Than Directly to the application

Client as it Normally Would.

The Socks Server Sends a Second Reply Packet To The Client When THE

Anticipated Connection from the Application Server is Established.

The Socks Server Checks The IP Address of The Originating Host Against

The value of dstip specified in the client's bind request. if a mismatch

Is Found, THE CD Field in The Second Reply Is Set To 91 and The Socks

Server Closes Both Connections. if The Two match, cd in the second

Reply is set to 90 and the socks server gets ready to relay the trafficon its two connections. from then on the client does I / O on ITS Connection

To the Socks Server As if it were directly connection to the application

Server.

For Both Connect and Bind Operations, The Server Sets a Time Limit

(2 minutes in current cstc importation) for the Establishment of ITS

Connection with the application server. if the connection is still not

ESTABLICHED WHEN THE LIMIT EXPIRES, The Server Closes ITS Connection

To The Client and Gives Up.

============================================================================================================================================================================================================= ============================

SOCKS 4A: A Simple Extension to Socks 4 Protocol

Ying-da Lee

Yingda@best.com or yingda@esd.sgi.com

Please read socks4.protocol first for an Description of the Version 4

Protocol. this extension is intended to allow the use of socks on hosts

Which Are Not Capable of Resolving All Domain Names.

In Version 4, The Client Sends The Following Packet To The Socks Server

To Request a connection: Bind Operation:

-- ---- -- -- ---- -- ---- - ---- ---- .... --

| VN | CD | DSTPORT | DSTIP | Userid & Brvbarnull|

-- ---- -- -- ---- -- ---- - ---- ---- .... --

# of bytes: 1 1 2 4 Variable 1

VN Is The Socks Protocol Version Number and Should Be 4. CD is TheSocks Command Code and Should Be 1 for Connect OR 2 for Bind. Null

Is a byte of all zero bits.

For Version 4A, IF The Client Cannot Resolve The Destination Host's

Domain name to Find ITS IP Address, IT Should Set The First Three Bytes

Of dstip to null and the last byte to a non-zero value. (this Corresponds)

To IP Address 0.0.0.x, with x Nonzero. As Decreed by Iana - The

Internet Assigned Numbers Authority - Such An Address Is Inadmissible

AS A Destination IP Address and Thus Should Never Occur iF The Client

Following the null byte terminating

Userid, The Client Must Sends The Destination Domain Name and Termiantes

IT with Another Null Byte. this is buy for Both Connect and Bind Requests.

A Server Using Protocol 4a Must Check The Dstip in The Request Packet.

If IT Repesent Address 0.0.0.x with Nonzero X, The Server Must Read

In The Domain Name That The Client Sends in The Packet. The Server

SHOULD resolve the domain name and make connections to the destination

Host if it can.

Socksified Sockd May Pass Domain Names That It Cannot Resolve To

The next-hop socks server.