Protocol: SOCKS ( Protocol for sessions traversal across firewall securely )

SOCKS ( Protocol for sessions traversal across firewall securely )

Update: 2005-11-07 17:31:49 I have words to say about this protocol

On this page

SUMMARY
DESCRIPTION
EXAMPLES
PROTOCOL RELATIONS
GLOSSARY
REFERENCES
OTHER PROTOCOLS

SUMMARY
Protocol	:	Protocol for sessions traversal across firewall securely
Protocol suite	:	TCP/IP
Layer	:	Application Layer
Type	:	Application protocol
Latest Version	:	SOCKSv5
Ports	:	1080£¨TCP£©
Related protocols	:	WAIS, IETF
Working groups	:	Aft, Authenticated Firewall Traversal

DESCRIPTION

SOCKS is a networking proxy protocol that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side of the SOCKS server without requiring direct IP-reachability.

This protocol provides a framework for client-server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall. The protocol is conceptually a "shim-layer" between the application layer and the transport layer, and as such does not provide network layer gateway services, such as forwarding of ICMP messages.

SOCKS includes two components, the SOCKS server and the SOCKS client. The SOCKS server is implemented at the application layer, while the SOCKS client is implemented between the application and transport layers. The basic purpose of the protocol is to enable hosts on one side of a SOCKS server to gain access to hosts on the other side of a SOCKS Server, without requiring direct IP-reachability.

SOCKS Version 4 provides unsecured firewall traversal for TCP-based client-server applications, including TELNET, FTP, and protocols such as HTTP, WAIS and GOPHER. This version of SOCKS extends the SOCKS Version 4 model to include UDP, and extends the framework to include provisions for generalized strong authentication schemes. It also adapts the addressing scheme to encompass domain-name and V6 IP addresses.
The implementation of the SOCKS protocol typically involves the recompilation or relinking of TCP-based client applications to use the appropriate encapsulation routines in the SOCKS library. The difference between SOCKSv4 and SOCKSv5 is SOCKSv4 does not support authentication nor UDP proxy. SOCKSv5 supports a variety of authentication methods and UDP proxy.

Packet Format

Method	Description
0	No Authentication Required.
1	GSSAPI.
2	Username/Password.
3	Challenge-Handshake Authentication Protocol.
4
5	Challenge-Response Authentication Method.
6	Secure Sockets Layer.
7	NDS Authentication.
8	Multi-Authentication Framework.
9 - 127
128 - 254	Private Methods.
255	No Acceptable Methods.

Existing Practice

SOCKSv4

There currently exists a protocol, SOCKS Version 4, that provides for unsecured firewall traversal for TCP-based client-server applications, including TELNET, FTP and the popular information- discovery protocols such as HTTP, WAIS and GOPHER.
This new protocol extends the SOCKS Version 4 model to include UDP, and extends the framework to include provisions for generalized strong authentication schemes, and extends the addressing scheme to encompass domain-name and V6 IP addresses.

SOCKSv5

SOCKSv5 is an IETF (Internet Engineering Task Force) approved standard generic, proxy protocol for TCP/IP-based networking applications. The SOCKS protocol provides a flexible framework for developing secure communications by easily integrating other security technologies.

SOCKSv5 is an IETF (Internet Engineering Task Force) approved standard generic, proxy protocol for TCP/IP-based networking applications. The SOCKS protocol provides a flexible framework for developing secure communications by easily integrating other security technologies.

SOCKSv5 Protocol
The SOCKSv5 protocol, also known as authenticated firewall traversal (AFT), is an open Internet standard for performing network proxies at the transport layer. It resolves several issues that SOCKS version 4 protocol did not fully address or omitted:

Strong authentication.

Authentication method negotiation.

Address resolution proxy.

Proxy for UDP-based applications.

There are two additional SOCKSv5-related standards to support authentication methods:

Username/Password authentication for SOCKSv5.

GSS-API (Generic Security Service Application Programming Interface) authentication for SOCKSv5.

Protocol Structure - Socks version 5

Version identifier/method selection message

1 byte	1 byte	1-225 bytes
Version	NMethods	Methods

Methods

00	No authentication required
01	GSSAPI
02	Username/Password
3	IANA assigned
4 to FE	Reserved for private methods
FF	No acceptable methods

The Socks request message

1 byte	1 byte	Value of 0	1 byte	Variable	2 bytes
Version	CMD	Rsv	ATYP	DST addr	DST Port

CMD

01	CONNECT1
02	BIND
03	UDP ASSOCIATE

ATYP

01	IP V4 address
03	DOMAINNAME
p class="MsoNormal" align="center">04	IP V6 address: X'04'

SOCKs reply message

1 byte	1 byte	Value of 0	1 byte	Variable	2 bytes
Version	REP	RSV	ATYP	BND addr	BND Port

REP

00	Succeeded
01	General SOCKS server failure
02	Connection not allowed by ruleset
03	Network unreachable
04	Host unreachable
05	Connection refused
06	TTL expired
07	Command not supported
08	Address type not supported
09 to FF	Unassigned

Protocol Structure for UDP-based Clients
Each UDP datagram carries a UDP request header with it:
UDP request header

2byte	1 byte	1 byte	Variable	2	Variable
RSV	FRAG	ATYP	DST Addr	DST Port	Data

RSV:
This field is reserved. Its value is 0000.

FRAG:
This field contains the current fragment number, and indicates whether the datagram is one of a number of fragments.

ATYP:
Address type of the following address.

DST addr:
Desired destination address.

DST Port:
Desired destination port.

Data:
User data.

Top of Page

EXAMPLES

Example 1: Procedure for TCP-based clients

 

When a TCP-based client wishes to establish a connection to an object that is 

reachable only via a firewall (such determination is left up to the implementation), 

it must open a TCP connection to the appropriate SOCKS port on the SOCKS 

server system. The SOCKS service is conventionally located on TCP port 1080. If 

the connection request succeeds, the client enters a negotiation for the 

authentication method to be used, authenticates with the chosen method, then 

sends a relay request. The SOCKS server evaluates the request, and either 

establishes the appropriate connection or denies it. 



Unless otherwise noted, the decimal numbers appearing in packet- format diagrams 

represent the length of the corresponding field, in octets. Where a given octet must 

take on a specific value, the syntax X'hh' is used to denote the value of the single 

octet in that field. When the word 'Variable' is used, it indicates that the 

corresponding field has a variable length defined either by an associated (one or 

two octet) length field, or by a data type field. 



The client connects to the server, and sends a version identifier/method selection 

message:



          +----+----------+----------+

          |VER | NMETHODS | METHODS  |

          +----+----------+----------+

          | 1  |    1     | 1 to 255 |

          +----+----------+----------+



The VER field is set to X'05' for this version of the protocol. The NMETHODS field 

contains the number of method identifier octets that appear in the METHODS field. 

The server selects from one of the methods given in METHODS, and sends a METHOD 

selection message: 



          +----+--------+

          |VER | METHOD |

          +----+--------+

          | 1  |   1    |

          +----+--------+



If the selected METHOD is X'FF', none of the methods listed by the client are 

acceptable, and the client MUST close the connection. 

The values currently defined for METHOD are:



          X'00' NO AUTHENTICATION REQUIRED

          X'01' GSSAPI

          X'02' USERNAME/PASSWORD

          X'03' to X'7F' IANA ASSIGNED

          X'80' to X'FE' RESERVED FOR PRIVATE METHODS

          X'FF' NO ACCEPTABLE METHODS



The client and server then enter a method-specific sub-negotiation. Descriptions of 

the method-dependent sub-negotiations appear in separate memos. 

Developers of new METHOD support for this protocol should contact IANA for a 

METHOD number. The ASSIGNED NUMBERS document should be referred to for a 

current list of METHOD numbers and their corresponding protocols. 

Compliant implementations MUST support GSSAPI and SHOULD support 

USERNAME/PASSWORD authentication methods.

Example 2: Requests



Once the method-dependent subnegotiation has completed, the client sends the request 

details. If the negotiated method includes encapsulation for purposes of integrity 

checking and/or confidentiality, these requests MUST be encapsulated in the method-

dependent encapsulation. The SOCKS request is formed as follows:



          +----+-----+-------+------+----------+----------+

          |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |

          +----+-----+-------+------+----------+----------+

          | 1  |  1  | X'00' |  1   | Variable |    2     |

          +----+-----+-------+------+----------+----------+



    Where:



          VER    protocol version: X'05'

          CMD

             CONNECT X'01'

             BIND X'02'

             UDP ASSOCIATE X'03'

          RSV    RESERVED

          ATYP   address type of following address

             IP V4 address: X'01'

             DOMAINNAME: X'03'

             IP V6 address: X'04'

          DST.ADDR       desired destination address

          DST.PORT desired destination port in network octet

          order



The SOCKS server will typically evaluate the request based on source and destination 

addresses, and return one or more reply messages, as appropriate for the request type.

Example 3: Replies



The SOCKS request information is sent by the client as soon as it has established a 

connection to the SOCKS server, and completed the authentication negotiations. 

The server evaluates the request, and returns a reply formed as follows:



          +----+-----+-------+------+----------+----------+

          |VER | REP |  RSV  | ATYP | BND.ADDR | BND.PORT |

          +----+-----+-------+------+----------+----------+

          | 1  |  1  | X'00' |  1   | Variable |    2     |

          +----+-----+-------+------+----------+----------+



    Where:



          VER    protocol version: X'05'

          REP    Reply field:

             X'00' succeeded

             X'01' general SOCKS server failure

             X'02' connection not allowed by ruleset

             X'03' Network unreachable

             X'04' Host unreachable

             X'05' Connection refused

             X'06' TTL expired

             X'07' Command not supported

             X'08' Address type not supported

             X'09' to X'FF' unassigned

          RSV    RESERVED

          ATYP   address type of following address

             IP V4 address: X'01'

             DOMAINNAME: X'03'

             IP V6 address: X'04'

          BND.ADDR       server bound address

          BND.PORT       server bound port in network octet order



Fields marked RESERVED (RSV) must be set to X'00'. 

If the chosen method includes encapsulation for purposes of authentication, 

integrity and/or confidentiality, the replies are encapsulated in the method-

dependent encapsulation.

Example 4: Procedure for UDP-based clients



A UDP-based client MUST send its datagrams to the UDP relay server at the UDP port 

indicated by BND.PORT in the reply to the UDP ASSOCIATE request. If the selected 

authentication method provides encapsulation for the purposes of authenticity, 

integrity, and/or confidentiality, the datagram MUST be encapsulated using the 

appropriate encapsulation. Each UDP datagram carries a UDP request header with it: 



          +----+------+------+----------+----------+----------+

          |RSV | FRAG | ATYP | DST.ADDR | DST.PORT |   DATA   |

          +----+------+------+----------+----------+----------+

          | 2  |  1   |  1   | Variable |    2     | Variable |

          +----+------+------+----------+----------+----------+



    The fields in the UDP request header are:



          RSV  Reserved X'0000'

          FRAG    Current fragment number

          ATYP    address type of following addresses:

             IP V4 address: X'01'

             DOMAINNAME: X'03'

             IP V6 address: X'04'

          DST.ADDR       desired destination address

          DST.PORT       desired destination port

          DATA     user data



When a UDP relay server decides to relay a UDP datagram, it does so silently, without 

any notification to the requesting client. Similarly, it will drop datagrams it cannot 

or will not relay. When a UDP relay server receives a reply datagram from a remote 

host, it MUST encapsulate that datagram using the above UDP request header, and 

any authentication-method-dependent encapsulation.



Implementation of fragmentation is optional; an implementation that does not support 

fragmentation MUST drop any datagram whose FRAG field is other than X'00'. The 

programming interface for a SOCKS-aware UDP MUST report an available buffer space 

for UDP datagrams that is smaller than the actual space provided by the operating 

system:



         if ATYP is X'01' - 10+method_dependent octets smaller

         if ATYP is X'03' - 262+method_dependent octets smaller

         if ATYP is X'04' - 20+method_dependent octets smaller

Top of Page

PROTOCOL RELATIONS

■ Parent layer
■ Child layer

Top of Page

GLOSSARY

GSS-API
The GSS-API (Generic Security Service Application Program Interface) is a generic API for doing client-server authentication.

A typical GSS-API caller is itself a communications protocol, calling on GSS-API in order to protect its communications with authentication, integrity, and/or confidentiality security services. A GSS-API caller accepts tokens provided to it by its local GSS-API implementation and transfers the tokens to a peer on a remote system; that peer passes the received tokens to its local GSS-API implementation for processing. The security services available through GSS-API in this fashion are implementable (and have been implemented) over a range of underlying mechanisms based on secret-key and public-key cryptographic technologies.

The GSS-API separates the operations of initializing a security context between peers, achieving peer entity authentication (GSS_Init_sec_context() and GSS_Accept_sec_context() calls), from the operations of providing per-message data origin authentication and data integrity protection (GSS_GetMIC() and GSS_VerifyMIC() calls) for messages subsequently transferred in conjunction with that context.

IETF
IETF (Internet Engineering Task Force) is the main standards organization for the Internet. The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.

WAIS
WAIS (Wide Area Information Server) is an Internet system in which specialized subject databases are created at multiple server locations, kept track of by a directory of servers at one location, and made accessible for searching by users with WAIS client programs. The user of WAIS is provided with or obtains a list of distributed databases. The user enters a search argument for a selected database and the client then accesses all the servers on which the database is distributed. The results provide a description of each text that meets the search requirements. The user can then retrieve the full text.

Top of Page

REFERENCES

RFCs
[RFC 1928] SOCKS Protocol Version 5.
[RFC 1929] Username/Password Authentication for SOCKS V5.
[RFC 1961] GSS-API Authentication Method for SOCKS Version 5.
[RFC 3089] A SOCKS-based IPv6/IPv4 Gateway Mechanism

Top of Page

OTHER PROTOCOLS OF TCP/IP SUITE