As per Relevance of the word connection, we have this rfc below:











Network Working Group M.
Request for Comments: 1928 Bell-Northern Research
Category: Standards Track M.
International Business
Y.
NEC Systems
R.
Unify
D.
Independent
L.
Hewlett-Packard
March 1996


SOCKS Protocol Version 5

Status of this Memo

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.



Acknowledgments

This memo describes a protocol that is an evolution of the previous
version of the protocol, version 4 [1]. This new protocol stems from
active discussions and prototype implementations. The key
contributors are: Marcus Leech: Bell-Northern Research, David Koblas:
Independent Consultant, Ying-Da Lee: NEC Systems Laboratory,
Jones: Hewlett-Packard Company, Ron Kuris: Unify Corporation,
Ganis: International Business Machines.

1. Introduction

The use of network firewalls, systems that effectively isolate an
organization's internal network structure from an exterior network,
such as the INTERNET, is becoming increasingly popular. These
firewall systems typically act as application-layer gateways between
networks, usually offering controlled TELNET, FTP, and SMTP access.
With the emergence of more sophisticated application layer protocols
designed to facilitate global information discovery, there exists a
need to provide a general framework for these protocols to
transparently and securely traverse a firewall.





Leech, et al Standards Track [Page 1]

RFC 1928 SOCKS Protocol Version 5 March 1996


There exists, also, a need for strong authentication of such
traversal in as fine-grained a manner as is practical. This
requirement stems from the realization that client-server
relationships emerge between the networks of various organizations,
and that such relationships need to be controlled and often strongly
authenticated.

The protocol described here is designed to provide a framework for
client-server applications in both the TCP and UDP domains to
conveniently and securely use the services of a network firewall.
The protocol is conceptually a "shim-layer" between the application
layer and the transport layer, and as such does not provide
network-layer gateway services, such as forwarding of ICMP messages.

2. Existing practice

There currently exists a protocol, SOCKS Version 4, that provides for
unsecured firewall traversal for TCP-based client-server
applications, including TELNET, FTP and the popular information
discovery protocols such as HTTP, WAIS and GOPHER.

This new protocol extends the SOCKS Version 4 model to include UDP,
and extends the framework to include provisions for generalized
strong authentication schemes, and extends the addressing scheme to
encompass domain-name and V6 IP addresses.

The implementation of the SOCKS protocol typically involves the
recompilation or relinking of TCP-based client applications to use
the appropriate encapsulation routines in the SOCKS library.

Note:

Unless otherwise noted, the decimal numbers appearing in packet
format diagrams represent the length of the corresponding field, in
octets. Where a given octet must take on a specific value, the
syntax X'hh' is used to denote the value of the single octet in that
field. When the word 'Variable' is used, it indicates that the
corresponding field has a variable length defined either by an
associated (one or two octet) length field, or by a data type field.

3. Procedure for TCP-based clients

When a TCP-based client wishes to establish a connection to an object
that is reachable only via a firewall (such determination is left up
to the implementation), it must open a TCP connection to the
appropriate SOCKS port on the SOCKS server system. The SOCKS service
is conventionally located on TCP port 1080. If the connection
request succeeds, the client enters a negotiation for the
authentication method to be used, authenticates with the chosen
method, then sends a relay request. The SOCKS server evaluates the
request, and either establishes the appropriate connection or denies
it.

Unless otherwise noted, the decimal numbers appearing in packet
format diagrams represent the length of the corresponding field, in
octets. Where a given octet must take on a specific value, the
syntax X'hh' is used to denote the value of the single octet in that
field. When the word 'Variable' is used, it indicates that the
corresponding field has a variable length defined either by an
associated (one or two octet) length field, or by a data type field.

The client connects to the server, and sends a version
identifier/method selection message:

+----+----------+----------+
|VER | NMETHODS | METHODS |
+----+----------+----------+
| 1 | 1 | 1 to 255 |
+----+----------+----------+

The VER field is set to X'05' for this version of the protocol. The
NMETHODS field contains the number of method identifier octets that
appear in the METHODS field.

The server selects from one of the methods given in METHODS, and
sends a METHOD selection message:

+----+--------+
|VER | METHOD |
+----+--------+
| 1 | 1 |
+----+--------+

If the selected METHOD is X'FF', none of the methods listed by the
client are acceptable, and the client MUST close the connection.

The values currently defined for METHOD are:

o X'00' NO AUTHENTICATION REQUIRED
o X'01' GSSAPI
o X'02' USERNAME/PASSWORD
o X'03' to X'7F' IANA ASSIGNED
o X'80' to X'FE' RESERVED FOR PRIVATE METHODS
o X'FF' NO ACCEPTABLE METHODS

The client and server then enter a method-specific sub-negotiation.





Descriptions of the method-dependent sub-negotiations appear in
separate memos.

Developers of new METHOD support for this protocol should contact
IANA for a METHOD number. The ASSIGNED NUMBERS document should be
referred to for a current list of METHOD numbers and their
corresponding protocols.

Compliant implementations MUST support GSSAPI and SHOULD support
USERNAME/PASSWORD authentication methods.
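
The method negotiation above, seen from the server side, as an added example that is not part of the RFC text: it validates the version identifier/method selection message and answers X'FF' when the client offers nothing the local policy accepts. The names `ALLOWED_METHODS`, `MalformedGreeting`, `parse_greeting` and `select_method` are hypothetical, and `data` is assumed to hold exactly one complete message.

```python
VER = 0x05
NO_AUTH, GSSAPI, USERPASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF

# Hypothetical local policy, most preferred first. X'00' (no
# authentication) is deliberately left out of this example policy.
ALLOWED_METHODS = (GSSAPI, USERPASS)


class MalformedGreeting(ValueError):
    """The message does not match the VER / NMETHODS / METHODS layout."""


def parse_greeting(data):
    """Return the tuple of offered METHODS, rejecting malformed input."""
    if len(data) < 2:
        raise MalformedGreeting("short message")
    ver, nmethods = data[0], data[1]
    if ver != VER:
        raise MalformedGreeting(f"VER is X'{ver:02X}', expected X'05'")
    if nmethods == 0:
        raise MalformedGreeting("NMETHODS is 0; METHODS holds 1 to 255 octets")
    if len(data) != 2 + nmethods:
        raise MalformedGreeting("METHODS length does not match NMETHODS")
    return tuple(data[2:])


def select_method(data, allowed=ALLOWED_METHODS):
    """Build the two-octet METHOD selection message for a greeting."""
    offered = set(parse_greeting(data))
    for method in allowed:
        if method in offered:
            return bytes([VER, method])
    # Nothing acceptable: the client MUST close after receiving X'FF'.
    return bytes([VER, NO_ACCEPTABLE])
```

A client that offers only X'00' receives X'05' X'FF' under this policy, so an unauthenticated relay is never negotiated by accident.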

4. Requests

Once the method-dependent subnegotiation has completed, the client
sends the request details. If the negotiated method includes
encapsulation for purposes of integrity checking and/or
confidentiality, these requests MUST be encapsulated in the
method-dependent encapsulation.

The SOCKS request is formed as follows:

+----+-----+-------+------+----------+----------+
|VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT |
+----+-----+-------+------+----------+----------+
| 1 | 1 | X'00' | 1 | Variable | 2 |
+----+-----+-------+------+----------+----------+

Where:

o VER protocol version: X'05'
o CMD
   o CONNECT X'01'
   o BIND X'02'
   o UDP ASSOCIATE X'03'
o RSV RESERVED
o ATYP address type of following address
   o IP V4 address: X'01'
   o DOMAINNAME: X'03'
   o IP V6 address: X'04'
o DST.ADDR desired destination address
o DST.PORT desired destination port in network octet order


The SOCKS server will typically evaluate the request based on source
and destination addresses, and return one or more reply messages, as
appropriate for the request type.







5. Addressing

In an address field (DST.ADDR, BND.ADDR), the ATYP field specifies
the type of address contained within the field:

o X'01'

the address is a version-4 IP address, with a length of 4 octets.

o X'03'

the address field contains a fully-qualified domain name. The first
octet of the address field contains the number of octets of name that
follow; there is no terminating NUL octet.

o X'04'

the address is a version-6 IP address, with a length of 16 octets.

6. Replies

The SOCKS request information is sent by the client as soon as it has
established a connection to the SOCKS server, and completed the
authentication negotiations. The server evaluates the request, and
returns a reply formed as follows:

+----+-----+-------+------+----------+----------+
|VER | REP | RSV | ATYP | BND.ADDR | BND.PORT |
+----+-----+-------+------+----------+----------+
| 1 | 1 | X'00' | 1 | Variable | 2 |
+----+-----+-------+------+----------+----------+

Where:

o VER protocol version: X'05'
o REP Reply field:
   o X'00' succeeded
   o X'01' general SOCKS server failure
   o X'02' connection not allowed by ruleset
   o X'03' Network unreachable
   o X'04' Host unreachable
   o X'05' Connection refused
   o X'06' TTL expired
   o X'07' Command not supported
   o X'08' Address type not supported
   o X'09' to X'FF' unassigned
o RSV RESERVED
o ATYP address type of following address
   o IP V4 address: X'01'
   o DOMAINNAME: X'03'
   o IP V6 address: X'04'
o BND.ADDR server bound address
o BND.PORT server bound port in network octet order

Fields marked RESERVED (RSV) must be set to X'00'.

If the chosen method includes encapsulation for purposes of
authentication, integrity and/or confidentiality, the replies are
encapsulated in the method-dependent encapsulation.
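
The request layout of section 4, the three address types of section 5 and the reply layout above, combined in one strict parser; this is an added example, not part of the RFC text. `RequestError`, `parse_address`, `parse_request` and `build_reply` are hypothetical names, the message is assumed to arrive complete in one buffer, and the reply always carries an IPv4 BND.ADDR for brevity.

```python
import ipaddress
import struct

REP_FAILURE, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x01, 0x07, 0x08
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}


class RequestError(Exception):
    """Carries the REP code to send before closing the connection."""
    def __init__(self, rep, why):
        super().__init__(why)
        self.rep = rep


def parse_address(atyp, buf):
    """Decode ADDR and PORT; return (host, port, octets consumed)."""
    if atyp == 0x03:  # DOMAINNAME: one length octet, no terminating NUL
        if not buf or buf[0] == 0:
            raise RequestError(REP_FAILURE, "empty domain name")
        start, end = 1, 1 + buf[0]
    elif atyp in (0x01, 0x04):  # IP V4: 4 octets, IP V6: 16 octets
        start, end = 0, 4 if atyp == 0x01 else 16
    else:
        raise RequestError(REP_ATYP_UNSUPPORTED, f"ATYP X'{atyp:02X}'")
    if len(buf) < end + 2:
        raise RequestError(REP_FAILURE, "truncated address or port")
    raw = buf[start:end]
    if atyp == 0x03 and (not raw.isascii() or b"\x00" in raw):
        raise RequestError(REP_FAILURE, "bad octets in domain name")
    host = raw.decode("ascii") if atyp == 0x03 else str(ipaddress.ip_address(raw))
    return host, struct.unpack("!H", buf[end:end + 2])[0], end + 2


def parse_request(msg):
    """Validate one complete request; return (command, host, port)."""
    if len(msg) < 4 or msg[0] != 0x05 or msg[2] != 0x00:
        raise RequestError(REP_FAILURE, "short message, bad VER or RSV")
    if msg[1] not in COMMANDS:
        raise RequestError(REP_CMD_UNSUPPORTED, f"CMD X'{msg[1]:02X}'")
    host, port, used = parse_address(msg[3], msg[4:])
    if 4 + used != len(msg):
        raise RequestError(REP_FAILURE, "trailing octets after DST.PORT")
    return COMMANDS[msg[1]], host, port


def build_reply(rep, bnd_addr="0.0.0.0", bnd_port=0):
    """Reply carrying an IPv4 BND.ADDR (a simplification of this example)."""
    packed = ipaddress.IPv4Address(bnd_addr).packed
    return struct.pack("!BBBB4sH", 0x05, rep, 0x00, 0x01, packed, bnd_port)
```

A server loop would catch `RequestError`, send `build_reply(err.rep)` and then close the connection.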



CONNECT

In the reply to a CONNECT, BND.PORT contains the port number that the
server assigned to connect to the target host, while BND.ADDR
contains the associated IP address. The supplied BND.ADDR is often
different from the IP address that the client uses to reach the SOCKS
server, since such servers are often multi-homed. It is expected
that the SOCKS server will use DST.ADDR and DST.PORT, and the
client-side source address and port in evaluating the CONNECT
request.



BIND

The BIND request is used in protocols which require the client to
accept connections from the server. FTP is a well-known example,
which uses the primary client-to-server connection for commands and
status reports, but may use a server-to-client connection for
transferring data on demand (e.g. LS, GET, PUT).

It is expected that the client side of an application protocol will
use the BIND request only to establish secondary connections after a
primary connection is established using CONNECT. It is expected that
a SOCKS server will use DST.ADDR and DST.PORT in evaluating the BIND
request.

Two replies are sent from the SOCKS server to the client during a
BIND operation. The first is sent after the server creates and binds
a new socket. The BND.PORT field contains the port number that the
SOCKS server assigned to listen for an incoming connection. The
BND.ADDR field contains the associated IP address. The client will
typically use these pieces of information to notify (via the primary
or control connection) the application server of the rendezvous
address. The second reply occurs only after the anticipated incoming
connection succeeds or fails.







In the second reply, the BND.PORT and BND.ADDR fields contain the
address and port number of the connecting host.

UDP ASSOCIATE

The UDP ASSOCIATE request is used to establish an association within
the UDP relay process to handle UDP datagrams. The DST.ADDR and
DST.PORT fields contain the address and port that the client expects
to use to send UDP datagrams on for the association. The server MAY
use this information to limit access to the association. If the
client is not in possession of the information at the time of the UDP
ASSOCIATE, the client MUST use a port number and address of all
zeros.

A UDP association terminates when the TCP connection that the UDP
ASSOCIATE request arrived on terminates.

In the reply to a UDP ASSOCIATE request, the BND.PORT and BND.ADDR
fields indicate the port number/address where the client MUST send
UDP request messages to be relayed.

Reply Processing

When a reply (REP value other than X'00') indicates a failure, the
SOCKS server MUST terminate the TCP connection shortly after sending
the reply. This must be no more than 10 seconds after detecting the
condition that caused a failure.

If the reply code (REP value of X'00') indicates a success, and the
request was either a BIND or a CONNECT, the client may now start
passing data. If the selected authentication method supports
encapsulation for the purposes of integrity, authentication and/or
confidentiality, the data are encapsulated using the method-dependent
encapsulation. Similarly, when data arrives at the SOCKS server for
the client, the server MUST encapsulate the data as appropriate for
the authentication method in use.

7. Procedure for UDP-based clients

A UDP-based client MUST send its datagrams to the UDP relay server at
the UDP port indicated by BND.PORT in the reply to the UDP ASSOCIATE
request. If the selected authentication method provides
encapsulation for the purposes of authenticity, integrity, and/or
confidentiality, the datagram MUST be encapsulated using the
appropriate encapsulation. Each UDP datagram carries a UDP request
header with it:







+----+------+------+----------+----------+----------+
|RSV | FRAG | ATYP | DST.ADDR | DST.PORT | DATA |
+----+------+------+----------+----------+----------+
| 2 | 1 | 1 | Variable | 2 | Variable |
+----+------+------+----------+----------+----------+

The fields in the UDP request header are:

o RSV Reserved X'0000'
o FRAG Current fragment number
o ATYP address type of following addresses:
   o IP V4 address: X'01'
   o DOMAINNAME: X'03'
   o IP V6 address: X'04'
o DST.ADDR desired destination address
o DST.PORT desired destination port
o DATA user data

When a UDP relay server decides to relay a UDP datagram, it does so
silently, without any notification to the requesting client.
Similarly, it will drop datagrams it cannot or will not relay. When
a UDP relay server receives a reply datagram from a remote host, it
MUST encapsulate that datagram using the above UDP request header,
and any authentication-method-dependent encapsulation.

The UDP relay server MUST acquire from the SOCKS server the expected
IP address of the client that will send datagrams to the BND.PORT
given in the reply to UDP ASSOCIATE. It MUST drop any datagrams
arriving from any source IP address other than the one recorded for
the particular association.

The FRAG field indicates whether or not this datagram is one of a
number of fragments. If implemented, the high-order bit indicates
end-of-fragment sequence, while a value of X'00' indicates that this
datagram is standalone. Values between 1 and 127 indicate the
fragment position within a fragment sequence. Each receiver will
have a REASSEMBLY QUEUE and a REASSEMBLY TIMER associated with these
fragments. The reassembly queue must be reinitialized and the
associated fragments abandoned whenever the REASSEMBLY TIMER expires,
or a new datagram arrives carrying a FRAG field whose value is less
than the highest FRAG value processed for this fragment sequence.
The reassembly timer MUST be no less than 5 seconds. It is
recommended that fragmentation be avoided by applications wherever
possible.

Implementation of fragmentation is optional; an implementation that
does not support fragmentation MUST drop any datagram whose FRAG
field is other than X'00'.





The programming interface for a SOCKS-aware UDP MUST report an
available buffer space for UDP datagrams that is smaller than the
actual space provided by the operating system:

o if ATYP is X'01' - 10+method_dependent octets smaller
o if ATYP is X'03' - 262+method_dependent octets smaller
o if ATYP is X'04' - 20+method_dependent octets smaller
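
The drop rules of this section, written as the ingress check a UDP relay runs before forwarding; this is an added example, not part of the RFC text. `udp_header_len` and `filter_datagram` are hypothetical names, the sample datagram is constructed, no method-dependent encapsulation is assumed, and dropping on a non-zero RSV is a choice made by this example.

```python
import ipaddress

ADDR_LEN = {0x01: 4, 0x04: 16}  # fixed DST.ADDR sizes by ATYP


def udp_header_len(datagram):
    """Octets of RSV+FRAG+ATYP+DST.ADDR+DST.PORT, or None if malformed."""
    if len(datagram) < 5:
        return None
    atyp = datagram[3]
    if atyp == 0x03:  # length octet plus that many name octets
        if datagram[4] == 0:
            return None
        addr_len = 1 + datagram[4]
    elif atyp in ADDR_LEN:
        addr_len = ADDR_LEN[atyp]
    else:
        return None
    total = 4 + addr_len + 2
    return total if len(datagram) >= total else None


def filter_datagram(datagram, src_ip, client_ip, supports_frag=False):
    """Return (verdict, payload); payload is None unless verdict is 'relay'."""
    # Only the client IP recorded for this association may use the relay.
    if ipaddress.ip_address(src_ip) != ipaddress.ip_address(client_ip):
        return "drop: source is not the associated client", None
    hlen = udp_header_len(datagram)
    if hlen is None:
        return "drop: malformed header", None
    if datagram[:2] != b"\x00\x00":  # example policy: RSV must be X'0000'
        return "drop: RSV is not X'0000'", None
    # Without fragmentation support, any FRAG other than X'00' is dropped.
    if datagram[2] != 0x00 and not supports_frag:
        return "drop: FRAG set but fragmentation not implemented", None
    return "relay", datagram[hlen:]


# Constructed sample: DATA b"ping" addressed to 192.0.2.53 port 53.
SAMPLE = b"\x00\x00\x00\x01\xc0\x00\x02\x35\x00\x35ping"
```

By the field widths in the header diagram an X'04' header is 22 octets (2+1+1+16+2), two more than the X'04' figure in the list above, so buffer arithmetic is safer when derived from the header itself.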

8. Security Considerations

This document describes a protocol for the application-layer
traversal of IP network firewalls. The security of such traversal is
highly dependent on the particular authentication and encapsulation
methods provided in a particular implementation, and selected during
negotiation between SOCKS client and SOCKS server.

Careful consideration should be given by the administrator to the
selection of authentication methods.

9. References

[1] Koblas, D., "SOCKS", Proceedings: 1992 Usenix Security Symposium.

Author's Address

Marcus
Bell-Northern Research
P.O. Box 3511, Stn. C
Ottawa,
CANADA K1Y 4H

Phone: (613) 763-9145
EMail: mleech@bnr.


























if you see any problems within the linking, don't worry be happy,
this is version 0.1 of the Relevance System and you gotta expect some crappy subroutines sometimes,
just be content we did not write this in Java, which would have made this "bigger and better" HAHAHHA.




RFC documents can be found at I.E.T.F.



Relevance System Copyright © 2002 Spectrum WorldResearch
other technical nosh by ServerMasters Corporation
collaboration of BobX






