
SOCKSv6 and OpenSSH
Hi there,

I'm Vladimir Olteanu (or just Vlad, for short), and I'm working on the
SOCKSv6 protocol. It is being discussed at the IETF
(https://tools.ietf.org/html/draft-olteanu-intarea-socks-6-10). The spec
has matured somewhat and is currently undergoing an adoption call at the
Intarea WG.

I would like to get your opinion on this newer version of the protocol,
in particular on how it would work for OpenSSH and what features and
tweaks you'd like to see included.

Version 6's core functionality is roughly equivalent to v4. It is
extensible and has several optional features, like:

 * 0-RTT authentication

 * A setsockopt()-like mechanism (which can notably be used to request TFO)

 * Full support for hosting TCP services behind the proxy

 * DNS proxy

 * Protection against replays

 * Zero (or even negative!) RTT overhead compared to connecting to the
server directly, assuming the proxy is on path

There's also an implementation available on Github:

 * Message library: https://github.com/45G/libsocks6msg
 * Utility library: https://github.com/45G/libsocks6util
 * TCP proxy and transparent proxifier: https://github.com/45G/sixtysocks

The libraries are written in C++, but also have C bindings, so they
could be used for a potential OpenSSH + SOCKSv6 prototype.

Cheers,

Vlad


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: SOCKSv6 and OpenSSH
On Mon, 31 Aug 2020, Vladimir Olteanu wrote:

> Hi there,
>
> I'm Vladimir Olteanu (or just Vlad, for short), and I'm working on the
> SOCKSv6 protocol. It is being discussed at the IETF
> (https://tools.ietf.org/html/draft-olteanu-intarea-socks-6-10). The spec
> has matured somewhat and is currently undergoing an adoption call at the
> Intarea WG.
>
> I would like to get your opinion on this newer version of the protocol,
> in particular on how it would work for OpenSSH and what features and
> tweaks you'd like to see included.
>
> Version 6's core functionality is roughly equivalent to v4. It is
> extensible and has several optional features, like:

OpenSSH currently implements a small subset of SOCKS4, 4A and 5 -
basically just unauthenticated TCP CONNECT and I don't recall any
requests for more protocol features to be implemented.

Looking at the draft, implementing similar basic support for SOCKS6
appears easy. The only parsing needed would be the initial request
message and the only reply would be a synchronous auth success + success
message.

Note that for SOCKS4/SOCKS5 we cheat by not delaying sending the
success message until the onward forwarded connection has successfully
connected. As such we can't propagate failure reasons back to the
client. Adding this would require extending the channels state machine a
little.

Anyway, I don't see any showstoppers preventing feature/bug parity in
OpenSSH for SOCKS6 compared to 4/5.

-d
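To make the "we cheat by not delaying the success message" point concrete, here is an added example that is not OpenSSH's code and does not come from the SOCKS6 draft. It uses the SOCKS5 CONNECT request and reply format from RFC 1928, which is fully specified, to contrast the optimistic reply (success sent as soon as the request parses, so an onward connect failure is only visible as the channel closing) with a deferred reply whose code is chosen by the outcome of the onward connection. The `connect` callback, `fake_connect_refused`, and the sample request bytes are constructed for the demo.

```python
"""Added example: SOCKS5 (RFC 1928) CONNECT handling, contrasting an
optimistic success reply with a deferred reply that carries the onward
connection's failure code. Not OpenSSH code; the connect callback and the
sample request bytes are constructed for the demo."""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes from RFC 1928 section 6.
REP_SUCCEEDED = 0x00
REP_GENERAL_FAILURE = 0x01
REP_HOST_UNREACHABLE = 0x04
REP_CONNECTION_REFUSED = 0x05
REP_CMD_NOT_SUPPORTED = 0x07
REP_ATYP_NOT_SUPPORTED = 0x08


class SocksError(Exception):
    """A malformed or unsupported request, carrying the reply code to send."""

    def __init__(self, rep, msg):
        super().__init__(msg)
        self.rep = rep


def parse_connect(buf):
    """Parse a SOCKS5 CONNECT request. Returns (host, port, bytes_consumed).

    Every length is checked before indexing, so a truncated request fails
    with a SOCKS reply code instead of an IndexError inside the parser."""
    if len(buf) < 4:
        raise SocksError(REP_GENERAL_FAILURE, "request header truncated")
    ver, cmd, _rsv, atyp = buf[0], buf[1], buf[2], buf[3]
    if ver != SOCKS_VERSION:
        raise SocksError(REP_GENERAL_FAILURE, "not a SOCKS5 request")
    if cmd != CMD_CONNECT:
        raise SocksError(REP_CMD_NOT_SUPPORTED, "only CONNECT is supported")
    if atyp == ATYP_IPV4:
        end = 4 + 4
        if len(buf) < end + 2:
            raise SocksError(REP_GENERAL_FAILURE, "IPv4 address truncated")
        host = socket.inet_ntop(socket.AF_INET, bytes(buf[4:end]))
    elif atyp == ATYP_DOMAIN:
        if len(buf) < 5 or buf[4] == 0:
            raise SocksError(REP_GENERAL_FAILURE, "bad domain length")
        end = 5 + buf[4]
        if len(buf) < end + 2:
            raise SocksError(REP_GENERAL_FAILURE, "domain name truncated")
        try:
            host = bytes(buf[5:end]).decode("ascii")
        except UnicodeDecodeError:
            raise SocksError(REP_GENERAL_FAILURE, "non-ASCII domain name")
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        if len(buf) < end + 2:
            raise SocksError(REP_GENERAL_FAILURE, "IPv6 address truncated")
        host = socket.inet_ntop(socket.AF_INET6, bytes(buf[4:end]))
    else:
        raise SocksError(REP_ATYP_NOT_SUPPORTED, "unknown address type")
    port = struct.unpack("!H", bytes(buf[end:end + 2]))[0]
    return host, port, end + 2


def build_reply(rep, bind_host="0.0.0.0", bind_port=0):
    """Build a SOCKS5 reply; BND.ADDR/BND.PORT are zero when unknown or on failure."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + socket.inet_pton(socket.AF_INET, bind_host)
            + struct.pack("!H", bind_port))


def optimistic_handshake(request, connect):
    """Reply 'succeeded' as soon as the request parses, then attempt the onward
    connection. If connect() fails afterwards, the reply is already committed and
    the client only ever sees the channel close."""
    try:
        host, port, _ = parse_connect(request)
    except SocksError as e:
        return build_reply(e.rep)
    reply = build_reply(REP_SUCCEEDED)  # committed before the target is known reachable
    connect(host, port)  # outcome can no longer change the reply
    return reply


def deferred_handshake(request, connect):
    """Attempt the onward connection first and let its result pick the reply
    code, so 'connection refused' or 'host unreachable' reaches the client."""
    try:
        host, port, _ = parse_connect(request)
    except SocksError as e:
        return build_reply(e.rep)
    return build_reply(connect(host, port))


def fake_connect_refused(host, port):
    """Constructed stand-in for the onward TCP connect: the target refuses."""
    return REP_CONNECTION_REFUSED


# Constructed sample requests: CONNECT example.org:443 and CONNECT 192.0.2.10:22.
REQ_DOMAIN = bytes([5, 1, 0, ATYP_DOMAIN, 11]) + b"example.org" + struct.pack("!H", 443)
REQ_IPV4 = bytes([5, 1, 0, ATYP_IPV4, 192, 0, 2, 10]) + struct.pack("!H", 22)
REQ_TRUNCATED = REQ_DOMAIN[:10]

if __name__ == "__main__":
    print(parse_connect(REQ_DOMAIN))
    print("optimistic:", optimistic_handshake(REQ_DOMAIN, fake_connect_refused).hex())
    print("deferred:  ", deferred_handshake(REQ_DOMAIN, fake_connect_refused).hex())
```

The second byte of each reply is the REP code: the optimistic path returns 0x00 even though the constructed connect callback refuses, while the deferred path returns 0x05. Supporting the deferred form in a real proxy means holding the client's reply until the onward connect completes, which is the "extending the channels state machine" work the reply above mentions.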
Re: SOCKSv6 and OpenSSH
On 9/1/20 9:08 AM, Damien Miller wrote:
> On Mon, 31 Aug 2020, Vladimir Olteanu wrote:
>
>> Hi there,
>>
>> I'm Vladimir Olteanu (or just Vlad, for short), and I'm working on the
>> SOCKSv6 protocol. It is being discussed at the IETF
>> (https://tools.ietf.org/html/draft-olteanu-intarea-socks-6-10). The spec
>> has matured somewhat and is currently undergoing an adoption call at the
>> Intarea WG.
>>
>> I would like to get your opinion on this newer version of the protocol,
>> in particular on how it would work for OpenSSH and what features and
>> tweaks you'd like to see included.
>>
>> Version 6's core functionality is roughly equivalent to v4. It is
>> extensible and has several optional features, like:
> OpenSSH currently implements a small subset of SOCKS4, 4A and 5 -
> basically just unauthenticated TCP CONNECT and I don't recall any
> requests for more protocol features to be implemented.
>
> Looking at the draft, implementing similar basic support for SOCKS6
> appears easy. The only parsing needed would be the initial request
> message and the only reply would be a synchronous auth success + success
> message.
>
> Note that for SOCKS4/SOCKS5 we cheat by not delaying sending the
> success message until the onward forwarded connection has successfully
> connected. As such we can't propagate failure reasons back to the
> client. Adding this would require extending the channels state machine a
> little.
>
> Anyway, I don't see any showstoppers preventing feature/bug parity in
> OpenSSH for SOCKS6 compared to 4/5.
>
> -d

That's good to know.

Pertaining to your basic use case, the only major difference between v6 and
previous versions is that the client is expected to do false starts
(i.e. start sending application data right after the request, without
waiting for any kind of reply).

Vlad

