Hi there, I'm Vladimir Olteanu (or just Vlad, for short), and I'm working on the SOCKSv6 protocol. It is being discussed at the IETF (https://tools.ietf.org/html/draft-olteanu-intarea-socks-6-10). The spec has matured somewhat and is currently undergoing an adoption call at the Intarea WG. I would like to get your opinion on this newer version of the protocol, in particular on how it would work for OpenSSH and what features and tweaks you'd like to see included. Version 6's core functionality is roughly equivalent to v4. It is extensible and has several optional features, like: ?* 0-RTT authentication ?* A setsockopt()-like mechanism (which can notably be used to request TFO) ?* Full support for hosting TCP services behind the proxy ?* DNS proxy ?* Protection against replays ?* Zero (or even negative!) RTT overhead compared to connecting to the server directly, assuming the proxy is on path There's also an implementation available on Github: ?* Message library: https://github.com/45G/libsocks6msg ?* Utility library: https://github.com/45G/libsocks6util ?* TCP proxy and transparent proxifier: https://github.com/45G/sixtysocks The libraries are written in C++, but also have C bindings, so they could be used for a potential OpenSSH + SOCKSv6 prototype. Cheers, Vlad
On Mon, 31 Aug 2020, Vladimir Olteanu wrote:> Hi there, > > I'm Vladimir Olteanu (or just Vlad, for short), and I'm working on the > SOCKSv6 protocol. It is being discussed at the IETF > (https://tools.ietf.org/html/draft-olteanu-intarea-socks-6-10). The spec > has matured somewhat and is currently undergoing an adoption call at the > Intarea WG. > > I would like to get your opinion on this newer version of the protocol, > in particular on how it would work for OpenSSH and what features and > tweaks you'd like to see included. > > Version 6's core functionality is roughly equivalent to v4. It is > extensible and has several optional features, like:OpenSSH currently implements a small subset of SOCKS4, 4A and 5 - basically just unauthenticated TCP CONNECT and I don't recall any requests for more protocol features to be implemented. Looking at the draft, implementing similar basic support for SOCKS6 appears easy. The only parsing needed would be the initial request message and the only reply would be a synchronous auth success + success message. Note that for SOCKS4/SOCKS5 we cheat by not delaying sending the success message until the onward forwarded connection has successfully connected. As such we can't propogate failure reasons back to the client. Adding this would require extending the channels state machine a little. Anyway, I don't see any showstoppers preventing feature/bug parity in OpenSSH for SOCKS6 compared to 4/5. -d
On 9/1/20 9:08 AM, Damien Miller wrote:> On Mon, 31 Aug 2020, Vladimir Olteanu wrote: > >> Hi there, >> >> I'm Vladimir Olteanu (or just Vlad, for short), and I'm working on the >> SOCKSv6 protocol. It is being discussed at the IETF >> (https://tools.ietf.org/html/draft-olteanu-intarea-socks-6-10). The spec >> has matured somewhat and is currently undergoing an adoption call at the >> Intarea WG. >> >> I would like to get your opinion on this newer version of the protocol, >> in particular on how it would work for OpenSSH and what features and >> tweaks you'd like to see included. >> >> Version 6's core functionality is roughly equivalent to v4. It is >> extensible and has several optional features, like: > OpenSSH currently implements a small subset of SOCKS4, 4A and 5 - > basically just unauthenticated TCP CONNECT and I don't recall any > requests for more protocol features to be implemented. > > Looking at the draft, implementing similar basic support for SOCKS6 > appears easy. The only parsing needed would be the initial request > message and the only reply would be a synchronous auth success + success > message. > > Note that for SOCKS4/SOCKS5 we cheat by not delaying sending the > success message until the onward forwarded connection has successfully > connected. As such we can't propogate failure reasons back to the > client. Adding this would require extending the channels state machine a > little. > > Anyway, I don't see any showstoppers preventing feature/bug parity in > OpenSSH for SOCKS6 compared to 4/5. > > -dThat's good to know. Pertaining your basic use case, the only major difference between v6 and previous versions is that the client is expected to do false starts (i.e. start sending application data right after the request, without waiting for any kind of reply). Vlad