7
Network Working Group M. Leech
8
Request for Comments: 1928 Bell-Northern Research Ltd
9
Category: Standards Track M. Ganis
10
International Business Machines
12
NEC Systems Laboratory
16
Independent Consultant
18
Hewlett-Packard Company
22
SOCKS Protocol Version 5
26
This document specifies an Internet standards track protocol for the
27
Internet community, and requests discussion and suggestions for
28
improvements. Please refer to the current edition of the "Internet
29
Official Protocol Standards" (STD 1) for the standardization state
30
and status of this protocol. Distribution of this memo is unlimited.
34
This memo describes a protocol that is an evolution of the previous
35
version of the protocol, version 4 [1]. This new protocol stems from
36
active discussions and prototype implementations. The key
37
contributors are: Marcus Leech: Bell-Northern Research, David Koblas:
38
Independent Consultant, Ying-Da Lee: NEC Systems Laboratory, LaMont
39
Jones: Hewlett-Packard Company, Ron Kuris: Unify Corporation, Matt
40
Ganis: International Business Machines.
44
The use of network firewalls, systems that effectively isolate an
45
organizations internal network structure from an exterior network,
46
such as the INTERNET is becoming increasingly popular. These
47
firewall systems typically act as application-layer gateways between
48
networks, usually offering controlled TELNET, FTP, and SMTP access.
49
With the emergence of more sophisticated application layer protocols
50
designed to facilitate global information discovery, there exists a
51
need to provide a general framework for these protocols to
52
transparently and securely traverse a firewall.
58
Leech, et al Standards Track [Page 1]
60
RFC 1928 SOCKS Protocol Version 5 March 1996
63
There exists, also, a need for strong authentication of such
64
traversal in as fine-grained a manner as is practical. This
65
requirement stems from the realization that client-server
66
relationships emerge between the networks of various organizations,
67
and that such relationships need to be controlled and often strongly
70
The protocol described here is designed to provide a framework for
71
client-server applications in both the TCP and UDP domains to
72
conveniently and securely use the services of a network firewall.
73
The protocol is conceptually a "shim-layer" between the application
74
layer and the transport layer, and as such does not provide network-
75
layer gateway services, such as forwarding of ICMP messages.
79
There currently exists a protocol, SOCKS Version 4, that provides for
80
unsecured firewall traversal for TCP-based client-server
81
applications, including TELNET, FTP and the popular information-
82
discovery protocols such as HTTP, WAIS and GOPHER.
84
This new protocol extends the SOCKS Version 4 model to include UDP,
85
and extends the framework to include provisions for generalized
86
strong authentication schemes, and extends the addressing scheme to
87
encompass domain-name and V6 IP addresses.
89
The implementation of the SOCKS protocol typically involves the
90
recompilation or relinking of TCP-based client applications to use
91
the appropriate encapsulation routines in the SOCKS library.
95
Unless otherwise noted, the decimal numbers appearing in packet-
96
format diagrams represent the length of the corresponding field, in
97
octets. Where a given octet must take on a specific value, the
98
syntax X'hh' is used to denote the value of the single octet in that
99
field. When the word 'Variable' is used, it indicates that the
100
corresponding field has a variable length defined either by an
101
associated (one or two octet) length field, or by a data type field.
103
3. Procedure for TCP-based clients
105
When a TCP-based client wishes to establish a connection to an object
106
that is reachable only via a firewall (such determination is left up
107
to the implementation), it must open a TCP connection to the
108
appropriate SOCKS port on the SOCKS server system. The SOCKS service
109
is conventionally located on TCP port 1080. If the connection
110
request succeeds, the client enters a negotiation for the
114
Leech, et al Standards Track [Page 2]
116
RFC 1928 SOCKS Protocol Version 5 March 1996
119
authentication method to be used, authenticates with the chosen
120
method, then sends a relay request. The SOCKS server evaluates the
121
request, and either establishes the appropriate connection or denies
124
Unless otherwise noted, the decimal numbers appearing in packet-
125
format diagrams represent the length of the corresponding field, in
126
octets. Where a given octet must take on a specific value, the
127
syntax X'hh' is used to denote the value of the single octet in that
128
field. When the word 'Variable' is used, it indicates that the
129
corresponding field has a variable length defined either by an
130
associated (one or two octet) length field, or by a data type field.
132
The client connects to the server, and sends a version
133
identifier/method selection message:
135
+----+----------+----------+
136
|VER | NMETHODS | METHODS |
137
+----+----------+----------+
139
+----+----------+----------+
141
The VER field is set to X'05' for this version of the protocol. The
142
NMETHODS field contains the number of method identifier octets that
143
appear in the METHODS field.
145
The server selects from one of the methods given in METHODS, and
146
sends a METHOD selection message:
154
If the selected METHOD is X'FF', none of the methods listed by the
155
client are acceptable, and the client MUST close the connection.
157
The values currently defined for METHOD are:
159
o X'00' NO AUTHENTICATION REQUIRED
161
o X'02' USERNAME/PASSWORD
162
o X'03' to X'7F' IANA ASSIGNED
163
o X'80' to X'FE' RESERVED FOR PRIVATE METHODS
164
o X'FF' NO ACCEPTABLE METHODS
166
The client and server then enter a method-specific sub-negotiation.
170
Leech, et al Standards Track [Page 3]
172
RFC 1928 SOCKS Protocol Version 5 March 1996
175
Descriptions of the method-dependent sub-negotiations appear in
178
Developers of new METHOD support for this protocol should contact
179
IANA for a METHOD number. The ASSIGNED NUMBERS document should be
180
referred to for a current list of METHOD numbers and their
181
corresponding protocols.
183
Compliant implementations MUST support GSSAPI and SHOULD support
184
USERNAME/PASSWORD authentication methods.
188
Once the method-dependent subnegotiation has completed, the client
189
sends the request details. If the negotiated method includes
190
encapsulation for purposes of integrity checking and/or
191
confidentiality, these requests MUST be encapsulated in the method-
192
dependent encapsulation.
194
The SOCKS request is formed as follows:
196
+----+-----+-------+------+----------+----------+
197
|VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT |
198
+----+-----+-------+------+----------+----------+
199
| 1 | 1 | X'00' | 1 | Variable | 2 |
200
+----+-----+-------+------+----------+----------+
204
o VER protocol version: X'05'
208
o UDP ASSOCIATE X'03'
210
o ATYP address type of following address
211
o IP V4 address: X'01'
213
o IP V6 address: X'04'
214
o DST.ADDR desired destination address
215
o DST.PORT desired destination port in network octet
218
The SOCKS server will typically evaluate the request based on source
219
and destination addresses, and return one or more reply messages, as
220
appropriate for the request type.
226
Leech, et al Standards Track [Page 4]
228
RFC 1928 SOCKS Protocol Version 5 March 1996
233
In an address field (DST.ADDR, BND.ADDR), the ATYP field specifies
234
the type of address contained within the field:
238
the address is a version-4 IP address, with a length of 4 octets
242
the address field contains a fully-qualified domain name. The first
243
octet of the address field contains the number of octets of name that
244
follow, there is no terminating NUL octet.
248
the address is a version-6 IP address, with a length of 16 octets.
252
The SOCKS request information is sent by the client as soon as it has
253
established a connection to the SOCKS server, and completed the
254
authentication negotiations. The server evaluates the request, and
255
returns a reply formed as follows:
257
+----+-----+-------+------+----------+----------+
258
|VER | REP | RSV | ATYP | BND.ADDR | BND.PORT |
259
+----+-----+-------+------+----------+----------+
260
| 1 | 1 | X'00' | 1 | Variable | 2 |
261
+----+-----+-------+------+----------+----------+
265
o VER protocol version: X'05'
268
o X'01' general SOCKS server failure
269
o X'02' connection not allowed by ruleset
270
o X'03' Network unreachable
271
o X'04' Host unreachable
272
o X'05' Connection refused
274
o X'07' Command not supported
275
o X'08' Address type not supported
276
o X'09' to X'FF' unassigned
278
o ATYP address type of following address
282
Leech, et al Standards Track [Page 5]
284
RFC 1928 SOCKS Protocol Version 5 March 1996
287
o IP V4 address: X'01'
289
o IP V6 address: X'04'
290
o BND.ADDR server bound address
291
o BND.PORT server bound port in network octet order
293
Fields marked RESERVED (RSV) must be set to X'00'.
295
If the chosen method includes encapsulation for purposes of
296
authentication, integrity and/or confidentiality, the replies are
297
encapsulated in the method-dependent encapsulation.
301
In the reply to a CONNECT, BND.PORT contains the port number that the
302
server assigned to connect to the target host, while BND.ADDR
303
contains the associated IP address. The supplied BND.ADDR is often
304
different from the IP address that the client uses to reach the SOCKS
305
server, since such servers are often multi-homed. It is expected
306
that the SOCKS server will use DST.ADDR and DST.PORT, and the
307
client-side source address and port in evaluating the CONNECT
312
The BIND request is used in protocols which require the client to
313
accept connections from the server. FTP is a well-known example,
314
which uses the primary client-to-server connection for commands and
315
status reports, but may use a server-to-client connection for
316
transferring data on demand (e.g. LS, GET, PUT).
318
It is expected that the client side of an application protocol will
319
use the BIND request only to establish secondary connections after a
320
primary connection is established using CONNECT. In is expected that
321
a SOCKS server will use DST.ADDR and DST.PORT in evaluating the BIND
324
Two replies are sent from the SOCKS server to the client during a
325
BIND operation. The first is sent after the server creates and binds
326
a new socket. The BND.PORT field contains the port number that the
327
SOCKS server assigned to listen for an incoming connection. The
328
BND.ADDR field contains the associated IP address. The client will
329
typically use these pieces of information to notify (via the primary
330
or control connection) the application server of the rendezvous
331
address. The second reply occurs only after the anticipated incoming
332
connection succeeds or fails.
338
Leech, et al Standards Track [Page 6]
340
RFC 1928 SOCKS Protocol Version 5 March 1996
343
In the second reply, the BND.PORT and BND.ADDR fields contain the
344
address and port number of the connecting host.
348
The UDP ASSOCIATE request is used to establish an association within
349
the UDP relay process to handle UDP datagrams. The DST.ADDR and
350
DST.PORT fields contain the address and port that the client expects
351
to use to send UDP datagrams on for the association. The server MAY
352
use this information to limit access to the association. If the
353
client is not in possesion of the information at the time of the UDP
354
ASSOCIATE, the client MUST use a port number and address of all
357
A UDP association terminates when the TCP connection that the UDP
358
ASSOCIATE request arrived on terminates.
360
In the reply to a UDP ASSOCIATE request, the BND.PORT and BND.ADDR
361
fields indicate the port number/address where the client MUST send
362
UDP request messages to be relayed.
366
When a reply (REP value other than X'00') indicates a failure, the
367
SOCKS server MUST terminate the TCP connection shortly after sending
368
the reply. This must be no more than 10 seconds after detecting the
369
condition that caused a failure.
371
If the reply code (REP value of X'00') indicates a success, and the
372
request was either a BIND or a CONNECT, the client may now start
373
passing data. If the selected authentication method supports
374
encapsulation for the purposes of integrity, authentication and/or
375
confidentiality, the data are encapsulated using the method-dependent
376
encapsulation. Similarly, when data arrives at the SOCKS server for
377
the client, the server MUST encapsulate the data as appropriate for
378
the authentication method in use.
380
7. Procedure for UDP-based clients
382
A UDP-based client MUST send its datagrams to the UDP relay server at
383
the UDP port indicated by BND.PORT in the reply to the UDP ASSOCIATE
384
request. If the selected authentication method provides
385
encapsulation for the purposes of authenticity, integrity, and/or
386
confidentiality, the datagram MUST be encapsulated using the
387
appropriate encapsulation. Each UDP datagram carries a UDP request
394
Leech, et al Standards Track [Page 7]
396
RFC 1928 SOCKS Protocol Version 5 March 1996
399
+----+------+------+----------+----------+----------+
400
|RSV | FRAG | ATYP | DST.ADDR | DST.PORT | DATA |
401
+----+------+------+----------+----------+----------+
402
| 2 | 1 | 1 | Variable | 2 | Variable |
403
+----+------+------+----------+----------+----------+
405
The fields in the UDP request header are:
407
o RSV Reserved X'0000'
408
o FRAG Current fragment number
409
o ATYP address type of following addresses:
410
o IP V4 address: X'01'
412
o IP V6 address: X'04'
413
o DST.ADDR desired destination address
414
o DST.PORT desired destination port
417
When a UDP relay server decides to relay a UDP datagram, it does so
418
silently, without any notification to the requesting client.
419
Similarly, it will drop datagrams it cannot or will not relay. When
420
a UDP relay server receives a reply datagram from a remote host, it
421
MUST encapsulate that datagram using the above UDP request header,
422
and any authentication-method-dependent encapsulation.
424
The UDP relay server MUST acquire from the SOCKS server the expected
425
IP address of the client that will send datagrams to the BND.PORT
426
given in the reply to UDP ASSOCIATE. It MUST drop any datagrams
427
arriving from any source IP address other than the one recorded for
428
the particular association.
430
The FRAG field indicates whether or not this datagram is one of a
431
number of fragments. If implemented, the high-order bit indicates
432
end-of-fragment sequence, while a value of X'00' indicates that this
433
datagram is standalone. Values between 1 and 127 indicate the
434
fragment position within a fragment sequence. Each receiver will
435
have a REASSEMBLY QUEUE and a REASSEMBLY TIMER associated with these
436
fragments. The reassembly queue must be reinitialized and the
437
associated fragments abandoned whenever the REASSEMBLY TIMER expires,
438
or a new datagram arrives carrying a FRAG field whose value is less
439
than the highest FRAG value processed for this fragment sequence.
440
The reassembly timer MUST be no less than 5 seconds. It is
441
recommended that fragmentation be avoided by applications wherever
444
Implementation of fragmentation is optional; an implementation that
445
does not support fragmentation MUST drop any datagram whose FRAG
446
field is other than X'00'.
450
Leech, et al Standards Track [Page 8]
452
RFC 1928 SOCKS Protocol Version 5 March 1996
455
The programming interface for a SOCKS-aware UDP MUST report an
456
available buffer space for UDP datagrams that is smaller than the
457
actual space provided by the operating system:
459
o if ATYP is X'01' - 10+method_dependent octets smaller
460
o if ATYP is X'03' - 262+method_dependent octets smaller
461
o if ATYP is X'04' - 20+method_dependent octets smaller
463
8. Security Considerations
465
This document describes a protocol for the application-layer
466
traversal of IP network firewalls. The security of such traversal is
467
highly dependent on the particular authentication and encapsulation
468
methods provided in a particular implementation, and selected during
469
negotiation between SOCKS client and SOCKS server.
471
Careful consideration should be given by the administrator to the
472
selection of authentication methods.
476
[1] Koblas, D., "SOCKS", Proceedings: 1992 Usenix Security Symposium.
481
Bell-Northern Research Ltd
482
P.O. Box 3511, Stn. C,
486
Phone: (613) 763-9145
506
Leech, et al Standards Track [Page 9]