📄 rfc3089.txt
字号:
RFC 3089 SOCKS-based IPv6/IPv4 Gateway Mechanism April 2001
4. Multiple Chained Relay Mechanism (Advanced usage)
The SOCKS-based gateway mechanism has the flexibility to support
multiple chained relay topologies. With the mechanism, IPv4 and IPv6
mixed various communication topologies are accomplished.
Figure 2 shows the structure of the multiple chained relay mechanism.
Client C Gateway G1 Gateway G2 Destination D
+-----------+ (Server 1) (Server 2)
|Application|
+===========+ +-------------+ +-------------+ +-----------+
|*SOCKS Lib*| | *Gateway1* | | *Gateway2* | |Application|
+===========+ +=====---=====+ +=====---=====+ +-----------+
| Socket DNS| | Socket DNS | | Socket DNS | | Socket DNS|
+-----------+ +-------------+ +-------------+ +-----------+
| [ IPv X ] | |[IPvX]|(IPvY)| |(IPvY)|{IPvZ}| | { IPv Z } |
+-----------+ +-------------+ +-------------+ +-----------+
|Network I/F| | Network I/F | | Network I/F | |Network I/F|
+-----+-----+ +---+-----+---+ +---+-----+---+ +-----+-----+
| | | | | |
+============+ +==========+ +------------+
socksified socksified normal
connection connection connection
(ctrl)+data (ctrl)+data data only
Fig. 2 Multiple Chained Relay Mechanism
In this figure, the source node (Client C) initiates the
communication with the destination (Destination D). Underneath, the
connection is replaced with three connections, and they are relayed
at the two relay servers (Gateway G1 and G2). The *Gateway* includes
the same type of functions of *Socks Lib*. By enabling the *Socks
Lib* functions at the *Gateway1* on the first relay server (Gateway
G1), the multiple chained relay topology is accomplished.
There is no limitation on the number of relay operations between the
source node and the final destination node. It is possible to have
more than two intermediate relay servers. To simplify the
explanation, a twice-relayed topology is shown here.
Since the multiple chained relay is more complex than one-time relay
and causes complexity, it is recommended that the multiple chained
relay communication should be used only when it is necessary for some
reason (e.g., usable protocols or topologies are limited by routers
etc.).
Kitamura Informational [Page 7]
RFC 3089 SOCKS-based IPv6/IPv4 Gateway Mechanism April 2001
5. Applicability statement
The SOCKS-based gateway mechanism requests socksification of
applications (install *Socks Lib*) to accomplish heterogeneous
communications. It is not necessary to modify (change source codes
and recompile them, etc.) the applications, because typical
socksification is done by changing the linking order of dynamic link
libraries (specifically, by linking the SOCKS dynamic link library
before the dynamic link libraries for normal socket and DNS name
resolving APIs).
The mechanism does not request modification of the DNS system,
because the DNS name resolving procedure at the Client C is delegated
to the dual stack node Gateway G.
Other than the socksification, the SOCKS-based gateway mechanism has
the following three types of constraints.
1. Essential constraints:
Constraints are caused by the address length difference between
IPv4 and IPv6.
Functions that request an IP address as one of the return values
(e.g., getpeername() and getsockname() etc.) can not provide the
correct IP address as a return value. However, a suitable port
value can be provided, because IPv4 and IPv6 use the same size
port space and an appropriate port information is transferred by
the SOCKS protocol.
2. Constraints of the SOCKS mechanism:
Since the current SOCKS system can not socksify all of the tricky
applications in which extraordinary manners are used to create
connections, the SOCKS-based gateway mechanism can not be applied
to them.
3. Constraints to deal with the fake address:
The fake address must be dealt with as a temporary value at the
application. It is used as a key value in the mapping table for
the "DNS name resolving delegation" feature. When the application
is finished and the mapping table disappears, the fake address
information must be also released.
Even if it is recorded permanently (e.g., recorded as a bookmark),
serious problems will not occur. The recorded fake address
information will merely become useless, because fake address
Kitamura Informational [Page 8]
RFC 3089 SOCKS-based IPv6/IPv4 Gateway Mechanism April 2001
information is taken from a reserved special IP address space that
is never used in real communications (e.g., 0.0.0.x) and such a
information is useless for the normal communication applications.
Furthermore, such cases will be rare because most applications
usually record FQDN information (not fake IP address information)
to the bookmark, etc.
5.1 Native SOCKS mechanism considerations
The characteristics of the SOCKS-based IPv6/IPv4 gateway mechanism
are inherited from those of the native SOCKS mechanism. Therefore,
consideration issues of the native SOCKS mechanism are discussed in
this section.
The SOCKSv5 protocol is composed of three commands (CONNECT, BIND and
UDP ASSOCIATE). All of three commands can be applied in the SOCKS-
based IPv6/IPv4 gateway mechanism.
This document is described with assuming the usage of the CONNECT
command mainly, because the CONNECT command is the main and most
frequently used command in the SOCKS mechanism. Since the CONNECT
command does not have clear week points, we can use it freely without
considerations.
The other (BIND and UDP ASSOCIATE) commands have the following weak
points. So, we have to consider these points when we use the BIND or
UDP ASSOCIATE commands in the mechanism.
The BIND command is basically designed to support reverse-channel
rendezvous of the FTP type applications. So, general usages of the
BIND command may cause problems.
The UDP ASSOCIATE command is basically designed for simple UDP
applications (e.g., archie). It is not general enough to support a
large class of applications that use both TCP and UDP.
Kitamura Informational [Page 9]
RFC 3089 SOCKS-based IPv6/IPv4 Gateway Mechanism April 2001
6. Security Considerations
Since the SOCKS-based IPv6/IPv4 gateway mechanism is based on SOCKSv5
protocol, the security feature of the mechanism matches that of
SOCKSv5. It is described in the Security Considerations section of
the SOCKS Protocol Version 5 [SOCKSv5].
The mechanism is based on relaying two "terminated" connections at
the "application layer". The end-to-end security is maintained at
each of the relayed connections (i.e., between Client C and Gateway
G, and between Gateway G and Destination D). The mechanism does not
provide total end-to-end security relay between the original source
(Client C) and the final destination (Destination D).
Kitamura Informational [Page 10]
RFC 3089 SOCKS-based IPv6/IPv4 Gateway Mechanism April 2001
Appendix A. Implementations
Currently, there are two independent implementations of the SOCKS-
based IPv6/IPv4 gateway mechanism. Both of them are open to the
public.
One is NEC's implementation. Its source codes are available at the
following URL.
http://www.socks.nec.com/
The other is Fujitsu Lab.'s implementation, which is called
"SOCKS64". Its source codes are available at the following URL.
ftp://ftp.kame.net/pub/kame/misc/socks64-...
References
[SOCKSv5] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D. and
L. Jones, "SOCKS Protocol V5", RFC 1928, April 1996.
[TRANSMECH] Gilligan, R. and E. Nordmark, "Transition Mechanisms for
IPv6 Hosts and Routers", RFC 2893, August 2000.
[IPv6] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.
[INET99] H. Kitamura, "Entering the IPv6 communication world by
the SOCKS-based IPv6/IPv4 Translator", in Proceedings of
INET99, July 1999.
Author's Address
Hiroshi Kitamura
NEC Corporation
Development Laboratories
(Igarashi Building 4F) 11-5, Shibaura 2-Chome,
Minato-Ku, Tokyo 108-8557, JAPAN
Phone: +81 (3) 5476-1071
Fax: +81 (3) 5476-1005
EMail: kitamura@da.jp.nec.com
Kitamura Informational [Page 11]
RFC 3089 SOCKS-based IPv6/IPv4 Gateway Mechanism April 2001
Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Kitamura Informational [Page 12]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -