Re: SOCKS5 and UDP

On Jan 17, 2017, at 1:37 AM, Darren Tucker <dtucker@xxxxxxxxxx> wrote:
> On Tue, Jan 17, 2017 at 8:05 PM, Romain Vimont <rom@xxxxxxxxx> wrote:
> [..]
>> So if I understand correctly, making "ssh -D" create a "full" SOCKS5
>> server, including UDP relay¹, would require adding a new SSH request
>> type (like "relay-udp")?
> 
> Right.  SSH has an extension mechanism: message types with an
> @somedomain.com are "vendor extensions" that do not require IETF
> standardization so it'd be relay-udp@$something.  It'd need some kind
> of association tracking for UDP host/port pairs to replace the stuff
> the kernel does for us with TCP, so it'd probably be more complicated to
> implement than the existing SOCKS/direct-tcpip support.


One thing that makes UDP over SOCKS more complicated for SSH is that SOCKS normally keeps the UDP packets it forwards as UDP, just adding a small header to each packet. If you want to get the benefit of the SSH encryption here, though, you’d need to open an SSH channel to carry these packets, converting them from UDP to being carried within the existing SSH TCP connection (much like what SSH already does in the SOCKS TCP case) and then converting back to UDP on the other side.

It might be worth looking into whether SSH tunnel device forwarding would be helpful here (the “-w” option in OpenSSH). It’s already designed to tunnel datagrams, and should have no trouble carrying UDP packets. It doesn’t use SOCKS as the way to get the data to the SSH client, though. Instead, it relies on the ability to create a network tunnel device. See the “SSH-BASED VIRTUAL PRIVATE NETWORKS” section of the SSH man page for details.
-- 
Ron Frederick
ronf@xxxxxxxxxxxxx
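The per-packet SOCKS5 UDP header referred to above, as an added example that is not code from the thread or from OpenSSH: a Python encoder/decoder for the RFC 1928 UDP relay datagram format, using constructed documentation addresses. It shows the few bytes of overhead the relay adds and that none of it is protected by SSH unless the whole datagram is carried inside an SSH channel.

```python
import ipaddress
import struct

# RFC 1928 section 7 UDP relay header (constructed example, not OpenSSH code):
#   RSV(2, zero) | FRAG(1) | ATYP(1) | DST.ADDR(var) | DST.PORT(2) | DATA(var)
# Everything here travels as plaintext UDP between client and relay.
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def encapsulate(host: str, port: int, payload: bytes) -> bytes:
    """Prepend the SOCKS5 UDP header to a payload destined for host:port."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:  # not an IP literal, so encode as a domain name
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        atyp, addr = ATYP_DOMAIN, bytes([len(name)]) + name
    # FRAG=0: stand-alone datagram; relays may refuse fragmentation entirely.
    return b"\x00\x00\x00" + bytes([atyp]) + addr + struct.pack("!H", port) + payload


def decapsulate(datagram: bytes):
    """Parse a relay datagram into (host, port, data); reject malformed or fragmented ones."""
    if len(datagram) < 4 or datagram[:2] != b"\x00\x00":
        raise ValueError("missing header or non-zero RSV")
    frag, atyp = datagram[2], datagram[3]
    if frag != 0:
        raise ValueError("fragmented datagram: drop (RFC 1928 permits this)")
    if atyp == ATYP_IPV4:
        addr_len, start = 4, 4
    elif atyp == ATYP_IPV6:
        addr_len, start = 16, 4
    elif atyp == ATYP_DOMAIN and len(datagram) > 4:
        addr_len, start = datagram[4], 5  # one length octet, then the name
    else:
        raise ValueError(f"unknown or truncated ATYP {atyp:#x}")
    end = start + addr_len
    if len(datagram) < end + 2:
        raise ValueError("truncated address or port")
    raw = datagram[start:end]
    if atyp == ATYP_DOMAIN:
        host = raw.decode("idna")
    else:
        host = str(ipaddress.ip_address(raw))  # accepts 4- or 16-byte packed form
    (port,) = struct.unpack("!H", datagram[end:end + 2])
    return host, port, datagram[end + 2:]
```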



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev