见下,英汉混合的,我翻译的,不要见笑
SOCKS Protocol Version 5 (第一部分)
(Socks5协议,摘自RFC1928,翻译:杨浩)
1. Introduction
1.介绍
The use of network firewalls, systems that effectively isolate an organizations internal network structure from an exterior network, such as the INTERNET is becoming increasingly popular.
作为一套隔离外部网和团体内部网的系统,网络防火墙同internet一起已经变得越来越流行
These firewall systems typically act as application-layer gateways between networks, usually offering controlled TELNET, FTP, and SMTP access.
这些防火墙系统代表性的扮演了一种在应用层上的网关的角色,通常提供受约束的telnet,ftp,和smtp连接
With the emergence of more sophisticated application layer protocols designed to facilitate global information discovery,
随着更多能促进全球信息发展的应用层协议的制定
there exists a need to provide a general framework for these protocols to transparently and securely traverse a firewall.
现在有必要为这些协议提供一种通用的方法去有效和安全的穿过防火墙。
There exists, also, a need for strong authentication of such traversal in as fine-grained a manner as is practical.
同时也有必要严密的鉴别在应用中传输的数据。
This requirement stems from the realization that client-server relationships emerge between the networks of various organizations,
这些客户/服务器关系的现实需求在网络和各种团体中出现了,
and that such relationships need to be controlled and often strongly authenticated.
同样这种关系需要控制和严密的鉴别。
The protocol described here is designed to provide a framework for client-server applications in both the TCP and UDP domains to conveniently and securely use the services of a network firewall.
在这里描述的协议是为了提供一种无论是在tcp还是udp的客户/服务器领域中都可以使用的构架来方便的和安全的使用网络防火墙的服务
The protocol is conceptually a "shim-layer" between the application layer and the transport layer, and as such does not provide network-layer gateway services, such as forwarding of ICMP messages.
这个协议可以理解为应用层和传输层中间的一层同时不提供网络层网关服务,如不传递icmp消息。
2. Existing practice
2.现有的应用
There currently exists a protocol, SOCKS Version 4, that provides for unsecured firewall traversal for TCP-based client-server applications, including TELNET, FTP and the popular information-discovery protocols such as HTTP, WAIS and GOPHER.
现有的socks4协议提供了一种不可靠的防火墙传输给基于tcp的客户/服务器应用使用,包括telnet,ftp和一些流行的信息检索协议如http,wais和gopher
This new protocol extends the SOCKS Version 4 model to include UDP, and extends the framework to include provisions for generalized strong authentication schemes, and extends the addressing scheme to encompass domain-name and V6 IP addresses.
新的协议扩展socks4模型使其包括udp协议,扩展了结构去提供了不适应特殊需要的验证方案,并且扩展了地址方案使其能够使用域名和v6 ip地址
The implementation of the SOCKS protocol typically involves the recompilation or relinking of TCP-based client applications to use the appropriate encapsulation routines in the SOCKS library.
Socks协议的执行可以概括的描述为用socks库以合适的封装方法重新编译和连接基于tcp的客户应用
Note:
注:
Unless otherwise noted, the decimal numbers appearing in packet-format diagrams represent the length of the corresponding field, in octets.
除非特别的注明,否则在包装格式表中出现的十进制数表示的是相应的在八位二进制(等于1字节)数据区域的长度,
Where a given octet must take on a specific value, the syntax X'hh' is used to denote the value of the single octet in that field.
当给定的1字节有特定值时,用X'hh'表示这一个字节的确定值
When the word 'Variable' is used, it indicates that the corresponding field has a variable length defined either by an associated (one or two octet) length field, or by a data type field.
当用'变体'时,表明相应的区域有变长的数据,定义为联合长度区域(1或2个字节)或一种数据格式区域。
3. Procedure for TCP-based clients
基于tcp客户的手续
When a TCP-based client wishes to establish a connection to an object that is reachable only via a firewall (such determination is left up to the implementation), it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system.
当基于tcp的客户希望建立一个只能经过防火墙才能到达的连接对象时(这个决定需要保留直到执行),就必须建立一个tcp连接到适当的socks服务系统的socks端口
The SOCKS service is conventionally located on TCP port 1080.
Socks服务通常定位在tcp的1080端口
If the connection request succeeds, the client enters a negotiation for the authentication method to be used, authenticates with the chosen method, then sends a relay request.
如果连接请求被通过,那么客户开始依据应用的鉴定方法和服务器开始协商,根据选定的方法,向服务器发送回应的请求。
The SOCKS server evaluates the request, and either establishes the appropriate connection or denies it.
Socks服务器检验这个请求,软后建立适当的连接或是拒绝它。
The client connects to the server, and sends a version identifier/method selection message:
客户端连接服务器,并且发送一个 版本标识/方法选择 消息
VER NMETHODS METHODS
1 1 1 to 255
The VER field is set to X'05' for this version of the protocol.
版本区域应该设置为 X'05' 对应目前版本的协议
The NMETHODS field contains the number of method identifier octets that appear in the METHODS field.
NMETHODS 区域包含了出现在METHODS区域中的方法标识符字节的数量。
The server selects from one of the methods given in METHODS, and sends a METHOD selection message:
服务器从methods区域中选择一种方法,并且返回方法选择的消息
VER METHOD
1 1
If the selected METHOD is X'FF', none of the methods listed by the client are acceptable, and the client MUST close the connection.
如果选择的方法是X'FF',那么在客户所列出的方法中没有一个能被接受,客户必须关闭这个连接
The values currently defined for METHOD are:
目前定义的方法值为
l X'00' NO AUTHENTICATION REQUIRED
X'00'不需验证
l X'01' GSSAPI
X'01'用GSSAPI
l X'02' USERNAME/PASSWORD
X'02'使用用户名/密码
l X'03' to X'7F' IANA ASSIGNED
X'03' 到 X'7F' IANA 指定
l X'80' to X'FE' RESERVED FOR PRIVATE METHODS
X'80' 到 X'FE' 保留为自定义方法
l X'FF' NO ACCEPTABLE METHODS
X'FF'没有能够接受的方法
The client and server then enter a method-specific sub-negotiation.
客户和服务器进入详细的方法商议阶段
Descriptions of the method-dependent sub-negotiations appear in separate memos.
依靠方法的描述在分开的备忘录中
Developers of new METHOD support for this protocol should contact IANA for a METHOD number.
支持本协议的新方法的开发者应该从IANA得到方法号
The ASSIGNED NUMBERS document should be referred to for a current list of METHOD numbers and their corresponding protocols.
指派号码的文档应该指向目前的方法号列表和他们相应的协议
Compliant implementations MUST support GSSAPI and SHOULD support USERNAME / PASSWORD authentication methods.
允许的执行必须支持GSSAPI并且应该支持 用户名/密码 验证方法
4. Requests
4.请求
Once the method-dependent subnegotiation has completed, the client sends the request details.
当基于方法的协商完成后,客户就可以发送请求的详细资料了
If the negotiated method includes encapsulation for purposes of integrity checking and/or confidentiality, these requests MUST be encapsulated in the method-dependent encapsulation.
如果协定的方法包括有有完整性检查 或/和 保证机密性的目的封包方式的话,那么请求必须以方法限定的封包方式封装。
The SOCKS request is formed as follows:
Socks 请求结构如下
VER CMD RSV ATYP DST.ADDR DST.PORT
1 1 |X'00' 1 Variable 2
Where:
在这里:
l VER protocol version: X'05'
版本 协议版本:x'05'
l CMD
连接方法
CONNECT X'01'
连接 x'01'
BIND X'02'
绑定x'02'
UDP ASSOCIATE X'03'
Udp连接 x'03'
l RSV RESERVED
保留 保留
l ATYP address type of following address
地址表示形势
IP V4 address: X'01'
DOMAINNAME: X'03'
IP V6 address: X'04'
l DST.ADDR desired destination address
期望目的地址
l DST.PORT desired destination port in network octet order
期望目的端口(用双字节表示)
The SOCKS server will typically evaluate the request based on source and destination addresses, and return one or more reply messages, as appropriate for the request type.
Socks服务器将依据来源和目标地址代表性的检验请求,并且依照请求的方式返回一或多条回应信息,
5. Addressing
地址
In an address field (DST.ADDR, BND.ADDR), the ATYP field specifies the type of address contained within the field:
在地址区中,ATYP区域指定了本区地址的类型
l X'01'
the address is a version-4 IP address, with a length of 4 octets
这个地址是一个 ip v4地址,长度为4字节
l X'03'
the address field contains a fully-qualified domain name.
地址区包含了一个完整的域名
The first octet of the address field contains the number of octets of name that follow, there is no terminating NUL octet.
第一个字节包含了所包括域名的字节长度,不包括最终的nul字节(在c中为x'00')
l X'04'
the address is a version-6 IP address, with a length of 16 octets.
这个地址是一个 ip v6地址,长度为16字节
6. Replies
应答
The SOCKS request information is sent by the client as soon as it has established a connection to the SOCKS server, and completed the authentication negotiations.
一旦客户确认连接上了socks服务器并且通过了验证,就会马上发出Socks请求信息
The server evaluates the request, and returns a reply formed as follows:
服务器检查请求,并且以如下格式返回请求
VER REP RSV ATYP BND.ADDR BND.PORT
1 1 X'00' 1 Variable 2
Where:
在这里
l VER protocol version: X'05' 协议版本:x'05'
l REP Reply field:应答区
o X'00' succeeded 成功
o X'01' general SOCKS server failure 错误
o X'02' connection not allowed by ruleset 连接不被规则设置所接受
o X'03' Network unreachable 网络不可到达
o X'04' Host unreachable 主机不可到达
o X'05' Connection refused 连接被拒绝
o X'06' TTL expired TTL过期
o X'07' Command not supported 命令不被接受
o X'08' Address type not supported 地址格式不被接受
o X'09' to X'FF' unassigned 没有被指派
o RSV RESERVED 保留
o ATYP address type of following address 地址类型
o IP V4 address: X'01'
o DOMAINNAME: X'03'
o IP V6 address: X'04'
o BND.ADDR server bound address 服务器地址
o BND.PORT server bound port in network octet order 服务器端口
Fields marked RESERVED (RSV) must be set to X'00'.
保留区必须被设置为x'00'
If the chosen method includes encapsulation for purposes of authentication, integrity and/or confidentiality, the replies are encapsulated in the method-dependent encapsulation.
如果被选择的方法包括了完整而机密的验证的封包,回应将依靠方法来封包
CONNECT
连接
In the reply to a CONNECT, BND.PORT contains the port number that the server assigned to connect to the target host, while BND.ADDR contains the associated IP address.
在对于一个连接的回应中,绑定的端口包括了服务器连接目标的端口号,并且绑定地址包含了关联的地址。
The supplied BND.ADDR is often different from the IP address that the client uses to reach the SOCKS server, since such servers are often multi-homed.
被提供的绑定地址通常不同于客户端使用来连接socks服务器的,因为服务器经常是多地址的
It is expected that the SOCKS server will use DST.ADDR and DST.PORT, and the client-side source address and port in evaluating the CONNECT request.
我们期望socks服务器会使用终端地址、终端端口,并且在评测连接请求时使用客户端源地址和端口,
BIND
绑定
The BIND request is used in protocols which require the client to accept connections from the server.
绑定请求在需要客户端接受服务端的连接请求的协议中应用。
FTP is a well-known example, which uses the primary client-to-server connection for commands and status reports, but may use a server-to-client connection for transferring data on demand (e.g. LS, GET, PUT).
FTP是一个很好的例子,它使用一个主要的 客户端到服务端 的连接传输命令和状态报告,但是可以使用一个 服务端到客户端 的连接来依据请求传输数据。
It is expected that the client side of an application protocol will use the BIND request only to establish secondary connections after a primary connection is established using CONNECT.
一般期望客户端应用协议使用绑定请求仅仅建立第二连接在主连接用connect建立之后。
It is expected that a SOCKS server will use DST.ADDR and DST.PORT in evaluating the BIND request.
期望socks服务器在评测绑定请求时使用DST.ADDR 和 DST.PORT
Two replies are sent from the SOCKS server to the client during a BIND operation.
在一个绑定过程中服务器会给客户端两个应答。
The first is sent after the server creates and binds a new socket.
第一个在服务端建立并且绑定了一个新的端口之后。
The BND.PORT field contains the port number that the SOCKS server assigned to listen for an incoming connection.
BND.PORT区包含了服务器指派的监听端口号。
The BND.ADDR field contains the associated IP address.
BND.ADDR区包含了关联的ip地址。
The client will typically use these pieces of information to notify (via the primary or control connection) the application server of the rendezvous address.
客户端将特别的使用这些信息来通知(经过主要或者控制连接)集合地址的应用服务器
The second reply occurs only after the anticipated incoming connection succeeds or fails.
第二个回应只在期望的连接成功或失败之后出现。
In the second reply, the BND.PORT and BND.ADDR fields contain the address and port number of the connecting host.
在第二个回应中,BND.PORT 和 BND.ADDR包含了连接主机的地址和端口号。
