SOCKS5 and UDP

Ron Frederick ronf at timeheart.net
Wed Jan 18 02:42:50 AEDT 2017


On Jan 17, 2017, at 1:37 AM, Darren Tucker <dtucker at zip.com.au> wrote:
> On Tue, Jan 17, 2017 at 8:05 PM, Romain Vimont <rom at rom1v.com> wrote:
> [..]
>> So if I understand correctly, making "ssh -D" create a "full" SOCKS5
>> server, including UDP relay¹, would require adding a new SSH request
>> type (like "relay-udp")?
> 
> Right.  SSH has an extension mechanism: message types with an
> @somedomain.com are "vendor extensions" that do not require IETF
> standardization so it'd be relay-udp@$something.  It'd need some kind
> of association tracking for UDP host/port pairs to replace the stuff
> the kernel does for us with TCP, so it'd probably be more complicated to
> implement than the existing SOCKS/direct-tcpip support.


One thing that makes UDP over SOCKS more complicated for SSH is that SOCKS normally keeps the UDP packets it forwards as UDP, just adding a small header to each packet. If you want to get the benefit of the SSH encryption here, though, you’d need to open an SSH channel to carry these packets, converting them from UDP to being carried within the existing SSH TCP connection (much like what SSH already does in the SOCKS TCP case) and then converting back to UDP on the other side.

It might be worth looking into where SSH tunnel device forwarding would be helpful here (the “-w” option in OpenSSH). It’s already designed to tunnel datagrams, and should have no trouble carrying UDP packets. It doesn’t use SOCKS as the way to get the data to the SSH client, though. Instead, it relies on the ability to create a network tunnel device. See the “SSH-BASED VIRTUAL PRIVATE NETWORKS” section of the SSH man page for details.
-- 
Ron Frederick
ronf at timeheart.net
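As an added illustration of the two points raised in this thread (the small per-packet header SOCKS puts on relayed UDP, and the host/port association tracking a relay has to do itself because the kernel does not do it for UDP), the following Python is not part of this thread and not OpenSSH code. It parses and builds the RFC 1928 section 7 UDP request header (RSV, FRAG, ATYP, DST.ADDR, DST.PORT, DATA) and keeps a per-client table of the peers that client has sent to, so that replies can be wrapped back into the SOCKS header for the right client and unsolicited datagrams from other sources are dropped. The `UdpAssociation` class and its drop-unknown-peers policy are this example's own choices, not anything the RFC or OpenSSH mandates; the client address 198.51.100.7 and the peers below are constructed sample values.

```python
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Address-type codes from RFC 1928
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


@dataclass
class SocksUdpDatagram:
    frag: int
    host: str
    port: int
    payload: bytes


def _take(packet: bytes, off: int, n: int) -> Tuple[bytes, int]:
    """Return packet[off:off+n] and the new offset, refusing truncated input."""
    chunk = packet[off:off + n]
    if len(chunk) != n:
        raise ValueError("truncated SOCKS5 UDP datagram")
    return chunk, off + n


def parse_socks5_udp(packet: bytes) -> SocksUdpDatagram:
    """Parse the RFC 1928 UDP relay header: RSV(2) FRAG(1) ATYP(1) DST.ADDR DST.PORT DATA."""
    hdr, off = _take(packet, 0, 4)
    rsv, frag, atyp = struct.unpack("!HBB", hdr)
    if rsv != 0:
        raise ValueError("RSV must be zero")
    if atyp == ATYP_IPV4:
        raw, off = _take(packet, off, 4)
        host = socket.inet_ntoa(raw)
    elif atyp == ATYP_IPV6:
        raw, off = _take(packet, off, 16)
        host = str(ipaddress.IPv6Address(raw))
    elif atyp == ATYP_DOMAIN:
        n, off = _take(packet, off, 1)
        raw, off = _take(packet, off, n[0])
        host = raw.decode("ascii")
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    port_raw, off = _take(packet, off, 2)
    port = struct.unpack("!H", port_raw)[0]
    return SocksUdpDatagram(frag, host, port, packet[off:])


def build_socks5_udp(host: str, port: int, payload: bytes, frag: int = 0) -> bytes:
    """Prepend the SOCKS5 UDP header to a payload; picks ATYP from the host form."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return struct.pack("!HB", 0, frag) + addr + struct.pack("!H", port) + payload


class UdpAssociation:
    """Per-client bookkeeping a UDP relay must do itself (the kernel does this for TCP).

    Hypothetical helper for this example: remembers which (host, port) peers the
    client has sent to, so replies can be matched back to the client and wrapped
    in the SOCKS header, while datagrams from unknown peers are dropped.
    """

    def __init__(self, client: Tuple[str, int]):
        self.client = client
        self.peers = set()

    def outbound(self, packet: bytes) -> Optional[Tuple[str, int, bytes]]:
        """Client -> relay: strip the header, record the peer, return what to send on."""
        d = parse_socks5_udp(packet)
        if d.frag != 0:
            return None  # this relay does not reassemble fragments; RFC 1928 allows dropping them
        self.peers.add((d.host, d.port))
        return d.host, d.port, d.payload

    def inbound(self, src_host: str, src_port: int, payload: bytes) -> Optional[bytes]:
        """Peer -> relay: only known peers are wrapped and returned to the client."""
        if (src_host, src_port) not in self.peers:
            return None  # unsolicited datagram, not delivered to the client
        return build_socks5_udp(src_host, src_port, payload)


if __name__ == "__main__":
    assoc = UdpAssociation(("198.51.100.7", 40000))  # constructed client address
    wire = build_socks5_udp("192.0.2.10", 53, b"query")  # constructed peer and payload
    print(assoc.outbound(wire))
    print(parse_socks5_udp(assoc.inbound("192.0.2.10", 53, b"answer")))
```

Everything carried between client and relay here is still plain UDP plus a header; to get SSH's encryption for it, the relay side of this exchange would have to live inside an SSH channel, which is exactly the extra work the thread describes.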
