Hi Mohamed,

Thanks for your email. I had two reasons:
1. I was not aware of these two documents. I guess that means two fewer activities at the IETF, right?!

2. I just skimmed the documents you referred to. They talk about mechanisms for IP translation and authentication and for making NAT easier. But what I do not know exactly, or at least could not find with a very quick review, is that a SOCKS proxy also works closely with the firewall and opens ports when the SOCKS client wants to communicate with any service outside the network; in the general case the firewall keeps all its ports closed unless the client asks for a port to be opened. I know that NAT has settings to also work closely with the firewall, but I do not know which one has better performance. Further, the default assumption in those documents is that the NAT service is there. That means I not only need to consider the implementation of NAT but also these documents, while for SOCKS the SOCKS standard alone is enough, which works closely with SELinux for firewalling. Now the question is which process is heavier from a computation perspective: NAT + this approach, or a SOCKS proxy alone that does the replacement of IPs? I haven't done any experiment or comparison yet.

One more important point is how NAT will handle TCP connections when we have an unreliable internet connection that breaks frequently, but we cannot re-establish TLS every single time the connection breaks. What I liked about SOCKS 6 that was not in SOCKS5 is that they handled the unreliable connection very well, either on purpose or accidentally, since they referred to a document such as TCP Fast Open. Further, a SOCKS proxy is a layer 5 protocol and can handle TLS communication better than NAT. I am of course not talking about the case of using SOCKS as a MITM for my TLS connection; that is not the purpose at all here. But NAT is layer 3, or at most layer 4 with some configuration, which has no flexibility at the session layer.
Best,
Hosnieh

This is of course what I also need or expect to use from SOCKS as a kind of NATing, but at the same time the most important thing is its interaction with the firewall.

On 07/06/2017 03:08 PM, [email protected] wrote:
> Hi Hosnieh,
>
> Just out of curiosity, is there any particular reason you want to use SOCKS? Did you consider other protocols such as:
>
> · https://tools.ietf.org/html/rfc6887
> · https://tools.ietf.org/html/rfc7652
>
> Thank you.
>
> Cheers,
> Med
>
> *From:* Int-area [mailto:[email protected]] *On behalf of* Hosnieh Rafiee
> *Sent:* Wednesday 5 July 2017 21:21
> *To:* [email protected]
> *Subject:* [Int-area] Review> SOCKS 6 Draft
>
> Hello,
>
> I quickly reviewed the SOCKS6 document, as I was waiting for any initiative to improve SOCKS 5. I found it a good document; however, unfortunately the security is still weak, and this document also did not address that but made it worse. I am looking for new methods of authentication, as what is available in SOCKS5 is just plain text and cannot protect against an active attacker, and also not against a passive attacker if a fixed value is used as a username and password.
>
> Further, the DDoS attack mentioned in the draft cannot be addressed as easily as explained, IMHO, since the proxy server is supposed to receive larger messages, and the attacker client can overwhelm the SOCKS server more easily with fewer messages from different IP addresses that appear to be new clients. Further, for constrained devices there is a limitation in message size; therefore, unlike SOCKS5, which could also be used for such devices, SOCKS 6 cannot be used, otherwise there will be a limit on the information supposed to be sent in one message.
>
> https://tools.ietf.org/html/draft-intarea-olteanu-socks-6-00.html
>
> But in general, that is a good effort, keep going!
>
> Best,
>
> Hosnieh
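To make the "plain text" remark about SOCKS5 authentication concrete, here is an added example (not from the thread or the draft) that builds and parses the RFC 1929 username/password subnegotiation message; the sample credentials are constructed. Anyone who can observe the TCP stream recovers them with nothing more than this parser, which is why this method only makes sense inside an encrypted tunnel.

```python
# Added example: RFC 1929 username/password subnegotiation used by SOCKS5
# after the server selects authentication method 0x02. The request is
# VER(0x01) | ULEN | UNAME | PLEN | PASSWD, with no encryption or hashing.
from typing import Dict

USERPASS_VERSION = 0x01  # RFC 1929 subnegotiation version byte


def build_userpass_request(username: str, password: str) -> bytes:
    """Encode what a SOCKS5 client sends on the wire (RFC 1929, section 2)."""
    u = username.encode("utf-8")
    p = password.encode("utf-8")
    if not 1 <= len(u) <= 255 or not 1 <= len(p) <= 255:
        raise ValueError("username/password must be 1..255 bytes")
    return bytes([USERPASS_VERSION, len(u)]) + u + bytes([len(p)]) + p


def parse_userpass_request(data: bytes) -> Dict[str, str]:
    """Decode a captured request; a passive observer needs no key to do this.

    Length fields are checked so a truncated or malformed capture raises
    instead of returning garbage.
    """
    if len(data) < 2 or data[0] != USERPASS_VERSION:
        raise ValueError("not an RFC 1929 username/password request")
    ulen = data[1]
    if len(data) < 2 + ulen + 1:
        raise ValueError("truncated username field")
    uname = data[2:2 + ulen]
    plen = data[2 + ulen]
    if len(data) != 2 + ulen + 1 + plen:
        raise ValueError("length mismatch in password field")
    passwd = data[3 + ulen:3 + ulen + plen]
    return {"username": uname.decode("utf-8"), "password": passwd.decode("utf-8")}


# Constructed sample credentials, not real ones.
SAMPLE_REQUEST = build_userpass_request("alice", "hunter2")

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())           # bytes as seen on the wire
    print(parse_userpass_request(SAMPLE_REQUEST))
```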
_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
