From: Raffaele De Lorenzo
Date: Mon, 17 Dec 2007 11:11:23 +0100
To: John E Hein
Cc: freebsd-arch@freebsd.org, net@freebsd.org, Julian Elischer, security@freebsd.org
Subject: Re: Added native socks support to libc in FreeBSD 7
Message-ID: <47664B4B.4050805@libero.it>
In-Reply-To: <18273.25559.26231.178154@gromit.timing.com>

John E Hein wrote:
> Raffaele De Lorenzo wrote at 14:39 +0100 on Dec 10, 2007:
> > You can see in the port-tree my project "csocks" and
> > http://csocks.altervista.org.
>
> Thanks for letting us know about your project. Here are
> just a few comments.
>
> Why don't you provide the source code in the port?
>
> For an open source, security sensitive project such as this, I think
> that's important for users to gain confidence in it.
>
> As far as putting the code in the base FreeBSD, that's a pretty large
> hurdle. The FreeBSD maintainers tend to put something in base only
> after a significant part of the user base uses it, and it has become
> the [or a] de facto preferred implementation of some industry
> standard.
>
> SOCKS is a standard, but the csocks implementation is not (yet).
> Continue to adhere to RFCs and grow your user base, and perhaps
> inclusion in FreeBSD's base system will happen organically.
>
> For things to go into the base system ...
>
> 1) The software (and its developers) need a proven track record
> (which you can gain by getting a large user base in ports).
> Personally, I hadn't heard about your SOCKS implementation until
> this week.
>
> 2) A significant number of FreeBSD users can't do without it. Now,
> this is quite subjective. In some sense, people can't do without
> a web browser in this day and age, but there's no browser in the
> FreeBSD base system. Of course, comparing firefox to csocks is
> not fair. Maybe grep is a better comparison. Web browsers are
> monstrous.
>
> 3) There is a significant benefit to having it tightly integrated
> with the base system (as opposed to a more loose integration in
> the ports tree). Wireless LAN is perhaps a good example here (and
> for #2 for that matter). Not everyone needs it, but when you do
> it is good to have it in the base system where it is given
> system level architecture love and care.
>
> 4) You need someone with commit privs to shepherd this thing along
> _and_ agreement from lots of other people (including FreeBSD's
> core). Hint: the freebsd-arch list is often a good place to
> discuss additions to the FreeBSD base.
>
> 5) Lots of other criteria (both implied and explicitly documented)
> that I'll not go into further (everyone together: "Hear, Hear").
>
> Note that the larger the base system becomes, the harder it is to
> maintain it well as a core, well integrated body of work. And once it
> is in the base, more people are now automatically signed on to
> maintain it (indirectly)... not just you anymore. When someone makes
> a change to the base tcp implementation, for instance, they have to
> make sure it also doesn't break the shiny new socks code now in the
> base system as well. This probably won't be a significant burden in
> this particular case, but it's something that people have to consider.
>
> As far as your specific patch to add socks support to libc ...
>
> Why not just make a patch that puts it in src/lib/libsocks? And a
> binary in src/usr.bin/csocks (that does the LD_PRELOAD dance to
> preload libsocks)? Why does it have to be in libc?
>
> I don't speak for the FreeBSD project, but that's a few of my thoughts
> after looking at your implementation... which I did since it tickled
> my curiosity. Keep up the good work.

Hi, many thanks for your interest.

Socks is a protocol used (in my experience) a lot in some banks for security reasons, so it has a large impact on network security. Recent versions of the IBM AIX OS introduced native socks support. The IBM socks implementation is inside the AIX libc (AIX 4 has the socks5 library in libc.a already); in fact, there are no externally preloaded socks libraries, and to socksify you must insert a socks rule in a particular configuration file (the default is "/etc/socks5c.conf"). The AIX native socks mode is much appreciated by its users, so my idea to add native socks support inside the libc in FreeBSD (which I think is a very good, secure OS!) is motivated by these considerations.
This is a comparative table "AIX SOCKS" VS "CSOCKS":

The IBM AIX Socks implementation:
1) doesn't support Socks V4
2) doesn't support GSS-API Authentication
3) supports IPv6
4) doesn't support Socks V5 User Authentication
5) doesn't support Socks under UDP
6) supports simple Socks V5 connect and bind
7) the configuration file doesn't support detailed rules (you cannot specify the port and the protocol to socksify... for details you can see http://www.ncsa.uiuc.edu/UserInfo/Resources/Hardware/IBMp690/IBM/usr/share/man/info/en_US/a_doc_lib/files/aixfiles/socks5c.conf.htm)

The CSOCKS Socks implementation:
1) supports Socks V4 Connect and Bind
2) supports Socks V5 Connect and Bind
3) supports the Socks V5 simple User Authentication method
4) supports Socks V5 under UDP
5) the configuration file supports detailed rules (you can see: http://csocks.altervista.org/doc.htm)
6) doesn't support IPv6 (under development)
7) doesn't support GSS-API Authentication (under development)

The source code of the "csocks/port version" is practically the same as the source code for the FreeBSD native support (the link is: http://csocks.altervista.org/download/FreeBSD_libc.tar.gz).

Now I have posted this discussion on the FreeBSD arch mailing list (thanks for your advice).

Raffaele