Re: [dhcwg] configuring SOCKS(v5) via DHCP

mohamed.boucadair@orange.com Mon, 28 March 2022 07:06 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
From: <mohamed.boucadair@orange.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: [dhcwg] configuring SOCKS(v5) via DHCP
Date: Mon, 28 Mar 2022 07:06:09 +0000
Message-ID: <19651_1648451170_62415E62_19651_399_1_f3c48b5795614a8181164612ae074bce@orange.com>
References: <75372.1648314192@dooku>
In-Reply-To: <75372.1648314192@dooku>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/AKMfZPOhWqW8dMi8_jGPop19us4>
Subject: Re: [dhcwg] configuring SOCKS(v5) via DHCP
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>

Hi Michael, 

There is no such option as far as I know.

We published this spec: https://datatracker.ietf.org/doc/html/draft-boucadair-tcpm-dhc-converter-03 to cover the discovery of a "converter". 

A converter is defined as a function that behaves as follows:  

==
      *  Listen for client sessions;
      *  Receive from a client the address of the final target server;
      *  Setup a session to the final server;
      *  Relay control messages and data between the client and the
         server;
      *  Perform access controls according to local policies.
==

SOCKS falls in that category. See rfc8803#section-3 for some more details. 

If SRVs are supported in your case, name discovery may be checked based on the already registered name. 

Cheers,
Med

> -----Original Message-----
> From: dhcwg <dhcwg-bounces@ietf.org> On Behalf Of Michael Richardson
> Sent: Saturday, 26 March 2022 18:03
> To: dhcwg@ietf.org
> Subject: [dhcwg] configuring SOCKS(v5) via DHCP
> 
> 
> As far as I can tell from
>   https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml#options
> 
> we never allocated a DHCPv4 option for configuring the location of a
> SOCKSv5 proxy.  But a few names allocated are sufficiently unclear to me
> that maybe they were doing something else.
> 
> Or maybe some options point to some other configuration mechanism that
> can include a SOCKSv5 server address.
> 
> Or maybe it's buried in a vendor option?  If so, which one?
> 
> SOCKS is surprisingly still out there in many forms, including that many
> SSH implementations provide for forwarding arbitrary connections via a
> SOCKS server on a local port.
> I'm aware of at least two gc.ca departments whose entire firewall
> mechanism is (STILL) based upon it.
> 
> RFC1928 did not include a discovery mechanism.
> 
> SOCKSv5 is being proposed as a solution to certain IoT challenges, where
> we'd like to declare the ACL in terms of DNS names, but the policy
> enforcement point, of course, only sees IP addresses, not names.
> 
> If there was a way to learn if SOCKS was in use on a particular network,
> such as via a DHCPv4 option, then devices could use it on networks where
> it existed.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-
> 
> 
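The converter behaviour Med quotes above (receive the target from the client, set up the onward session, apply local access controls) and Michael's point that a name-based ACL cannot be enforced by a policy point that only sees IP addresses come together in the SOCKS5 CONNECT request, where the client hands the proxy the destination as a DNS name. The following is an added example, not code from either message, from draft-boucadair-tcpm-dhc-converter or from any SOCKS implementation: it parses an RFC 1928 CONNECT request, evaluates the destination against a DNS-name allowlist, and builds the RFC 1928 reply. The allowlist, hostnames and request byte strings are constructed for illustration, and the decision to deny IP-literal destinations outright is this example's design choice, not a rule from the RFC.

```python
"""RFC 1928 (SOCKS5) CONNECT request parsing with a DNS-name-based ACL.

Added example for this thread; it is not code from the original messages,
from draft-boucadair-tcpm-dhc-converter, or from any SOCKS implementation.
The ACL entries, hostnames and request byte strings below are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterable

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAINNAME, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply (REP) codes from RFC 1928 section 6.
REP_SUCCEEDED = 0x00
REP_GENERAL_FAILURE = 0x01
REP_NOT_ALLOWED_BY_RULESET = 0x02
REP_COMMAND_NOT_SUPPORTED = 0x07
REP_ATYP_NOT_SUPPORTED = 0x08


class SocksParseError(ValueError):
    """Malformed or unsupported request; carries the REP code to send back."""

    def __init__(self, message: str, rep: int = REP_GENERAL_FAILURE):
        super().__init__(message)
        self.rep = rep


@dataclass
class ConnectRequest:
    atyp: int
    host: str   # IP literal as text, or the DNS name exactly as the client sent it
    port: int


def parse_connect_request(data: bytes) -> ConnectRequest:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4).

    Only CONNECT is accepted, and the whole buffer must be consumed so that
    trailing bytes cannot ride along behind a request that passed the check.
    """
    if len(data) < 4:
        raise SocksParseError("request header truncated")
    ver, cmd, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION or rsv != 0x00:
        raise SocksParseError("not a SOCKS5 request")
    if cmd != CMD_CONNECT:
        raise SocksParseError("only CONNECT is handled", REP_COMMAND_NOT_SUPPORTED)

    pos = 4
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        addr_len = 4 if atyp == ATYP_IPV4 else 16
        raw = data[pos:pos + addr_len]
        if len(raw) != addr_len:
            raise SocksParseError("address truncated")
        host = str(ipaddress.ip_address(raw))   # packed form -> text
        pos += addr_len
    elif atyp == ATYP_DOMAINNAME:
        if len(data) < pos + 1:
            raise SocksParseError("name length missing")
        name_len = data[pos]                     # one length octet, no terminator
        raw = data[pos + 1:pos + 1 + name_len]
        if name_len == 0 or len(raw) != name_len:
            raise SocksParseError("name truncated or empty")
        try:
            host = raw.decode("ascii")
        except UnicodeDecodeError as exc:
            raise SocksParseError("name is not ASCII") from exc
        pos += 1 + name_len
    else:
        raise SocksParseError("unknown ATYP", REP_ATYP_NOT_SUPPORTED)

    if len(data) != pos + 2:
        raise SocksParseError("port missing or trailing bytes present")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return ConnectRequest(atyp, host, port)


def evaluate_policy(req: ConnectRequest, allowed_names: Iterable[str]) -> int:
    """Return the REP code for a request under a name-only allowlist.

    An allowlist entry matches itself and any subdomain. IP-literal
    destinations are denied (this example's choice, not an RFC rule): the
    proxy cannot tell which name an address stands for, which is the same
    limitation the thread describes for an IP-only enforcement point.
    """
    if req.atyp != ATYP_DOMAINNAME:
        return REP_NOT_ALLOWED_BY_RULESET
    name = req.host.lower().rstrip(".")
    for entry in allowed_names:
        entry = entry.lower().rstrip(".")
        if name == entry or name.endswith("." + entry):
            return REP_SUCCEEDED
    return REP_NOT_ALLOWED_BY_RULESET


def build_reply(rep: int) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT, with a zero IPv4 bind address."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + bytes(4) + bytes(2)


def handle_request(data: bytes, allowed_names: Iterable[str]) -> bytes:
    """Full path: parse, apply policy, and produce the reply bytes."""
    try:
        req = parse_connect_request(data)
    except SocksParseError as exc:
        return build_reply(exc.rep)
    return build_reply(evaluate_policy(req, allowed_names))


# Constructed sample requests (not captured traffic).
ALLOWED = {"example.com"}
REQ_BY_NAME = b"\x05\x01\x00\x03\x12sensor.example.com\x01\xbb"  # CONNECT sensor.example.com:443
REQ_BY_IP = b"\x05\x01\x00\x01\xc0\x00\x02\x01\x00\x50"           # CONNECT 192.0.2.1:80
REQ_BIND = b"\x05\x02\x00\x01\xc0\x00\x02\x01\x00\x50"            # BIND, not handled

if __name__ == "__main__":
    for label, req in (("by name", REQ_BY_NAME), ("by IP", REQ_BY_IP), ("bind", REQ_BIND)):
        print(label, handle_request(req, ALLOWED).hex())
```

The parser insists on consuming the exact request length and on a non-empty ASCII name before the policy step sees it, so a malformed request is answered with a general-failure reply rather than reaching the allowlist check; the allowlist match is exact-or-subdomain, so `notexample.com` does not match an entry for `example.com`.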


_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.