2.6.1 Authenticated Firewall Traversal (aft)

Description of Working Group:

The goal of the Authenticated Firewall Traversal Working Group is to specify a protocol to address the issue of application-layer support for firewall traversal. The working group intends to specify a traversal protocol supporting both TCP and UDP applications with a general framework for authentication of the firewall traversal. To promote interoperability, the group will also propose a base authentication technique for use within the general authentication framework.

The output of the group will consist of standards-track RFC(s) describing the traversal protocol and the base authentication methods, and a reference implementation of the protocol and base authentication methods. The working group will start with the SOCKS system described by David Koblas in his paper presented at the 1992 Usenix Security Symposium.

Issue Internet-Draft on V5 SOCKS protocol.

Publish sample implementation for UNIX.

Issue Internet-Draft on SOCKS base authentication methods.

Submit final draft of SOCKS protocol and authentication methods for RFC.

SOCKS Protocol Version 5

Username/Password Authentication for SOCKS V5

GSS-API Authentication Method for SOCKS Version 5

Current Meeting Report

Minutes of Authenticated Firewall Traversal (AFT) WG
51st IETF-London, August 7, 2001.

Chaired by: Wei Lu (wlu@permeo.com)
Prepared by: Wei Lu

1. Agenda Bashing

More people (more than 100) showed up as expected.

2. Status Update

Wei Lu made the following introduction about AFT WG status:

The AFT WG is awfully quiet. At the time the current chair took over the WG, there were a number of interesting ideas, proposals and actual work on taking the SOCKS protocol to the next level. The next generation of SOCKS would have better support for both TCP and UDP transport and would include authenticated MULTICAST firewall traversal support.

While interest in having such work done is high, the chair is not getting enough help from AFT members or the IETF. The chair felt frustrated at running a one-man show and asked members for opinions and suggestions about the future of AFT.

Responses from different members:

Members see the value of having a transport-level proxy solution to firewall traversal problems. Even the existing version of the protocol works great for them.

Questions about the differences between AFT and other IETF WGs such as MIDCOM and OPES. Two answers were given. One is that MIDCOM's proposed solution doesn't break transport at the firewall. AFT's SOCKS solution does.

Another is that MIDCOM's solution is more related to firewall access policy management. All the packets are still going through the firewall directly. AFT's solution is independent of the firewall. As for OPES, it looks like the WG is trying to extend the HTTP proxy.

Questions about whether AFT's solution will solve SIP's firewall traversal problems. The answer is positive, for SOCKS only cares about TCP and UDP, not the specific application protocol. As long as SIP uses TCP and/or UDP as its transport, AFT's solution should be viable for SIP.

Members want the chair to continue working on the new version of the protocol. They will help.

Members complain that the AFT web links at the IETF site are out of date. Some of them are misplaced or dead.

3. Happy Ending

Wei Lu is willing to give AFT another shot. He will take some initiatives. AFT members will participate more actively.


