-
Notifications
You must be signed in to change notification settings - Fork 547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SIP003 - A simplified plugin design for shadowsocks #28
Comments
What about |
The plugin here is the name of the executable. Maybe rename obfs-local to obfs-http-local and handle the mode in the plugin would be clearer. |
Since all plugins are processes already, I wonder if just letting systemd do the job is more KISS? |
@nfjinjing Here we need a cross platform solution. Systemd looks not a good idea. |
I mean |
@Mygod It looks doable. Actually no spec for the command line, let me refine it later. |
I still prefer the PT one just because we can use it right now, and the saved overhead can be easily eaten by obfuscation itself. The new draft and PT just differs in the level of integration. And personally speaking, if user want to use obfuscation, then they are already trading bandwidth and latency for extra security.(Not data security, but channel security) in that case, no matter how hard we try our best to make the integration lightweight, the overhead will increase hugely. So for user who want maxium bandwidth, go plain ss and spend more time finetuning their server.(Encryption of ss won't really be a problem, for the most common use-case behind GFW) If there is some really strong deep packet filter, such obfuscation may bring some usability, but never expect high performance. |
@anonymous-contributor I agree with you about the "personally speaking" part. |
I think you are aiming for two different things here. I believe @madeye introduces obfuscation to boost performance. #26 was meant to boost performance (i.e. bandwidth) (see #26 (comment)). #26 is about HTTP obfuscation because HTTP/HTTPS traffic is the most common (i.e. least suspicious) traffic. Other people including @anonymous-contributor is wishing to use obfuscation to hide from your ISP that you use Shadowsocks or Tor, i.e. making detection computationally expensive (the so-called channel security). And currently SIP003 is a balance of both. It wishes to minimize performance overhead while making the platform easily extensible and compatible with Tor PT so that we will have something to move onto if the cheaper approach is no longer beneficial (which is why we call #26 a dirty hack). |
There's an obvious use case for chaining of plugins: ss -> obfs4 -> simple-obfs / fteproxy. This will increase the priority of QoS in some ISPs, confuse the hell out of gfw, and still be modular enough to deploy. This only works on the condition that gfw will not interfere with fake http requests. I know, strange. So we might keep the option of enabling multiple plugins all at the parent process open? |
And additionally, we are currently adding obfuscation mainly to gain additional performance since Shadowsocks is designed to be indistinguishable with random traffic. We wish to get additional bandwidth and get prioritized by pretending it's something else (like a normal HTTP/TLS connection). |
And mentioning lightweight, it's better to have a benchmark to determine if it's worthy. I'd like to compare the same obfuscation method using standalone mode vs the local interface mode. If the difference is less than, for example 10%, for average speed, using PT seems more reasonable. |
I'm quite in favour of this draft mainly because it doesn't touch the core protocol of shadowsocks! |
The communication of shadowsocks service and plugin service is not very clear to me. Does it mean the local shadowsocks client process would pass the datagram to plugin and retrieve them back, then finally sends it to the remote shadowsocks service? |
@librehat This proposal traces its roots to my mention of Tor's Pluggable Transport protocol in #26. You are welcome to read Tor's PT spec for more idea on this. In short, both the server and the client speaks and hears through an instance of the transport program. The transport is responsible for communication. Think KCPTUN. |
Thanks for all the feedbacks! @anonymous-contributor Yes, I think reusing PT is also important to us. However, it's quite a lot effort to implement it for all our implementations. My suggestion is to build a adapter to PT based on SIP003. This adapter would be very easy to write as you can reuse all the golang source code from Tor project. After that, all the SIP003 based shadowsocks implementations would also benefit from PT. @nfjinjing There may be real cases for plugin chains, although ss-obfs4-simpleobfs is not necessary in my opinion. An easy way to do this is also implement SIP003 in your plugin. It means a SIP003 plugin could fork other plugins as a chain. However, shadowsocks itself should only start, maintain and talk to one plugin. @librehat Every SIP003 plugin works like a tunnel, like KCPTUN, stunnel and This proposal aims to provide a easy way to integrate third-party transport protocols with shadowsocks infrastructure. With this, I hope we can end all the debates about forking and license issues in the future. I suggest all the contributors try to add SIP003 support following the example. I believe you will find it's really easy to implement (It takes me four hours to write and debug the full example). |
Looks good. It seems without a tunnel software doing anything, a simple wrapper script that passes environment variables to command line arguments can make it complaint with this spec. |
|
|
Then what is the benefit from launching the plugin process by shadowsocks? How about just 1) bringing up the plugin in advance, and 2) asking shadowsocks to talk to |
@v2ray I think it's possible. Actually, in that case, shadowsocks itself works like a plugin. It'd be a better way to integrate all protocols in one framework (maybe it's just what v2ray is doing? 😄 ) However, as a SIP, I still prefer the design proposed here. |
Yes. That is exactly what V2Ray is trying to achieve. |
@madeye The extra work is almost to nothing if using standalone mode Tor PT. No idea why it's needed to re-invent the wheel, just for so-called lightweight communication? Using standalone mode parent process just exec the obfsproxy, redirecting its output as log, passing random port as SS<->obfsproxy communication, passing real destination port for obfsproxy <-> server. In that case, the only difference between your draft is, we are using the random local port to run ss. From this respect of view, it's even easier to implement than the draft. In this case, I can even submit a pull-request in several days for implement cmdline parameters. |
|
Hey, have we figured out how to properly pass server-returned args to the client yet? There has to be some stdout capturing and passing. |
@Artoria2e5 Answer 2 in #28 (comment) |
If this is going stable (for real), I think we should remove the "[Draft]" in the title. |
Implemented and published via https://github.com/shadowsocks/shadowsocks-libev/releases/tag/v3.0.3 |
Doc update?
|
I am not sure if I (already) understand this all, but I am wondering if this architecture can be used to let Shadowsocks and NetGuard (I am the author) operate together? If this is the wrong place to discuss this and there is interest in this, I am happy to create a new issue to discuss about this. |
@M66B It looks NetGuard works as a firewall? If so, it'd be not related. This issue is a proposal for plugin architecture of shadowsocks protocol. |
@madeye yes, NetGuard is a VPN based firewall. I was thinking like this, but maybe I am thinking wrong and/or there is a better way:
|
@M66B If it works as a TCP firewall, I think it'd be doable. What you need is only to implement a simple TCP tunnel feature for your app and follow the instruction here: https://github.com/shadowsocks/shadowsocks-android/blob/master/plugin/README.md |
As discussed in #26, it's dirty to hack original shadowsocks protocol for additional transport features.
A proposal from @falseen , @Artoria2e5, and @anonymous-contributor is that we may support Pluggable Transport from Tor. However, I found PT seems too heavy for shadowsocks. As we never try to or plan to support distributed architecture, I propose a simplified design instead.
SIP003: A simplified plugin design for shadowsocks
Dislike the socks5 proxy design in PT, every SIP003 plugin works like a tunnel (or called local port forwarding). This design aims to avoid per-connection arguments in PT, leading to much easier implementation.
Very similar to PT, the plugin client/server is started as child process of shadowsocks client/server.
If any error happens, the child process of plugin should exit with a error code. Then, the parent process of shadowsocks stops as well (SIGCHLD).
When a shadowsocks client/server is stopped by user, the child process of plugin will also be terminated.
A plugin accepts arguments through environment variables.
a. Four MUST-HAVE environment variables are
SS_REMOTE_HOST
,SS_REMOTE_PORT
,SS_LOCAL_HOST
andSS_LOCAL_PORT
.SS_REMOTE_HOST
andSS_REMOTE_PORT
are the hostname and port of the remote plugin service.SS_LOCAL_HOST
andSS_LOCAL_PORT
are the hostname and port of the local shadowsocks or plugin service.b. One OPTIONAL environment variable is 'SS_PLUGIN_OPTIONS'. If a plugin requires additional arguments, like path to a config file, these arguments can be passed as extra options in a formatted string. An example is 'obfs=http;obfs-host=www.baidu.com', where semicolons, equal signs and backslashes MUST be escaped with a backslash.
For all the plugins from Tor projects, there are two possible ways to support them. 1) We can fork these plugins and modify them to support SIP003, e.g. obfs4-tunnel. 2) Implement a adapter of PT as SIP003 plugin.
As all plugin services should run in a separate process, they can pick any license they like. There is no GPL restrictions for any plugin providers.
a. Plugin over plugin is NOT supported. Only one plugin can be enabled when a shadowsocks service is started. If you really need this feature, implement a plugin-over-plugin transport as a SIP003 plugin.
b. Only TCP traffic is forwarded. For now, there is no plan to support UDP traffic forwarding.
On the server:
ss-server --plugin obfs-server --plugin-opts "obfs=http"
On the client:
ss-local -c config.json --plugin obfs-local --plugin-opts "obfs=http;obfs-host=www.baidu.com"
The text was updated successfully, but these errors were encountered: