Slirp

Developer(s): Danny Gasparovski, Kelly Price (maintainer)
Initial release: March 30, 1995
Stable release: 1.0.17 / January 8, 2006
Operating system: Unix-like
Platform: shell account
Type: Dial-up access
License: BSD-like, modified 4-clause BSD license
Website: slirp.sf.net

Slirp (sometimes capitalized SLiRP) is a software program that emulates a PPP, SLIP, or CSLIP connection to the Internet using a text-based shell account. Its original purpose became largely obsolete as dedicated dial-up PPP connections and broadband Internet access became widely available and inexpensive. It then found additional use in connecting mobile devices, such as PDAs, via their serial ports. Another significant use case is firewall piercing and port forwarding. [1] [2] One typical use of Slirp creates a general-purpose network connection over an SSH session on which port forwarding is restricted. Another is to provide external network connectivity for unprivileged containers.

Usage

Shell accounts normally only allow the use of command line or text-based software, but by logging into a shell account and running Slirp on the remote server, a user can transform their shell account into a general purpose SLIP/PPP network connection, allowing them to run any TCP/IP-based application—including standard GUI software such as the formerly popular Netscape Navigator—on their computer. This was especially useful in the 1990s because simple shell accounts were less expensive and/or more widely available than full SLIP/PPP accounts. [3]

In the mid-1990s, numerous universities provided dial-up shell accounts to their faculty, staff, and students. These command-line-only connections became more versatile with SLIP/PPP emulation, which enabled the use of arbitrary TCP/IP-based applications, and many guides to using university dial-up connections with Slirp were published online. Use of TCP/IP emulation software such as Slirp and its commercial competitor TIA was banned by some shell account providers, who believed its users violated their terms of service or consumed too much bandwidth. [4] [5]

Slirp is also useful for connecting PDAs and other mobile devices to the Internet: by connecting such a device to a computer running Slirp, via a serial cable or USB, the mobile device can connect to the Internet. [6]
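
In every configuration above, the link between the local machine (or PDA) and the Slirp process is a plain byte stream: a serial line or a tty inside the shell session. What makes that stream carry IP datagrams is the framing, and in SLIP mode that framing is RFC 1055. The following is an added example, not code from Slirp or from any of the guides cited: a SLIP encoder and an incremental decoder of the kind the local end of such a link needs, exercised on constructed datagrams. The guest address 10.0.2.15 and the constructed destination addresses are assumptions chosen so that the packets contain the two bytes SLIP must escape.

```python
"""
SLIP framing (RFC 1055) as carried over the shell-account tty between the local
SLIP stack and Slirp on the remote host.  Added example; not Slirp's own code.
"""
import struct
import ipaddress
from typing import List

END, ESC, ESC_END, ESC_ESC = 0xC0, 0xDB, 0xDC, 0xDD   # RFC 1055 special bytes


def slip_encode(packet: bytes) -> bytes:
    """Frame one datagram: a leading END flushes line noise, END/ESC bytes are escaped."""
    out = bytearray([END])
    for b in packet:
        if b == END:
            out += bytes([ESC, ESC_END])
        elif b == ESC:
            out += bytes([ESC, ESC_ESC])
        else:
            out.append(b)
    out.append(END)
    return bytes(out)


class SlipDecoder:
    """Incremental decoder: feed tty bytes in arbitrary chunks, get whole datagrams back.

    A malformed escape (ESC followed by anything but ESC_END/ESC_ESC), a dangling ESC,
    or an oversized frame poisons the frame, which is dropped at the next END rather
    than delivered corrupt.  Empty frames (back-to-back ENDs) are ignored.
    """
    MAX_PACKET = 1006   # RFC 1055 asks receivers to accept datagrams of at least 1006 bytes

    def __init__(self) -> None:
        self._buf = bytearray()
        self._escaped = False
        self._discard = False
        self.dropped = 0

    def feed(self, data: bytes) -> List[bytes]:
        packets: List[bytes] = []
        for b in data:
            if b == END:
                if self._escaped or self._discard:
                    self.dropped += 1
                elif self._buf:
                    packets.append(bytes(self._buf))
                self._buf.clear()
                self._escaped = self._discard = False
                continue
            if self._escaped:
                self._escaped = False
                if b == ESC_END:
                    b = END
                elif b == ESC_ESC:
                    b = ESC
                else:
                    self._discard = True   # protocol violation: poison this frame
                    continue
            elif b == ESC:
                self._escaped = True
                continue
            if not self._discard:
                self._buf.append(b)
                if len(self._buf) > self.MAX_PACKET:
                    self._discard = True
        return packets


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    """Minimal IPv4 header (no options) with a valid checksum; constructed sample data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]


# Constructed datagrams.  10.0.2.15 is an assumed guest-side address (QEMU's Slirp default);
# the destination 192.0.2.219 packs as c0 00 02 db, so the header alone already contains
# both bytes SLIP must escape, and the payload repeats them together with their escapes.
PAYLOAD = bytes([END, ESC, ESC_END, ESC_ESC]) + b"ping"
SAMPLE_PACKETS = [
    ipv4_header("10.0.2.15", "192.0.2.219", len(PAYLOAD)) + PAYLOAD,
    ipv4_header("10.0.2.15", "10.0.2.2", len(PAYLOAD), proto=6) + PAYLOAD,
]


def roundtrip(packets: List[bytes], chunk: int = 3) -> List[bytes]:
    """Encode, concatenate, then decode in `chunk`-byte reads so escapes straddle reads."""
    stream = b"".join(slip_encode(p) for p in packets)
    dec = SlipDecoder()
    out: List[bytes] = []
    for i in range(0, len(stream), chunk):
        out += dec.feed(stream[i:i + chunk])
    return out


if __name__ == "__main__":
    assert roundtrip(SAMPLE_PACKETS) == SAMPLE_PACKETS
    print("decoded", len(roundtrip(SAMPLE_PACKETS, chunk=1)), "datagrams byte by byte")
```

The decoder keeps its escape state across `feed()` calls because a tty read can stop between the ESC and the byte that follows it; poisoning rather than truncating a bad frame matters because a truncated datagram with a still-valid IP header is exactly what a sloppy receiver would hand up the stack.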

Limitations

Unlike a true SLIP/PPP connection provided by a dedicated server, a Slirp connection does not strictly obey the end-to-end connectivity principle envisioned by the Internet protocol suite. The remote end, running as an ordinary process on the shell account, cannot allocate a new IP address for the local computer and route traffic to it; everything the local computer sends leaves the shell host from that host's own address. [7] Thus the local computer cannot accept arbitrary incoming connections, although Slirp can use port forwarding to accept incoming traffic on specific ports.

This limitation is the same one that network address translation imposes. As a side effect it can improve security: because the Slirp end sees every connection, it can enforce policy and act as a firewall between the local computer and the Internet. [7]
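
The behaviour described in this section is that of a NAPT translation table sitting at the shell-host end of the link. The following is an added example, not Slirp's own code: real Slirp opens ordinary sockets on the shell host and lets the kernel choose the outgoing ports, whereas here a counter stands in for the kernel and only the address/port rewriting is modelled. It walks through the three cases the text describes: a guest-initiated session and its reply, an unsolicited inbound connection (dropped), and a static port forward standing in for Slirp's port-redirection feature (the method name `forward` is this example's, not Slirp's syntax). The host address 198.51.100.7, the guest address 10.0.2.15 and the remote addresses are constructed.

```python
"""
Translation-table semantics of a Slirp-style user-space NAPT.  Added example, not
Slirp's code; the port counter replaces the kernel-chosen ports real Slirp gets from
its sockets.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

GUEST_PREFIX = "10.0.2."        # assumed guest-side network (10.0.2.15 is QEMU's Slirp default)
HOST_IP = "198.51.100.7"        # constructed: the shell host's own, routable address


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    def __init__(self, host_ip: str = HOST_IP, first_port: int = 49152) -> None:
        self.host_ip = host_ip
        self._next_port = first_port
        # guest 5-tuple -> host port, and (host port, remote endpoint) -> guest endpoint
        self._out: Dict[Tuple[str, str, int, str, int], int] = {}
        self._in: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # static forwards, the role Slirp's port redirection plays: (proto, host port) -> guest
        self._fwd: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def forward(self, proto: str, host_port: int, guest_ip: str, guest_port: int) -> None:
        """Expose one guest port on the host (hypothetical API standing in for Slirp's redirection)."""
        self._fwd[(proto, host_port)] = (guest_ip, guest_port)

    def _bind(self, proto: str, guest: Tuple[str, int], remote: Tuple[str, int], host_port: int) -> None:
        self._out[(proto, guest[0], guest[1], remote[0], remote[1])] = host_port
        self._in[(proto, host_port, remote[0], remote[1])] = guest

    def outbound(self, pkt: Packet) -> Packet:
        """Guest -> Internet: the packet leaves with the host's address and a host port."""
        if not pkt.src.startswith(GUEST_PREFIX):
            raise ValueError(f"{pkt.src} is not on the guest side of the link")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._out.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._bind(pkt.proto, (pkt.src, pkt.sport), (pkt.dst, pkt.dport), port)
        return replace(pkt, src=self.host_ip, sport=port)

    def inbound(self, pkt: Packet) -> Tuple[Optional[Packet], str]:
        """Internet -> host: only replies to existing sessions or forwarded ports reach the guest.

        Matching on the remote endpoint as well as the host port means a third party cannot
        ride an existing mapping by guessing the port; everything else that is not forwarded
        is the "cannot accept arbitrary incoming connections" limitation in action.
        """
        if pkt.dst != self.host_ip:
            return None, "not addressed to the host"
        guest = self._in.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if guest is not None:
            return replace(pkt, dst=guest[0], dport=guest[1]), "reply to an existing session"
        guest = self._fwd.get((pkt.proto, pkt.dport))
        if guest is not None:
            # Record the session so the guest's replies leave from the forwarded port,
            # not from a freshly allocated one.
            self._bind(pkt.proto, guest, (pkt.src, pkt.sport), pkt.dport)
            return replace(pkt, dst=guest[0], dport=guest[1]), "static port forward"
        return None, "no session and no forward: dropped"


def demo() -> Dict[str, Optional[Packet]]:
    """Run the cases from the text; constructed remote hosts 203.0.113.80 and 203.0.113.99."""
    nat = Napt()
    nat.forward("tcp", 2222, "10.0.2.15", 22)     # expose the guest's sshd on host port 2222
    out = nat.outbound(Packet("tcp", "10.0.2.15", 40000, "203.0.113.80", 80))
    reply, _ = nat.inbound(Packet("tcp", "203.0.113.80", 80, HOST_IP, out.sport))
    hijack, _ = nat.inbound(Packet("tcp", "203.0.113.99", 80, HOST_IP, out.sport))
    unsolicited, _ = nat.inbound(Packet("tcp", "203.0.113.99", 5555, HOST_IP, 22))
    fwd, _ = nat.inbound(Packet("tcp", "203.0.113.99", 5555, HOST_IP, 2222))
    fwd_reply = nat.outbound(Packet("tcp", "10.0.2.15", 22, "203.0.113.99", 5555))
    return {"out": out, "reply": reply, "hijack": hijack, "unsolicited": unsolicited,
            "fwd": fwd, "fwd_reply": fwd_reply}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} {pkt}")
```

Two details carry the security point. The inbound lookup is keyed on the remote endpoint, not just the host port, so a mapping created for one server cannot be reused by another host that guesses the port; and a forwarded port creates a session entry on first use, otherwise the guest's reply would be translated to a new ephemeral port and the forwarded connection would never complete.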

Current status

Slirp is free software, licensed by its original author under a BSD-like, modified 4-clause BSD license. After the original author stopped maintaining it, Kelly Price took over as maintainer. [8] There were no releases from Kelly Price after 2006. Debian maintainers have taken over some maintenance tasks, such as modifying Slirp to work correctly on 64-bit computers. [9] Since 2019, [10] a more actively maintained Slirp repository has been used by slirp4netns to provide network connectivity for unprivileged, rootless containers and VMs.

Influence on other projects

Despite being largely obsolete, Slirp had a great influence on the networking stacks used in virtual machines and other virtualized environments. The established practice for connecting virtual machines to the host's network stack was to use one of several packet injection mechanisms. Raw sockets, one such mechanism, were originally used for that purpose and, because of their many problems and limitations, were later replaced by the TAP device.

Packet injection is a privileged operation that may introduce a security threat, something that the introduction of the TAP device solved only partially. A Slirp-derived NAT implementation brought a solution to this long-standing problem: Slirp contains a full NAPT implementation as stand-alone user-space code, whereas other NAT engines are usually embedded in a network protocol stack and/or do not cooperate with the host OS when doing PAT (they use their own port ranges and require packet injection). The QEMU project adopted the appropriate portions of the Slirp package and obtained permission from its original authors to re-license them under the 3-clause BSD license. [11] That license change allowed many other FOSS projects to adopt the QEMU-provided Slirp code, which was (and still is) not possible with the original Slirp codebase because of license compatibility problems. Notable adopters include the VDE and VirtualBox projects. Even though the Slirp-derived code has been heavily criticized, [12] to date there is no competing implementation available.

References

  1. François-René Rideau (2001). "Firewall Piercing mini-HOWTO", section "Secure solution: piercing using ssh".
  2. JDIMPSON (2008). "pppsshslirp: create a PPP session through SSH to a remote machine to which you don't have root".
  3. Jim Knoble (1996-08-01). "Almost Internet with SLiRP and PPP". Linux Journal. Retrieved 2009-08-28.
  4. Craig J. Miller (1995-03-15). "Intermind discussion of TIA on TENET". Retrieved 2009-08-31.
  5. "Everybody's Internet Update (section 1.5)". Electronic Frontier Foundation. September 1994. Retrieved 2009-08-31.
  6. Kelly Price. "Slirp Maintenance Project home page". Retrieved 2009-08-31.
  7. Glen Reesor (2001-02-21). "SLIP/PPP Emulator mini-HOWTO". Retrieved 2009-08-29.
  8. Kelly Price. "Slirp FAQ". Retrieved 2009-08-28.
  9. "Debian Changelog slirp". Retrieved 2009-08-28.
  10. "Releases - rootless-containers/slirp4netns". 2019-01-04.
  11. "[Qemu-devel] Remove the advertising clause from the slirp license".
  12. "[Qemu-devel] Re: slirp-related crash".