[cap-talk] Port Knocking

Rob Meijer rmeijer at xs4all.nl
Fri Feb 9 02:45:32 CST 2007


On Thu, February 8, 2007 02:27, David Hopwood wrote:
>
> I don't see the attraction:
>
>  - it substantially increases the latency of making a connection;
>

true, but so do network layer and session layer crypto.

>  - it magnifies any unreliability of the network -- all of the packets
>    making up the "knock" have to get through correctly;

This assumes implicitly the server uses the 'silently drop' approach.
As long as the server actively rejects, the port knocking is just
a simple 'connect' sequence at application level.

>  - the port sequence can't be hidden from any passive eavesdropper (unless
>    you use IPsec, but then why do you need the knock?);

true.

>  - judging by "As a stateful system, the port would not open until after the
>    correct three-digit sequence had been received *in order*" [emphasis added]
>    and the fact that the client receives no acknowledgements at that stage,
>    it seems like there is a basic misunderstanding of what packet ordering
>    guarantees are (not) given by IP.

The sequence has to be received 'in order', that is the connect attempts
have to be made (and rejected) in order. The server still has to behave
robustly to retransmits of earlier packets though, but that does not
invalidate this statement. That is, if the connect sequence is for example
1287,1099,1200 then the following packet sequence would be valid:

* 1287 1099 1287 1200

But the following would not:

* 1287 1200 1099 1200

The use of active rejection will ensure the latter sequence will not get
received.

Rob
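The ordering rule Rob describes, as an added example that is not code from the original thread: a per-source knock tracker that accepts a retransmit of an already-accepted earlier knock without resetting, and restarts on any other unexpected port. The names (KnockTracker, knock_opens, process_knocks) and the per-source dictionary are my assumptions; the port sequence 1287,1099,1200 and the two sample knock orders are the ones from the message.

```python
# Added example (not code from the original thread): a minimal per-source
# knock tracker implementing the ordering rule described above. Each knock
# is modelled as the destination port of a (rejected) connect attempt. A
# retransmit of an earlier, already-accepted knock is ignored; any other
# unexpected port restarts the sequence for that source.

KNOCK_SEQUENCE = (1287, 1099, 1200)  # example sequence from the message


class KnockTracker:
    """Tracks how far one client has progressed through the knock sequence."""

    def __init__(self, sequence):
        self.sequence = tuple(sequence)
        self.progress = 0  # number of knocks accepted so far

    def feed(self, port):
        """Feed one observed destination port; True when the sequence completes."""
        if port == self.sequence[self.progress]:
            self.progress += 1
        elif port in self.sequence[:self.progress]:
            # Retransmit of a knock already accepted: tolerate, do not reset.
            pass
        else:
            # Out-of-order or unrelated port: start over. The port may itself
            # be the first knock of a fresh attempt.
            self.progress = 1 if port == self.sequence[0] else 0
        if self.progress == len(self.sequence):
            self.progress = 0  # done: reset so the next attempt starts fresh
            return True
        return False


def knock_opens(ports, sequence=KNOCK_SEQUENCE):
    """Return True if the observed port list (one client) contains a valid knock."""
    tracker = KnockTracker(sequence)
    return any(tracker.feed(p) for p in ports)


def process_knocks(events, sequence=KNOCK_SEQUENCE):
    """events: iterable of (source_ip, dst_port) pairs, e.g. from a firewall log.
    Returns the set of sources that completed the sequence. State is kept per
    source so one client's knocks cannot advance another client's progress."""
    trackers = {}
    opened = set()
    for src, port in events:
        tracker = trackers.setdefault(src, KnockTracker(sequence))
        if tracker.feed(port):
            opened.add(src)
    return opened
```

With the message's two samples, `knock_opens([1287, 1099, 1287, 1200])` is True (the second 1287 is a harmless retransmit) and `knock_opens([1287, 1200, 1099, 1200])` is False (1200 arrived before 1099).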
