[cap-talk] Port Knocking

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Fri Feb 9 11:04:13 CST 2007


Rob Meijer wrote:
> On Thu, February 8, 2007 02:27, David Hopwood wrote:
> 
>> I don't see the attraction:
>>
>> - it substantially increases the latency of making a connection;
> 
> true, but so do network layer and session layer crypto.

True, but network and session layer crypto are providing actual
security, rather than just obscurity ;-)

>> - it magnifies any unreliability of the network -- all of the packets
>>   making up the "knock" have to get through correctly;
> 
> This assumes implicitly the server uses the 'silently drop' approach.

The 'silently drop' approach is what the page described.

[...]
>> - the port sequence can't be hidden from any passive eavesdropper (unless
>>   you use IPsec, but then why do you need the knock?);
> 
> true.
> 
>> - judging by "As a stateful system, the port would not open until after
>>   the correct three-digit sequence had been received *in order*"
>>   [emphasis added] and the fact that the client receives no acknowledgements
>>   at that stage, it seems like there is a basic misunderstanding of what
>>   packet ordering guarantees are (not) given by IP.
> 
> The sequence has to be received 'in order', that is the connect attempts
> have to be made (and rejected) in order.

That is not what the Wikipedia page described; it described silent-drop with
no acknowledgements.

The fix is obvious, but I don't feel like encouraging this protocol since
I think it would be a bad thing for it to be deployed widely. TCP connection
establishment is unreliable enough as it is, and we don't need ideas that
increase the complexity of network protocols without really increasing
security.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
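The packet-ordering point made above, as an added example that is not part of the original post or of any port-knocking implementation: a toy knock daemon in Python, once in the silent-drop mode the Wikipedia page described (knocks fired back to back, no feedback, so IP is free to reorder or lose them) and once in the variant Rob described, where each knock is a connect attempt that gets rejected and the client waits for that rejection before sending the next. The port numbers, the client address, the rule that a wrong knock resets the state machine, and the modelling of reordering as a random shuffle of the burst are all assumptions.

```python
"""Simulate a stateful port-knock server under IP's (absent) ordering guarantees.

Added example for this thread, not code from the original post. The knock
sequence, service port, client address and reset-on-wrong-knock rule are
assumptions chosen for illustration.
"""
import itertools
import random
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret knock sequence
SERVICE_PORT = 22                     # port that the knock is meant to open
CLIENT = "192.0.2.10"                 # constructed client address (RFC 5737 range)


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int


class KnockServer:
    """Tracks, per source, how far it has progressed through the sequence.

    reject_knocks=False: silent drop, the client gets no feedback at all.
    reject_knocks=True:  each knock is answered with a rejection ('rst'),
                         so the client can serialise its knocks on it.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, reject_knocks=False):
        self.sequence = sequence
        self.reject_knocks = reject_knocks
        self.progress = {}   # src -> index of the next expected knock port
        self.opened = set()  # sources for which SERVICE_PORT is open

    def receive(self, pkt):
        """Return 'accept'/'drop' for the service port, 'rst'/'drop' for knocks."""
        if pkt.dport == SERVICE_PORT:
            return "accept" if pkt.src in self.opened else "drop"
        idx = self.progress.get(pkt.src, 0)
        if pkt.dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):   # full sequence seen *in order*
                self.opened.add(pkt.src)
                idx = 0
        else:
            idx = 0   # assumption: any out-of-sequence knock resets progress
        self.progress[pkt.src] = idx
        return "rst" if self.reject_knocks else "drop"


def deliver_knocks(arrival_order, reject_knocks=False):
    """Deliver knock packets to a fresh server in the given arrival order,
    then report whether the service port is open afterwards."""
    server = KnockServer(reject_knocks=reject_knocks)
    for port in arrival_order:
        server.receive(Packet(CLIENT, port))
    return server.receive(Packet(CLIENT, SERVICE_PORT)) == "accept"


def knock_silent_drop(server, rng):
    """Silent-drop mode: the client fires the whole burst without feedback.
    The shuffle models the network delivering the burst in an arbitrary
    order (a worst case; IP promises nothing about order)."""
    burst = [Packet(CLIENT, p) for p in server.sequence]
    rng.shuffle(burst)
    for pkt in burst:
        server.receive(pkt)
    return server.receive(Packet(CLIENT, SERVICE_PORT)) == "accept"


def knock_with_rejections(server):
    """Rejection mode as described in the reply: each knock is a connect
    attempt, the client waits for its rejection before the next one, so
    the knocks are serialised and the network cannot reorder them."""
    for port in server.sequence:
        if server.receive(Packet(CLIENT, port)) != "rst":
            return False   # no rejection to wait on: the design needs it
    return server.receive(Packet(CLIENT, SERVICE_PORT)) == "accept"


def fraction_of_orderings_that_open(sequence=KNOCK_SEQUENCE):
    """Exhaustively try every arrival order of the burst against a
    silent-drop server; only the in-order arrival opens the port."""
    orders = list(itertools.permutations(sequence))
    opened = sum(1 for order in orders if deliver_knocks(order))
    return opened / len(orders)


if __name__ == "__main__":
    rng = random.Random(1)
    trials = 1000
    hits = sum(knock_silent_drop(KnockServer(), rng) for _ in range(trials))
    print(f"silent drop, random arrival order: {hits}/{trials} attempts opened the port")
    print(f"exhaustive: {fraction_of_orderings_that_open():.3f} of arrival orders open it")
    print("one knock lost:", deliver_knocks(KNOCK_SEQUENCE[:2]))
    print("rejection-serialised knocks:", knock_with_rejections(KnockServer(reject_knocks=True)))
```

The silent-drop server only ever opens the port for the single in-order arrival, so with three knocks and arbitrary reordering one attempt in six succeeds, a lost knock fails outright, and in neither case does the client learn anything before its real connection is dropped. The rejection variant succeeds every time, but only because the client is now waiting one round trip per knock, which is the latency cost raised at the top of the thread.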


