[cap-talk] Port Knocking
Rob Meijer
rmeijer at xs4all.nl
Sat Feb 10 12:26:15 CST 2007
On Fri, February 9, 2007 18:04, David Hopwood wrote:
>>> - it magnifies any unreliability of the network -- all of the packets
>>> making up the "knock" have to get through correctly;
>>
>> This assumes implicitly the server uses the 'silently drop' approach.
>
> The 'silently drop' approach is what the page described.
Strange, I've never seen port knocking implemented like that; I feel
that it simply could not work using the 'silently drop' approach.
>> The sequence has to be received 'in order', that is the connect attempts
>> have to be made (and rejected) in order.
>
> That is not what the Wikipedia page described; it described silent-drop
> with no acknowledgements.
>
> The fix is obvious, but I don't feel like encouraging this protocol since
> I think it would be a bad thing for it to be deployed widely. TCP connection
> establishment is unreliable enough as it is, and we don't need ideas that
> increase the complexity of network protocols without really increasing
> security.
I think it was deployed rather widely some years ago as added security for
ssh connections. It might have lost much of its use with sshd privsep.
I feel that port-knocking effectively increases the number of bits in a
service port number, and thus makes them effectively unguessable.
The way it is implemented may however be a bit outdated.
Rob
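The two points argued above (that the knock must arrive strictly in order, and that with a silently dropping server a lost packet is indistinguishable from a rejected one) are easy to see in a small state machine. The following is an added example, not code from the thread or from any port-knocking implementation; the knock sequence 7000/8000/9000, the protected port 22, the timeout and the packet log are all constructed for illustration. The `mode` switch contrasts the 'silently drop' and 'reject' behaviours discussed in the thread, and `knock_key_bits` makes the "extra bits in the port number" claim concrete for a chosen knock length.

```python
"""Port-knock sequence matching as a per-source state machine, and the
lost-knock failure mode.  Constructed example; not from the cap-talk thread."""
import math


class KnockDaemon:
    """Watches SYN attempts per source address and opens the protected port
    once the full knock sequence has arrived in order within the timeout."""

    def __init__(self, sequence, protected_port, timeout=5.0, mode="drop"):
        assert mode in ("drop", "reject")
        self.sequence = tuple(sequence)
        self.protected_port = protected_port
        self.timeout = timeout
        self.mode = mode            # what a client sees when hitting a knock port
        self._progress = {}         # src -> (index of next expected knock, last ts)
        self.allowed = set()        # sources that completed the knock

    def observe(self, src, dst_port, ts):
        """Process one SYN (source, destination port, timestamp).
        Returns what the client sees: 'silence' (drop) or 'rst' (reject)."""
        idx, last = self._progress.get(src, (0, ts))
        if idx and ts - last > self.timeout:
            idx = 0                 # partial sequence went stale
        if dst_port == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.allowed.add(src)
                idx = 0
        else:
            # Any wrong port resets the match: the knock must be strictly in order.
            idx = 1 if dst_port == self.sequence[0] else 0
        self._progress[src] = (idx, ts)
        return "silence" if self.mode == "drop" else "rst"

    def filter(self, src, dst_port):
        """Firewall verdict for a SYN to the protected port."""
        if dst_port == self.protected_port and src in self.allowed:
            return "accept"
        return "drop"


def simulate_client(daemon, src, knocks, lost=(), t0=0.0, gap=0.1):
    """Send `knocks` from `src`; packets whose index is in `lost` never reach
    the server.  Returns (replies the client observed, whether the port opened)."""
    replies = []
    for i, port in enumerate(knocks):
        if i in lost:
            replies.append("silence")   # lost in transit looks exactly like a drop
            continue
        replies.append(daemon.observe(src, port, t0 + i * gap))
    opened = daemon.filter(src, daemon.protected_port) == "accept"
    return replies, opened


def knock_key_bits(n_knocks, port_bits=16):
    """Extra search space a knock of n 16-bit port numbers adds on top of the
    service port itself (ignoring ordering constraints a real config might have)."""
    return n_knocks * port_bits


if __name__ == "__main__":
    d = KnockDaemon((7000, 8000, 9000), protected_port=22, mode="drop")
    print(simulate_client(d, "10.0.0.1", (7000, 8000, 9000)))
    print(simulate_client(d, "10.0.0.2", (7000, 8000, 9000), lost={1}))
    print(knock_key_bits(3))
```

With `mode="drop"` a client whose second knock was lost sees three silences and cannot tell which packet failed; with `mode="reject"` the same run yields `rst`, `silence`, `rst`, so the client can retry the missing knock. A new `KnockDaemon` is created per scenario because `allowed` persists once a source has knocked successfully.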