https://lwn.net/Articles/577164/ This is a special feed containing comments posted to the individual LWN article titled "A proposal for "silent" port knocking". en-us Fri, 19 Sep 2025 19:32:21 +0000 Fri, 19 Sep 2025 19:32:21 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net https://lwn.net/Articles/578086/ https://lwn.net/Articles/578086/ mathstuf <div class="FormattedComment"> The Tor Project also wants to have their own TCP stack to avoid OS fingerprinting based on the different stacks.<br> </div> Wed, 25 Dec 2013 14:15:50 +0000 https://lwn.net/Articles/578078/ https://lwn.net/Articles/578078/ rwmj <div class="FormattedComment"> .. and by "become more mainstream" I mean, be explored in real, production kernels. Of course the promising results of research may fail in the real world, but we'd have to try it to find out if that is the case.<br> </div> Tue, 24 Dec 2013 16:15:05 +0000 https://lwn.net/Articles/578077/ https://lwn.net/Articles/578077/ rwmj <div class="FormattedComment"> The idea of moving TCP into userland is neither crazy nor new. It has been explored for years in (research) exokernels. There's a lot of very interesting research and potential performance gains, which I'd love to see become more mainstream.<br> </div> Tue, 24 Dec 2013 16:13:35 +0000 https://lwn.net/Articles/577913/ https://lwn.net/Articles/577913/ jzbiciak <div class="FormattedComment"> Yeah, that's true. Of course, if you do happen to save some state server side, then you could detect a replay attack. Adding 'time' to the equation limits the length of the memory you need to have to the time window each token's valid.<br> </div> Fri, 20 Dec 2013 22:34:50 +0000 https://lwn.net/Articles/577911/ https://lwn.net/Articles/577911/ nybble41 <div class="FormattedComment"> By itself, a hash of the shared secret and time won't protect against a replay attack within a short time frame (like right after observing the original port knocking sequence). However, if you added in some information about the connection, like the source IP address and port, that would frustrate replay attacks from other systems. Of course, the downside of that is that it would no longer be compatible with NAT.<br> <p> If the server responds to the knocks with an ICMP error, it might be possible to piggyback some challenge data in the response so that each sequence is unique after the first knock. The client would hash the challenge data with the shared secret to determine the next knock.<br> </div> Fri, 20 Dec 2013 22:18:15 +0000 https://lwn.net/Articles/577806/ https://lwn.net/Articles/577806/ jzbiciak <P> For ISN, if your connection rate is low, it seems like you could mix a low resolution version of the current time in the hash calculation. Allow a small range of ISNs in a defined "acceptance" interval.</P> <P>Downside is that you need moderately accurate time on both sides of the link.</P> <P>I can't claim this as a new idea. The two-factor authentication scheme I use at work basically uses this principle. The client generates a time-based token locally based on a shared secret and the current time. That token is good for 30 seconds. I use that token in addition to my username and password to log in.</P> <P>It seems like a similar idea would work to "randomize" the ISN in a useful way.</P> Fri, 20 Dec 2013 05:11:12 +0000 https://lwn.net/Articles/577778/ https://lwn.net/Articles/577778/ imitev <div class="FormattedComment"> One of the requirements of Moxie Marlinspike's (Thoughtcrime) port knock implementation [1] was<br> <p> "I don't want something that runs in the kernel."<br> <p> Sadly there's no explanation but one would guess he's against the added complexity of having something in the kernel.<br> <p> FWIW, I've tried quite a few port knock implementations over the years (but not Marlinspike's one, which is on my todo list for months); I've eventually settled on a custom solution: since I'm running a web server anyway, I've set up an https restricted area with a cgi-bin that writes my IP/username to a temporary file. The firewall wgets the file every minute and adds/removes stuff with iptables's xt_recent. Works perfectly.<br> <p> [1] <a href="http://www.thoughtcrime.org/software/knockknock/">http://www.thoughtcrime.org/software/knockknock/</a><br> </div> Thu, 19 Dec 2013 20:30:09 +0000 https://lwn.net/Articles/577712/ https://lwn.net/Articles/577712/ jengelh <div class="FormattedComment"> And there are already some existing codes out there, like xt_pknock.<br> </div> Thu, 19 Dec 2013 13:21:43 +0000 https://lwn.net/Articles/577679/ https://lwn.net/Articles/577679/ lolando <div class="FormattedComment"> I'll plug my implementation (which uses a little bit of userspace but where the actual opening of ports is purely in-kernel): <a href="http://roland.entierement.nu/blog/2008/08/19/netfilter-based-port-knocking.html">http://roland.entierement.nu/blog/2008/08/19/netfilter-ba...</a><br> <p> Maybe at some point I'll make it more polished and distributable. In the meantime, as you said, free software and so on. Also, yes, I know, it doesn't protect from MITM (although the attack window can be made arbitrarily short).<br> </div> Thu, 19 Dec 2013 08:57:40 +0000 https://lwn.net/Articles/577654/ https://lwn.net/Articles/577654/ wahern <div class="FormattedComment"> If people invested as much time fixing bugs in server code and simplifying administration as they do in writing and configuring port knocking environments....<br> <p> Ah well. It's free software. People can spend their time however they wish.<br> <p> <p> </div> Thu, 19 Dec 2013 05:16:03 +0000