From: Alexander Holler <holler@ahsoftware.de>
To: Eric Dumazet <eric.dumazet@gmail.com>,
Christian Grothoff <grothoff@in.tum.de>
Cc: Jacob Appelbaum <jacob@appelbaum.net>,
Andi Kleen <andi@firstfloor.org>,
Stephen Hemminger <stephen@networkplumber.org>,
David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
knock@gnunet.org
Subject: Re: [PATCH] TCP: add option for silent port knocking with integrity protection
Date: Tue, 19 Aug 2014 21:36:25 +0200 [thread overview]
Message-ID: <53F3A739.4070203@ahsoftware.de> (raw)
In-Reply-To: <1386858864.19078.60.camel@edumazet-glaptop2.roam.corp.google.com>
Am 12.12.2013 15:34, schrieb Eric Dumazet:
A bit late, but I've just stumbled over that feature which I do like a lot.
> Very soon you'll need to support different secrets. You do not want all
> clients share a common secret, do you ? How can a server change its
> secret without disrupting clients ?
Impossible because you already need a channel if you want to identify
the client. But that isn't the intention of the patch. You still have
the usual authentication stuff in the service you want to hide. It's
about hiding (from someone outside a closed group) the possibility to
authenticate.
> How having a constant initial sequence number can even be valid ?
> What about TCP timestamps being not available at all ?
> How typical servers can be behind a load balancer ?
> Or am I missing something ?
It doesn't have to work in every environment and it doesn't have to
solve all existing problems in the world. ;)
But it enables people to protect a bit more against malicious people or
governments.
And it is really very easy to use. It took me around half an hour to
find the places in openvpn and openssh where I had to add the
setsockopt() call and it can be used even easier with preloading
libknockify.so.
There can be found much more useless options in the kernel. At least I
like it and it fits my needs too.
Regards,
Alexander Holler
next prev parent reply other threads:[~2014-08-19 19:36 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-10 18:35 [PATCH] TCP: add option for silent port knocking with integrity protection Christian Grothoff
2013-12-11 20:01 ` David Miller
2013-12-11 20:19 ` Christian Grothoff
2013-12-11 20:26 ` Stephen Hemminger
2013-12-11 20:39 ` Christian Grothoff
2013-12-11 21:25 ` Andi Kleen
2013-12-11 22:53 ` Christian Grothoff
2013-12-12 1:23 ` Andi Kleen
2013-12-12 10:19 ` Jacob Appelbaum
2013-12-12 11:43 ` Christian Grothoff
2013-12-12 12:23 ` Jacob Appelbaum
2013-12-12 14:34 ` Eric Dumazet
2013-12-12 15:07 ` Christian Grothoff
2013-12-12 15:33 ` Eric Dumazet
2013-12-12 15:46 ` Hannes Frederic Sowa
2013-12-13 3:07 ` Hannes Frederic Sowa
2014-08-19 19:36 ` Alexander Holler [this message]
2014-08-20 8:24 ` Hagen Paul Pfeifer
2014-08-20 9:07 ` Alexander Holler
2014-08-20 9:28 ` Hagen Paul Pfeifer
2014-08-20 9:47 ` Alexander Holler
2014-08-20 10:20 ` Alexander Holler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53F3A739.4070203@ahsoftware.de \
--to=holler@ahsoftware.de \
--cc=andi@firstfloor.org \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=grothoff@in.tum.de \
--cc=jacob@appelbaum.net \
--cc=knock@gnunet.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).