
67 points | xlmnxp | 2 comments
tptacek (No.45668433)
I will never, ever understand this "single-packet authentication" "port knocking" fetish. It has never made sense. Bin it, along with fail2ban, and just set up WireGuard.

Your network authentication should not be a fun game or series of Rube Goldberg contraptions.

replies (7): >>45668640, >>45668974, >>45669023, >>45672079, >>45672470, >>45673304, >>45676649
fencepost (No.45672079)
Knocking can cut down on grinding. I have in the past created setups where you had to knock prior to establishing a VPN connection, and given the semi-regular problems with VPN implementations I really don't feel bad about that. Fortigate, Sonicwall, Cisco, Ivanti, etc. - sure, a big part of it is "don't run VPNs based on big legacy codebases" but who's to say there won't be implementation problems found (or introduced given "Jia Tan" style attacks) in Wireguard?

Is knocking incredibly weak security through obscurity? Sure, but part of what it does is cut down on log volume.

replies (1): >>45672341
tptacek (No.45672341)
There is literally no value to cutting down on WireGuard attempts. Like, the exact same set of skbuffs are being created and destroyed in either case.
replies (1): >>45675501
immibis (No.45675501)
Sure there is, if the attacker has to fulfil some basic obfuscation then it cuts down on the amount of crypto work you have to do before ignoring the packet.

It's not extra security but it is a little extra efficiency.

Wireguard has something like this built in though, the PresharedKey (which is in addition to the public key crypto, and doesn't reduce your security to the level of a shared-key system). It's still more work to verify that than a port knock however.

replies (1): >>45675965
tptacek (No.45675965)
This has no value at all. WireGuard assumes an adversary trying to make it do extra work doing handshakes; a big chunk of the WireGuard paper discusses it. I don't think this is as important a problem as Jason does (but it's his baby), but either way: part of the point of WireGuard is that it's safe to hang out on the open Internet this way.
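For readers who want to see what the "cheap rejection before any crypto work" in this exchange actually looks like in WireGuard, the following is an added example and not code from the thread or from the WireGuard project. It reimplements only the mac1 gate that the WireGuard whitepaper puts in front of every handshake initiation: mac1 is a single keyed BLAKE2s over the first 116 bytes of the message, keyed with HASH("mac1----" || responder's static public key), so a sender who does not hold the responder's public key cannot produce a packet that reaches the Curve25519 stage at all. The layout constants and label come from the whitepaper; the packet contents, the stand-in public keys and the counter names are constructed for the demonstration, and the expensive DH step that a passing packet would proceed to is not performed here.

```python
import hashlib
import hmac

# Protocol constants from the WireGuard whitepaper (handshake initiation message).
LABEL_MAC1 = b"mac1----"
MSG_INITIATION = 1
MAC1_OFFSET = 116          # type(1) + reserved(3) + sender(4) + ephemeral(32) + enc_static(48) + enc_timestamp(28)
INITIATION_LEN = 148       # the 116 bytes above + mac1(16) + mac2(16)


def wg_hash(data: bytes) -> bytes:
    """HASH(x) from the paper: unkeyed BLAKE2s with a 32-byte digest."""
    return hashlib.blake2s(data, digest_size=32).digest()


def wg_mac(key: bytes, data: bytes) -> bytes:
    """MAC(key, x) from the paper: keyed BLAKE2s with a 16-byte digest."""
    return hashlib.blake2s(data, key=key, digest_size=16).digest()


def mac1_key(responder_static_pub: bytes) -> bytes:
    """Key for mac1; a responder computes this once per local static key."""
    return wg_hash(LABEL_MAC1 + responder_static_pub)


def build_initiation(responder_static_pub: bytes, sender_index: int,
                     ephemeral_pub: bytes, encrypted_static: bytes,
                     encrypted_timestamp: bytes) -> bytes:
    """Assemble an initiation message with a valid mac1 and an empty mac2 (responder not under load)."""
    body = (bytes([MSG_INITIATION, 0, 0, 0]) + sender_index.to_bytes(4, "little")
            + ephemeral_pub + encrypted_static + encrypted_timestamp)
    assert len(body) == MAC1_OFFSET
    mac1 = wg_mac(mac1_key(responder_static_pub), body)
    mac2 = bytes(16)  # zero unless the responder has handed out a cookie
    return body + mac1 + mac2


def gate_initiation(packet: bytes, responder_static_pub: bytes, counters: dict) -> bool:
    """Return True only if the packet should proceed to the (expensive) DH handshake.

    Everything here is a length check and one keyed hash; no public-key
    operation happens for a packet that fails, which is the point tptacek makes above.
    """
    if len(packet) != INITIATION_LEN or packet[0] != MSG_INITIATION:
        counters["dropped_malformed"] += 1
        return False
    expected = wg_mac(mac1_key(responder_static_pub), packet[:MAC1_OFFSET])
    if not hmac.compare_digest(expected, packet[MAC1_OFFSET:MAC1_OFFSET + 16]):
        counters["dropped_bad_mac1"] += 1
        return False
    counters["passed_to_dh"] += 1   # real WireGuard would now do Curve25519 + AEAD work
    return True


def demo() -> dict:
    """Run four constructed packets through the gate and report what each triggered."""
    our_pub = bytes(range(32))                 # constructed stand-in for our Curve25519 public key
    other_pub = bytes([0xAA] * 32)             # constructed key of some unrelated peer
    counters = {"dropped_malformed": 0, "dropped_bad_mac1": 0, "passed_to_dh": 0}

    eph, enc_static, enc_ts = bytes([0x11] * 32), bytes([0x22] * 48), bytes([0x33] * 28)
    legit = build_initiation(our_pub, 7, eph, enc_static, enc_ts)
    wrong_peer = build_initiation(other_pub, 7, eph, enc_static, enc_ts)  # sender lacks our public key
    tampered = bytearray(legit)
    tampered[20] ^= 0x01                                                   # one bit flipped in the MAC'd region
    garbage = bytes([0x55]) * 60                                           # random UDP noise, wrong length

    for pkt in (legit, wrong_peer, bytes(tampered), garbage):
        gate_initiation(pkt, our_pub, counters)
    return counters


if __name__ == "__main__":
    print(demo())
```

Of the four constructed packets only the one built with our public key reaches the DH stage; the other three are discarded after at most one 16-byte BLAKE2s, which is the same order of work as matching a knock sequence against a table. Under load the whitepaper adds a second gate, mac2, computed over a cookie the responder ties to the sender's source address and rotates every couple of minutes, so an attacker also has to be able to receive at the address it claims before the responder spends any CPU on it.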