24 October, 2006

The netfilter-devel mailing list is the main discussion forum for technical development issues surrounding Netfilter and iptables. Recently, a thread entitled "new match extension to implement port knocking" appeared on this list in which a new Netfilter match is proposed to accomplish in-kernel port knocking and an HMAC variation of Single Packet Authorization. A proof of concept implementation is available here. While building some port knocking/SPA functionality into the kernel can be useful for some applications, I think this strategy is not generally flexible or scalable enough for many SPA deployments. Still, it is an interesting concept, and goes to show that people are interested in authenticating to default-drop packet filters in order to provide network services with an added layer of security.