Am 12.12.2013 15:34, schrieb Eric Dumazet:

A bit late, but I've just stumbled over that feature which I do like a lot.

Very soon you'll need to support different secrets. You do not want all
clients share a common secret, do you ? How can a server change its
secret without disrupting clients ?

Impossible because you already need a channel if you want to identify the client. But that isn't the intention of the patch. You still have the usual authentication stuff in the service you want to hide. It's about hiding (from someone outside a closed group) the possibility to authenticate.

How having a constant initial sequence number can even be valid ?
What about TCP timestamps being not available at all ?
How typical servers can be behind a load balancer ?
Or am I missing something ?

It doesn't have to work in every environment and it doesn't have to solve all existing problems in the world. ;)

But it enables people to protect a bit more against malicious people or governments.

And it is really very easy to use. It took me around half an hour to find the places in openvpn and openssh where I had to add the setsockopt() call and it can be used even easier with preloading libknockify.so.

There can be found much more useless options in the kernel. At least I like it and it fits my needs too.

Regards,

Alexander Holler
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to