xxx-port-knocking.txt 3.7 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091
  1. Filename: xxx-port-knocking.txt
  2. Title: Port knocking for bridge scanning resistance
  3. Author: Jacob Appelbaum
  4. Created: 19-April-2009
  5. Status: Draft
  6. Port knocking for bridge scanning resistance
  7. 0.0 Introduction
  8. This document is a collection of ideas relating to improving scanning
  9. resistance for private bridge relays. This is intented to stop opportunistic
  10. network scanning and subsequent discovery of private bridge relays.
  11. 0.1 Current Implementation
  12. Currently private bridges are only hidden by their obscurity. If you know
  13. a bridge ip address, the bridge can be detected trivially and added to a block
  14. list.
  15. 0.2 Configuring an external port knocking program to control the firewall
  16. It is currently possible for bridge operators to configure a port knocking
  17. daemon that controls access to the incoming OR port. This is currently out of
  18. scope for Tor and Tor configuration. This process requires the firewall to know
  19. the current nodes in the Tor network.
  20. 1.0 Suggested changes
  21. Private bridge operators should be able to configure a method of hiding their
  22. relay. Only authorized users should be able to communicate with the private
  23. bridge. This should be done with Tor and if possible without the help of the
  24. firewall. It should be possible for a Tor user to enter a secret key into
  25. Tor or optionally Vidalia on a per bridge basis. This secret key should be
  26. used to authenticate the bridge user to the private bridge.
  27. 1.x Issues with low ports and bind() for ORPort
  28. Tor opens low numbered ports during startup and then drops privileges. It is
  29. no longer possible to rebind to those lower ports after they are closed.
  30. 1.x Issues with OS level packet filtering
  31. Tor does not know about any OS level packet filtering. Currently there is no
  32. packet filters that understands the Tor network in real time.
  33. 1.x Possible partioning of users by bridge operator
  34. Depending on implementation, it may be possible for bridge operators to
  35. uniquely identify users. This appears to be a general bridge issue when a
  36. bridge operator uniquely deploys bridges per user.
  37. 2.0 Implementation ideas
  38. This is a suggested set of methods for port knocking.
  39. 2.x Using SPA port knocking
  40. Single Packet Authentication port knocking encodes all required data into a
  41. single UDP packet. Improperly formatted packets may be simply discarded.
  42. Properly formatted packets should be processed and appropriate actions taken.
  43. 2.x Using DNS as a transport for SPA
  44. It should be possible for Tor to bind to port 53 at startup and merely drop all
  45. packets that are not valid. UDP does not require a response and invalid packets
  46. will not trigger a response from Tor. With base32 encoding it should be
  47. possible to encode SPA as valid DNS requests. This should allow use of the
  48. public DNS infrastructure for authorization requests if desired.
  49. 2.x Ghetto firewalling with opportunistic connection closing
  50. Until a user has authenticated with Tor, Tor only has a UDP listener. This
  51. listener should never send data in response, it should only open an ORPort
  52. when a user has successfully authenticated. After a user has authenticated
  53. with Tor to open an ORPort, only users who have authenticated will be able
  54. to use it. All other users as identified by their ip address will have their
  55. connection closed before any data is sent or received. This should be
  56. accomplished with an access policy. By default, the access policy should block
  57. all access to the ORPort.
  58. 2.x Timing and reset of access policies
  59. Access to the ORPort is sensitive. The bridge should remove any exceptions
  60. to its access policy regularly when the ORPort is unused. Valid users should
  61. reauthenticate if they do not use the ORPort within a given time frame.
  62. 2.x Additional considerations
  63. There are many. A format of the packet and the crypto involved is a good start.