SPA Resources

Back to the main Single Packet Authorization page. Click here for all the SPA-related posts.

Implementations

fwknop – There are a number of different implementations of Single Packet Authorization (SPA). By far the most developed is Firewall Knock Operator (fwknop), by Michael Rash, which offers both port knocking and SPA capability. fwknop, originally written in Perl (and currently being re-written in C) offers some unique functionality including port randomization and ghost services. Thanks to the Perl implementation, fwknop runs on Linux, Mac OS X, and Windows, and there is even a GUI client for Windows. I’ve been contributing to this project since 2006, and there are some great developments in the pipeline.

Check out my video of fwknop in action!

Aldaba – Another good port knocking/spa implementation is the Aldaba Port Knocking Suite. Although it is a newer implementation, and lacks some of the functionality of fwknop, Aldaba is completely developed in C which makes it able to run on any system capable of compiling the necessary libraries. The Aldaba website features a great list of port knocking and SPA resources, including papers, websites and implementations.

knockknock – This implementation by Moxie Marlinspike takes SPA back to its Port Knocking roots and transmits all of the necessary authentication information by encoding that information into various header fields of a single TCP SYN packet. Due to the limited amount of information that can be transferred in this way, knockknock doesn’t offer some of the more advanced functionality and protocol support provided by the other implementations above. That said, it focuses on being small, efficient.

There are many other implementations of SPA, many of which are far more simplistic and lack the security properties or functionality of the two implementations above. Here are a few other implementations I’ve personally had a look at:

• Coarse Knocking – This is a very basic implementation of SPA techniques using a hash-based authorization packet. As with most other hash-based approaches it has a few security flaws, but it is simple and a good place to start for those wanting to learn the basics of how SPA works.
• Tumbler – Similar to above, Tumbler is another hash-based SPA implementation.
• Port Knocking Perl Prototype – One of the original port knocking implementations. This one doesn’t do any single packet authorization.
• More to come…

Discuss

Feel free to drop by the Single Packet Authorization forums to discuss implementations, develop ideas, or ask questions about using SPA.