
The port knocking Perl prototype is licensed under the GPL license.
FAQ

Perl prototype: v0.30 (2004-Nov-14 18:59): new Net::Pcap support added to sniff packets directly.

How can PK be used?

There are many ways in which PK can be used. Since the method allows information to be transmitted across closed ports, you can use PK to communicate with an isolated server. The server may be isolated for security reasons, to deny potential intruders access to your applications. As long as the client and server agree on how information is encoded in the port sequence, the client can establish one-way communication to the server.

Can you give a specific example of how PK can be used?

One way to use PK is as an access-granting system. The client sends a knock which encodes a request that the server open a given port, or range of ports, to the client for a specified amount of time. For example, if the port knock encodes the client's IP, the port(s) that should be opened, and the length of time for which the ports should stay open, the client can effectively open ports on demand. In this use of PK, ports are opened specifically to the client's IP, not to everyone.

How can this example be extended?

The client may extend the functionality of the knock, as long as the server knows how to interpret the extra information. Some additional information that can be added is

Why should the client's IP be included in the knock sequence?

The port knock may be intercepted by a third party. The IP of the client should be included in the encrypted knock to reduce the danger posed by replay attacks. Since the IP of the knocking host can be read straight from the packet headers, ideally the knock should be sent from a computer whose IP differs from the one encoded in the knock. That way, even if someone replays the knock with a spoofed IP, and assuming that the server then allows additional communication from the client (see point above), they cannot know the actual IP of the client. If the listening third party detects traffic from the client to the server and changes their spoofed IP to match, the knock server can still reject the additional connections (see point above).

last updated 2005-Aug-03 13:40
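The access-granting knock described in the two answers above (client IP, port to open, lifetime) and the reason for binding the grant to the encoded IP rather than the packet source, as an added example. This is not the portknocking.org Perl prototype's code and it does not reproduce that prototype's port range or encryption. Assumptions: each payload byte is carried as a knock on port 745 + byte (so knocks fall in 745..1000), the payload is the raw 8-byte field layout shown, and encryption of that payload is left out; `encode_knock`, `decode_knock` and `handle_knock` are names chosen here.

```python
"""Added example: encoding an access-granting port knock and applying it server-side.

Not the portknocking.org prototype. The port range and field layout are assumptions
made for this illustration; a real deployment would encrypt the payload before
mapping it to ports.
"""
import ipaddress
import struct
from typing import List, Tuple

KNOCK_BASE = 745                      # assumed: byte value b is sent as a knock on port KNOCK_BASE + b
PAYLOAD_LEN = 8                       # 4 bytes IPv4 address + 2 bytes port + 2 bytes lifetime (seconds)


def encode_knock(client_ip: str, port: int, seconds: int) -> List[int]:
    """Client side: pack (IP to grant, port to open, lifetime) into a port sequence.

    The IP in the payload is the address that should be granted access; it need not
    be the address the knock is actually sent from.
    """
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if not 1 <= seconds <= 65535:
        raise ValueError("lifetime must be 1..65535 seconds")
    payload = ipaddress.IPv4Address(client_ip).packed + struct.pack("!HH", port, seconds)
    return [KNOCK_BASE + b for b in payload]


def decode_knock(ports: List[int]) -> Tuple[str, int, int]:
    """Server side: recover (IP, port, lifetime) from the observed knock sequence."""
    if len(ports) != PAYLOAD_LEN:
        raise ValueError("knock has wrong length")
    if any(p < KNOCK_BASE or p > KNOCK_BASE + 255 for p in ports):
        raise ValueError("knock port outside the knock window")
    raw = bytes(p - KNOCK_BASE for p in ports)
    ip = str(ipaddress.IPv4Address(raw[:4]))
    port, seconds = struct.unpack("!HH", raw[4:])
    if port == 0 or seconds == 0:
        raise ValueError("malformed knock")
    return ip, port, seconds


def handle_knock(ports: List[int], source_ip: str) -> dict:
    """Server side: decide which firewall rule the knock asks for.

    The grant is always issued to the IP encoded in the knock, never to `source_ip`,
    so replaying a captured knock from another address (spoofed or not) opens the
    port only for the original client, not for the replayer.
    """
    grant_ip, port, seconds = decode_knock(ports)
    return {
        "allow_from": grant_ip,      # address that gets the port opened
        "port": port,
        "seconds": seconds,
        "sent_from": source_ip,      # where the knock packets came from; logged, not trusted
        "source_matches_grant": source_ip == grant_ip,
    }


if __name__ == "__main__":
    # Constructed sample: the client wants 192.168.1.10 to reach TCP/22 for 10 minutes,
    # and sends the knock from a different host (192.168.1.50), as the FAQ recommends.
    knock = encode_knock("192.168.1.10", 22, 600)
    print("knock sequence:", knock)
    print("legitimate knock:", handle_knock(knock, "192.168.1.50"))
    # An eavesdropper replays the same sequence from their own address.
    print("replayed knock:  ", handle_knock(knock, "10.0.0.99"))
```

Running the script shows both the original and the replayed knock produce a grant for 192.168.1.10, so the replay buys the eavesdropper nothing unless they can also receive traffic as that address. The `source_matches_grant` flag is there for logging: a knock whose packet source already equals the granted IP reveals the granted address to anyone sniffing, which is exactly what sending the knock from a second host avoids.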




