I want to try to implement some form of concealed port knocking in
OpenBSD, along the lines of Martin Kirsch:
https://gnunet.org/sites/default/files/ma_kirsch_2014_0.pdf

The application is electronic democracy. I want to demonstrate how it
is possible to do secure comms. over untrusted networks and hardware.
I hope to be able to do this by carrying out a global referendum. See
http://livelogic.blogspot.com/2014/10/the-foundation-parts-iii-iii.html

My plan is to use a virtual interface which magically shows behind the
physical interface when connections are made with the right ISN key in
the SYN packet. If the ISN is not one of the 'knocks' then the
connection sees the ordinary physical interface.

Then I want to make a connection between applications and the TCP
stack so that the knocks can be determined only by data from within
the VPN. Then the knocks will vary non-deterministically. To bootstrap
into the VPN a machine will need a direct trusted connection to
another machine which is already in the VPN, and which can send it the
initial knock key sequence which will allow it to handshake into the
VPN, and thereafter have a connection.

The VPN will be tunneled over TCP and/or IP datagram connections.
Within the VPN the routing and representation of data within real TCP
network packets will also vary non-deterministically according to data
passed over the VPN.

The VPN will be used for trusted core protocols for authentication,
key-exchange and verification. So it need not carry such high volumes
of traffic. The bulk of data will be carried over the exposed network.

If anyone here has a better idea, or any other useful advice (even if
it's "this has already been done!" or "it won't work", but please
explain exactly why) or pointers: I am new to this game: I have never
seriously looked at network protocol driver code in OpenBSD or any
other OS.
Thanks in advance, and best wishes,
Ian
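As an added illustration of the knock check the post sketches (this is example code written for this page, not code from the post, from OpenBSD, or from the Kirsch thesis), the Python below models the decision "does this SYN's ISN carry a valid knock, so the connection should see the hidden virtual interface, or not, so it sees the ordinary physical interface". The construction is an assumption: the knock is HMAC-SHA256 over a shared key, the source and destination addresses, the destination port and a 30-second time window, truncated to the 32 bits an ISN can hold. A replay cache rejects a captured knock reused within its window, and a ratchet step shows one way the knock key could be advanced by data carried inside the VPN so that later knocks are unpredictable to an outside observer. The addresses and key are constructed sample values.

```python
import hmac
import hashlib
import struct
from typing import List, Set, Tuple

WINDOW_SECONDS = 30   # assumed validity window for one knock
CLOCK_SLACK = 1       # accept the neighbouring windows to tolerate clock drift


def knock_isn(key: bytes, src_ip: str, dst_ip: str, dst_port: int, window: int) -> int:
    """Derive the 32-bit ISN a knocking client must place in its SYN.

    Binding the tag to the endpoints and the time window means a knock
    captured on the wire is useless from another source, for another
    destination port, or after the window has passed.  HMAC-SHA256
    truncated to 32 bits is an assumption of this example.
    """
    msg = f"{src_ip}|{dst_ip}|{dst_port}|{window}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return struct.unpack(">I", tag[:4])[0]


class KnockGate:
    """Decide, per incoming SYN, whether the connection belongs to the
    hidden virtual interface ("virtual") or to the ordinary physical
    interface ("physical")."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        # replay cache of knocks already consumed: (src_ip, dst_port, window, isn)
        self.seen: Set[Tuple[str, int, int, int]] = set()

    def classify(self, src_ip: str, dst_ip: str, dst_port: int, isn: int, now: int) -> str:
        window = now // WINDOW_SECONDS
        for w in range(window - CLOCK_SLACK, window + CLOCK_SLACK + 1):
            expected = knock_isn(self.key, src_ip, dst_ip, dst_port, w)
            # constant-time compare so timing does not leak how close a guess was
            if hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", isn)):
                entry = (src_ip, dst_port, w, isn)
                if entry in self.seen:
                    return "physical"   # replayed knock: fall through to the ordinary interface
                self.seen.add(entry)
                return "virtual"
        return "physical"               # no valid knock: ordinary interface

    def ratchet(self, vpn_data: bytes) -> None:
        """Advance the knock key from data exchanged inside the VPN.
        Knocks under the old key stop verifying, so the replay cache can be reset."""
        self.key = hmac.new(self.key, b"knock-ratchet|" + vpn_data, hashlib.sha256).digest()
        self.seen.clear()


def demo() -> List[str]:
    """Classify a constructed sequence of SYNs: a valid knock, a replay of
    it, a random ISN, a stale knock, and a knock made with the wrong key."""
    gate = KnockGate(b"constructed-shared-key")          # constructed sample key
    src, dst, port, now = "192.0.2.10", "198.51.100.1", 443, 1_700_000_000
    window = now // WINDOW_SECONDS
    good = knock_isn(gate.key, src, dst, port, window)
    stale = knock_isn(gate.key, src, dst, port, window - 5)
    wrong_key = knock_isn(b"some-other-key", src, dst, port, window)
    results = [
        gate.classify(src, dst, port, good, now),        # virtual
        gate.classify(src, dst, port, good, now),        # physical (replay)
        gate.classify(src, dst, port, 0x12345678, now),  # physical (random ISN)
        gate.classify(src, dst, port, stale, now),       # physical (outside window)
        gate.classify(src, dst, port, wrong_key, now),   # physical (wrong key)
    ]
    gate.ratchet(b"constructed VPN payload")
    results.append(gate.classify(src, dst, port, good, now))  # physical after ratchet
    fresh = knock_isn(gate.key, src, dst, port, window)
    results.append(gate.classify(src, dst, port, fresh, now))  # virtual with new key
    return results


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would weigh when moving this from a model to a kernel: the ISN only holds 32 bits, so an unauthenticated sender has a 2^-32 chance per SYN of hitting a valid knock in a given window and the gate needs rate limiting alongside the replay cache; and the client side must produce the same value from the same key and clock, so the "initial knock key sequence" the post mentions has to carry the key and enough time context to pick the window.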