doc updates

Michael Rash 2015-12-24 16:08:35 -05:00
parent 31c6c9e997
commit e3ae6747d9
4 changed files with 28 additions and 28 deletions


@ -2,12 +2,12 @@
.\" Title: fwknop .\" Title: fwknop
.\" Author: [see the "AUTHORS" section] .\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12/23/2015 .\" Date: 12/24/2015
.\" Manual: Fwknop Client .\" Manual: Fwknop Client
.\" Source: Fwknop Client .\" Source: Fwknop Client
.\" Language: English .\" Language: English
.\" .\"
.TH "FWKNOP" "8" "12/23/2015" "Fwknop Client" "Fwknop Client" .TH "FWKNOP" "8" "12/24/2015" "Fwknop Client" "Fwknop Client"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
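Review bot: Date churn in generated output: the `.\" Date:` comment and the `.TH` line at the top of this hunk change only from 12/23/2015 to 12/24/2015, a stamp written by the DocBook XSL generator named in the header. Consider regenerating this page at release time, or pinning the date, so that typo-only commits do not carry unrelated date changes in the diff.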
@ -38,7 +38,7 @@ fwknop \- Firewall Knock Operator
.sp .sp
SPA is essentially next generation Port Knocking (PK), but solves many of the limitations exhibited by PK while retaining its core benefits\&. PK limitations include a general difficulty in protecting against replay attacks, asymmetric ciphers and HMAC schemes are not usually possible to reliably support, and it is trivially easy to mount a DoS attack against a PK server just by spoofing an additional packet into a PK sequence as it traverses the network (thereby convincing the PK server that the client doesn\(cqt know the proper sequence)\&. All of these limitation are solved by SPA\&. At the same time, SPA hides services behind a default\-drop firewall policy, acquires SPA data passively (usually via libpcap or other means), and implements standard cryptographic operations for SPA packet authentication and encryption/decryption\&. SPA is essentially next generation Port Knocking (PK), but solves many of the limitations exhibited by PK while retaining its core benefits\&. PK limitations include a general difficulty in protecting against replay attacks, asymmetric ciphers and HMAC schemes are not usually possible to reliably support, and it is trivially easy to mount a DoS attack against a PK server just by spoofing an additional packet into a PK sequence as it traverses the network (thereby convincing the PK server that the client doesn\(cqt know the proper sequence)\&. All of these limitation are solved by SPA\&. At the same time, SPA hides services behind a default\-drop firewall policy, acquires SPA data passively (usually via libpcap or other means), and implements standard cryptographic operations for SPA packet authentication and encryption/decryption\&.
.sp .sp
This is the manual page for the \fBfwknop\fR client which is responsible for constructing SPA packets and sending them over the network\&. The server side is implemented by the \fBfwknopd\fR daemon which sniffs the network for SPA packets and interacts with the local firewall to allow SPA authenticated connections\&. It is recommended to read the \fIfwknopd(8)\fR manual page as well\&. Further detailed information may be found in the tutorial \fISingle Packet Authorization: A Comprehensive Guide to Strong Service Concealment with fwknop\fR available online here: \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/fwknop\-tutorial\&.html\fR\&. This is the manual page for the \fBfwknop\fR client which is responsible for constructing SPA packets and sending them over the network\&. The server side is implemented by the \fBfwknopd\fR daemon which sniffs the network for SPA packets and interacts with the local firewall to allow SPA authenticated connections\&. It is recommended to read the \fIfwknopd(8)\fR manual page as well\&. Further detailed information may be found in the tutorial \(lqSingle Packet Authorization: A Comprehensive Guide to Strong Service Concealment with fwknop\(rq available online (see: \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/fwknop\-tutorial\&.html\fR)\&.
.sp .sp
SPA packets generated by \fBfwknop\fR leverage HMAC for authenticated encryption in the encrypt\-then\-authenticate model\&. Although the usage of an HMAC is currently optional (enabled via the \fB\-\-use\-hmac\fR command line switch), it is highly recommended for three reasons: \fI1)\fR without an HMAC, cryptographically strong authentication is not possible with \fBfwknop\fR unless GnuPG is used, but even then an HMAC should still be applied, \fI2)\fR an HMAC applied after encryption protects against cryptanalytic CBC\-mode padding oracle attacks such as the Vaudenay attack and related trickery (like the more recent "Lucky 13" attack against SSL), and \fI3)\fR the code required by the \fBfwknopd\fR daemon to verify an HMAC is much more simplistic than the code required to decrypt an SPA packet, so an SPA packet without a proper HMAC isn\(cqt even sent through the decryption routines\&. Reason \fI3)\fR is why an HMAC should still be used even when SPA packets are encrypted with GnuPG due to the fact that SPA data is not sent through \fBlibgpgme\fR functions unless the HMAC checks out first\&. GnuPG and libgpgme are relatively complex bodies of code, and therefore limiting the ability of a potential attacker to interact with this code through an HMAC operation helps to maintain a stronger security stance\&. Generating an HMAC for SPA communications requires a dedicated key in addition to the normal encryption key, and both can be generated with the \fB\-\-key\-gen\fR option\&. SPA packets generated by \fBfwknop\fR leverage HMAC for authenticated encryption in the encrypt\-then\-authenticate model\&. 
Although the usage of an HMAC is currently optional (enabled via the \fB\-\-use\-hmac\fR command line switch), it is highly recommended for three reasons: \fI1)\fR without an HMAC, cryptographically strong authentication is not possible with \fBfwknop\fR unless GnuPG is used, but even then an HMAC should still be applied, \fI2)\fR an HMAC applied after encryption protects against cryptanalytic CBC\-mode padding oracle attacks such as the Vaudenay attack and related trickery (like the more recent "Lucky 13" attack against SSL), and \fI3)\fR the code required by the \fBfwknopd\fR daemon to verify an HMAC is much more simplistic than the code required to decrypt an SPA packet, so an SPA packet without a proper HMAC isn\(cqt even sent through the decryption routines\&. Reason \fI3)\fR is why an HMAC should still be used even when SPA packets are encrypted with GnuPG due to the fact that SPA data is not sent through \fBlibgpgme\fR functions unless the HMAC checks out first\&. GnuPG and libgpgme are relatively complex bodies of code, and therefore limiting the ability of a potential attacker to interact with this code through an HMAC operation helps to maintain a stronger security stance\&. Generating an HMAC for SPA communications requires a dedicated key in addition to the normal encryption key, and both can be generated with the \fB\-\-key\-gen\fR option\&.
.sp .sp
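Review bot: Two wording problems remain in the unchanged context of this hunk and could be fixed in the same pass. "All of these limitation are solved by SPA" in the first paragraph should read "limitations", and "much more simplistic than the code required to decrypt an SPA packet" in reason 3) would read better as "much simpler", since "simplistic" suggests oversimplified rather than small and easy to audit. The header marks this page as generated, so the fix belongs in the source text it is built from.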
@ -513,7 +513,7 @@ in
\fB\-\-secure\-protocol\fR \fB\-\-secure\-protocol\fR
mode\&. Note that it is generally more secure to use the mode\&. Note that it is generally more secure to use the
\fB\-a\fR \fB\-a\fR
option if the externally routable IP address for the client is already known to the user since this elminates the need for option if the externally routable IP address for the client is already known to the user since this eliminates the need for
\fBfwknop\fR \fBfwknop\fR
to issue any sort of HTTPS request\&. to issue any sort of HTTPS request\&.
.RE .RE
@ -529,7 +529,7 @@ This option forces the
\fBfwknop\fR \fBfwknop\fR
client to resolve the external IP via HTTP instead of HTTPS\&. There are some circumstances where this might be necessary such as when client to resolve the external IP via HTTP instead of HTTPS\&. There are some circumstances where this might be necessary such as when
\fIwget\fR \fIwget\fR
is not available (or hasn\(cqt been compiled with SSL support), but generally this is not recommeded since it opens the possibility of a MITM attack through manipulation of the IP resolution HTTP response\&. Either specify the IP manually with is not available (or hasn\(cqt been compiled with SSL support), but generally this is not recommended since it opens the possibility of a MITM attack through manipulation of the IP resolution HTTP response\&. Either specify the IP manually with
\fB\-a\fR, or use \fB\-a\fR, or use
\fB\-R\fR \fB\-R\fR
and omit this option\&. and omit this option\&.
@ -1223,7 +1223,7 @@ For emphasis, if the \fBfwknopd\fR server is upgraded to 2\&.5 (or later), but o
.RE .RE
.\} .\}
.sp .sp
In addition, if the \fIKEY\fR variable has an encryption key longer than 16 bytes, it will need to be truncated to 16 characters in the \fIaccess\&.conf\fR file in order for pre\-2\&.5 clients to work properly\&. This limitation is fixed in 2\&.5, and provides additional motiviation for upgrading all clients and servers to 2\&.5 or later\&. In addition, if the \fIKEY\fR variable has an encryption key longer than 16 bytes, it will need to be truncated to 16 characters in the \fIaccess\&.conf\fR file in order for pre\-2\&.5 clients to work properly\&. This limitation is fixed in 2\&.5, and provides additional motivation for upgrading all clients and servers to 2\&.5 or later\&.
.sp .sp
Now, flipping the scenario around, if the \fBfwknop\fR clients are upgraded but the \fBfwknopd\fR server is still at a pre\-2\&.5 version, then add the \fI\-M legacy\fR argument to the fwknop command line: Now, flipping the scenario around, if the \fBfwknop\fR clients are upgraded but the \fBfwknopd\fR server is still at a pre\-2\&.5 version, then add the \fI\-M legacy\fR argument to the fwknop command line:
.sp .sp
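Review bot: Mixed units in the KEY sentence of this hunk: it says a key "longer than 16 bytes" must be "truncated to 16 characters". State the limit in one unit, or say explicitly that the two counts are meant to be the same here, so that an administrator truncating a key for pre-2.5 clients knows what to count.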
@ -1270,7 +1270,7 @@ Additional commentary on Single Packet Authorization can be found via Michael Ra
Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org> Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org>
.SH "CONTRIBUTORS" .SH "CONTRIBUTORS"
.sp .sp
This \(lqC\(rq version of fwknop was derived from the original Perl\-based version on which many people who are active in the open source community have contributed\&. See the CREDITS file in the fwknop sources, or visit \fIhttps://github\&.com/mrash/fwknop/blob/master/CREDITS\fR to view the online list of contributors\&. A few contributors deserve to be singled out including: Franck Joncourt, Max Kastanas, Vlad Glagolev, Sean Greven, Hank Leininger, Fernando Arnaboldi, and Erik Gomez\&. This \(lqC\(rq version of fwknop was derived from the original Perl\-based version on which many people who are active in the open source community have contributed\&. See the CREDITS file in the fwknop sources, or visit \fIhttps://github\&.com/mrash/fwknop/blob/master/CREDITS\fR to view the online list of contributors\&. A few contributors deserve to be singled out including: Jonathan Bennett, Franck Joncourt, Max Kastanas, Vlad Glagolev, Sean Greven, Hank Leininger, Fernando Arnaboldi, and Erik Gomez\&.
.sp .sp
The phrase \(lqSingle Packet Authorization\(rq was coined by MadHat and Simple Nomad at the BlackHat Briefings of 2005\&. The phrase \(lqSingle Packet Authorization\(rq was coined by MadHat and Simple Nomad at the BlackHat Briefings of 2005\&.
.SH "BUGS" .SH "BUGS"
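Review bot: Grammar in the CONTRIBUTORS sentence this hunk edits: "the original Perl-based version on which many people ... have contributed" should be "to which many people ... have contributed". The same sentence appears in the other files changed by this commit, so the fix would apply there as well.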


@ -44,9 +44,9 @@ constructing SPA packets and sending them over the network. The server side is
implemented by the *fwknopd* daemon which sniffs the network for SPA packets implemented by the *fwknopd* daemon which sniffs the network for SPA packets
and interacts with the local firewall to allow SPA authenticated connections. and interacts with the local firewall to allow SPA authenticated connections.
It is recommended to read the 'fwknopd(8)' manual page as well. Further detailed It is recommended to read the 'fwknopd(8)' manual page as well. Further detailed
information may be found in the tutorial 'Single Packet Authorization: information may be found in the tutorial ``Single Packet Authorization:
A Comprehensive Guide to Strong Service Concealment with fwknop' available A Comprehensive Guide to Strong Service Concealment with fwknop'' available
online here: 'http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html'. online (see: 'http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html').
SPA packets generated by *fwknop* leverage HMAC for authenticated encryption SPA packets generated by *fwknop* leverage HMAC for authenticated encryption
in the encrypt-then-authenticate model. Although the usage of an HMAC is in the encrypt-then-authenticate model. Although the usage of an HMAC is
@ -429,7 +429,7 @@ SPA OPTIONS
is accessed by *fwknop* via 'wget' in *--secure-protocol* mode. Note that is accessed by *fwknop* via 'wget' in *--secure-protocol* mode. Note that
it is generally more secure to use the *-a* option if the externally it is generally more secure to use the *-a* option if the externally
routable IP address for the client is already known to the user since this routable IP address for the client is already known to the user since this
elminates the need for *fwknop* to issue any sort of HTTPS request. eliminates the need for *fwknop* to issue any sort of HTTPS request.
*--resolve-url* '<url>':: *--resolve-url* '<url>'::
Override the default URL used for resolving the source IP address. For Override the default URL used for resolving the source IP address. For
@ -440,7 +440,7 @@ SPA OPTIONS
This option forces the *fwknop* client to resolve the external IP via This option forces the *fwknop* client to resolve the external IP via
HTTP instead of HTTPS. There are some circumstances where this might be HTTP instead of HTTPS. There are some circumstances where this might be
necessary such as when 'wget' is not available (or hasn't been compiled necessary such as when 'wget' is not available (or hasn't been compiled
with SSL support), but generally this is not recommeded since it opens with SSL support), but generally this is not recommended since it opens
the possibility of a MITM attack through manipulation of the IP resolution the possibility of a MITM attack through manipulation of the IP resolution
HTTP response. Either specify the IP manually with *-a*, or use *-R* HTTP response. Either specify the IP manually with *-a*, or use *-R*
and omit this option. and omit this option.
@ -1013,7 +1013,7 @@ the '@sysconfdir@/fwknop/access.conf' file, add the following line:
In addition, if the 'KEY' variable has an encryption key longer than 16 bytes, In addition, if the 'KEY' variable has an encryption key longer than 16 bytes,
it will need to be truncated to 16 characters in the 'access.conf' file in it will need to be truncated to 16 characters in the 'access.conf' file in
order for pre-2.5 clients to work properly. This limitation is fixed in 2.5, order for pre-2.5 clients to work properly. This limitation is fixed in 2.5,
and provides additional motiviation for upgrading all clients and servers to and provides additional motivation for upgrading all clients and servers to
2.5 or later. 2.5 or later.
Now, flipping the scenario around, if the *fwknop* clients are upgraded but the Now, flipping the scenario around, if the *fwknop* clients are upgraded but the
@ -1096,8 +1096,8 @@ on which many people who are active in the open source community have
contributed. See the CREDITS file in the fwknop sources, or visit contributed. See the CREDITS file in the fwknop sources, or visit
'https://github.com/mrash/fwknop/blob/master/CREDITS' to view the online 'https://github.com/mrash/fwknop/blob/master/CREDITS' to view the online
list of contributors. A few contributors deserve to be singled out including: list of contributors. A few contributors deserve to be singled out including:
Franck Joncourt, Max Kastanas, Vlad Glagolev, Sean Greven, Hank Leininger, Jonathan Bennett, Franck Joncourt, Max Kastanas, Vlad Glagolev, Sean Greven,
Fernando Arnaboldi, and Erik Gomez. Hank Leininger, Fernando Arnaboldi, and Erik Gomez.
The phrase ``Single Packet Authorization'' was coined by MadHat and Simple The phrase ``Single Packet Authorization'' was coined by MadHat and Simple
Nomad at the BlackHat Briefings of 2005. Nomad at the BlackHat Briefings of 2005.


@ -34,9 +34,9 @@ The main configuration for *fwknopd* is maintained within two files:
is determined at package configuration (typically '@sysconfdir@/fwknop'). is determined at package configuration (typically '@sysconfdir@/fwknop').
The configuration variables within these files are described below. The configuration variables within these files are described below.
Additional information may be found in the tutorial 'Single Packet Authorization: Additional information may be found in the tutorial ``Single Packet Authorization:
A Comprehensive Guide to Strong Service Concealment with fwknop' available A Comprehensive Guide to Strong Service Concealment with fwknop'' available
online here: 'http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html'. online (see: 'http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html').
COMMAND-LINE OPTIONS COMMAND-LINE OPTIONS
@ -243,7 +243,7 @@ FWKNOPD CONFIG AND ACCESS VARIABLES
*fwknopd* references the '@sysconfdir@/fwknop/fwknopd.conf' file for configuration *fwknopd* references the '@sysconfdir@/fwknop/fwknopd.conf' file for configuration
variables to define operational parameters (what network interface and port variables to define operational parameters (what network interface and port
to sniff, what features to enable/disable, etc.). The 'fwknopd.conf' file to sniff, what features to enable/disable, etc.). The 'fwknopd.conf' file
does not define any access control directives or set any encryption or authenitcation does not define any access control directives or set any encryption or authentication
keys. keys.
The access control directives are contained in the '@sysconfdir@/fwknop/access.conf' The access control directives are contained in the '@sysconfdir@/fwknop/access.conf'
@ -529,7 +529,7 @@ directive starts a new stanza.
*%include* '<file>':: *%include* '<file>'::
Have *fwknopd* import an additional 'access.conf' file. This allows more Have *fwknopd* import an additional 'access.conf' file. This allows more
access stanzas to be defined in other locations in the filesystem, and this access stanzas to be defined in other locations in the filesystem, and this
can be adventageous in some scenarios by letting non-privledged users define can be advantageous in some scenarios by letting non-privileged users define
their own encryption and authentication keys for SPA operations. This way, their own encryption and authentication keys for SPA operations. This way,
users do not need write access to the main '@sysconfdir@/fwknop/access.conf' users do not need write access to the main '@sysconfdir@/fwknop/access.conf'
file to change keys around or define new ones. file to change keys around or define new ones.
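Review bot: Missing guidance on the included file in the *%include* paragraph: it says non-privileged users can define their own encryption and authentication keys there without write access to the main access.conf, but not what ownership or permissions the included file should have. Since that file holds key material and is edited by someone other than the administrator of the main file, a sentence on recommended permissions and on who is trusted to edit it would help.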
@ -841,8 +841,8 @@ on which many people who are active in the open source community have
contributed. See the CREDITS file in the fwknop sources, or visit contributed. See the CREDITS file in the fwknop sources, or visit
'https://github.com/mrash/fwknop/blob/master/CREDITS' to view the online 'https://github.com/mrash/fwknop/blob/master/CREDITS' to view the online
list of contributors. A few contributors deserve to be singled out including: list of contributors. A few contributors deserve to be singled out including:
Franck Joncourt, Max Kastanas, Vlad Glagolev, Sean Greven, Hank Leininger, Jonathan Bennett, Franck Joncourt, Max Kastanas, Vlad Glagolev, Sean Greven,
Fernando Arnaboldi, and Erik Gomez. Hank Leininger, Fernando Arnaboldi, and Erik Gomez.
The phrase ``Single Packet Authorization'' was coined by MadHat and Simple The phrase ``Single Packet Authorization'' was coined by MadHat and Simple
Nomad at the BlackHat Briefings of 2005. Nomad at the BlackHat Briefings of 2005.


@ -2,12 +2,12 @@
.\" Title: fwknopd .\" Title: fwknopd
.\" Author: [see the "AUTHORS" section] .\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 12/23/2015 .\" Date: 12/24/2015
.\" Manual: Fwknop Server .\" Manual: Fwknop Server
.\" Source: Fwknop Server .\" Source: Fwknop Server
.\" Language: English .\" Language: English
.\" .\"
.TH "FWKNOPD" "8" "12/23/2015" "Fwknop Server" "Fwknop Server" .TH "FWKNOPD" "8" "12/24/2015" "Fwknop Server" "Fwknop Server"
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
.\" * Define some portability stuff .\" * Define some portability stuff
.\" ----------------------------------------------------------------- .\" -----------------------------------------------------------------
@ -40,7 +40,7 @@ The main application of this program is to conceal services such as \fISSH\fR wi
.sp .sp
The main configuration for \fBfwknopd\fR is maintained within two files: \fIfwknopd\&.conf\fR and \fIaccess\&.conf\fR\&. The default location for these files is determined at package configuration (typically \fI@sysconfdir@/fwknop\fR)\&. The configuration variables within these files are described below\&. The main configuration for \fBfwknopd\fR is maintained within two files: \fIfwknopd\&.conf\fR and \fIaccess\&.conf\fR\&. The default location for these files is determined at package configuration (typically \fI@sysconfdir@/fwknop\fR)\&. The configuration variables within these files are described below\&.
.sp .sp
Additional information may be found in the tutorial \fISingle Packet Authorization: A Comprehensive Guide to Strong Service Concealment with fwknop\fR available online here: \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/fwknop\-tutorial\&.html\fR\&. Additional information may be found in the tutorial \(lqSingle Packet Authorization: A Comprehensive Guide to Strong Service Concealment with fwknop\(rq available online (see: \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/fwknop\-tutorial\&.html\fR)\&.
.SH "COMMAND-LINE OPTIONS" .SH "COMMAND-LINE OPTIONS"
.PP .PP
\fB\-i, \-\-interface\fR=\fI<interface>\fR \fB\-i, \-\-interface\fR=\fI<interface>\fR
@ -344,7 +344,7 @@ Display version information and exit\&.
.RE .RE
.SH "FWKNOPD CONFIG AND ACCESS VARIABLES" .SH "FWKNOPD CONFIG AND ACCESS VARIABLES"
.sp .sp
\fBfwknopd\fR references the \fI@sysconfdir@/fwknop/fwknopd\&.conf\fR file for configuration variables to define operational parameters (what network interface and port to sniff, what features to enable/disable, etc\&.)\&. The \fIfwknopd\&.conf\fR file does not define any access control directives or set any encryption or authenitcation keys\&. \fBfwknopd\fR references the \fI@sysconfdir@/fwknop/fwknopd\&.conf\fR file for configuration variables to define operational parameters (what network interface and port to sniff, what features to enable/disable, etc\&.)\&. The \fIfwknopd\&.conf\fR file does not define any access control directives or set any encryption or authentication keys\&.
.sp .sp
The access control directives are contained in the \fI@sysconfdir@/fwknop/access\&.conf\fR file\&. Access control directives define encryption keys and level of access that is granted to an fwknop client that has generated the appropriate encrypted SPA message\&. The access control directives are contained in the \fI@sysconfdir@/fwknop/access\&.conf\fR file\&. Access control directives define encryption keys and level of access that is granted to an fwknop client that has generated the appropriate encrypted SPA message\&.
.SS "FWKNOPD\&.CONF VARIABLES" .SS "FWKNOPD\&.CONF VARIABLES"
@ -664,7 +664,7 @@ Have
\fBfwknopd\fR \fBfwknopd\fR
import an additional import an additional
\fIaccess\&.conf\fR \fIaccess\&.conf\fR
file\&. This allows more access stanzas to be defined in other locations in the filesystem, and this can be adventageous in some scenarios by letting non\-privledged users define their own encryption and authentication keys for SPA operations\&. This way, users do not need write access to the main file\&. This allows more access stanzas to be defined in other locations in the filesystem, and this can be advantageous in some scenarios by letting non\-privileged users define their own encryption and authentication keys for SPA operations\&. This way, users do not need write access to the main
\fI@sysconfdir@/fwknop/access\&.conf\fR \fI@sysconfdir@/fwknop/access\&.conf\fR
file to change keys around or define new ones\&. file to change keys around or define new ones\&.
.RE .RE
@ -964,7 +964,7 @@ Additional commentary on Single Packet Authorization can be found via Michael Ra
Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org> Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org>
.SH "CONTRIBUTORS" .SH "CONTRIBUTORS"
.sp .sp
This \(lqC\(rq version of fwknop was derived from the original Perl\-based version on which many people who are active in the open source community have contributed\&. See the CREDITS file in the fwknop sources, or visit \fIhttps://github\&.com/mrash/fwknop/blob/master/CREDITS\fR to view the online list of contributors\&. A few contributors deserve to be singled out including: Franck Joncourt, Max Kastanas, Vlad Glagolev, Sean Greven, Hank Leininger, Fernando Arnaboldi, and Erik Gomez\&. This \(lqC\(rq version of fwknop was derived from the original Perl\-based version on which many people who are active in the open source community have contributed\&. See the CREDITS file in the fwknop sources, or visit \fIhttps://github\&.com/mrash/fwknop/blob/master/CREDITS\fR to view the online list of contributors\&. A few contributors deserve to be singled out including: Jonathan Bennett, Franck Joncourt, Max Kastanas, Vlad Glagolev, Sean Greven, Hank Leininger, Fernando Arnaboldi, and Erik Gomez\&.
.sp .sp
The phrase \(lqSingle Packet Authorization\(rq was coined by MadHat and Simple Nomad at the BlackHat Briefings of 2005\&. The phrase \(lqSingle Packet Authorization\(rq was coined by MadHat and Simple Nomad at the BlackHat Briefings of 2005\&.
.SH "BUGS" .SH "BUGS"