

1.3.1 SPA Data Format

The format of the SPA message data used by fwknop (before encryption and before an HMAC is applied) is a colon-delimited string containing the individual SPA data fields. Some of these fields are base64-encoded in the final encoding process as dictated by the current fwknop implementation.

Variable: data spa_message_fields

Using the libfko names for the data fields, the list of these fields (in order) follows:

rand_value - Default: Random (created upon context creation)

A 16-byte random numeric string.

username - Default: the current login user, or the value of the SPOOF_USER environment variable if set

The base64-encoded username associated with this SPA data.

timestamp - Default: The Unix time at creation

The Unix timestamp value.

version - Default: the current fwknop version

The current fwknop version that supports this format. This field is not user settable.

spa_message_type - Default: SPA access message (FKO_ACCESS_MSG)

The SPA message type value for this message.

spa_message

The base64-encoded SPA message itself (an access request or command string).

spa_nat_access

An optional base64-encoded request for NAT access.

spa_server_auth

An optional base64-encoded string that can be used as an additional authentication mechanism at the fwknop server.

spa_client_timeout

An optional client timeout value that can be supplied to the fwknop server.

spa_digest - Computed value

The digest of the previous fields (including the delimiters).

With all fields defined, a complete (unencoded) SPA message looks like the following example. Note that the line is broken here for readability, and that the username, message, nat_access, and server_auth fields are shown before base64 encoding:


8307540982176539:juser:1230665172:2.5:1:1.1.1.1,tcp/22:192.168.1.2,22:
crypt,mypw:120:xswj8V0zMR7/7MV9pQRarSKWG1l9Zfjv+kbXaKrJ+RA

For most of the fields, you need not be concerned about the format, as libfko handles it. The exceptions are spa_message, spa_nat_access, and spa_server_auth: libfko does not format these fields during creation, but it does check them for format validity when encoding outgoing SPA data and when decoding (parsing) incoming SPA data. More information on the specific formats of these fields can be found in SPA Messages.
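The following is an added example, written in Python rather than taken from libfko, that builds the colon-delimited string described above from the individual fields and parses it back, verifying the trailing digest before trusting any field. The field names are the libfko names; the choice of SHA-256 as the digest, the removal of base64 '=' padding (which matches the 43-character digest in the example above), and the rule that unset optional fields are simply omitted from the end of the string are assumptions made for this example, not behaviour the page documents.

```python
"""Added example (not libfko's own code): encode and decode the colon-delimited
SPA data string, with the digest computed over the preceding fields including
the delimiters. Assumptions: SHA-256 digest, standard base64 with '=' padding
stripped, and trailing optional fields omitted when unset."""
import base64
import hashlib
import hmac
import secrets
import time

# Field order from the page, digest excluded (it is always appended last).
FIELDS = ["rand_value", "username", "timestamp", "version", "spa_message_type",
          "spa_message", "spa_nat_access", "spa_server_auth", "spa_client_timeout"]
B64_FIELDS = {"username", "spa_message", "spa_nat_access", "spa_server_auth"}
FKO_ACCESS_MSG = 1  # message type used in the page's example


def b64_nopad(raw: bytes) -> str:
    """Standard base64 with the '=' padding removed (assumption, see above)."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def b64_unpad_decode(s: str) -> bytes:
    """Inverse of b64_nopad: restore padding, then decode."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def spa_digest(encoded_fields: str) -> str:
    """Digest of the already-encoded fields, delimiters included."""
    return b64_nopad(hashlib.sha256(encoded_fields.encode("ascii")).digest())


def encode_spa_data(username, spa_message, *, spa_nat_access="", spa_server_auth="",
                    spa_client_timeout=None, rand_value=None, timestamp=None,
                    version="2.5", spa_message_type=FKO_ACCESS_MSG):
    """Return the unencrypted SPA data string: fields joined by ':' plus digest."""
    if rand_value is None:  # 16-byte random numeric string
        rand_value = "".join(str(secrets.randbelow(10)) for _ in range(16))
    if not (len(rand_value) == 16 and rand_value.isdigit()):
        raise ValueError("rand_value must be a 16-digit numeric string")
    if timestamp is None:
        timestamp = int(time.time())
    parts = [rand_value, b64_nopad(username.encode()), str(timestamp), version,
             str(spa_message_type), b64_nopad(spa_message.encode())]
    # Optional fields are appended in order; an unset field followed by a set one
    # would make positions ambiguous for the parser, so that is rejected.
    optional = [("spa_nat_access", spa_nat_access, True),
                ("spa_server_auth", spa_server_auth, True),
                ("spa_client_timeout",
                 "" if spa_client_timeout is None else str(spa_client_timeout), False)]
    gap = False
    for name, value, is_b64 in optional:
        if not value:
            gap = True
            continue
        if gap:
            raise ValueError(f"{name} is set but an earlier optional field is empty")
        parts.append(b64_nopad(value.encode()) if is_b64 else value)
    body = ":".join(parts)
    return body + ":" + spa_digest(body)


def decode_spa_data(data: str) -> dict:
    """Parse SPA data, checking the digest before decoding any field."""
    parts = data.split(":")
    if not 7 <= len(parts) <= 10:
        raise ValueError("SPA data must have 7 to 10 colon-delimited fields")
    body, digest = data.rsplit(":", 1)
    # Constant-time comparison; reject tampered data before parsing it further.
    if not hmac.compare_digest(spa_digest(body), digest):
        raise ValueError("digest mismatch")
    out = {}
    for name, value in zip(FIELDS[:len(parts) - 1], parts[:-1]):
        out[name] = b64_unpad_decode(value).decode("utf-8") if name in B64_FIELDS else value
    if not (len(out["rand_value"]) == 16 and out["rand_value"].isdigit()):
        raise ValueError("rand_value must be a 16-digit numeric string")
    out["timestamp"] = int(out["timestamp"])
    out["spa_message_type"] = int(out["spa_message_type"])
    if "spa_client_timeout" in out:
        out["spa_client_timeout"] = int(out["spa_client_timeout"])
    out["spa_digest"] = digest
    return out


if __name__ == "__main__":
    # Constructed input using the field values from the page's example.
    enc = encode_spa_data("juser", "1.1.1.1,tcp/22", spa_nat_access="192.168.1.2,22",
                          spa_server_auth="crypt,mypw", spa_client_timeout=120,
                          rand_value="8307540982176539", timestamp=1230665172)
    print(enc)
    print(decode_spa_data(enc))
```

Because the digest covers the delimiters as well as the field contents, the parser verifies it over the raw string before splitting any base64 field; the digest on its own only guards against accidental corruption, which is why fwknop applies encryption and an HMAC on top of this format.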

