[zeromq-dev] Feature requests/thoughts for TCP transport
Sergey Hripchenko
shripchenko at intermedia.net
Mon Apr 2 23:24:22 CEST 2012
I have recently used zmq in some projects and, although I pretty much like it and think it is awesome, I feel that it needs some new features to be implemented for the TCP transport to be widely used everywhere (in untrusted and unreliable environments).
I will try to summarize them in one place and kindly ask you (the persons developing this product) to comment on each feature:
• Whether it fits in the zmq framework/philosophy?
• Is it hard to implement?
• Could it be implemented (or could it be planned to be implemented)? And in what release? (or how many releases away from now?)
• Will you approve and merge it if someone makes a patch? For what release?
1. zmq->socket(*)->setsockopt(ZMQ_TCP_KEEPALIVE) on both (server and client) ends for fault-tolerant connections:
(we also need KEEPALIVE_IDLE, KEEPALIVE_INTVL, KEEPALIVE_CNT to properly configure it).
Without it, for example, zmq->socket(SUB)->connect(tcp://) will not reconnect and will hang forever if the remote side silently falls off at some point after the successful connect and the PUB server socket connected to this endpoint is closed while the server is still off-line.
2. zmq->socket(*)->setsockopt(ZMQ_TCP_MAX_PEERS, int) before zmq->socket(*)->bind(tcp://) to preserve server resources in case of an evil while(true){connect()}; attack or a bug in the code
3. zmq->socket(*)->setsockopt(ZMQ_TCP_MAX_PEERS_BY_IP, int) before zmq->socket(*)->bind(tcp://) to limit impact of DDoS like situations
4. multiple zmq->socket(*)->setsockopt(ZMQ_TCP_ACCEPT_FROM, cidr) before/after zmq->socket(*)->bind(tcp://) to allow zmq->socket(*)->accept() connections from only trusted IPs.
(no filtering by default)
5. zmq->socket(*)->setsockopt(ZMQ_TCP_AUTH_TOKEN, string) on server and client sides for peer authentication… This is tough… it breaks protocol compatibility…
a. weak but easy to add: client will send this token (or nothing by default) in the connect packet. Server will match it if configured (or skip this check by default)
b. sufficient: client asks for random SALT in connect phase, then sends his md5(SALT, ZMQ_TCP_AUTH_TOKEN) in 2nd connect packet. Server matches it with saved SALT and his ZMQ_TCP_AUTH_TOKEN.
6. zmq->socket(*)->disconnect(tcp://connstring) as the opposite to zmq->socket(*)->connect(tcp://connstring)
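An added illustration, not code from the post or from libzmq, of how the listener-side limits proposed in points 2, 3 and 4 could be enforced together: a CIDR allow-list that accepts everything when empty (the "no filtering by default" rule), a global peer cap, and a per-IP peer cap. The class and option names are hypothetical and the event trace is constructed.

```python
import ipaddress
from collections import Counter


class TcpAcceptPolicy:
    """Hypothetical accept-time policy modelled on ZMQ_TCP_MAX_PEERS,
    ZMQ_TCP_MAX_PEERS_BY_IP and ZMQ_TCP_ACCEPT_FROM from the post."""

    def __init__(self, max_peers=None, max_peers_by_ip=None, accept_from=()):
        self.max_peers = max_peers
        self.max_peers_by_ip = max_peers_by_ip
        # Empty allow-list means no source filtering, as the post proposes.
        self.accept_from = [ipaddress.ip_network(c, strict=False) for c in accept_from]
        self.per_ip = Counter()   # live connections per source address
        self.total = 0            # live connections overall

    def _allowed_by_cidr(self, ip):
        return not self.accept_from or any(ip in net for net in self.accept_from)

    def on_connect(self, peer):
        """Decide on a new inbound connection; returns (accepted, reason)."""
        ip = ipaddress.ip_address(peer)
        if not self._allowed_by_cidr(ip):
            return False, "ACCEPT_FROM"
        if self.max_peers is not None and self.total >= self.max_peers:
            return False, "MAX_PEERS"
        if self.max_peers_by_ip is not None and self.per_ip[ip] >= self.max_peers_by_ip:
            return False, "MAX_PEERS_BY_IP"
        self.per_ip[ip] += 1
        self.total += 1
        return True, "ok"

    def on_disconnect(self, peer):
        """Release the slot so a reconnecting peer is not locked out forever."""
        ip = ipaddress.ip_address(peer)
        if self.per_ip[ip] > 0:
            self.per_ip[ip] -= 1
            self.total -= 1
            if self.per_ip[ip] == 0:
                del self.per_ip[ip]


def simulate(policy, events):
    """Replay a constructed trace of ('connect'|'disconnect', ip) events and
    return the decision reason for every connect attempt."""
    reasons = []
    for kind, ip in events:
        if kind == "connect":
            reasons.append(policy.on_connect(ip)[1])
        else:
            policy.on_disconnect(ip)
    return reasons
```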