[zeromq-dev] Getting connection info from pipe_t?

Merijn Verstraaten merijn at inconsistent.nl
Sat Nov 17 23:45:34 CET 2012


On Nov 17, 2012, at 23:09 , Pieter Hintjens wrote:
> On Sun, Nov 18, 2012 at 3:44 AM, Merijn Verstraaten
> <merijn at inconsistent.nl> wrote:
> 
>> Identities aren't what I want, as I actually want to build some type of
>> verification of identities.
> 
> There is ZMQ_TCP_ACCEPT_FILTER but probably not quite right.
> 
> Verification based on endpoint address is pretty poor; what you want
> is authentication based on some application-level identity (user,
> etc.)

Well, yes. Which is why I wanted to use a combination of endpoint + ZMQ identity. But if I have no way of getting the endpoint I can only use identities, which complicates application authentication (but fortunately makes implementing the router rather easy).

> For one-way patterns (pub/sub, push/pull), this is simply not possible
> as there's no route to send any data from receiver to sender.
> 
> For two-way patterns (dealer/router), this is similar to
> authentication in any protocol. The client connects to server and
> sends its identity; the server accepts or rejects.  You need some kind
> of command framing and some state machine in both sides that handles
> failures and reconnections.
> 
> I'm starting to use SASL (simple authentication and security layer) as
> the basis for this. If that's too complex there are simpler
> approaches.

I didn't want the router to actually implement the entire authentication, as that is (and should be) out of scope for the working of a socket.  Wanting to use ZMQ routers exposed to the internet, I see it as a problem that routers accept any incoming identity. If you have your application's infrastructure routing messages using fixed identities, then you'd want to disallow arbitrary people from the internet connecting using it. I believe the approach I mentioned in the previous mail (providing an identity checking callback) is actually simpler and more elegant than my original plan.

You can then implement authentication however you want (for example, by having a REQ/REP pattern that returns a signed identity) without having to make your router code aware of the authentication process.

The only downside I see is that, without endpoint information, you can't really do any rate limiting to stop someone trying to brute force identities. (Although I think that problem affects the internet use of almost any ZMQ socket and is beyond the scope of what I want to solve anyway)

--
Merijn
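The scheme sketched above (a REQ/REP auth step that returns a signed identity, and a router that checks identities through a callback before accepting them), as an added illustration that is not code from this thread or from libzmq. It assumes a constructed HMAC-SHA256 token layout, a demo shared key, and a `FilteringRouter` stand-in for the callback-aware router Merijn describes; a stock ROUTER socket has no such hook.

```python
import base64, hashlib, hmac, os, struct
from typing import Callable, Optional

# Constructed demo key: only the auth service and the routers hold it; clients never do.
AUTH_KEY = b"demo-shared-key-not-for-production"

def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))

def issue_signed_identity(user: bytes, now: int, ttl: int = 3600, key: bytes = AUTH_KEY) -> bytes:
    """Token the REQ/REP auth step hands back once the user has authenticated.
    Layout: b64(user).b64(expiry||nonce).b64(HMAC-SHA256 over user||expiry||nonce)."""
    meta = struct.pack(">Q", now + ttl) + os.urandom(8)  # 8-byte expiry + 8-byte nonce
    tag = hmac.new(key, user + meta, hashlib.sha256).digest()
    return b".".join((_b64(user), _b64(meta), _b64(tag)))

def verify_identity(identity: bytes, now: int, key: bytes = AUTH_KEY) -> Optional[bytes]:
    """Identity-checking callback: returns the user name if the identity carries a
    valid, unexpired tag, else None. A guessed identity fails unless the HMAC key is known."""
    try:
        user_enc, meta_enc, tag_enc = identity.split(b".")
        user, meta, tag = _unb64(user_enc), _unb64(meta_enc), _unb64(tag_enc)
    except ValueError:  # wrong field count or malformed base64
        return None
    if len(meta) != 16:
        return None
    expected = hmac.new(key, user + meta, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    return user if now < struct.unpack(">Q", meta[:8])[0] else None

class FilteringRouter:
    """Stand-in for a ROUTER that consults a callback before accepting a peer's
    identity; a stock libzmq ROUTER accepts any identity a peer presents."""
    def __init__(self, check: Callable[[bytes], Optional[bytes]]):
        self.check, self.accepted, self.rejected = check, [], 0

    def on_message(self, identity: bytes, payload: bytes) -> bool:
        user = self.check(identity)
        if user is None:
            self.rejected += 1  # frame dropped; only counted, since there is no endpoint to rate limit
            return False
        self.accepted.append((user, payload))
        return True
```

Because the identity itself carries the signature, an attacker without the key cannot brute force a usable identity even though the router cannot see the peer's endpoint.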
