[zeromq-dev] About CURVE and ROUTER sockets

Pieter Hintjens ph at imatix.com
Sun Jan 18 19:59:07 CET 2015


On Sun, Jan 18, 2015 at 7:43 PM, André Caron <andre.l.caron at gmail.com> wrote:

> ... the
> Harmony pattern doesn't provide for secure exchange of public keys.

It is identical to any pattern. Long term key exchange has to happen
out of band. Using router-router changes nothing here. Each peer has
its LT key, and each connection negotiates a short term key.

> How would you prevent untrusted peers from connecting to your nodes?

Using authentication via ZAP (e.g. zauth).

> My current solution is to use a directory
> service which is known to all nodes prior to joining.

It's a fine design and will work with Harmony. In fact you could use
Zyre for the peer to peer parts, and a separate protocol for getting
public keys from the directory service. Authenticate using ZAP in each
node. There's an edge case where a node tries to connect and is
rejected as its peer hasn't yet received a key. That can be resolved
by using the directory service in real time, to authenticate.

-Pieter
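As an added illustration of the design Pieter sketches (ZAP authentication of CURVE peers against keys learned from a directory service, with a real-time directory lookup covering the "key not yet received" edge case), here is a ZAP request handler in pure Python. This is example code, not from the thread or from libzmq; the ZAP frame layout follows ZeroMQ RFC 27, and the directory service is simulated by a dict lookup.

```python
"""ZAP (ZeroMQ RFC 27) handler for CURVE peers with a directory fallback.

Added example, not code from the zeromq-dev thread. Frame layouts follow
RFC 27: a CURVE request carries the client's 32-byte long-term public key
as its credentials frame; the reply carries a status code and a user id.
"""

ZAP_VERSION = b"1.0"


def zap_reply(request_id, status_code, status_text, user_id=b""):
    """Six-frame ZAP reply; the trailing metadata frame is left empty."""
    return [ZAP_VERSION, request_id, status_code, status_text, user_id, b""]


def build_curve_request(request_id, domain, address, identity, pubkey):
    """Seven-frame ZAP request as libzmq sends it for a CURVE connection."""
    return [ZAP_VERSION, request_id, domain, address, identity, b"CURVE", pubkey]


def handle_zap_request(frames, local_keys, directory_lookup):
    """Authenticate one request and return the reply frames.

    local_keys: dict {32-byte public key: user id}, the node's local cache.
    directory_lookup: callable(pubkey) -> user id or None, consulted on a
    cache miss so a peer whose key has not arrived yet is still accepted.
    """
    if len(frames) < 6 or frames[0] != ZAP_VERSION:
        # Malformed request: reported as an internal error (this example's choice).
        request_id = frames[1] if len(frames) > 1 else b""
        return zap_reply(request_id, b"500", b"Malformed ZAP request")
    request_id, mechanism = frames[1], frames[5]
    if mechanism != b"CURVE":
        # NULL and PLAIN peers are refused outright: the design is key-based.
        return zap_reply(request_id, b"400", b"Only CURVE peers are allowed")
    if len(frames) != 7 or len(frames[6]) != 32:
        return zap_reply(request_id, b"400", b"Bad CURVE credentials")
    pubkey = frames[6]
    user_id = local_keys.get(pubkey)
    if user_id is None:
        user_id = directory_lookup(pubkey)  # real-time directory check
        if user_id is not None:
            local_keys[pubkey] = user_id  # cache so later connects stay local
    if user_id is None:
        return zap_reply(request_id, b"400", b"Unknown long-term public key")
    return zap_reply(request_id, b"200", b"OK", user_id)


# Constructed sample keys (32 bytes each); real ones come from zmq_curve_keypair().
KNOWN_KEY, DIRECTORY_KEY, ROGUE_KEY = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))


def demo():
    """Run one cached peer, one directory-only peer and one unknown peer."""
    local_keys, directory = {KNOWN_KEY: b"node-a"}, {DIRECTORY_KEY: b"node-b"}
    results = {}
    for name, key in (("known", KNOWN_KEY), ("directory", DIRECTORY_KEY), ("rogue", ROGUE_KEY)):
        frames = build_curve_request(b"1", b"harmony", b"192.0.2.10", b"", key)
        results[name] = handle_zap_request(frames, local_keys, directory.get)
    return results, local_keys
```

To wire this into a node, bind a REP socket on `inproc://zeromq.zap.01` in the same context as the ROUTER sockets and loop `recv_multipart` / `handle_zap_request` / `send_multipart`; libzmq routes every CURVE handshake through that endpoint before the connection is accepted.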
