[zeromq-dev] About CURVE and ROUTER sockets
Pieter Hintjens
ph at imatix.com
Sun Jan 18 19:59:07 CET 2015
On Sun, Jan 18, 2015 at 7:43 PM, André Caron <andre.l.caron at gmail.com> wrote:
> ... the
> Harmony pattern doesn't provide for secure exchange of public keys.
It is identical to any pattern. Long term key exchange has to happen
out of band. Using router-router changes nothing here. Each peer has
its LT key, and each connection negotiates a short term key.
> How would you prevent untrusted peers from connecting to your nodes?
Using authentication via ZAP (e.g. zauth).
> My current solution is to use a directory
> service which is known to all nodes prior to joining.
It's a fine design and will work with Harmony. In fact you could use
Zyre for the peer to peer parts, and a separate protocol for getting
public keys from the directory service. Authenticate using ZAP in each
node. There's an edge case where a node tries to connect and is
rejected as its peer hasn't yet received a key. That can be resolved
by using the directory service in real time, to authenticate.
-Pieter
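The ZAP authentication Pieter describes, as an added example that is not from this thread or from the ZeroMQ project: a pyzmq ROUTER serving CURVE, where a ZAP callback consults an allowlist of long-term public keys (standing in for the directory service), so a peer whose key is unknown never completes the handshake and never reaches the application. It assumes pyzmq on a libzmq built with CURVE support; `DirectoryAllowlist` and `run_demo` are hypothetical names introduced here.

```python
import zmq
from zmq.auth.thread import ThreadAuthenticator


class DirectoryAllowlist:
    """Stand-in for the directory service: the long-term public keys we trust (hypothetical)."""

    def __init__(self, allowed_keys):
        self.allowed = set(allowed_keys)

    def callback(self, domain, key):
        # Invoked by the ZAP handler on every CURVE handshake; key is the z85 public key (bytes).
        return key in self.allowed


def run_demo(timeout_ms=1500):
    """Let one trusted DEALER through and reject an unknown one; return who got a message in."""
    ctx = zmq.Context()
    server_pub, server_sec = zmq.curve_keypair()      # node's long-term (LT) key pair
    trusted_pub, trusted_sec = zmq.curve_keypair()    # LT key published via the directory
    unknown_pub, unknown_sec = zmq.curve_keypair()    # LT key the directory has never seen

    auth = ThreadAuthenticator(ctx)                   # ZAP handler on inproc://zeromq.zap.01
    auth.start()
    auth.configure_curve_callback("*", DirectoryAllowlist([trusted_pub]))

    router = ctx.socket(zmq.ROUTER)
    router.curve_secretkey = server_sec
    router.curve_publickey = server_pub
    router.curve_server = True                        # every connection negotiates a short-term key
    port = router.bind_to_random_port("tcp://127.0.0.1")

    received = {}
    for name, pub, sec in (("trusted", trusted_pub, trusted_sec), ("unknown", unknown_pub, unknown_sec)):
        peer = ctx.socket(zmq.DEALER)
        peer.curve_secretkey = sec
        peer.curve_publickey = pub
        peer.curve_serverkey = server_pub             # server LT key learned out of band
        peer.linger = 0
        peer.connect(f"tcp://127.0.0.1:{port}")
        peer.send(name.encode())
        # A rejected handshake never completes, so nothing arrives before the timeout.
        received[name] = router.poll(timeout_ms) != 0
        if received[name]:
            router.recv_multipart()
        peer.close()

    router.close()
    auth.stop()
    ctx.term()
    return received


if __name__ == "__main__":
    print(run_demo())   # {'trusted': True, 'unknown': False}
```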