Re: [zeromq-dev] Using CurveZMQ to secure multiple sockets?

2016-10-05 Thread Mark Gillott
On Wed, 2016-10-05 at 14:56 +0100, Luca Boccassi wrote:
> zauth and zcert can work with any socket and are the correct choice.
> Curvezmq was a proof of concept (and made to bring auth for the legacy
> libraries) and should not be used with libzmq/czmq as there's built in
> support.
> 

OK so authentication/encryption needs to be (separately) applied to
every socket. And if some other part of the system springs up a socket
between client & server for its own use, it has to remember to build in
the zauth/zcert calls.

Mark

> On 5 October 2016 at 09:27, Mark Gillott <mgill...@brocade.com> wrote:
> > Suppose we have a server and one or more client applications that
> > communicate using a number of 0MQ sockets; a ROUTER-DEALER, a PUB-SUB
> > and a REP-REQ.
> >
> > Is it possible to use CurveZMQ to secure all of these connections? Using
> > the various zactor, zcert & zsock_set_curve functions I can secure the
> > ROUTER-DEALER connections. But what about the other two?
> >
> > What I really want to be able to do is secure the lower layer
> > transport such that *any* 0MQ socket between client & server is always
> > secure. From the curvezmq.org page:
> >
> > To secure a single hop between client and server, which is the
> > CurveCP use case. For this use case we would embed CurveZMQ in
> > the transport layer so that it can work for all patterns
> > (publish-subscribe, pipeline, and so on).
> >
> > Yet I can't find any example. The examples I've seen secure a single
> > socket. Have I misunderstood? Can I build a CurveZMQ-based "pipe" over
> > which other 0MQ sockets can operate?
> >
> > Thanks,
> >
> > Mark

___
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
http://lists.zeromq.org/mailman/listinfo/zeromq-dev

[zeromq-dev] Using CurveZMQ to secure multiple sockets?

2016-10-05 Thread Mark Gillott
Suppose we have a server and one or more client applications that
communicate using a number of 0MQ sockets; a ROUTER-DEALER, a PUB-SUB
and a REP-REQ.

Is it possible to use CurveZMQ to secure all of these connections? Using
the various zactor, zcert & zsock_set_curve functions I can secure the
ROUTER-DEALER connections. But what about the other two?

What I really want to be able to do is secure the lower layer
transport such that *any* 0MQ socket between client & server is always
secure. From the curvezmq.org page:

To secure a single hop between client and server, which is the
CurveCP use case. For this use case we would embed CurveZMQ in
the transport layer so that it can work for all patterns
(publish-subscribe, pipeline, and so on).

Yet I can't find any example. The examples I've seen secure a single
socket. Have I misunderstood? Can I build a CurveZMQ-based "pipe" over
which other 0MQ sockets can operate?

Thanks,

Mark

Re: [zeromq-dev] Access to underlying Linux socket?

2016-02-11 Thread Mark Gillott
On Wed, 2016-02-10 at 23:33 +, Luca Boccassi wrote:
> On Feb 10, 2016 20:39, "Mark Gillott" <mgill...@brocade.com> wrote:
> >
> > On Wed, 2016-02-10 at 20:45 +0100, Pieter Hintjens wrote:
> > > You can't do this really, since one ZeroMQ socket can map to 0..n
> > > system sockets.
> > >
> >
> > Had a feeling that was going to be the case.
> >
> > > There is a new option on libzmq master that lets you pre-configure a
> > > FD and give it to ZeroMQ to use for its first pipe. (ZMQ_USE_FD).
> > >
> >
> > Care to expand a bit more? Is there something (test code? source module)
> > you can point me at?
> 
> I can point you to the guy who developed that option. He sits a few
> meters from you in the same office and he has an awesome beard. :-)
> 

Is that the Italian guy who likes to add chicken to his pizza? :-).

> > > A custom hook to configure new sockets is a nice idea.
> > >
> >
> > So you register a hook with a newly created socket and you would get a
> > callback just prior to any bind/connect. Is that the idea? In czmq
> > terms, something like:
> >
> > s = zsock_new(ZMQ_REP)
> > zsock_configure(s, myfunc, myarg)
> > zsock_bind(s)
> >
> > The callback would be provided with the base socket?
> 
> Nice. That could work because all actual system sockets are created
> after bind/connect. And in CZMQ we could add a global zsys switch that
> applies it automatically to all sockets to make it more convenient.
> 
> But the problem is that such callback should be executed for all
> sockets, be they TCP or IPC or inproc. So, there needs to be a way to
> discriminate somehow, as what you can do with the FD varies wildly.
> 
> It could be left to the application developer to be careful, but I
> think that's confusing and likely to cause troubles.
> 

Rather than a global callback, couldn't you attach the callback to
individual sockets?

Catch you later (if you're still talking to me!),

Mark

> Kind regards,
> Luca Boccassi
> 



Re: [zeromq-dev] Access to underlying Linux socket?

2016-02-11 Thread Mark Gillott
On Wed, 2016-02-10 at 23:33 +, Luca Boccassi wrote:
> > > There is a new option on libzmq master that lets you pre-configure a
> > > FD and give it to ZeroMQ to use for its first pipe. (ZMQ_USE_FD).
> > >
> >
> > Care to expand a bit more? Is there something (test code? source module)
> > you can point me at?
> 
> I can point you to the guy who developed that option. He sits a few
> meters from you in the same office and he has an awesome beard. :-)
> 

Many thanks Luca.

To close the loop on this. Luca & I talked and the ZMQ_USE_FD option
solves the issue for listener (bind) sockets. Unfortunately there needs
to be a different solution for when an application wants to set an
option prior to a ZeroMQ connect (need the option to be persistent
across "reconnects"). Kicking around a few ideas.

Mark
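
The listener (bind) case described above, as an added example that is not code from this thread or from libzmq: the application creates and configures the TCP listener itself, then passes the descriptor to libzmq with ZMQ_USE_FD before zmq_bind(). The names preconfigured_listener, sockopt_spec and read_sockopt are hypothetical, and any ordinary SOL_SOCKET option stands in for the new kernel facility's option, which the thread does not name.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

/* One int-valued SOL_SOCKET option to apply before the listener is bound. */
struct sockopt_spec { int name; int value; };

/* Read an int-valued SOL_SOCKET option back from fd; -1 on error. */
int read_sockopt(int fd, int name)
{
    int v = 0;
    socklen_t len = sizeof v;
    return getsockopt(fd, SOL_SOCKET, name, &v, &len) == 0 ? v : -1;
}

/* Create a TCP listener on ip:*port (0 = kernel picks; the chosen port is
 * written back), applying every option BEFORE bind(). Returns fd or -1. */
int preconfigured_listener(const char *ip, uint16_t *port,
                           const struct sockopt_spec *opts, size_t n)
{
    struct sockaddr_in addr = {0};
    socklen_t alen = sizeof addr;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;

    addr.sin_family = AF_INET;
    addr.sin_port = htons(*port);
    if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1)
        goto fail;

    for (size_t i = 0; i < n; i++)
        if (setsockopt(fd, SOL_SOCKET, opts[i].name,
                       &opts[i].value, sizeof opts[i].value) != 0)
            goto fail;          /* never hand over a half-configured fd */

    /* ZMQ_USE_FD expects a descriptor that is already bound and listening. */
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 ||
        listen(fd, SOMAXCONN) != 0 ||
        getsockname(fd, (struct sockaddr *)&addr, &alen) != 0)
        goto fail;
    *port = ntohs(addr.sin_port);
    /* Hand-over, done by the caller with libzmq (not compiled here):
     *   zmq_setsockopt(zsock, ZMQ_USE_FD, &fd, sizeof fd);
     *   zmq_bind(zsock, "tcp://<ip>:<port>");    same address as above */
    return fd;
fail:
    close(fd);
    return -1;
}
```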


[zeromq-dev] Access to underlying Linux socket?

2016-02-10 Thread Mark Gillott
[I'm sure this must have been asked before, but can't find anything]

Is there a facility or method to "map" a 0MQ socket to its supporting
Linux socket?

Working with a Linux kernel that has some new networking facility
together with socket extensions to control the facility. With vanilla
sockets this results in calls to setsockopt(sockfd, SOL_SOCKET, ...).

But how do I manage 0MQ sockets wanting to enable/control this facility?
Can I obtain the Linux socket and thus use native setsockopt() calls? Or
is the only option to generate (& maintain) zmq_set_xyz() & zmq_xyz()
patches for the base ZMQ library (together with the various language
bindings - C, Python, Perl, etc)?

Cheers,

Mark



Re: [zeromq-dev] Access to underlying Linux socket?

2016-02-10 Thread Mark Gillott
On Wed, 2016-02-10 at 20:45 +0100, Pieter Hintjens wrote:
> You can't do this really, since one ZeroMQ socket can map to 0..n
> system sockets.
> 

Had a feeling that was going to be the case.

> There is a new option on libzmq master that lets you pre-configure a
> FD and give it to ZeroMQ to use for its first pipe. (ZMQ_USE_FD).
> 

Care to expand a bit more? Is there something (test code? source module)
you can point me at?

> A custom hook to configure new sockets is a nice idea.
> 

So you register a hook with a newly created socket and you would get a
callback just prior to any bind/connect. Is that the idea? In czmq
terms, something like:

s = zsock_new(ZMQ_REP)
zsock_configure(s, myfunc, myarg)
zsock_bind(s)

The callback would be provided with the base socket? 

Thanks,

Mark

> -Pieter
> 
> On Wed, Feb 10, 2016 at 6:29 PM, Jerry Scharf
> <sch...@lagunawayconsulting.com> wrote:
> > Mark,
> >
> > As a comment from the peanut gallery, it is generally a bad thing to
> > leak that information up the protocol stack. Rather than getting that
> > information back, it might be better to be able to attach user callout
> > hooks at the places where you would want to make changes. That way there
> > is still a unified code base and you can write and install your hook
> > code to do your special work. It also allows people to do other things
> > without needing to invent another mechanism.
> >
> > That's the way I have liked it the best when these things came up with
> > other systems.
> >
> > jerry
> >
> > On 02/10/2016 07:50 AM, Mark Gillott wrote:
> >> [I'm sure this must have been asked before, but can't find anything]
> >>
> >> Is there a facility or method to "map" a 0MQ socket to its supporting
> >> Linux socket?
> >>
> >> Working with a Linux kernel that has some new networking facility
> >> together with socket extensions to control the facility. With vanilla
> >> sockets this results in calls to setsockopt(sockfd, SOL_SOCKET, ...).
> >>
> >> But how do I manage 0MQ sockets wanting to enable/control this facility?
> >> Can I obtain the Linux socket and thus use native setsockopt() calls? Or
> >> is the only option to generate (& maintain) zmq_set_xyz() & zmq_xyz()
> >> patches for the base ZMQ library (together with the various language
> >> bindings - C, Python, Perl, etc)?
> >>
> >> Cheers,
> >>
> >> Mark
> >>