Hi Burak, I have very little experience with security so bear with me if my questions are stupid.
> (X)REP/REQ sockets use message parts to store target nodes. If the > payload of the message is important enough to bother with complex > cryptography, its routing state also should be. > What's the possible attack scenario here? 1. Someone may find out that A is sending message to B. 2. Someone may fake a reply to be sent to the particular endpoint instead of regular reply. 3. Someone may fake a request to solicit a reply to be sent to a particular endpoint. If we want 0mq to become a generic internet-scale fabric, we have to treat intermediary nodes as untrusted. Otherwise we would be able to build only topologies that are fully owned by a single entity. If the intermediary nodes are untrusted they can track how messages are being routed. Thus I think scenario 1. cannot be prevented. As for 2. and 3. I would assume there are ways to ensure that reply corresponds to a particular request and that it was generated by the authorised service. I would further guess that it can be done on message level rather than having to mess with routing info. > It doesn't make sense to encrypt routing state as it has to be readable > by intermediate nodes. It may make sense to expose only the NEXT node, > but it will prevent routers from making shortest path decisions (???) > and will also force a router to handle both the requests and the > responses of a message exchange. so it's not a good idea to enrypt > message identities. > Finding shortest path is a functionality provided on IP level. Implementing a duplicit functionality on 0mq level would be a bad design choice. Also, passing both request and corresponding reply through the same middle node is a desirable characteristic as it allows for all kinds of interesting services provided by the intermediaries. Martin _______________________________________________ zeromq-dev mailing list [email protected] http://lists.zeromq.org/mailman/listinfo/zeromq-dev
