I'm not sure I've 100% understood identities correctly, or maybe I
have... I'd like to use identities as a sort of validated login cookie
to make associating incoming data with a connection a wee bit easier,
something like:
import zmq ; zc = zmq.Context(1)
# Perform authentication.
sockAuth = zc.socket(zmq.REQ)
sockAuth.connect(authenticatorUri)
sockAuth.send(fancySchmancyEncryptedCredentials)
reply = sockAuth.recv()
sockAuth = None
if not reply or reply == "Go away":
# If this was real code, the message would be far sillier.
raise Exception("Login denied, or something. Possibly cake.")
# Obviously, sending the sessionId in plain text like this
# would be a bad idea, but I only want to write so much
# pseduo code. Writing comments, that I could do all day...
sessionId = reply.sessionId
# Now log in to the service.
sockSvc = zc.socket(zmq.XREQ)
sockSvc.setsockopt(zmq.IDENTITY, sessionId)
sockSvc.connect(reply.serviceUri)
sockSvc.send("Hello! You may recall me from such credentials as " +
fancySchmancyEncryptedCredentials + random.random())
reply = sockSvc.recv()
if reply[:8] != "Biscuits":
raise Exception("Should have gone with the cake :(")
# I wish I hadn't opened with a mention of cookies...
return sockSvc, reply[8:]
If cookies work the way I think, the only issue with this would be the
vulnerability to MITM injection?
If that's the case, my thinking is that the session ID + initial
[encrypted, not clear] exchange would double as the initial
application-level component for crypto seeding.
That would [effectively] prevent a different application instance or
imposter or bug causing a different connection to correctly communicate
as that identity, but would it also prevent the genuine application from
re-establishing the same tcp connection in the case of intermediate
network failure? e.g.
sock, seed = aboveCode()
sock.send(encryptedMsg)
system "ifconfig eth0 down"
sleep(30)
system "ifconfig eth0 up"
response = sock.recv()
If this is all sounding feasible...
- How would I poke ZeroMQ to give me a specific delivery tolerance?
sock.setsockopt(zmq.TIMEOUT, 30 * 1000)
- Is there a way to tell the XREP socket on the server to flush any
backlog/close the underlying tcp socket associated with a particular
identity?
serverSideSock = zc.socket(zmq.XREP)
...
def noMoreCakeFor(identity):
serverSideSock.setsockopt(zmq.DISCONNECT_IDENTITY, identity)
- Most importantly, where and how much overhead does the identity
impose across a single ZMQ-hop?
client <----wan-but-no-devices---> server
Is it only in the handshaking? Is it repeated periodically? Or
is it a per-message overhead?
- Oliver
_______________________________________________
zeromq-dev mailing list
[email protected]
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
