On Mon, Mar 31, 2014 at 09:27:20PM +0200, Laurent Alebarde wrote:
> Hi Greg,
> 
> As far as I know, encryption is per socket. So you can have one
> context, and in this context, one CURVE socket for the wild, and one
> NULL socket for your homeland.
> 
> Laurent
> 
> >On 31/03/2014 21:12, Greg Ward wrote:
> >Hi all --
> >
> >I'm helping maintain a ZeroMQ-based system that currently uses a
> >homebrew cryptosystem on top of libzmq 3.2.4. Obviously I'd like to
> >upgrade to curve and libzmq 4. While I'm doing that, I'd like to
> >change it so that only untrusted connections (across the Internet) are
> >subject to encryption and authentication. Connections within our data
> >center do not need the overhead.
> >
> >My understanding is that encryption/authentication is per-context, so
> >the server process that talks to both remote hosts (across the
> >Internet) and local hosts (inside our data center) would need *two*
> >contexts. Is this correct?
> >
> >My rationale, incidentally, is twofold: 1) reduce administrative
> >overhead, 2) reduce latency. Of course we need to maintain keys and
> >certificates for the hosts that we talk to out there on the Internet,
> >but it's annoying that we have to maintain them for hosts inside our
> >data center. I'd like to get rid of that. I also want to ditch the
> >overhead (network and CPU) of crypto + authentication when we don't
> >need it. Not sure how big a factor that is with libzmq 4, but it's
> >definitely a factor with our current homebrew cryptosystem.
> >
> >        Greg

Now an interesting question is:

Can I have ONE (server) socket that accepts both CURVE and NULL connects?

I imagine on connect a ZAP request is generated and the ZAP handler
could accept NULL connects for local IPs and only CURVE for external
ones.

Is that possible? Or does setting a CURVE keypair for the (server)
socket require all connects to use CURVE?

Best regards
        Goswin

PS: Google did not encrypt traffic within its own network for the same
reasons and then the NSA did listen in. Are you sure your network is
really 100% secure?
_______________________________________________
zeromq-dev mailing list
[email protected]
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
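The policy Goswin sketches above, as an added example that is not code from this thread or from libzmq: a ZAP (ZeroMQ Authentication Protocol, RFC 27) handler that accepts NULL connections only from trusted data-centre address ranges and requires a known CURVE client key from everywhere else. It works on the raw frame list a ZAP handler reads from its REP socket bound to inproc://zeromq.zap.01 and builds the reply frames, so it runs without libzmq; the names zap_handle, is_trusted_address, TRUSTED_NETS and ALLOWED_CURVE_KEYS, the address ranges and the sample key are all assumptions for the example, and the request frames in the usage are constructed. One caveat a practitioner should know before relying on this: libzmq 4 configures a single mechanism per socket (for example ZMQ_CURVE_SERVER), and ZMTP 3 peers announce their mechanism in the greeting, so a NULL client connecting to a CURVE server socket is rejected at the handshake before any ZAP request is produced. The dispatch on the mechanism frame below therefore only matters for mechanisms the socket itself permits; the address-based decision is what carries the "local vs. external" policy.

```python
"""ZAP 1.0 handler logic: NULL only from trusted ranges, CURVE elsewhere.

Added example, not code from the zeromq-dev thread or from libzmq.
Frame layout follows RFC 27 (http://rfc.zeromq.org/spec:27):
  request: version, request id, domain, address, identity, mechanism, credentials...
  reply:   version, request id, status code, status text, user id, metadata
"""
import ipaddress
from typing import Iterable, List

ZAP_VERSION = b"1.0"

# Assumed data-centre ranges for this example; replace with your own.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample allow-list of CURVE client long-term public keys.
# ZAP delivers the key as 32 raw bytes in the credentials frame.
ALLOWED_CURVE_KEYS = {bytes(range(32))}


def is_trusted_address(addr: str, nets: Iterable = TRUSTED_NETS) -> bool:
    """True if the peer address libzmq reported lies inside a trusted range.

    A socket bound with IPv6 enabled may report IPv4 peers as ::ffff:a.b.c.d,
    so IPv4-mapped addresses are unwrapped before the range check.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable address: never treat as local
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in nets)


def _reply(request_id: bytes, status: bytes, text: bytes,
           user_id: bytes = b"") -> List[bytes]:
    """Build a ZAP reply; the request id must be echoed back unchanged."""
    return [ZAP_VERSION, request_id, status, text, user_id, b""]


def zap_handle(frames: List[bytes]) -> List[bytes]:
    """Decide one ZAP request. Returns the reply frames to send on the REP socket."""
    if len(frames) < 6 or frames[0] != ZAP_VERSION:
        rid = frames[1] if len(frames) > 1 else b""
        return _reply(rid, b"500", b"bad ZAP request")

    _version, request_id, _domain, address, _identity, mechanism = frames[:6]
    credentials = frames[6:]
    addr = address.decode("ascii", "replace")

    if mechanism == b"NULL":
        # Unauthenticated peers are only acceptable from inside the data centre.
        if is_trusted_address(addr):
            return _reply(request_id, b"200", b"OK", b"local")
        return _reply(request_id, b"400", b"NULL not permitted from this address")

    if mechanism == b"CURVE":
        # CURVE already proved possession of the private key during the
        # handshake; ZAP's job is only to say whether that key is known.
        if len(credentials) != 1 or len(credentials[0]) != 32:
            return _reply(request_id, b"400", b"malformed CURVE credentials")
        if credentials[0] in ALLOWED_CURVE_KEYS:
            return _reply(request_id, b"200", b"OK", b"remote")
        return _reply(request_id, b"400", b"unknown CURVE public key")

    # PLAIN (or anything else) is not part of this policy.
    return _reply(request_id, b"400", b"mechanism not allowed")


def run_zap_handler(context) -> None:
    """Serve zap_handle on the well-known inproc endpoint using pyzmq.

    Not exercised by the sample below; requires pyzmq and a context whose
    sockets have ZMQ_CURVE_SERVER set. Runs until the context is terminated.
    """
    import zmq  # imported here so the policy logic above stays dependency-free
    sock = context.socket(zmq.REP)
    sock.bind("inproc://zeromq.zap.01")
    while True:
        sock.send_multipart(zap_handle(sock.recv_multipart()))


if __name__ == "__main__":
    # Constructed requests: a NULL connect from inside, one from outside,
    # and a CURVE connect from outside with the sample key.
    for req in (
        [b"1.0", b"1", b"global", b"10.1.2.3", b"", b"NULL"],
        [b"1.0", b"2", b"global", b"203.0.113.5", b"", b"NULL"],
        [b"1.0", b"3", b"global", b"203.0.113.5", b"", b"CURVE", bytes(range(32))],
    ):
        print(req[3], req[5], zap_handle(req)[2:4])
```

The handler deliberately refuses rather than falls through when the address cannot be parsed or the credentials frame is the wrong size; a ZAP handler that answers anything other than 200 causes libzmq to drop the peer, which is the safe default for a policy whose whole purpose is to keep unauthenticated traffic off the Internet-facing path.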
