I have recently used zmq in some projects, and although I like it very much
and think it is awesome, I feel that it needs some new features implemented
for the TCP transport to be widely usable everywhere (in untrusted and
unreliable environments).
I will try to summarize them in one place and kindly ask you (the people
developing this product) to comment on each feature:
• Whether it fits in the zmq framework/philosophy?
• Is it hard to implement?
• Could it be implemented (or planned to be implemented)? And
in what release? (Or how many releases away from now?)
• Will you approve and merge it if someone makes a patch? For what
release?
1. zmq->socket(*)->setsockopt(ZMQ_TCP_KEEPALIVE) on both (server and
client) ends for fault-tolerant connections
(we also need KEEPALIVE_IDLE, KEEPALIVE_INTVL, KEEPALIVE_CNT to properly
configure it).
Without it, for example, zmq->socket(SUB)->connect(tcp://) will not reconnect
and will hang forever if the remote side silently falls off at some point after
the successful connect and the PUB server socket connected to this endpoint will
be closed while the server is still off-line.
2. zmq->socket(*)->setsockopt(ZMQ_TCP_MAX_PEERS, int) before
zmq->socket(*)->bind(tcp://) to preserve server resources in case of an evil
while(true){connect()}; attack or a bug in the code
3. zmq->socket(*)->setsockopt(ZMQ_TCP_MAX_PEERS_BY_IP, int) before
zmq->socket(*)->bind(tcp://) to limit the impact of DDoS-like situations
4. multiple zmq->socket(*)->setsockopt(ZMQ_TCP_ACCEPT_FROM, cidr)
before/after zmq->socket(*)->bind(tcp://) to allow zmq->socket(*)->accept()
connections from only trusted IPs
(no filtering by default).
5. zmq->socket(*)->setsockopt(ZMQ_TCP_AUTH_TOKEN, string) on server and
client sides for peer authentication… This is tough… it breaks protocol
compatibility…
a. weak but easy to add: the client will send this token (or nothing by
default) in the connect packet. The server will match it if configured (or skip
this check by default).
b. sufficient: the client asks for a random SALT in the connect phase, then sends
his md5(SALT, ZMQ_TCP_AUTH_TOKEN) in the 2nd connect packet. The server matches
it with the saved SALT and his ZMQ_TCP_AUTH_TOKEN.
6. zmq->socket(*)->disconnect(tcp://connstring) as the opposite to
zmq->socket(*)->connect(tcp://connstring)
_______________________________________________
zeromq-dev mailing list
[email protected]
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
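
An added example, not part of the original message and not libzmq code, of the accept-time checks proposed in items 2 to 4: a total peer cap, a per-IP cap and a CIDR allow list evaluated on each new connection. The names admit_t, admit_allow, admit_peer and admit_release are hypothetical, and only IPv4 is handled.

```c
/* Added illustration; all names are hypothetical, not libzmq API. IPv4 only. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 64
typedef struct { uint32_t net, mask; } cidr_t;      /* host byte order */
typedef struct {
    cidr_t allow[8]; int n_allow;  /* empty list = no filtering (item 4 default) */
    int max_peers, max_per_ip;     /* items 2 and 3 */
    uint32_t peer[MAX_TRACKED]; int n_peers;  /* one entry per live connection */
} admit_t;
typedef enum { ADMIT_OK, DENY_ADDR, DENY_CIDR, DENY_PER_IP, DENY_FULL } verdict_t;

/* Add "a.b.c.d/len" to the allow list; 0 on success, -1 if malformed or full. */
int admit_allow(admit_t *a, const char *cidr) {
    char buf[INET_ADDRSTRLEN], *end; struct in_addr ip;
    const char *slash = strchr(cidr, '/');
    if (!slash || (size_t)(slash - cidr) >= sizeof buf || a->n_allow >= 8) return -1;
    memcpy(buf, cidr, slash - cidr); buf[slash - cidr] = '\0';
    long len = strtol(slash + 1, &end, 10);
    if (slash[1] < '0' || slash[1] > '9' || *end || len > 32) return -1;
    if (inet_pton(AF_INET, buf, &ip) != 1) return -1;
    uint32_t mask = len ? 0xFFFFFFFFu << (32 - len) : 0;  /* never shift by 32 */
    a->allow[a->n_allow++] = (cidr_t){ ntohl(ip.s_addr) & mask, mask };
    return 0;
}

/* Verdict for a new connection from ip_str; the peer is recorded when admitted. */
verdict_t admit_peer(admit_t *a, const char *ip_str) {
    struct in_addr ip; int same = 0, ok = (a->n_allow == 0);
    if (inet_pton(AF_INET, ip_str, &ip) != 1) return DENY_ADDR;
    uint32_t h = ntohl(ip.s_addr);
    for (int i = 0; i < a->n_allow; i++) ok |= (h & a->allow[i].mask) == a->allow[i].net;
    for (int i = 0; i < a->n_peers; i++) same += (a->peer[i] == h);
    if (!ok) return DENY_CIDR;
    if (same >= a->max_per_ip) return DENY_PER_IP;
    if (a->n_peers >= a->max_peers || a->n_peers >= MAX_TRACKED) return DENY_FULL;
    a->peer[a->n_peers++] = h;
    return ADMIT_OK;
}

/* Free one slot when a connection from ip_str closes. */
void admit_release(admit_t *a, const char *ip_str) {
    struct in_addr ip;
    if (inet_pton(AF_INET, ip_str, &ip) != 1) return;
    for (int i = 0; i < a->n_peers; i++)
        if (a->peer[i] == ntohl(ip.s_addr)) { a->peer[i] = a->peer[--a->n_peers]; return; }
}
```

A listener would call admit_peer() right after accept() and close the socket on any verdict other than ADMIT_OK, then call admit_release() when an admitted connection closes.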