VOLTTRON / volttron

VOLTTRON Distributed Control System Platform
https://volttron.readthedocs.io/

Drop support for NULL authentication mechanism #881

Open zbeech opened 7 years ago

zbeech commented 7 years ago

According to https://rfc.zeromq.org/spec:27/ZAP:

"The NULL mechanism provides no security credentials but allows a server to filter bogus clients on the basis of IP address."

I don't think we should provide the NULL mechanism as an option. There are better ways to do IP filtering. I also don't like that NULL provides encryption without authentication. I think there should be at most two options:

  1. Encryption and authentication via the CURVE mechanism
  2. No encryption and no authentication via the --developer-mode (or some other explicit parameter like --no-encryption or --no-security)

And it looks like we want to drop that second option anyway (see #835).

Also see #541.
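
An added example, not part of the comment above and not VOLTTRON's code: a ZAP (ZeroMQ RFC 27) handler policy that refuses the NULL mechanism and accepts CURVE only for known public keys. It works on raw ZAP frames without a ZeroMQ dependency; `handle_zap_request`, `AUTHORIZED_KEYS`, the `vip` domain and the sample requests are assumptions constructed for illustration.

```python
# Added example: CURVE-only policy applied to ZAP (RFC 27) request frames.
# All names and sample values here are hypothetical, not taken from VOLTTRON.

ZAP_VERSION = b"1.0"

# Constructed allow-list: 32-byte CURVE public key -> user id (not a real key).
AUTHORIZED_KEYS = {bytes(range(32)): b"agent-1"}

# Constructed sample requests (frames after the empty delimiter):
# version, request id, domain, address, identity, mechanism, credentials...
NULL_REQUEST = [b"1.0", b"1", b"vip", b"192.0.2.10", b"", b"NULL"]
CURVE_KNOWN = [b"1.0", b"2", b"vip", b"192.0.2.10", b"", b"CURVE", bytes(range(32))]
CURVE_UNKNOWN = [b"1.0", b"3", b"vip", b"192.0.2.10", b"", b"CURVE", bytes(32)]


def _reply(request_id, code, text, user_id=b""):
    # ZAP reply frames: version, request id, status code, status text,
    # user id, metadata (left empty in this example).
    return [ZAP_VERSION, request_id, code, text, user_id, b""]


def handle_zap_request(frames, authorized=AUTHORIZED_KEYS):
    """Return the ZAP reply frames for one request."""
    if len(frames) < 6:
        return _reply(b"", b"400", b"Malformed ZAP request")
    version, request_id, _domain, _address, _identity, mechanism = frames[:6]
    credentials = frames[6:]
    if version != ZAP_VERSION:
        return _reply(request_id, b"400", b"Unsupported ZAP version")
    # NULL carries no credentials, so the only possible basis for a decision
    # would be the peer address. This policy refuses it outright.
    if mechanism != b"CURVE":
        return _reply(request_id, b"400", b"Mechanism not allowed")
    # CURVE credentials are a single frame: the client's 32-byte public key.
    if len(credentials) != 1 or len(credentials[0]) != 32:
        return _reply(request_id, b"400", b"Invalid CURVE credentials")
    user_id = authorized.get(credentials[0])
    if user_id is None:
        return _reply(request_id, b"400", b"Unknown public key")
    return _reply(request_id, b"200", b"OK", user_id)


if __name__ == "__main__":
    for request in (NULL_REQUEST, CURVE_KNOWN, CURVE_UNKNOWN):
        print(request[5], handle_zap_request(request)[2:4])
```
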

zbeech commented 7 years ago

Brandon mentioned we might want to keep the NULL mechanism around for IPC.