Re: [mosquitto-dev] Interface of auth plug-in and complex security policies

Dear Roger,

Thank you for the reply! Comments inline.

On Tue, Sep 16, 2014 at 1:23 PM, Roger Light <roger@xxxxxxxxxx> wrote:
Hi Ricardo,

> In the context of our research on security for IoT systems we implemented
> some changes in the Mosquitto auth plug-in interface with the broker, and we
> would like to ask your opinion about this work.

Great, I'm always interested to hear what other people have been
doing. I've had some plans for auth plugin changes for a while.

> In a nutshell our changes are:
>
> 1 - Additional calls from the broker to the auth plugin when a message is
> delivered to a subscriber, and when a client disconnects, in addition to the
> calls for publish/subscribe.

At the moment the broker makes a check when a message is received from
a client or before a message is delivered to a client. It also makes a
check at subscribe time, but it is not possible to distinguish between
a subscribe ACL and an outgoing message ACL. This is something that
has been discussed on this list relatively recently - with the outcome
that a new MOSQ_ACL_SUBSCRIBE would be introduced.

You are right, the current version (1.3.4) does the ACL check when the message is delivered to the subscriber.
I'm not sure the check at subscription time is happening. I just did some tests and it did not work; there is no call to acl_check.

I'm intrigued by adding calls for when the client disconnects - could
you explain what you hope to use that for?

The idea is to monitor the connect/disconnect behavior of clients: to check how long clients remain connected and what their message pattern is until they disconnect.
We also added the option to block the connection of clients, and to block specific IP addresses, for instance.
 

> 2 - Additional parameters to the auth-plugin for information about the
> topic, payload, and client (e.g. IP address).

Yes, there are already bugs raised around this topic. There definitely
needs to be more information provided.

> 3 - Additional enforcement options to allow the auth-plugin to modify the
> topic, the message payload, and to delay messages in addition to allowing or
> denying only.

My initial thought here is that I'm not sure that an authentication
plugin is the correct place for this - it would be better implemented
in a more general plugin (the interface for which doesn't yet exist of
course). Have you already implemented delaying messages? I feel as
though that could be problematic to do.
 
We implemented delay at the plug-in layer, which basically delays returning success.
This is of course not the right way to do it; it should be an option embedded in the broker, but we implemented it this way just for demonstration.
I agree with you, this goes beyond authentication. Maybe a general plugin that could subscribe to/intercept all protocol messages would be the right way to go.

 
> We believe these additional changes could be added to Mosquitto in a future
> release to improve the flexibility of the security management, to allow
> obfuscation of messages, and dynamic context-based policies that are
> enforced not only when clients subscribe but also later when messages are
> delivered to them.

Great, I definitely agree with some of your proposed changes - we'll
have to discuss the rest of them :)

> How is the procedure to suggest/contribute to these changes for the next
> releases of Mosquitto?

The next release of mosquitto, 1.4, is mostly just going through bug
squashing, but I would be pleased to look at it for 1.5. The procedure
for contributing is outlined in this document:
http://git.eclipse.org/c/mosquitto/org.eclipse.mosquitto.git/tree/CONTRIBUTING.md
You should note that for administrative reasons the code in the git
repository is not current, but this will be fixed on the release of
1.4.

I will read the details about contributing and, after release 1.4, discuss with my colleagues the possibility of contributing to it.

Thanks again!

Ricardo
 
Regards,

Roger
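Roger's point about telling a subscribe ACL apart from an outgoing-message ACL, and the client context (such as the IP address) that Ricardo wants passed to the plug-in, as an added example that is not part of this thread or of Mosquitto's own code: a self-contained ACL check with separate ACL_SUBSCRIBE and ACL_READ decisions over a constructed rule table. The constant values follow mosquitto_plugin.h; the rule table, the IP-prefix rule and the function names are assumptions made for this example.

```c
/* Added example, not Mosquitto's code: an ACL check separating the subscribe-time
 * decision (ACL_SUBSCRIBE) from the per-message delivery check (ACL_READ), with the
 * client IP as context. Constants follow mosquitto_plugin.h; policy is constructed. */
#include <stdbool.h>
#include <string.h>
#define ACL_READ      1   /* message about to be delivered to the client */
#define ACL_WRITE     2   /* message published by the client */
#define ACL_SUBSCRIBE 4   /* client sent a SUBSCRIBE for a topic filter */

struct acl_rule {
    const char *filter;     /* MQTT topic filter, '+' and '#' wildcards */
    int access;             /* bitmask of ACL_* values this rule grants */
    const char *ip_prefix;  /* required prefix of client IP, NULL = any */
};
/* Constructed policy: LAN clients (10.0.x.x) get all of sensors/, others only public. */
static const struct acl_rule policy[] = {
    { "sensors/#",        ACL_SUBSCRIBE | ACL_READ, "10.0." },
    { "sensors/+/temp",   ACL_WRITE,                "10.0." },
    { "sensors/public/#", ACL_SUBSCRIBE | ACL_READ, NULL    },
};

/* Level-by-level MQTT match: '+' covers one level, '#' the remainder (and the parent
 * level). A client's subscription filter is compared literally, so it passes only if
 * the policy filter is at least as broad, which errs toward denial. */
static bool topic_matches(const char *filter, const char *topic)
{
    for (;;) {
        const char *fe = strchr(filter, '/'), *te = strchr(topic, '/');
        size_t flen = fe ? (size_t)(fe - filter) : strlen(filter);
        size_t tlen = te ? (size_t)(te - topic) : strlen(topic);
        if (flen == 1 && filter[0] == '#') return true;
        if (!(flen == 1 && filter[0] == '+') &&
            (flen != tlen || memcmp(filter, topic, flen) != 0)) return false;
        if (!fe && !te) return true;                     /* both exhausted */
        if (fe && !te) return strcmp(fe + 1, "#") == 0;  /* "a/#" covers "a" */
        if (!fe) return false;                           /* topic is deeper */
        filter = fe + 1; topic = te + 1;
    }
}
/* Default deny: the first rule granting 'access' to a matching client wins. */
bool acl_check(int access, const char *client_ip, const char *topic)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct acl_rule *r = &policy[i];
        if (!(r->access & access)) continue;
        if (r->ip_prefix && strncmp(client_ip, r->ip_prefix, strlen(r->ip_prefix)) != 0) continue;
        if (topic_matches(r->filter, topic)) return true;
    }
    return false;
}
```

With this split, an external client may hold a subscription to sensors/public/# while each message under sensors/private/ is still refused at delivery time by the ACL_READ check, which is the per-message enforcement the thread asks for.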