OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

mqtt message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [mqtt] Connect with existing ID


Paul,

This is essential for stuck clients, clients that don't realise they've got a dead connection and reconnect, clients taking over when a node's unresponsive, etc. The same functionality exists in AMQP, where it features at the link level - there it's called link stealing. Think of it as STONITH for mq clients.

It shouldn't be a security hole if you're authenticating and authorising your clients. It may not be clear that's needed - if you like, you might want to add a JIRA.

It's a pain in the neck to implement, too, as a server, as it's the only time one connection 'needs to know' about another.


Raphael Cohn
Chief Architect, stormmq
Co-Chair, OASIS MQTT Standard
Secretary, OASIS AMQP Standard
raphael.cohn@stormmq.com
+44 7590 675 756

UK Office:
Hamblethorpe Farm, Crag Lane, Bradley BD20 9DB, North Yorkshire, United Kingdom
Telephone: +44 845 3712 567

Registered office:
16 Anchor Street, Chelmsford, Essex, CM2 0JY, United Kingdom
StormMQ Limited is Registered in England and Wales under Company Number 07175657
StormMQ.com


On 15 November 2013 15:36, Paul Fremantle <paul@wso2.com> wrote:
I never before noticed this line in the input spec:

If a client with the same Client ID is already connected to the server, the "older" client must be disconnected by the server before completing the CONNECT flow of the new client.

It corresponds to this in the WD:

If the ClientId represents a client already connected to the server then the server MUST disconnect the existing client.

Isn't this a bit of a security hole? If I can guess a ClientID I can disconnect it. If there is anyone using the clientId as a topic for replies and relying on clientId for security (e.g. in Mosquitto's ACL %c to match the client id of the client), then this is also a security hole. 

Can anyone comment?


Paul


--
Paul Fremantle
CTO and Co-Founder, WSO2
OASIS WS-RX TC Co-chair, Apache Member

UK: +44 207 096 0336
US: +1 646 595 7614

blog: http://pzf.fremantle.org
twitter.com/pzfreo
paul@wso2.com

wso2.com Lean Enterprise Middleware

Disclaimer: This communication may contain privileged or other confidential information and is intended exclusively for the addressee/s. If you are not the intended recipient/s, or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you received and in addition, you should not print, copy, retransmit, disseminate, or otherwise use the information contained in this communication. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]