Skip to content

Node Rendezvous

Jump to bottom
Rebecca Malamud edited this page Jan 3, 2014 · 9 revisions

The node-rendezvous package is a general purpose stand-alone package allowing rendezvous for 'hidden servers' (behind firewalls/NATs) and 'mobile clients' using a third-party service. The source code is available on GitHub

It is used by the steward software for this purpose, however it is not tied to the steward code base. The package implements an HTTP-specific protocol that will allow an HTTP connection from the mobile client to the hidden server.

##Protocol

The hidden server uses HTTPS and the CONNECT method both to authenticate itself and wait for a rendezvous. The mobile client establishes an HTTPS connection to the rendezvous server, and specifies the identity of the hidden server. At this point the rendezvous server moves the octets back-and-forth.

A detail description of the Rendezvous protocol is available.

##Setup

The protocol may be provisioned using a PAAS provider, if that service transparently supports the HTTP CONNECT method. Otherwise, deployment must be provisioned using a VPS.

Please follow the setup instructions for VPS provisioning to deploy the service.

##The Security Model

The security model is:

  1. The hidden server and the mobile client have to know the domain-name or IP-address of the rendezvous server, and have to trust the certificate used by the rendezvous server. This knowledge and trust is determined by out-of-band means.

  2. The hidden server and rendezvous server must share a time-based secret. This is how the rendezvous server knows that the hidden server is allowed to respond to requests for a particular UUID. This shared secret is created by out-of-band means.

  3. The mobile client does not need to authenticate itself to the rendezvous server. If a hidden server is responding for a particular UUID, then amy mobile client knowing the UUID is allowed to initiate a connection to that hidden server.

  4. Most importantly: it is the responsibility of the hidden server to authenticate the mobile client once the rendezvous occurs. Although there are many well-reasoned arguments as to why hiding behind a firewall is a bad thing, please do not negate the one good thing about being behind a firewall or NAT!

Analytics

Clone this wiki locally