-
Notifications
You must be signed in to change notification settings - Fork 0
Security Model
AISMixer defines security boundaries for selected transport and control surfaces. This page distinguishes implemented behavior from operational responsibilities and explicit non-goals.
AISMixer does not validate the real-world truth of AIS payloads and does not turn AIS data into authenticated vessel identity.
Plain UDP ingress has no built-in station authentication or encryption.
Configured UDP input IDs, UDP alias maps, and source IP addresses are routing and metadata inputs. They are not cryptographic identities.
UDPSEC authenticates configured station keys and protects transport integrity and confidentiality with authenticated encryption. It carries encrypted AIS payloads and encrypted liveness messages between nmea_sproxy and AISMixer.
UDPSEC does not make every AIS payload semantically trustworthy. It authenticates the station transport, not the vessel or radio-origin truth of each AIS message. It does not detect AIS spoofing.
See UDPSEC and nmea_sproxy for operational details.
Internal routing uses source_id, not ingress TAG s.
For UDPSEC, source_id comes from the authenticated station identity, for example udpsec:rPiAIS002. For plain UDP, source identity comes from configured input ID, alias map, or remote IP fallback.
Ingress TAG s is metadata. It must not be treated as authenticated routing identity. Emitted TAG s and internal source_id are separate concepts.
The Unix control socket is local and opt-in. Authorization currently depends on Unix filesystem ownership, group, and mode on the parent directory and socket path.
There are no application-level authentication tokens. A client that can access the socket can request status and routing-state changes.
Parent-directory and socket permissions therefore matter. Treat the socket as an administrative interface.
Candidate routing configs are fully validated before atomic installation. Invalid candidates do not replace the active snapshot.
expected_generation protects against accidental stale updates. Generation checks are concurrency controls; they are not user authentication.
Station private keys must remain private. AISMixer should store authorized station public keys, not station private keys.
Deployment-specific config files, authorized_keys.yaml, station private keys, and server private keys should use restrictive filesystem permissions. Never commit private keys or real deployment secrets.
Debug output and process logs are useful operational signals, but they are not tamper-proof audit logs. Do not treat them as a cryptographic audit trail.
These are not implemented security features:
- AIS spoof detection.
- Vessel identity validation.
- Payload-signature validation.
- Application-level control authentication.
- Remote HTTP/TCP control.
- Tamper-proof audit logging.
- Distributed routing consensus.