RFC: I want to integrate TLS into Zabbix

  • monsieurcanard
    Member
    • Mar 2007
    • 40

    #1

    RFC: I want to integrate TLS into Zabbix

    Hello! :-)

    I've always wanted a good excuse to start C programming and I'd love Zabbix to support TLS (or at least SSL v3), so I figured I'd give it a shot.

    A couple of questions for Alexei:

    1. Has any work been done on this?
    2. Any preferred TLS library? I was thinking of using the GNU TLS library:

    3. Any other implementation advice?

    I think TLS would be better than SSL as it avoids opening extra ports.

    Please let me know what you think!
    Matt
  • Alexei
    Founder, CEO
    Zabbix Certified Trainer
    Zabbix Certified Specialist
    Zabbix Certified Professional
    • Sep 2004
    • 5654

    #2
    I wouldn't implement it for ZABBIX server-agent communications now. This will add significant overhead to both communications and CPU resources.

    However, I'd love to see it implemented for inter-node communications! Keep going!
    Alexei Vladishev
    Creator of Zabbix, Product manager
    New York | Tokyo | Riga

    • monsieurcanard
      Member
      • Mar 2007
      • 40

      #3
      Hi Alexei,

      Thanks for your reply. I must admit I'm a bit disappointed by your response. I would have thought the security benefits far outweigh the overhead?

      For example, I'm currently running Zabbix active checks over OpenVPN, and many people are doing the same using Stunnel. TLS could be a configurable option; for those using Zabbix on LANs encryption may not be necessary, but for distributed agents spread over the Net, TLS would be a god-send.

      Obviously for distributed networks where many protocols work between the nodes, a VPN is a good solution, but for maximum security (especially for remote commands(!)), I think encryption and authentication is essential.

      Is it because checks aren't multiplexed that the overhead would be so high? By inter-node do you mean between distributed zabbix_servers?

      Thanks Alexei - please note I'm not criticising your approach but rather I thought this would be a popular feature and am curious as to your reasoning.

      Thanks,
      Matt
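An added example (not from the original thread or from the Zabbix project) of the Stunnel workaround the post above mentions: wrapping the agent-to-server active-check connection in TLS with certificates checked in both directions. The certificate and key paths, the `zabbix.example.net` hostname and the choice of 10052 as the TLS-facing port are assumptions; 10051 is Zabbix's standard server (trapper) port. Both stunnel.conf files are shown in one block; each goes on its own host.

```ini
; ==== stunnel.conf on the Zabbix server host ====
; Terminates TLS from the agents and hands plaintext to zabbix_server on loopback.
; All paths below are assumed; adjust to your layout.
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/zabbix.pid
; server certificate and matching private key
cert = /etc/stunnel/zabbix-server.pem
key = /etc/stunnel/zabbix-server.key
; CA that issued every agent's client certificate
CAfile = /etc/stunnel/zabbix-ca.pem
; level 2: a peer certificate is REQUIRED and must chain to CAfile.
; This is the only agent authentication left once traffic arrives from 127.0.0.1.
verify = 2

[zabbix-trapper]
; TLS listener the agents connect to (10052 is an assumed, non-standard choice)
accept = 10052
; zabbix_server's real trapper port, reachable on loopback only
connect = 127.0.0.1:10051

; ==== stunnel.conf on each agent host ====
; Accepts plaintext from zabbix_agentd on loopback and opens TLS to the server.
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/zabbix.pid
client = yes
; this agent's client certificate and key, presented because the server uses verify = 2
cert = /etc/stunnel/agent.pem
key = /etc/stunnel/agent.key
; same CA, so the agent refuses a server certificate it did not issue
CAfile = /etc/stunnel/zabbix-ca.pem
verify = 2

[zabbix-trapper]
; point zabbix_agentd's server address at 127.0.0.1:10051 instead of the real server
accept = 127.0.0.1:10051
; the server-side stunnel listener (assumed hostname)
connect = zabbix.example.net:10052
```

Two caveats for this setup. First, once the tunnel is in place zabbix_server sees every agent connecting from 127.0.0.1, so any source-address filtering on 10051 no longer distinguishes agents; the client certificate check (`verify = 2` on the server side) is what keeps an arbitrary Internet host from submitting active-check data, and port 10051 should be firewalled from everything except loopback. Second, `verify = 2` on the agent side validates the server's certificate chain but not the hostname it connects to, so any certificate issued by the same CA could stand in for the server; keep that CA dedicated to Zabbix, or pin the server certificate with `verify = 3` and a local copy of it.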


      • bbrendon
        Senior Member
        • Sep 2005
        • 870

        #4
        I think this is a good idea to have encrypted agents. Just because it's implemented doesn't mean that it has to be used, no? And you could disable it for local nodes and enable it for remote (internet) nodes.

        I would guess that encryption would add very little to the CPU usage. It's more of a server issue and, well, it's up to the admin.
        Unofficial Zabbix Expert


        • Alexei
          Founder, CEO
          Zabbix Certified Trainer
          Zabbix Certified Specialist
          Zabbix Certified Professional
          • Sep 2004
          • 5654

          #5
          What I mean is that support for TLS (or any other public key encryption) has to be made along with other changes (bulk data transfers, etc.) which would minimize the number of connections between server and agent. Otherwise the solution will not be efficient and will hardly be practical for quite large setups because of the extra latency and the additional network and CPU load involved.

          I agree with you. TLS can be made optional, probably also with an option to use it only for sensitive stuff (remote commands, inter-node comms). Go for it!

          • monsieurcanard
            Member
            • Mar 2007
            • 40

            #6
            Great, thanks for clarifying Alexei!

            I'll get hacking at the code and see what I can come up with. Have you done any work on the bulk data transfer code so far?

            Many thanks,
            Matt


            • monsieurcanard
              Member
              • Mar 2007
              • 40

              #7
              PS: To implement the bulk data transfer, would it be solved by keeping the connection open for, say, 5 seconds, and then timing out if no further data has been sent in that time?

              Matt


              • Alexei
                Founder, CEO
                Zabbix Certified Trainer
                Zabbix Certified Specialist
                Zabbix Certified Professional
                • Sep 2004
                • 5654

                #8
                These two tasks (the bulk transfer and encryption) are quite independent. The bulk transfer is a much more complex issue, as it involves new algorithms and changes to the communication protocol. The encryption is to be made on top of all this. I do not know how the bulk transfer will be implemented yet.

                • monsieurcanard
                  Member
                  • Mar 2007
                  • 40

                  #9
                  Hi Alexei,

                  Thanks for your reply. I'm probably not experienced enough to do the work on the bulk transfer myself, but would be more than happy to assist if possible. At the least, I'm very happy to add the TLS code once you've made the optimisations to the Zabbix protocol.

                  Thanks!
                  Matt
