From: Christoph J. <chr...@ma...> - 2021-06-07 11:32:05
Hi Ajit,

I am no security expert, but all servers that are reachable via one dedicated port would have this problem, right? When a counter-party has an established session to your server then there is a TCP point-to-point connection via a socket between the two parties. I don't think it is easily possible for another connection to get data that is not meant for its own socket connection. However, if you fear that this might happen it would be advisable to use SSL/TLS for each connection (of course with a separate key for each connection).

I still don't know what you are doing in the first place. Since you are implementing an acceptor: do you want to create an own trading venue or are you just creating a routing service?

In any case, I would strongly advise to make yourself acquainted with the following:
https://www.fixtrading.org/technical-guidelines/
https://www.fixtrading.org/standards/fixs/

Cheers,
Chris.

On 06.06.21 13:02, Ajit Gautam wrote:
> Hi Chris,
>
> I have implemented Quickfix acceptor with one port assigned to all clients and it's working fine.
> Each inbound and outbound transactions are processed with respect to the session ID.
>
> I was just wondering, is there way possible while assigning one port for all client which can
> result into malicious activity or raise any security concern.
>
> As acceptor is sending response over one port, but is it possible by programmatically or any
> other way such that whatever information of different sessions are going over that port can be
> received by a session such that it can get the information of all other sessions.
>
> I don't have much information on this.
> I tried to run various transaction and each transaction is following its own session ID.
>
> Just wondering about the security concern.
>
> Any help would be appreciated.
>
> Regards
> Ajit Gautam
>
> On Tue, Jun 1, 2021, 10:19 Ajit Gautam <aji...@gm...> wrote:
>
> Thanks Chris.
> That's really helpful.
>
> Regards
> Ajit Gautam
>
> On Tue, Jun 1, 2021, 03:45 Christoph John <chr...@ma...> wrote:
>
> Hi Ajit,
>
> On 31.05.21 15:37, Ajit Gautam wrote:
>> Thanks Chris. It was a configuration problem. But, mostly I see in FIX manuals,
>> institutions follow one port per session.
>> Is this option available only with Quickfix/J?
> I am pretty sure that more FIX engines than QFJ offer this option.
> Probably it is more convenient to have clients separated per port, e.g. for a tcp dump or
> to create a specific allow-rule in a firewall.
>>
>> Apart from heavy traffic on a single port, I cannot see any problem.
>> Does this approach of one port for all sessions have any disadvantages?
> See above. Moreover, most of the time one port means one process. I.e. when you only have
> one process listening on that port and that process goes down, all clients have a problem.
>>
>> Also, I was curious to know how quickfix handles all sessions on one port. I will
>> appreciate it if you elaborate on the concept behind it.
> I mean the concept is not new. Every server component handles clients on the same port... ;)
> If you mean how QFJ can tell the different sessions apart: it simply looks at the
> SessionID of the FIX message and forwards the message to that Session instance.
> The relevant code is here:
> https://github.com/quickfix-j/quickfixj/blob/7e3a07104cd8bfaf7e704896dd668b767c9aa13b/quickfixj-core/src/main/java/quickfix/mina/acceptor/AcceptorIoHandler.java#L62
>>
>> Adding to the same approach, can we create a setting which can differentiate identical
>> sessions (Same sender ID, TargetID and port).
> You could use a SessionQualifier, but that is only available for initiators. I would also
> not recommend to use it. At the beginning of this document there are a few words about it:
> https://www.quickfixj.org/usermanual/2.3.0/usage/configuration.html
> The SessionID should be unique, so there shouldn't be any identical sessions. You could
> add e.g. a SenderSubID to tell different sessions apart.
>
> Cheers,
> Chris.
>
>>
>> Regards
>> Ajit Gautam
>>
>> On Mon, May 31, 2021 at 5:16 PM Christoph John <chr...@ma...> wrote:
>>
>> Hi,
>>
>> we are doing something similar and run almost 100 sessions all via the same acceptor
>> port. So if something is "blocking" on your side it most likely is a configuration or
>> application problem.
>>
>> Cheers,
>> Chris.
>>
>> On 31.05.21 13:10, Ajit Gautam wrote:
>>> Hi Chris,
>>>
>>> Thanks for acknowledging.
>>> I will share the log soon.
>>>
>>> Just to confirm you, I am running one FIX acceptor with multiple sessions. Each
>>> session is established by a Unique SenderID and XYZ Target ID (Target ID is the same
>>> for all sessions) and a dedicated port for each session.
>>>
>>> I ran a FIX acceptor with multiple sessions configured on the *same port* with a
>>> unique Sender ID of each session and Target ID XYZ same for all sessions.
>>>
>>> Regards
>>> Ajit Gautam
>>>
>>> On Mon, May 31, 2021 at 3:17 PM Christoph John <chr...@ma...> wrote:
>>>
>>> Are you maybe starting multiple Acceptors? It definitely works when using one
>>> Acceptor with multiple configured sessions.
>>> What do you mean by "gets blocked"? A log file would be helpful.
>>>
>>> Cheers,
>>> Chris.
>>>
>>> On 31.05.21 11:44, Ajit Gautam wrote:
>>>> Hi,
>>>>
>>>> I have a FIX Acceptor trading session with each port assigned to one member.
>>>> This results in opening multiple ports at the firewall which doesn't look a
>>>> viable option.
>>>> I tried keeping the same port for a few members (different sender ID connecting
>>>> to the same port), but the session I start second gets blocked by the first.
>>>>
>>>> Any help would be appreciated.
>>>>
>>>> Regards
>>>> Ajit Gautam
>>>>
>>>> On Thu, May 27, 2021 at 10:15 PM Christoph John <chr...@ma...> wrote:
>>>>
>>>> What keeps you from configuring the same SocketAcceptPort for all sessions
>>>> in your acceptor config file?
>>>>
>>>> Chris
>>>>
>>>> On 27 May 2021 17:50:22 CEST, Ajit Gautam <aji...@gm...> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have a FIX acceptor which connects with Client FIX initiators with a
>>>> separate port for each session assigned to each client.
>>>> I was thinking of modifying the approach of having a separate port for
>>>> each session to one port for all the members.
>>>>
>>>> Is there an implementation available in Quickfix/J for such a setup
>>>> which assigns single port and IP to all the Client FIX initiators?
>>>>
>>>> Regards
>>>> Ajit Gautam
>>>>
>>>
>>> --
>>> Christoph John
>>> Software Engineering
>>> T +49 241 557080-28
>>> chr...@ma...
>>>
>>> MACD GmbH
>>> Oppenhoffallee 103
>>> 52066 Aachen, Germany
>>> www.macd.com
>>>
>>> Aachen District Court: HRB 8151
>>> VAT ID: DE 813021663
>>> Managing Director: George Macdonald

--
Christoph John
Software Engineering
T +49 241 557080-28
chr...@ma...

MACD GmbH
Oppenhoffallee 103
52066 Aachen, Germany
www.macd.com

Aachen District Court: HRB 8151
VAT ID: DE 813021663
Managing Director: George Macdonald
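
The session routing discussed in this thread, as an added example that is not part of the original e-mail and is not QuickFIX/J code: a simplified Python model of an acceptor on one port that binds each TCP connection to the session named in its Logon and refuses messages whose CompIDs do not match that binding. The class and function names and the CLIENT_A/CLIENT_B CompIDs are assumptions; the sample messages are constructed and omit BodyLength and CheckSum.

```python
SOH = "\x01"  # FIX field delimiter

def fix(msg_type, sender, target="XYZ"):
    """Build a constructed sample message (model only: no BodyLength/CheckSum)."""
    return SOH.join(["8=FIX.4.4", f"35={msg_type}", f"49={sender}", f"56={target}"]) + SOH

def parse_fix(raw):
    """Split a tag=value message into a dict (repeating groups not handled)."""
    return dict(field.split("=", 1) for field in raw.strip(SOH).split(SOH))

def session_id(msg):
    """Acceptor-side key: BeginString, our CompID (tag 56), peer CompID (tag 49)."""
    return (msg["8"], msg["56"], msg["49"])

class Acceptor:
    """One listening port, many sessions; `conn` stands for one accepted socket."""
    def __init__(self, configured):
        self.configured = set(configured)  # session IDs from the config file
        self.bound = {}                    # conn -> session ID fixed at Logon
        self.outbox = {}                   # conn -> replies written to that socket only

    def on_message(self, conn, raw):
        msg = parse_fix(raw)
        sid = session_id(msg)
        if conn not in self.bound:
            # First message on a socket must be a Logon (35=A) for a configured session.
            if msg.get("35") != "A" or sid not in self.configured:
                return "disconnect: unknown session or no logon"
            if sid in self.bound.values():
                return "disconnect: session already connected"
            self.bound[conn] = sid
        elif sid != self.bound[conn]:
            # CompIDs are only claimed by the peer; a mismatch is never re-routed.
            return "reject: CompID mismatch"
        self.outbox.setdefault(conn, []).append(f"reply to {sid[2]}")
        return "ok"

def demo():
    acc = Acceptor({("FIX.4.4", "XYZ", "CLIENT_A"), ("FIX.4.4", "XYZ", "CLIENT_B")})
    results = [
        acc.on_message(1, fix("A", "CLIENT_A")),  # A logs on over socket 1
        acc.on_message(2, fix("A", "CLIENT_B")),  # B logs on over socket 2
        acc.on_message(2, fix("D", "CLIENT_A")),  # socket 2 claims A's CompID
        acc.on_message(3, fix("A", "CLIENT_A")),  # second logon for a live session
    ]
    return results, acc.outbox

if __name__ == "__main__":
    print(demo())
```

The binding keeps sessions apart but does not authenticate the peer, since CompIDs are plain fields in the message; that is what the TLS layer suggested in the reply is for.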