LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Linux support for ARM big.LITTLE

LWN.net Weekly Edition for February 9, 2012

XBMC 11 "Eden"

LWN.net Weekly Edition for February 2, 2012

A tempest in a toybox

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

authenticating with XMPP ID (jabber address)

authenticating with XMPP ID (jabber address)

Posted May 28, 2008 7:16 UTC (Wed) by tzafrir (subscriber, #11501)
In reply to: authenticating with XMPP ID (jabber address) by martinfick
Parent article: The problem(s) with OpenID 

XMPP uses an SRV record, and thus has an MX-like priority at the DNS level.

http://en.wikipedia.org/wiki/SRV_record

$ host -t srv _xmpp-server._TCP.gmail.com
_xmpp-server._TCP.gmail.com     SRV     20 0 5269 xmpp-server4.l.google.com
_xmpp-server._TCP.gmail.com     SRV     5 0 5269 xmpp-server.l.google.com
_xmpp-server._TCP.gmail.com     SRV     20 0 5269 xmpp-server1.l.google.com
_xmpp-server._TCP.gmail.com     SRV     20 0 5269 xmpp-server2.l.google.com
_xmpp-server._TCP.gmail.com     SRV     20 0 5269 xmpp-server3.l.google.com


What's the next obvious problem I have missed?

(Log in to post comments)

authenticating with XMPP ID (jabber address)

Posted May 28, 2008 18:09 UTC (Wed) by martinfick (subscriber, #4455) [Link] 

Please forgive my ignorance on this one, I understand DNS SRV records, but how does jabber
interact with this since (unlike email) it requires a session?   If at connection time my
jabber client connects to  xmpp-server4.l.google.com and later this server goes down, will my
connection be maintained by xmpp-server.l.google.com?  Probably not right?  So I guess a
manual fail over is required at this point (I simply need to relogin to the next available
server), which should actually be fine since an automated solution does not seem required for
this.

I admit that perhaps I have not been clear enough about what I consider a valid HA solution
for an individual, but the above will probably not be sufficient, let me explain why.
Remember, as an individual, HA for an SSO solution is probably more important than for any
other protocol!  If my email goes down for an hour, big deal, if my SSO goes down for an hour
this will affect me much more!  But yet, my email solution (which is less important to make HA
than SSO) has a simple backup method that I can easily delegate to someone else, does jabber?

So a valid SSO HA solution for an individual would require that it be easy to failover to an
offsite solution that someone else can handle for me.  MX records allow me to do this for
email, I can simply point my MX records to my friend's (or my ISP's) mail server and they can
accept mail for me when my server goes down.  Throwing expensive hardware at the solution at
my site will still not be as reliable as simply having a friend provide backup MX service for
me.  

Can a friend easily provide a backup XMPP service for you?  How would the naming scheme work?
If my jabber account is  JohnDoe@mydomain.com, how can my friend (or ISP) use his jabber server
which hosts Friend@backup.com to backup my JohnDoe@mydomain.com account?  If you solve this,
than I think that you may have a solution that is a valid replacement for both the current
schemes of username/passwords backed up by an email "reset" feature.

authenticating with XMPP ID (jabber address)

Posted May 29, 2008 6:29 UTC (Thu) by job (subscriber, #670) [Link] 

This is of course client specific behaviour and has nothing to do with Jabber the protocol,
but most Jabber clients handle this by automatically reconnecting when the socket breaks. So
in practice your connection would break for a few seconds and then be back online with the
next server.

So Jabber failover works (almost) as good as email (because jabber messages are not
transactions in the same way email are, but close enough). But there are many ways a server
can fail and a server that is otherwise dead but accepts logins properly would trap most
(all?) existing Jabber clients. HA is hard in practice.

authenticating with XMPP ID (jabber address)

Posted May 29, 2008 18:22 UTC (Thu) by martinfick (subscriber, #4455) [Link] 

Yes, so jabber client failover will probably work, and as I mentioned, in most cases this
would be fine even if the failover had to be manual (i.e. log out and then back in).  I agree
that HA is hard and there could be other weird server behavior as you mention, but I believe
that for email this kind of weird flaky behavior is still likely to at least cause the
alternate MX record to be used.  There is no reason that a jabber based authentication
protocol could not be smart enough and even required by the specification to do this.

That still leaves the delegation issue.  How do I delegate this to a friend or an ISP (only in
case of failure) so that if my house burns down their server can answer requests to my jabber
id?  What naming scheme would allow this?

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds