Essentially what the subject says. I was wondering if there are benefits to be gained performance-wise by using the same encryption/decryption mechanism when clients communicate via messages sent to/received from the same nats server.
I have posed the same question here if anyone is interested:
https://github.com/nats-io/nats-server/discussions/2740
Consider for instance the following two scenarios for nats-based communication:
- Scenario#1:
  - A publisher (P) is publishing over to nats on subject "foo.bar", using encryption-decryption-scheme (A) with his own encryption-key (A)
  - A consumer (C) is subscribed to nats-subject "foo.bar", using encryption-decryption-scheme (B) with his own encryption-key (B)
  - In this scenario I assume that the nats-server will decrypt messages published by (P) using decryption scheme (A), examine the subject and forward "foo.bar" messages over to consumer (C) after having re-encrypted these messages using encryption-scheme (B).
- Scenario#2:
  - A publisher (P) is publishing over to nats on subject "foo.bar", using encryption-decryption-scheme (A) with his own encryption-key (A)
  - A consumer (C) is subscribed to nats-subject "foo.bar", using the exact same encryption-decryption-scheme (A) as the publisher
  - In this scenario I assume that the nats-server would only need to decrypt just the subject of the message published by (P) using decryption scheme (A), and after examining the subject it would forward "foo.bar" messages over to consumer (C) by "copy-pasting" the payload (data) of the message "as-is", since the encryption-decryption mechanism is the exact same.
I guess this symmetry in encryption-decryption should provide better performance when the load is high.
Am I right in these assumptions? Or am I missing something? I haven't seen anyone pointing out scenario#2 as a means to boost performance and reduce latency (potentially reducing error rates as well).
Thoughts? Insights? Links to relevant documentation?
CodePudding user response:
Got a response from user "Todd Beets" in this thread:
https://github.com/nats-io/nats-server/discussions/2740#discussioncomment-1799935
<< NATS does not do encrypt/decrypt at the NATS Protocol [1] (Layer 7) level as in your assumption.
"On the wire" NATS does fully support TLS with NATS clients [2].
As TLS terminates at a NATS server, in effect, NATS is playing a pattern as in Scenario 1 (i.e. 1..N subscribing NATS Clients have independent TLS connections and keys).
[1] https://docs.nats.io/reference/reference-protocols/nats-protocol#client-protocol
[2] https://docs.nats.io/using-nats/developer/security/tls >>
(emphasis mine)
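To make the answer concrete, here is an added example (my own toy code, not from the thread or the NATS project) of the client-protocol framing from [1]: the server must read the subject in cleartext to route, and it copies the payload bytes from the PUB frame into each MSG frame untouched, with no decrypt/re-encrypt step at this layer. Per-connection TLS is assumed to sit below this and is not modelled; the subscription table and sample frames are constructed for the example.

```python
# Toy model of NATS Layer-7 routing (added example, not NATS server code).
# Frame layouts follow the documented client protocol:
#   PUB <subject> [reply-to] <#bytes>\r\n<payload>\r\n
#   MSG <subject> <sid> [reply-to] <#bytes>\r\n<payload>\r\n
# Nothing here touches encryption: TLS (if enabled) wraps each client<->server
# connection separately, and the payload is opaque bytes to the server.

def parse_pub(frame: bytes) -> dict:
    """Split a PUB frame into subject, optional reply-to and raw payload."""
    head, _, rest = frame.partition(b"\r\n")
    parts = head.split()
    if len(parts) not in (3, 4) or parts[0] != b"PUB":
        raise ValueError("not a PUB frame")
    subject = parts[1].decode("ascii")
    reply = parts[2].decode("ascii") if len(parts) == 4 else None
    size = int(parts[-1])
    payload = rest[:size]
    if len(payload) != size or rest[size:size + 2] != b"\r\n":
        raise ValueError("payload length does not match declared size")
    return {"subject": subject, "reply": reply, "payload": payload}

def subject_matches(pattern: str, subject: str) -> bool:
    """NATS subject matching: '*' matches one token, '>' matches the remainder."""
    p, s = pattern.split("."), subject.split(".")
    for i, tok in enumerate(p):
        if tok == ">":
            return len(s) > i
        if i >= len(s) or (tok != "*" and tok != s[i]):
            return False
    return len(p) == len(s)

def route(frame: bytes, subs: dict) -> list:
    """Return the MSG frames a server would emit for one PUB frame.

    subs maps a subscription id (sid) to its subject pattern. The payload is
    copied byte-for-byte, so a payload the publisher encrypted itself stays
    opaque to the server; only the subject has to be readable.
    """
    msg = parse_pub(frame)
    out = []
    for sid, pattern in subs.items():
        if subject_matches(pattern, msg["subject"]):
            reply = f" {msg['reply']}" if msg["reply"] else ""
            head = f"MSG {msg['subject']} {sid}{reply} {len(msg['payload'])}\r\n"
            out.append(head.encode("ascii") + msg["payload"] + b"\r\n")
    return out
```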