SDRNode software is in fact an HTTP web server, so unless you add an external system such as a firewall to prevent connections, anybody can connect as long as the IP address is public.

To control connections to an SDRNode, different mechanisms are available:

  1. The requester IP address is extracted from the incoming connection;
  2. If this IP is registered in the 'black-list', the connection is rejected;
  3. If this IP is registered in the 'white-list', the connection is accepted (by default 'localhost' is white-listed);
  4. For all other IP addresses, the request must carry a 'use-once' security token (see below). If this token is not present or not valid, the request is rejected and its associated IP address is added to the 'black-list', which blocks all following connections from that address.

The next figure shows the workflow applied to each incoming connection:

Security token

On first startup, SDRNode software generates a certificate (public key and secret key), stored in the 'sdrnode.conf' configuration file.

For example:


A copy of the public key should be given to anybody you accept connections from.

Remote clients wishing to connect to the SDRNode use HTTP requests. If the public key is provided, the HTTP request structure is changed and a security token is generated:

  • The requested commands and parameters are combined into a string and 'sealed' with the public key and a 'use-once' pseudo-random sequence (each request to the same command will be different),
  • This 'sealed envelope' is then added to the HTTP request sent to the SDRNode,
  • On reception, the server can open the sealed envelope with its local private key if-and-only-if it was sealed with the corresponding public key.

Example:

To change the gain of stage 0 for the stream RF:1 we would use the following HTTP API request:

HTTP GET to http://<server_ip>:<server_port>/api/sources/RF:1/gain/0/10.0

The same request sealed by the C++ API would be:

HTTP POST to http://<server_ip>:<server_port>/
Parameter : token= Gx45XghcJaUJoIIk0pjmI5p0UE8Voph0Z6yCkZZcDFZR*h5FID8kzNb5OKKgw6RFCmc4XAOMII5gAyJfYQc7fcR0J3ohtUGl

The token contains the encrypted sequence “Gx45XghcJaUJoIIk0pjmI5p0UE8Voph0Z6yCkZZcDFZR*h5FID8kzNb5OKKgw6RFCmc4XAOMII5gAyJfYQc7fcR0J3ohtUGl”. This can only be unsealed with the relevant private key.
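The connection workflow listed at the top of this page, combined with the token check, can be modelled as follows. This is an added example, not SDRNode source code: the class, function and enum names are hypothetical, the unsealing step is a constructed stand-in for the real private-key operation, and rejecting a token that has already been seen is an assumption about how 'use-once' is enforced.

```cpp
#include <functional>
#include <set>
#include <string>
#include <utility>

// Added illustration, not SDRNode source; every name below is hypothetical.
enum class Decision { Accepted, RejectedBlacklisted, RejectedBadToken };

class AccessGate {
public:
    // Stand-in for the real crypto: returns true and fills 'command' only if
    // the token opens with the server's private key.
    using Unseal = std::function<bool(const std::string& token, std::string& command)>;

    explicit AccessGate(Unseal unseal) : unseal_(std::move(unseal)) {
        whitelist_.insert("127.0.0.1");  // 'localhost' is white-listed by default
    }
    void allow(const std::string& ip) { whitelist_.insert(ip); }
    void block(const std::string& ip) { blacklist_.insert(ip); }
    bool isBlocked(const std::string& ip) const { return blacklist_.count(ip) != 0; }

    // Steps 2-4 of the list, in order. An empty token means "not present".
    Decision check(const std::string& ip, const std::string& token, std::string& command) {
        if (blacklist_.count(ip)) return Decision::RejectedBlacklisted;  // step 2
        if (whitelist_.count(ip)) return Decision::Accepted;             // step 3
        bool ok = !token.empty() && unseal_(token, command);             // step 4
        // Assumption: a token already seen is treated as not valid (use-once).
        if (ok && !seen_.insert(token).second) ok = false;
        if (!ok) {
            command.clear();
            blacklist_.insert(ip);  // blocks following connections from this IP
            return Decision::RejectedBadToken;
        }
        return Decision::Accepted;
    }

private:
    Unseal unseal_;
    std::set<std::string> whitelist_, blacklist_, seen_;
};

// Constructed stand-in: only tokens with a made-up "sealed:" prefix open.
inline bool demoUnseal(const std::string& token, std::string& command) {
    if (token.compare(0, 7, "sealed:") != 0) return false;
    command = token.substr(7);
    return true;
}
```

Because the black-list is consulted first, an address present in both lists is rejected, and a single missing or invalid token locks out every client behind the same public IP until the entry is removed.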