# Indy Resolver - ARIES, Firewalls, and Ledgers Aries mobile agents are often in restrictive or limited environments with limited or filtered access to the internet. Firewalls may include port limitations ( only port 80 and 443 are open ), and protocol limitations ( only HTTP/HTTPS available ) Today, to access ARIES nodes, agents will need to access TCP and a separate port (usually 9907). Example: Corporate environment using a mobile agent, cannot get to ledger to get transactions, can connect to issuer, but can't get cred def to receive an issued credential, or get rev registry to validate credential ## Solutions ### HTTP ZMQ proxy It may be more efficient to have the HTTP be a more efficient process, as it may not consult all the nodes, but just the local node. Passthrough operation. Nonce needs to be passed from client through HTTP to ZMQ. Pros -Existing calls are made with existing cryptography -Client passes existing cryptographic message over HTTP, and passes call directly over ZMQ -Verify node answer on client side? Cons -Need to implment new proxy Andrew may have done research on this. May be similar to observer node behavior Next steps: define it like code with us ( ) Discuss with Andrew and my team ### Indy VDR Proxy on Nodes running on port 80 or 443 We could have the Nodes provide HTTP or HTTPS access directly on the nodes. Pros - Reverse Proxy is hosted on source of truth - No extra encryption is needed ? - Reverse proxy only can access one source, limiting risk of DOS attacks, or other exploits - Uses HTTP or HTTPS and supports port 80 and 443 - May not require adjustment of Genesis File Cons - Nonce is not generated on client side ( Could miss out on cryptographic checks ) - Nodes would need to add a new method for access - ARIES Bifold or other agent needs support for new method ### Add DIDComm Support on Nodes Pros - Messages from nodes can be verified - DIDComm can only access one source, limiting risk of DOS attacks, or other exploits - Uses HTTP or HTTPS and supports port 80 and 443 - May not require adjustment of Genesis File Cons - Extra encryption overhead ( more nodes or larger nodes may be required in a Node environnent ) - ARIES Bifold or other agent needs support for new method ### Add mediator support to access Nodes Message through DIDComm to mediator, then mediator provides service. This could also be a VDR proxy hosted by a third party. Pros - Agents don't need access to anything other than the mediator Cons - Trust issues (Risk of man in the middle type of activities) - If mediator is not limited to a single source, nefarious behavior could be exploited, DOS attacks, typicaly proxy exploits - Additional overhead on mediators - ARIES Bifold or other agent needs support for new method ## DNS Issues HTTPS may require a DNS based entry. This may require adjusting genesis files, and may add more overhead.