smpp-connector — Security Model
Status: populated | Last updated: 2026-04-18
1. Authentication & Authorization
SMPP Credentials
- SMPP `system_id` and `password` are fetched from the `operator-management-service` internal API at bind time. `operator-management-service` proxies credentials from HashiCorp Vault. `smpp-connector` holds credentials in memory only for the duration of the bind PDU exchange.
- Credentials are never logged, never written to disk, and never included in NATS events.
- The connection to `operator-management-service` is authenticated with a service account JWT token and uses mTLS.
NATS Authentication
- NATS NKey credentials are mounted as a Kubernetes Secret at `/run/secrets/nats/nkey.creds`.
- `smpp-connector` has the following NATS permissions:
  - SUBSCRIBE: `smpp.operator.*`
  - PUBLISH: `sms.dlr.inbound`, `operator.health`
  - No other subjects are accessible.
Internal API (operator-management-service)
- Service-to-service authentication via short-lived JWT issued by the cluster identity provider.
- Token is rotated every 15 minutes via an init container sidecar.
- TLS (mTLS) enforced on all internal API calls.
2. Secrets Management
| Secret | Storage | Injection method |
|---|---|---|
| SMPP passwords | HashiCorp Vault → operator-management-service | Fetched at runtime over mTLS; never at rest in smpp-connector |
| PostgreSQL DSN | Kubernetes Secret | Env var DATABASE_URL |
| Redis password | Kubernetes Secret | Env var REDIS_URL |
| NATS NKey | Kubernetes Secret | Mounted file /run/secrets/nats/nkey.creds |
| Internal service JWT | Cluster identity sidecar | Env var INTERNAL_SERVICE_TOKEN (rotated) |
3. Network Security
`smpp-connector` is deployed with a Kubernetes `NetworkPolicy`:
- Allows inbound TCP on port `3001` from the Prometheus scraper only.
- Allows outbound TCP to MNO SMPP servers (specific IP/port per operator, configured in the NetworkPolicy egress rules).
- Allows outbound TCP to PostgreSQL, Redis and NATS within the namespace.
- Allows outbound TCP to the `operator-management-service` ClusterIP.
- Denies all other outbound traffic.
- MNO connections are plain TCP (SMPP 3.4 does not natively support TLS); this is an industry-wide constraint. Where an MNO offers SMPP over TLS, it should be configured via `operator-management-service`.
4. Sensitive Data Handling
| Data | Handling |
|---|---|
| SMPP password | Never logged; held in memory only during bind |
| Destination phone number (to) | Masked in logs (prefix only, e.g. +93***) |
| Message text | Never logged (privacy); only PDU metadata logged |
| operator_message_id | Logged for correlation; no PII |
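As an added illustration of the table above (not smpp-connector's own code), a log-sanitisation helper that drops the bind password and message text, masks the destination number to its prefix, and keeps `operator_message_id` for correlation. The PDU field names (`password`, `destination_addr`, `short_message`, `operator_message_id`) and the three-character prefix length are assumptions.

```python
"""Sanitise SMPP PDUs before logging, per the sensitive-data table.

Constructed example; field names loosely follow SMPP 3.4 naming and are
assumptions, not smpp-connector's actual schema.
"""
import json
import logging

logger = logging.getLogger("smpp-connector.pdu")

# Fields that must never appear in a log line.
NEVER_LOG = {"password", "short_message"}
# Fields holding a destination MSISDN; reduced to a prefix only.
MASKED = {"destination_addr"}


def mask_msisdn(number: str, keep: int = 3) -> str:
    """Keep the leading `keep` characters (e.g. '+93') and replace the rest."""
    if not number:
        return ""
    return number[:keep] + "***"


def pdu_log_record(pdu: dict) -> dict:
    """Return only the PDU metadata that is safe to log."""
    record = {}
    for key, value in pdu.items():
        if key in NEVER_LOG:
            continue  # password / message text are dropped entirely
        if key in MASKED:
            record[key] = mask_msisdn(str(value))
        else:
            record[key] = value
    return record


def log_pdu(pdu: dict) -> str:
    """Emit the sanitised record as one JSON log line and return it."""
    line = json.dumps(pdu_log_record(pdu), sort_keys=True)
    logger.info(line)
    return line


# Constructed sample PDUs (not real credentials or subscribers).
BIND = {"command": "bind_transceiver", "system_id": "connector01", "password": "s3cret"}
SUBMIT = {"command": "submit_sm", "destination_addr": "+93701234567",
          "short_message": "Your code is 4821", "operator_message_id": "abc-123"}
```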
5. Threat Model Summary
| Threat | Mitigation |
|---|---|
| SMPP credential theft via log exfiltration | Credentials never logged; stored only in Vault |
| Man-in-the-middle on MNO SMPP link | Industry constraint — SMPP 3.4 is plain TCP; mitigated by MNO firewall whitelisting our egress IP |
| NATS message injection (fake dispatch commands) | NKey auth; only sms-orchestrator has publish permission on smpp.operator.* |
| DLR flood attack from rogue TCP connection | NATS TPS limits; MNO connection is point-to-point; no public inbound TCP ports |
| Credential rotation delay during operator rebind | Vault lease TTL < 1 h; credential refresh before next bind attempt; no persistent caching of passwords |