I’ve been looking at remotely setting some device variables, and reading through the RPC (mos and mdash) and Shadow (mos and mdash) docs. I’m only looking at mDash as the backend mechanism for all of this.
First off, not sure if I’m missing something, but the Shadow docs seemed to omit basic examples of the expected flow from
For C, the smart light example on GitHub really made it clear.
I wanted to clarify my understanding and ask for opinions on a few things:
RPC only works if the device is online and can accept/respond to the request.
Shadow allows the variable to be set independently and then picked up by the device when it comes online.
From this mDash diagram it looks as though the auth mechanism is the same for both RPC and Shadow (TLS 1.2), but reading the RPC docs auth section makes me feel as though Shadow might be more secure by default:
Mongoose OS RPC authentication is quite basic, and is vulnerable to replay attacks as the TC field is not incremented. However it enforces basic authentication that is not plaintext, and the intention is you’re communicating via a secure TLS channel like MQTT or HTTPS.
Both RPC and Shadow have the ability to be limited when used with customers using ACL on the device.
Based on this, it feels like I should be using Shadow where possible.
Would love to hear some opinions or experience around the above comments.