Experimental Physics and
Industrial Control System

Andrew Johnson <[email protected]> · Tue, 4 Dec 2012 11:56:42 -0600

Hi Lewis,

On 2012-12-03 J. Lewis Muir wrote:
> Of course this whole business of access security based on a hostname
> that the client provides to the server is pretty silly.  Why doesn't the
> server obtain the source IP address of the CA client request, convert
> that into a hostname, and perform the hostname matching for the access
> security?

I agree that would be a more sensible approach.  However when the AS (Access 
Security) system was designed most vxWorks systems didn't have a connection to 
a DNS server.  They couldn't have done the IP to hostname conversion reliably, 
so most client machines would only have been identified by their IP address, 
which would not be conducive to error-free AS configuration.

Even now a DNS connection is not essential to run an IOC on vxWorks with AS; 
here at the APS my vxWorks boot images assume that the boot host is also a DNS 
server, but I'm sure there are IOCs here that boot from FTP servers which 
don't respond to DNS requests.  With the current design those IOCs can still 
use Access Security to limit which machines get access to its PVs.

I agree that what we actually implement is not really security though, it's 
much too easy to circumvent, which is why CA must stay inside the firewall.  
Without a major incompatible protocol overhaul there's not a lot we can do to 
improve it as far as I can see.

- Andrew
-- 
Computer science is as much about computers as astronomy is about
telescopes. -- Edsger Dijkstra

Experimental Physics and Industrial Control System

Experimental Physics and
Industrial Control System