On 12/4/12 11:56 AM, Andrew Johnson wrote:
> Hi Lewis,
>
> On 2012-12-03 J. Lewis Muir wrote:
>> Of course this whole business of access security based on a hostname
>> that the client provides to the server is pretty silly. Why doesn't the
>> server obtain the source IP address of the CA client request, convert
>> that into a hostname, and perform the hostname matching for the access
>> security?
>
> I agree that would be a more sensible approach. However when the AS (Access
> Security) system was designed most vxWorks systems didn't have a connection to
> a DNS server. They couldn't have done the IP to hostname conversion reliably,
> so most client machines would only have been identified by their IP address,
> which would not be conducive to error-free AS configuration.
>
> Even now a DNS connection is not essential to run an IOC on vxWorks with AS;
> here at the APS my vxWorks boot images assume that the boot host is also a DNS
> server, but I'm sure there are IOCs here that boot from FTP servers which
> don't respond to DNS requests. With the current design those IOCs can still
> use Access Security to limit which machines get access to its PVs.

Hi, Andrew.

I agree that there are certainly IOCs out there that can't do DNS
look-ups right now. But I still think having the server do the look-up
is the right way to do it. It would just need to be a requirement for
using certain features of AS: If you want to do hostname-based access
security, then your IOC server must be able to resolve IP addresses into
hostnames. If you use only IP addresses in your AS configuration, or if
you don't use AS at all, then your IOC does not need this capability--it
can remain unchanged.

I haven't looked at the CA protocol at all, but if the CA client can
send whatever hostname it wants, perhaps the CA client could send
whatever IP address it wants instead. The server could take that IP
address, resolve it into a hostname, and perform its access security
using that hostname. So now the CA client just has to figure out its IP
address, not its hostname. I think this would be much easier to make
work consistently across CA client implementations (e.g. EPICS Base CA
and CAJ).

> I agree that what we actually implement is not really security though, it's
> much too easy to circumvent, which is why CA must stay inside the firewall.
> Without a major incompatible protocol overhaul there's not a lot we can do to
> improve it as far as I can see.

Bummer.

Thanks,
Lewis
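
The server-side lookup proposed at the top of this thread, as an added example (not part of the original message, and not EPICS Base or CAJ code): the server takes the peer address from the accepted connection, resolves it, confirms the name maps back to the same address, and only then matches it against the allowed hosts. The function names, the injectable resolver arguments, and the sample DNS data are all hypothetical and constructed for illustration.

```python
import socket

def resolve_peer_hostname(peer_ip, reverse=None, forward=None):
    """Return the forward-confirmed hostname for peer_ip, or None.

    peer_ip must come from the accepted socket (getpeername()), never
    from a field in the client's request. The reverse/forward callables
    are hypothetical hooks so the lookup can be exercised offline.
    """
    reverse = reverse or (lambda ip: socket.gethostbyaddr(ip)[0])
    forward = forward or (lambda name: socket.gethostbyname_ex(name)[2])
    try:
        name = reverse(peer_ip)
        # A PTR record is controlled by whoever owns the reverse zone,
        # so confirm the name resolves back to the same address.
        if peer_ip not in forward(name):
            return None
    except OSError:  # socket.herror / socket.gaierror: no usable DNS answer
        return None
    return name.rstrip(".").lower()

def host_allowed(peer_ip, allowed_hosts, allowed_ips=(), **resolvers):
    """IP rules need no DNS; hostname rules need a confirmed lookup."""
    if peer_ip in allowed_ips:
        return True
    name = resolve_peer_hostname(peer_ip, **resolvers)
    return name is not None and name in {h.lower() for h in allowed_hosts}

# Constructed sample DNS data (documentation range 192.0.2.0/24).
# 192.0.2.66 has a PTR claiming to be opi1, but opi1's A record disagrees.
PTR = {"192.0.2.10": "opi1.example.org", "192.0.2.66": "opi1.example.org"}
A = {"opi1.example.org": ["192.0.2.10"]}

def fake_reverse(ip):
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip]

def fake_forward(name):
    return A.get(name, [])
```

A server without DNS access falls through to the IP-only rule, which matches the requirement described in the message above. The result is still only as trustworthy as the network path and the DNS data behind it.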