Subject: Proposed Changes in EPICS Base, PCAS and ca-gateway: Ignore IPs by environment / check IPs in access security
From: Goetz Pfeiffer via Core-talk <[email protected]>
To: <[email protected]>
Date: Fri, 6 Dec 2019 17:09:26 +0100
Hello,

I would like to propose changes to EPICS Base, the portable channel access
server and the channel access gateway.

I have already implemented and tested these changes for version 3.15 and 7.0
of the EPICS base and the most recent versions of the portable channel access
server PCAS and the channel access gateway.

I would like to hear your comments and suggestions regarding this topic.

The changes consist of three parts:

- Define networks to be ignored by servers with environment variable
  EPICS_CAS_IGNORE_NET_LIST
- Define networks to be ignored by clients with environment variable
  EPICS_CA_IGNORE_NET_LIST
- Extend channel access security with IP access groups that define the IP
  address a client must have

Here are the details:

Define networks to be ignored by servers, EPICS_CAS_IGNORE_NET_LIST

This environment variable is comparable to EPICS_CAS_IGNORE_ADDR_LIST since
it causes a channel access server to ignore requests from some clients.

With EPICS_CAS_IGNORE_ADDR_LIST you specify a list of host names or IP
addresses. This works fine but you have to specify a very long string if you
need to ignore addresses of a whole subnet with hundreds of IP addresses.

With EPICS_CAS_IGNORE_NET_LIST you can specify one or more subnets to ignore.

The subnet specifications in EPICS_CAS_IGNORE_NET_LIST must be separated with
spaces.

Three forms of subnet specifications are supported:

- CIDR notation, example: 192.168.12.0/24
- Address and mask notation, example: 192.168.12.0:255.255.255.0
- Single IP address, example: 192.168.12.10

Example

In order to ignore hosts from 192.168.22.0/24, EPICS_CAS_IGNORE_ADDR_LIST
would need 254 entries like here:

  EPICS_CAS_IGNORE_ADDR_LIST="192.168.22.1 192.168.22.2 192.168.22.3 \
  192.168.22.4 192.168.22.5 192.168.22.6 192.168.22.7 192.168.22.8 \
  ....
  192.168.22.250 192.168.22.251 192.168.22.252 192.168.22.253 192.168.22.254

With EPICS_CAS_IGNORE_NET_LIST the same can be achieved like this:

  EPICS_CAS_IGNORE_NET_LIST=192.168.22.0/24

Also, the check for a valid address is quicker with the new variable: instead
of 254 comparisons we have two AND operations and one comparison.

Usage in channel access gateway configuration

The configuration of exporting channel access gateways at the
Helmholtz-Zentrum Berlin, as shown here:

  https://www-csr.bessy.de/control/ca-net-gateways

is made much simpler, since we always have to ignore a complete subnet. Until
now we only had to ignore class C subnets; bigger subnets would be unusable
with EPICS_CAS_IGNORE_ADDR_LIST.

Changes in the software

Both the "rsrv" server and the "PCAS" server were changed for this.

A patch exists for EPICS Base 3.15 and EPICS Base 7 and PCAS.

The generated file epicsVersion.h has a new macro,
EPICS_HAS_CAS_IGNORE_NET_LIST, that is defined with this patch. This enables
programs like the channel access gateway to support both an EPICS Base with
this patch and one without it.

Define networks to be ignored by clients, EPICS_CA_IGNORE_NET_LIST

This variable introduces the concept of ignoring certain hosts to the channel
access client. Hosts whose IP address matches one of the subnets specified
with EPICS_CA_IGNORE_NET_LIST are ignored.

This provides a possible solution for "duplicate PV" errors when a process
variable of the same name is presented by more than one server.

Although this variable can be used for all channel access clients, it is
particularly useful for the channel access gateway. With this there is an easy
way to let the gateway ignore certain channel access servers.

The subnet specifications in EPICS_CA_IGNORE_NET_LIST must be separated with
spaces.

Three forms of subnet specifications are supported:

- CIDR notation, example: 192.168.12.0/24
- Address and mask notation, example: 192.168.12.0:255.255.255.0
- Single IP address, example: 192.168.12.10
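To make the three subnet forms (shared by EPICS_CAS_IGNORE_NET_LIST and EPICS_CA_IGNORE_NET_LIST) and the mask-and-compare check concrete, here is an added C example written for this page; it is not code from the proposed patches. It assumes a POSIX inet_pton, and the function and type names are my own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One parsed IGNORE_NET_LIST entry: network and mask in host byte order. */
typedef struct { uint32_t net, mask; } ignore_net_t;

/* Parse one entry in any of the three forms the proposal lists:
 * "a.b.c.d/N" (CIDR), "a.b.c.d:m.m.m.m" (address:mask) or a bare "a.b.c.d".
 * Returns 1 on success, 0 for a malformed entry. */
static int parse_ignore_net(const char *spec, ignore_net_t *out)
{
    char addr[INET_ADDRSTRLEN];
    struct in_addr a;
    const char *sep;
    if ((sep = strchr(spec, '/')) != NULL) {          /* CIDR prefix length */
        long prefix = strtol(sep + 1, NULL, 10);
        if (prefix < 0 || prefix > 32) return 0;
        out->mask = prefix ? 0xFFFFFFFFu << (32 - prefix) : 0;
    } else if ((sep = strchr(spec, ':')) != NULL) {   /* explicit netmask */
        if (inet_pton(AF_INET, sep + 1, &a) != 1) return 0;
        out->mask = ntohl(a.s_addr);
    } else {                                          /* single host */
        sep = spec + strlen(spec);
        out->mask = 0xFFFFFFFFu;
    }
    size_t n = (size_t)(sep - spec);
    if (n == 0 || n >= sizeof addr) return 0;
    memcpy(addr, spec, n);
    addr[n] = '\0';
    if (inet_pton(AF_INET, addr, &a) != 1) return 0;
    out->net = ntohl(a.s_addr) & out->mask;           /* drop host bits */
    return 1;
}

/* Check one client address against a space-separated list (the value of the
 * environment variable). Per entry this is two ANDs and one comparison, no
 * matter how many hosts the subnet contains; malformed entries are skipped.
 * A real server would parse the list once at startup, not per check. */
static int ignored_by_list(const char *env, const char *ip)
{
    char buf[512]; struct in_addr a; ignore_net_t e;
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;
    uint32_t h = ntohl(a.s_addr);
    strncpy(buf, env, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (char *t = strtok(buf, " "); t; t = strtok(NULL, " "))
        if (parse_ignore_net(t, &e) && (h & e.mask) == (e.net & e.mask)) return 1;
    return 0;
}
```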

Changes in the software

The channel access client library in EPICS Base was changed for this.

A patch exists for EPICS Base 3.15 and EPICS Base 7.

The generated file epicsVersion.h has a new macro,
EPICS_HAS_CA_IGNORE_NET_LIST, that is defined with this patch. This enables
programs like the channel access gateway to support both an EPICS Base with
this patch and one without it.

Access security with IP access groups

Access security currently allows a channel access server to check the host
name and the user name of a client that wants to connect.

However, the information about which host and which user wants to connect is
provided by the channel access library of the client and is not necessarily
reliable.

Another problem is that the host name the channel access client library
provides is not the fully qualified domain name, which can be assumed to be
unique, but the short host name as it is configured on the client's system.

With this patch, channel access security can be configured to check the IP
address of the client.

The definition of the access security configuration file was extended for
this. An IP access group, IPAG, was added to the existing host access group,
HAG, and the user access group UAG.

IP access groups can be added to an existing access security configuration or
can, for example, replace host access groups.

The changes in access security are backwards compatible, old access security
configuration files are still valid.

Changes in the software

The access security library in EPICS Base was changed for this. Changes were
also necessary in PCAS and the channel access gateway. A patch exists for
EPICS Base 3.15 and EPICS Base 7.

The generated file epicsVersion.h has a new macro, EPICS_HAS_AS_IPAG, that is
defined with this patch. This enables programs like the channel access gateway
to support both an EPICS Base with this patch and one without it.

Verification and tests

I compiled my patches for linux-x86_64, windows-x64 and RTEMS-mvme2100 (RTEMS
4.9). I ensured that no additional critical compiler warnings were produced.

I tested the function with softiocs, the "cainfo" utility and the channel
access gateway on Linux (Fedora 30).

Repositories with patches

The repositories with my patches can be found here:

Launchpad (only EPICS base)

https://code.launchpad.net/~goetzpf/+git/epics-ip-ignore-as-IPAG-patches_base_3.15

https://code.launchpad.net/~goetzpf/+git/epics-ip-ignore-as-IPAG-patches_base_7

Github

https://github.com/goetzpf/epics-base/tree/ip-ignore-as-IPAG-3.15

https://github.com/goetzpf/epics-base/tree/ip-ignore-as-IPAG-7.0

https://github.com/goetzpf/pcas/tree/ip-ignore-as-IPAG

https://github.com/goetzpf/ca-gateway/tree/ip-ignore-as-IPAG

I would appreciate your comments, suggestions or improvements.

Greetings,


  Goetz Pfeiffer
