Subject: Proposed Changes in EPICS Base, PCAS and ca-gateway: Ignore IPs by environment / check IPs in access security
From: Goetz Pfeiffer via Core-talk <[email protected]>
To: <[email protected]>
Date: Fri, 6 Dec 2019 17:09:26 +0100
Hello,

I would like to propose changes to EPICS Base, the portable channel access server and the channel access gateway.

I have already implemented and tested these changes for versions 3.15 and 7.0 of EPICS Base and the most recent versions of the portable channel access server PCAS and the channel access gateway.

I would like to hear your comments and suggestions regarding this topic.
The changes consist of three parts:

- Define networks to be ignored by servers with the environment variable EPICS_CAS_IGNORE_NET_LIST
- Define networks to be ignored by clients with the environment variable EPICS_CA_IGNORE_NET_LIST
- Extend channel access security with IP access groups that define the IP address a client must have

Here are the details:
Define networks to be ignored by servers, EPICS_CAS_IGNORE_NET_LIST

This environment variable is comparable to EPICS_CAS_IGNORE_ADDR_LIST since it causes a channel access server to ignore requests from some clients.

With EPICS_CAS_IGNORE_ADDR_LIST you specify a list of host names or IP addresses. This works fine, but you have to specify a very long string if you need to ignore the addresses of a whole subnet with hundreds of IP addresses.

With EPICS_CAS_IGNORE_NET_LIST you can specify one or more subnets to ignore.

The subnet specifications in EPICS_CAS_IGNORE_NET_LIST must be separated with spaces.
Three forms of subnet specifications are supported:
- CIDR notation, example: 192.168.12.0/24
- Address and mask notation, example: 192.168.12.0:255.255.255.0
- Single IP address, example: 192.168.12.10
Example

In order to ignore hosts from 192.168.22.0/24, EPICS_CAS_IGNORE_ADDR_LIST would need 254 entries like here:

    EPICS_CAS_IGNORE_ADDR_LIST="192.168.22.1 192.168.22.2 192.168.22.3 \
    192.168.22.4 192.168.22.5 192.168.22.6 192.168.22.7 192.168.22.8 \
    ....
    192.168.22.250 192.168.22.251 192.168.22.252 192.168.22.253 192.168.22.254"

With EPICS_CAS_IGNORE_NET_LIST the same can be achieved like this:

    EPICS_CAS_IGNORE_NET_LIST=192.168.22.0/24

Also, the check for a valid address is quicker with the new variable: instead of 254 comparisons we have two AND operations and one comparison.
Usage in channel access gateway configuration

The configuration of exporting channel access gateways at the Helmholtz-Zentrum Berlin, as shown here:
https://www-csr.bessy.de/control/ca-net-gateways
is made much simpler, since we always have to ignore a complete subnet. For now, we just had to ignore class C subnets; bigger subnets would be unusable with EPICS_CAS_IGNORE_ADDR_LIST.
Changes in the software

Both the "rsrv" server and the "PCAS" server were changed for this. A patch exists for EPICS Base 3.15, EPICS Base 7 and PCAS.

The generated file epicsVersion.h has a new macro, EPICS_HAS_CAS_IGNORE_NET_LIST, that is defined with this patch. This enables programs like the channel access gateway to support both an EPICS Base with and one without this patch.
Define networks to be ignored by clients, EPICS_CA_IGNORE_NET_LIST

This variable introduces the concept of ignoring certain hosts to the channel access client. Hosts whose IP address matches one of the subnets specified with EPICS_CA_IGNORE_NET_LIST are ignored.

This provides a possible solution for "duplicate PV" errors when a process variable of the same name is presented by more than one server.

Although this variable can be used for all channel access clients, it is particularly useful for the channel access gateway. With this there is an easy way to let the gateway ignore certain channel access servers.

The subnet specifications in EPICS_CA_IGNORE_NET_LIST must be separated with spaces.
Three forms of subnet specifications are supported:
- CIDR notation, example: 192.168.12.0/24
- Address and mask notation, example: 192.168.12.0:255.255.255.0
- Single IP address, example: 192.168.12.10
Changes in the software

The channel access client library in EPICS Base was changed for this. A patch exists for EPICS Base 3.15 and EPICS Base 7.

The generated file epicsVersion.h has a new macro, EPICS_HAS_CA_IGNORE_NET_LIST, that is defined with this patch. This enables programs like the channel access gateway to support both an EPICS Base with and one without this patch.
Access security with IP access groups

Access security currently allows a channel access server to check the host name and the user name of a client that wants to connect. However, the information about which host and which user wants to connect is provided by the channel access library of the client and is not necessarily reliable.

Another problem is that the host name the channel access client library provides is not the fully qualified domain name, which can be assumed to be unique, but the short host name as it is configured on the client's system.

With this patch, channel access security can be configured to check the IP address of the client.

The definition of the access security configuration file was extended for this. An IP access group, IPAG, was added to the existing host access group, HAG, and the user access group, UAG.

IP access groups can be added to an existing access security configuration or can, for example, replace host access groups.

The changes in access security are backwards compatible; old access security configuration files are still valid.
Changes in the software

The access security library in EPICS Base was changed for this. Changes were also necessary in PCAS and the channel access gateway. A patch exists for EPICS Base 3.15 and EPICS Base 7.

The generated file epicsVersion.h has a new macro, EPICS_HAS_AS_IPAG, that is defined with this patch. This enables programs like the channel access gateway to support both an EPICS Base with and one without this patch.
Verification and tests

I compiled my patches for linux-x86_64, windows-x64 and RTEMS-mvme2100 (RTEMS 4.9). I ensured that no additional critical compiler warnings were produced.

I tested the function with softIOCs, the "cainfo" utility and the channel access gateway on Linux (Fedora 30).
Repositories with patches

The repositories with my patches can be found here:

Launchpad (only EPICS Base)
https://code.launchpad.net/~goetzpf/+git/epics-ip-ignore-as-IPAG-patches_base_3.15
https://code.launchpad.net/~goetzpf/+git/epics-ip-ignore-as-IPAG-patches_base_7

Github
https://github.com/goetzpf/epics-base/tree/ip-ignore-as-IPAG-3.15
https://github.com/goetzpf/epics-base/tree/ip-ignore-as-IPAG-7.0
https://github.com/goetzpf/pcas/tree/ip-ignore-as-IPAG
https://github.com/goetzpf/ca-gateway/tree/ip-ignore-as-IPAG

I would appreciate your comments, suggestions or improvements.

Greetings,
Goetz Pfeiffer

Attachment: signature.asc (OpenPGP digital signature)
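The following Python is an added example, not code from the proposal's patches or from EPICS Base. It models the three subnet notations the message lists for EPICS_CAS_IGNORE_NET_LIST and EPICS_CA_IGNORE_NET_LIST, the mask-and-compare check behind them, the expansion to the 254 host entries an EPICS_CAS_IGNORE_ADDR_LIST would need, and an IPAG-style check in an access security rule. The function names, the dictionary representation of a RULE and the assumption that UAG, HAG and IPAG on one rule must all match are this example's own; the patch's actual ACF syntax is not shown in the message.

```python
import ipaddress


def parse_net_spec(spec):
    """Parse one subnet specification in the three forms the proposal lists:
    CIDR (192.168.12.0/24), address:mask (192.168.12.0:255.255.255.0) or a
    single address (192.168.12.10, treated as a /32 network).
    Host bits set in the address part are masked off (strict=False)."""
    if ":" in spec:
        addr, mask = spec.split(":", 1)
        return ipaddress.IPv4Network((addr, mask), strict=False)
    if "/" in spec:
        return ipaddress.IPv4Network(spec, strict=False)
    return ipaddress.IPv4Network((spec, 32))


def parse_net_list(value):
    """Split a space-separated *_IGNORE_NET_LIST value into networks.
    A malformed entry raises ValueError rather than being skipped, so a
    typo in the variable cannot silently shrink the ignore list."""
    return [parse_net_spec(s) for s in value.split()]


def in_net_list(client_ip, nets):
    """Per-request check: AND both the client address and the network
    address with the mask and compare, i.e. the two AND operations and one
    comparison per entry that the proposal describes."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for net in nets:
        mask = int(net.netmask)
        if (ip & mask) == (int(net.network_address) & mask):
            return True
    return False


def expand_to_addr_list(spec):
    """Host addresses an equivalent EPICS_CAS_IGNORE_ADDR_LIST would need."""
    return [str(h) for h in parse_net_spec(spec).hosts()]


# Illustrative model (an assumption of this example) of an access security
# RULE carrying UAG, HAG and IPAG: every group present on the rule must
# match the client, mirroring how UAG and HAG combine today.
ACCESS_ORDER = {"NONE": 0, "READ": 1, "WRITE": 2}


def rule_matches(rule, client):
    """True when the client satisfies every group the rule names.
    user and host come from the client library (untrusted); ip is what the
    server observed on the connection."""
    if rule.get("uag") is not None and client["user"] not in rule["uag"]:
        return False
    if rule.get("hag") is not None and client["host"] not in rule["hag"]:
        return False
    if rule.get("ipag") is not None and not in_net_list(client["ip"], rule["ipag"]):
        return False
    return True


def access_level(rules, client):
    """Highest level granted by any matching rule; NONE if none match."""
    best = "NONE"
    for rule in rules:
        if rule_matches(rule, client) and ACCESS_ORDER[rule["level"]] > ACCESS_ORDER[best]:
            best = rule["level"]
    return best


# Constructed sample rule set: everyone may read; user "op" on host "opws1"
# may write only when the connection actually comes from 192.168.12.0/24.
RULES = [
    {"level": "READ"},
    {"level": "WRITE", "uag": {"op"}, "hag": {"opws1"},
     "ipag": parse_net_list("192.168.12.0/24")},
]


if __name__ == "__main__":
    nets = parse_net_list("192.168.22.0/24 10.0.0.0:255.0.0.0 172.16.5.7")
    print(in_net_list("192.168.22.17", nets))            # True
    print(len(expand_to_addr_list("192.168.22.0/24")))   # 254
    genuine = {"user": "op", "host": "opws1", "ip": "192.168.12.40"}
    misnamed = {"user": "op", "host": "opws1", "ip": "192.168.99.40"}
    print(access_level(RULES, genuine), access_level(RULES, misnamed))  # WRITE READ
```

The last two lines of the main block show the point of the IPAG section: both clients present the same user and host names, which the server cannot verify, but only the one whose connection arrives from the configured subnet gets WRITE; the other falls back to the unrestricted READ rule.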