Subject: Re: Proposed Changes in EPICS Base, PCAS and ca-gateway: Ignore IPs by environment / check IPs in access security
From: Goetz Pfeiffer via Core-talk <[email protected]>
To: "J. Lewis Muir" <[email protected]>
Cc: [email protected]
Date: Mon, 9 Dec 2019 11:05:49 +0100
On 12/6/19 10:48 PM, J. Lewis Muir wrote:
> On 12/06, Goetz Pfeiffer via Core-talk wrote:
>> I would like to hear your comments and suggestions regarding this topic.
>>
>> The changes consist of three parts:
>>
>> - Define networks to be ignored by servers with environment variable
>> EPICS_CAS_IGNORE_NET_LIST
> What about just using EPICS_CAS_IGNORE_ADDR_LIST but extending its
> syntax to allow specifying networks (e.g., 192.168.12.0/24)? Or you
> could extend the syntax to allow specifying a range with a ".." literal
> (e.g., 192.168.12.0..255)?
>
> It seems a bit weird to have two separate variables: one for addresses
> and one for networks. You're still trying to specify a list of
> addresses, you're just wanting to introduce the ability to specify a
> range of addresses in a short form.
>
>> - Define networks to be ignored by clients with environment variable
>> EPICS_CA_IGNORE_NET_LIST
> Similar comment here as above. What about just adding
> EPICS_CA_IGNORE_ADDR_LIST instead, and using it like
> EPICS_CAS_IGNORE_ADDR_LIST?
>
> Lewis
Hello,
EPICS_CAS_IGNORE_ADDR_LIST is in the end scanned by function aToIPAddr in aToIPAddr.c.
As you can see there this supports various formats like:
192.167.18.10
192.167.18.10:6064
3232174602
3232174602:6064
myhost.example.com
myhost.example.com:6064
However, for defining an IP subnet, you don't need a port number, you cannot use a
DNS hostname and a raw integer is not really needed.
I thought it a cleaner approach to have IP subnets with the "dotted decimal" address
notation in a separate variable instead of mixing it with entries in EPICS_CAS_IGNORE_ADDR_LIST.
A variable EPICS_CA_IGNORE_ADDR_LIST does not exist up to now; for name
consistency I named my variable EPICS_CA_IGNORE_NET_LIST.
An IP range would be more flexible than the CIDR or ADDR:MASK specification of
a subnet. If there is a consensus that this is needed, this could be implemented. I thought
the usual case is you want to specify subnets.
Greetings
Goetz
Attachment: signature.asc (Description: OpenPGP digital signature)
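Added example, not part of this thread and not EPICS Base code: a small C check of the subnet-list idea discussed above. It accepts entries in CIDR ("192.168.12.0/24") or ADDR:MASK ("192.168.12.0:255.255.255.0") form plus bare addresses, and deliberately rejects the host-name, port and raw-integer forms that aToIPAddr accepts. The whitespace-separated list shape (borrowed from EPICS_CAS_IGNORE_ADDR_LIST), the ipv4_net type and the function names are assumptions; all addresses are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical ignore-list entry: network and netmask, host byte order. */
typedef struct { uint32_t net, mask; } ipv4_net;

/* Strict dotted-decimal IPv4 parser: exactly four octets 0..255 and nothing
 * else (no host names, no ports, no raw integers). 1 on success, 0 on error. */
static int parse_dotted(const char *s, size_t len, uint32_t *out)
{
    uint32_t val = 0;
    size_t i = 0;
    for (int octet = 0; octet < 4; octet++) {
        unsigned v = 0, digits = 0;
        while (i < len && isdigit((unsigned char)s[i])) {
            v = v * 10 + (unsigned)(s[i++] - '0');
            if (v > 255) return 0;
            digits++;
        }
        if (digits == 0) return 0;
        val = (val << 8) | v;
        if (octet < 3 && (i >= len || s[i++] != '.')) return 0;
    }
    if (i != len) return 0;
    *out = val;
    return 1;
}

/* One entry in CIDR ("192.168.12.0/24"), ADDR:MASK ("192.168.12.0:255.255.255.0")
 * or bare-address (/32) form. Host bits set in the address part are cleared. */
static int parse_subnet(const char *spec, ipv4_net *out)
{
    const char *sep = strpbrk(spec, "/:");
    size_t addrlen = sep ? (size_t)(sep - spec) : strlen(spec);
    uint32_t net, mask, inv;

    if (!parse_dotted(spec, addrlen, &net)) return 0;
    if (!sep) {
        mask = 0xFFFFFFFFu;
    } else if (*sep == '/') {
        char *end;
        long bits = strtol(sep + 1, &end, 10);
        if (end == sep + 1 || *end != '\0' || bits < 0 || bits > 32) return 0;
        mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    } else {
        if (!parse_dotted(sep + 1, strlen(sep + 1), &mask)) return 0;
        /* Reject non-contiguous masks such as 255.255.0.255: ~mask must look
         * like 0...01...1, which holds exactly when inv & (inv + 1) == 0. */
        inv = ~mask;
        if (inv & (inv + 1)) return 0;
    }
    out->net = net & mask;
    out->mask = mask;
    return 1;
}

/* Match addr_str against a whitespace-separated list of subnet specs (the
 * shape of EPICS_CAS_IGNORE_ADDR_LIST). Returns 1 if it falls in any listed
 * subnet, 0 if in none, -1 if the address or any entry is malformed: a broken
 * ignore list is reported rather than silently treated as "ignore nothing". */
static int ignored_by_list(const char *list, const char *addr_str)
{
    uint32_t addr;
    char entry[64];

    if (!parse_dotted(addr_str, strlen(addr_str), &addr)) return -1;
    for (const char *p = list; *p; ) {
        const char *start;
        size_t len;
        ipv4_net n;
        while (*p && isspace((unsigned char)*p)) p++;
        if (!*p) break;
        for (start = p; *p && !isspace((unsigned char)*p); p++) ;
        len = (size_t)(p - start);
        if (len >= sizeof entry) return -1;
        memcpy(entry, start, len);
        entry[len] = '\0';
        if (!parse_subnet(entry, &n)) return -1;
        if ((addr & n.mask) == n.net) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample list and peer addresses; not real site data. */
    const char *list = "192.168.12.0/24 10.0.0.0:255.0.0.0 172.16.5.9";
    const char *peers[] = { "192.168.12.200", "192.168.13.1", "10.99.1.1", "172.16.5.9" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-16s ignored=%d\n", peers[i], ignored_by_list(list, peers[i]));
    return 0;
}
```

Note that an entry such as 192.167.18.10:6064 is rejected here: in an ADDR:MASK grammar the colon introduces a mask, while in EPICS_CAS_IGNORE_ADDR_LIST it introduces a port, which is the ambiguity behind keeping subnets in a separate variable. Returning -1 on any malformed entry lets a server refuse to start rather than quietly ignoring fewer peers than the operator configured.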