Experimental Physics and
Industrial Control System

Gedare Bloom via Core-talk <core-talk at aps.anl.gov> · Wed, 17 Mar 2021 16:14:08 -0600

On Tue, Mar 16, 2021 at 1:04 PM Michael Davidsaver via Core-talk
<core-talk at aps.anl.gov> wrote:
>
> Personally, I see IPv6 as one of several "modernization" requirements
> which seem likely drop at some point within say 5 years.
>
> The biggest one being something along the lines of "all network services
> must employ strong authentication and encryption".  I expect that the
> continuing drumbeat of headlines about PLC security problems will at
> some point spill over into the EPICS world in a way which makes arguing
> for exemptions untenable.
>
> Our community can either be proactive, or wait to be surprised.
>

Cherry-picking here, but I'm working both of these fronts from the
RTEMS side of things. Our network stack modernization _should_ help
bridge the gap with libbsd on higher-end boards and lwIP as the backup
plan for resource-constrained devices. Since RTEMS is most likely the
low water mark for the features and security mechanisms, hopefully our
efforts can help keep EPICS afloat (#dadjokes #sorrynotsorry) on
open-source.

We also will be exploring transport and application security solutions
including SSL and lightweight SSH (or telnet/SSL at the worst) ports.
I'm happy to entertain any inputs on other desired secure
communication services. I have about 1 more year of funding left to
push on improving the infrastructure security, and happy to
collaborate on current or future efforts of mutual interest.

>
> On 3/16/21 11:33 AM, Johnson, Andrew N. via Core-talk wrote:
> > On Mar 16, 2021, at 4:32 AM, Ben Franksen <benjamin.franksen at helmholtz-berlin.de> wrote:
> >>
> >> Am 16.03.21 um 09:44 schrieb Zimoch Dirk (PSI) via Core-talk:
> >>> On Fri, 2021-03-12 at 03:34 +0000, Johnson, Andrew N. via Core-talk wrote:
> >>>> https://www.whitehouse.gov/wp-content/uploads/2020/11/M-21-07.pdf
> >>>>
> >>>> - Andrew
> >>>>
> >>>
> >>> TL;DR
> >>> Do we have a problem?
> >>
> >> I may be wrong, but AFAIU only facilities in the US have a problem. They
> >> need to convince their over-bosses that they get an exception.
> >
> > Sorry, but if we don’t consider how we can add support for IPv6 soon EPICS will probably no longer be eligible for use by the kinds of large experimental facilities that have funded its development to date, and it will die. I’m not saying it’s urgent, but we should start to plan for it.
> >
> > That OMB memo was signed by the previous US administration, but I’m pretty sure it wasn’t developed by their political appointees, and IMHO hoping that the new administration will rescind it would be a mistake. Existing DOE facilities will almost certainly be getting exemptions of some kind, but EPICS doesn’t have a monopoly in this field and if we don’t support it many future Government-funded projects will have to find an alternative since IPv6-only networking will most likely become a non-negotiable requirement at some point. This isn’t likely to be unique to the US either.
> >
> > IPv6 use has been growing and many cellphone networks now depend on it (that DJB article which Ben found has a last-modified date of August 2003). There’s a page with links to several adoption statistics websites at
> >     https://www.internetsociety.org/deploy360/ipv6/statistics/
> >
> > I’m hoping that we’ll be able to get some DOE funding to actually do the porting work. Given the number of DOE facilities that use EPICS it seemed reasonable to suggest that, which I have done to the team that is planning the DOE’s response to that memo.
> >
> > - Andrew
> >
>

Experimental Physics and Industrial Control System

Experimental Physics and
Industrial Control System