> When a CA client opens a connection to an IOC, it transmits its host
> and user name. It's these strings that the access security information
> is checked against.
>
> What makes you want to use IP numbers instead?

Here are 2 reasons this might be desirable:

1) IP numbers are more difficult to spoof if they are coming from another
subnet. On Unix systems one can change the "hostname" which CA security
sees without even rebooting. I realize that CA security is not intended to
stop determined hackers, but even an impatient operator can bypass security
trivially with hostname (I know, I've seen it done!).

2) IP numbers are more "stable" than hostnames. We have had many problems
where the hostname presented by our CA clients (typically NT machines) has
changed from a fully qualified domain name (e.g. ford.cars.aps.anl.gov) to a
simple name (e.g. ford). We don't know what caused these changes (NT
service packs?) but it is a pain, since the CA security database has to be
frequently modified. IP numbers would not have changed in this
circumstance.

Mark Rivers
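
An added example (not part of the original message, and not EPICS code): a small audit that compares the host name a client sends with an inventory keyed by the address the connection came from, separating the FQDN-to-short-name drift in point 2 from a name that belongs to a different machine, as in point 1. The inventory, the addresses (documentation range 192.0.2.0/24), the host `dodge` and the record layout are assumptions constructed for illustration.

```python
import ipaddress

# Constructed inventory (assumption): peer IP -> expected fully qualified name.
# Addresses come from the documentation range 192.0.2.0/24.
INVENTORY = {
    "192.0.2.10": "ford.cars.aps.anl.gov",
    "192.0.2.11": "dodge.cars.aps.anl.gov",
}

# Constructed records: (peer IP seen by the server, host name sent by the client).
SAMPLE_RECORDS = [
    ("192.0.2.10", "ford.cars.aps.anl.gov"),  # consistent
    ("192.0.2.10", "ford"),                   # same machine, short name
    ("192.0.2.11", "ford.cars.aps.anl.gov"),  # name of a different machine
    ("192.0.2.99", "ford"),                   # address not in the inventory
]

def normalize(host):
    """Lower-case, trim whitespace and drop a trailing root dot."""
    return host.strip().lower().rstrip(".")

def classify(peer_ip, claimed_host):
    """Return 'match', 'short-name', 'mismatch' or 'unknown-peer'."""
    ip = str(ipaddress.ip_address(peer_ip))  # ValueError on malformed input
    expected = INVENTORY.get(ip)
    if expected is None:
        return "unknown-peer"
    claimed = normalize(claimed_host)
    if claimed == expected:
        return "match"
    # An unqualified name equal to the first label of the expected FQDN.
    if "." not in claimed and claimed == expected.split(".", 1)[0]:
        return "short-name"
    return "mismatch"

def audit(records):
    """Return every record whose claimed name is not an exact match."""
    findings = []
    for peer_ip, claimed in records:
        verdict = classify(peer_ip, claimed)
        if verdict != "match":
            findings.append((peer_ip, claimed, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(*finding)
```

A `short-name` finding means the access security database entry needs the other spelling of the same host; a `mismatch` means the string being checked does not describe the machine that connected.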