Argonne National Laboratory

Experimental Physics and
Industrial Control System

1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019  Index 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019 
<== Date ==> <== Thread ==>

Subject: Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request]
From: "Hartman, Steven M." <hartmansm@ornl.gov>
To: Benjamin Franksen <benjamin.franksen@helmholtz-berlin.de>
Cc: EPICS Tech Talk <tech-talk@aps.anl.gov>
Date: Tue, 23 Jan 2018 18:54:49 +0000
> On Jan 23, 2018, at 12:56 PM, Benjamin Franksen <benjamin.franksen@helmholtz-berlin.de> wrote:
> 
>>>> Channel Access is not intended for use in a hostile environment.
>>> 
>>> I wouldn't call a port scan hostile.
>>> 
>> 
>> True. Let me rephrase:
>> Channel Access is not intended for use in an environment where clients
>> intentionally send malformed packages.
> 
> What about pvAccess in this regard?


Without using strong encryption and robust authentication/authorization, a control system server is going to be vulnerable to hostile clients. In this regard, pvAccess is vulnerable. Network segmentation is still a necessity for pvAccess as it has been for channel access. 

pvAccess does have hooks to allow extension to include authentication/authorization. When this happens will depend upon a project or facility having the need and providing the resources or funds to implement. 

Nonetheless, a malformed packet crashing a server would be considered in bug in the server implementation and should be fixed. 

-- 
Steven Hartman
hartmansm@ornl.gov






Replies:
Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request] Michael Davidsaver
References:
Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request] Shuei YAMADA
Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request] Ralph Lange
Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request] J. Lewis Muir
Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request] Ralph Lange
Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request] Benjamin Franksen

Navigate by Date:
Prev: Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request] Benjamin Franksen
Next: Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request] Michael Davidsaver
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019 
Navigate by Thread:
Prev: Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request] Benjamin Franksen
Next: Re: Port scan with nmap causes infinite loop in casDGClient::processDG() [Re: CA gatway runs away when zero length PV name in UDP search request] Michael Davidsaver
Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  <20182019 
ANJ, 23 Jan 2018 Valid HTML 4.01! · Home · News · About · Base · Modules · Extensions · Distributions · Download ·
· Search · EPICS V4 · IRMIS · Talk · Bugs · Documents · Links · Licensing ·