Discussion: In PV-access security optionally check host names provided by client without DNS lookup #176

@goetzpf

I have found that the p4p gateway always does DNS lookups for host names given in host access groups.

I see that this is more secure than it was with EPICS 3.15 and channel access, where the gateway relied on the host name the client provided, since the client could easily fake this.

However, at our facility, the BESSY II Storage Ring at the Helmholtz-Zentrum Berlin, we currently use EPICS 3.15 with its simple host name matching and have additional security by the many networks with separate gateways. We currently do not need to add every new PC or notebook at the beamline to our DNS system or assign fixed IP numbers. Adding the host name the new PC is configured with to our configuration is sufficient.

Would it be possible to add a switch to the PVAccess gateway so it does not do DNS name lookups and simply compares the host name provided by the client, just as the CA-Gateway with EPICS 3.15 did?
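
Added example, not part of the original issue and not p4p or EPICS code: a Python sketch of the two host access group (HAG) matching modes the issue contrasts, showing what each one accepts. It assumes the DNS mode resolves each HAG name and compares the result with the connection's source address; the `trust_client_name` switch, the HAG contents and the DNS table are hypothetical, constructed values.

```python
import socket

# Constructed sample data (not from any real configuration).
HAG_BEAMLINE = {"bl-pc1", "bl-notebook7"}
SAMPLE_DNS = {"bl-pc1": ["192.0.2.10"]}  # bl-notebook7 has no DNS record


def resolve(name, dns=None):
    """Return the IPv4 addresses for a name.

    `dns` is an optional static table so the example runs offline;
    without it the system resolver is used.
    """
    if dns is not None:
        return set(dns.get(name, []))
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def match_by_dns(hag, peer_ip, dns=None):
    """DNS mode: the client's claim is ignored; only the source
    address of the connection is compared with the resolved names."""
    return any(peer_ip in resolve(name, dns) for name in hag)


def match_by_claimed_name(hag, claimed_host):
    """Claimed-name mode: the host name string sent by the client
    is compared with the HAG entries; the source address is not used."""
    return claimed_host in hag


def host_allowed(hag, peer_ip, claimed_host, trust_client_name=False, dns=None):
    """Apply one of the two modes. `trust_client_name` is a hypothetical
    switch standing in for the option requested in the issue."""
    if trust_client_name:
        return match_by_claimed_name(hag, claimed_host)
    return match_by_dns(hag, peer_ip, dns)


if __name__ == "__main__":
    # A host without a DNS record is rejected in DNS mode ...
    print(host_allowed(HAG_BEAMLINE, "192.0.2.50", "bl-notebook7", dns=SAMPLE_DNS))
    # ... and accepted when the claimed name is trusted.
    print(host_allowed(HAG_BEAMLINE, "192.0.2.50", "bl-notebook7", trust_client_name=True))
```

In claimed-name mode the decision depends only on a string the client controls, so the network separation described in the issue is what actually limits who can present a listed name.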
