[HECnet] Question for PyDECnet users

Keith Halewood Keith.Halewood at pitbulluk.org
Thu Sep 24 15:18:18 PDT 2020


Hi Paul et al.

I don't think there's any limit to the information that could/should be shown if your https connection to pydecnet's web interface is authenticated.
I assume extra line parameters encoded into a NICE message coming back could convey the actual physical details of the underlying 'line' in NCP's case?

As for security, the ports I open to let DECnet traffic through (Multinet over TCP, DDCMP over UDP, bridge over UDP), there are ACLs associated with them so that all but specific peers (individual IP addresses or small subnets) are dropped. The amount of port scanning that goes on is insane!

Keith

-----Original Message-----
From: owner-hecnet at Update.UU.SE [mailto:owner-hecnet at Update.UU.SE] On Behalf Of Paul Koning
Sent: 24 September 2020 22:16
To: <hecnet at update.uu.se> <hecnet at Update.UU.SE>
Subject: [HECnet] Question for PyDECnet users

Gentlepeople,

Currently the details of what PyDECnet circuits connect to are not displayed.  So you can see that a Multinet circuit is up and the other end is node 42.73, but you don't see the IP addresses or the like.

When things are working that's fine; when they are broken it might be helpful to see what something is trying to talk to.

On the other hand, hiding IP addresses is arguably a security feature.  So I have this question:

1. Should the addressing info (basically, what's in the --device config argument) be shown in the PyDECnet web interface?

2. Should the addressing info be visible via NCP / NML?

The difference is that #1 can be limited to be local only, if you use an internal address for the web service.  That's what I do for my nodes except for the mapper, though perhaps there isn't a strong argument why it should be so restrictive.  #2, on the other hand, is visible to all HECnet users assuming you haven't disabled NML in your config settings.

I'd be interested in comments.  Am I too concerned about hiding information, or is it sensible to be cautious?

	paul



