A Two-Tier PV Gateway for Channel Access from J-PARC Office Network to the Accelerator Control Network
Shuei Yamada, KEK/J-PARC Center, Accelerator Control Group
EPICS Collaboration Meeting June 2019, 4 Jun. 2019

J-PARC: Japan Proton Accelerator Research Complex
Joint project of KEK (High Energy Accelerator Research Organization) and JAEA (Japan Atomic Energy Agency)
Map labels: KEK, Tokyo, J-PARC (in site of JAEA) ©google
  • LINAC: 400 MeV/c @ 25 Hz
  • RCS: 3 GeV/c @ 25 Hz
  • Main Ring: 30 GeV/c @ 2.48 sec (FX to NU), @ 5.52 sec (SX to HD)
  • Neutrino Experiment Facility
  • Materials and Life Science Facility
  • Hadron Experiment Facility

Motivation: Network and Policy in J-PARC
  • "I'd like to monitor our Acc. from my office"
  • "I wish I could use the same app. as control LAN"
Diagram: Acc. Equipment (EPICS IOCs), Acc. Control LAN, DMZ, Office LAN, The Internet
Link labels: Allowed (NAT), Allowed (routing), Forbidden

Idea: 2-Tier Gateway
Diagram: CA Gateway #1, CA Gateway #2, Acc. Equipment (EPICS IOCs), Acc. Control LAN, DMZ, Office LAN
Link labels: Allowed (NAT), Allowed (routing), Forbidden
Requirements from J-PARC IT section: Operation of any devices in the control LAN shall be prohibited from the office LAN

Implementation
Diagram: CA Gateway #1 (NAT), CA Gateway #2, CA w/ TCP-only mode, Acc. Equipment (EPICS IOCs), Acc. Control LAN, DMZ, Office LAN
  • Both gateways are configured to be read-only
  • Access control by iptables on both gateways
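
A check that confirms the read-only property stated on this slide by scanning a gateway access file for any rule that grants WRITE. This is an added example, not code from the presentation or from J-PARC; it assumes the read-only setting is expressed in EPICS access security (ASG/RULE) file syntax, and the file contents and names (operators, alice, TUNING) are constructed.

```python
import re

# Constructed sample files (assumptions, not J-PARC's configuration).
READONLY_ACF = """
ASG(DEFAULT) {
    RULE(1, READ)
}
"""
WRITABLE_ACF = """
UAG(operators) { alice }
ASG(DEFAULT) {
    RULE(1, READ)
}
# This group would let the listed users write through the gateway.
ASG(TUNING) {
    RULE(1, READ)
    RULE(1, WRITE) { UAG(operators) }
}
"""

ASG_RE = re.compile(r"\bASG\s*\(\s*([^)\s]+)\s*\)")
RULE_RE = re.compile(r"\bRULE\s*\(\s*(\d+)\s*,\s*(NONE|READ|WRITE)\b")

def strip_comments(text):
    """Blank out quoted strings (CALC uses '#' as an operator), then drop '#' comments."""
    lines = (re.sub(r'"[^"\n]*"', '""', line) for line in text.splitlines())
    return "\n".join(line.split("#", 1)[0] for line in lines)

def write_rules(acf_text):
    """Return [(asg_name, level)] for every RULE that grants WRITE."""
    text = strip_comments(acf_text)
    tokens = sorted(
        [(m.start(), "asg", m) for m in ASG_RE.finditer(text)]
        + [(m.start(), "rule", m) for m in RULE_RE.finditer(text)],
        key=lambda t: t[0],
    )
    findings, current = [], None
    for _, kind, m in tokens:
        if kind == "asg":
            current = m.group(1)  # a RULE belongs to the last ASG seen
        elif m.group(2) == "WRITE":
            findings.append((current, int(m.group(1))))
    return findings

def is_read_only(acf_text):
    """True when no ASG in the file grants WRITE."""
    return not write_rules(acf_text)

if __name__ == "__main__":
    for name, acf in (("readonly", READONLY_ACF), ("writable", WRITABLE_ACF)):
        print(name, "OK" if is_read_only(acf) else write_rules(acf))
```

Running this on both gateways' access files after every configuration change catches a WRITE rule before it is deployed; the iptables rules remain a separate layer that this check does not cover.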

Hardware
  • PiNON sabataro®: Celeron J1900 (4 cores @ 2.4 GHz) / 8 GB
  • SL6 + EPICS base R3.15.5 + Gateway R2.1.0

Summary
  • A one-way gateway system was constructed, which allows Channel Access through a two-layer firewall
  • It has been in operation since Apr 2018