20010618: IDD security question

Steve,

The ldmd.conf file uses the "allow" lines to determine what
feed types a downstream LDM host may request from your server.
As long as your ECMWF data uses a feedtype that is only allowed
to your restricted set of hosts, then the LDM will appropriately
control access. You are correct that the downstream LDM's will
be responsible for their own "relaying" of the data. 

The "allow" line allows you to control by feedtype only. Eg, you cannot
restrict your downstreams to a subseting regular expression of
the feedtype. The hostname portion of the allow line lets you
specify the downstream hostname by regular expression. If you want to
limit the feed to a specific host, then be specific in the pattern-
eg, do not allow unexpected matches to wildcarding.

For example, if you are using the EXP feedtype,

allow   EXP     ^127\.90\.88\.142$
or
allow   EXP     ^host\.foo\.bar\.gov$



Steve Chiswell
Unidata User Support





>From: Ben Domenico <address@hidden>
>Organization: UCAR/Unidata
>Keywords: 200106182135.f5ILZDp07995

>Steve,
>
>I'm forwarding this note to our support staff which includes many others 
>who are more savvy about the technical details of LDM/IDD security than I 
>am.
>
>
>-- Ben
>
>--On Monday, June 18, 2001 2:10 PM -0700 Steve Hankin 
><address@hidden> wrote:
>
>> Hi Ben,
>>
>> In GODAE we have a potential situation in which we want to distribute
>> restricted (say, ECMWF) real-time data to a select group of users.  If
>> one selects only those users' machines as the downstream recipients for
>> IDD are you aware of any serious security concerns? (other than the risk
>> that those users might not honor the restrictions, of course.)
>>
>>     thanks - steve
>>
>> --
>>
>>                 |  NOAA/PMEL               |  ph. (206) 526-6080
>> Steve Hankin    |  7600 Sand Point Way NE  |  FAX (206) 526-6744
>>                 |  Seattle, WA 98115-0070  |  address@hidden
>>
>>
>
>