JoelBender / bacpypes

BACpypes provides a BACnet application layer and network layer written in Python for daemons, scripting, and graphical interfaces.
MIT License

Addendum g of the Standard #225

Open orcunelitez opened 5 years ago

orcunelitez commented 5 years ago

Hi Joel,

I hope you are well. I am new to BACnet and BACpypes really helped me understand the concepts. I would like to use the Network Security portion of the standard which is defined as Addendum g, but I couldn't find anything related to this in the source code.

1. Is there a version in which this feature is implemented?
2. Is it worth implementing this, since BACnet/SC would solve the security issues?
3. Do you have any guidelines that could help me implement this on top of the bacpypes stack?

Thank you in advance.

Regards,
Orcun

JoelBender commented 5 years ago

Welcome to the BACnet community and thank you for your interest in BACpypes.

Ah, Addendum 135-2008g, or more commonly referred to as the infamous Clause 24. I tried for many years to hire a student programmer as a summer intern for the BFR project, and I thought it would be tempting... Full time programmer, open source project, C++, etc. Every year a batch of students would review the specification and come back with "no, thank you." I think it's a regularly accepted fact right now that getting security right is hard work, and without other implementations to test against on campus I couldn't justify the amount of time it would take.

As far as I know there are only a few commercial products that support Clause 24, and those have a limited distribution. There are no open source implementations in any language (and if anyone has any pointers to ones that are, I would be delighted to be corrected). So the answer to (1) is a no.

Similarly, I think the answer to (2) is also "no", there is almost no chance that a BACpypes based application or service would run in an environment that requires the use of Clause 24. BACnet/SC solves one type of security issue, shuffling packets around, but it does not address per-device, per-service, per-object, or per-property security (see 24.8 Network Security Network Trust Levels).

If you would like to start implementing it, that would be very interesting! The BACpypes stack is designed to have layers that can be swapped in and out, and in theory you could stuff the security layer in between the network and application layers (probably just below the NetworkServiceAccessPoint and above an adapter) and probably another piece for securing the application layer when it runs over untrusted networks. These classes have to know how to dig around in NetworkSecurityObject and NetworkPortObject properties, so you'll need those as well.

For BACnet/SC, I have been planning on using websockets which gets all the details right, which is another push for me to learn async/await programming and targeting Python3.6+ and a quite different core API (like no more core module and iocb stuff turns into futures or promises or something).

If you decide to take this on, fork the project and let me know!
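The layer-swapping idea from the comment above, shown as an added stand-alone sketch that is not BACpypes code: it reimplements the Client/Server/bind pattern in miniature and inserts a filtering element between a stub application layer and a stub network layer. The `SecurityFilter` class, the allow-list of trusted source addresses, and the sample PDUs are all constructed for this example; the policy is a placeholder, not Clause 24 trust-level semantics.

```python
"""Minimal model of a layered protocol stack where a security element sits
between the application layer (top) and the network layer (bottom).
Added example; not part of BACpypes.  Names mirror the Client/Server/bind
idea only loosely."""

from dataclasses import dataclass
from typing import Iterable, List


class Client:
    """Element that sends requests downward and receives confirmations upward."""

    def __init__(self):
        self.clientPeer = None

    def request(self, pdu):
        self.clientPeer.indication(pdu)

    def confirmation(self, pdu):
        raise NotImplementedError


class Server:
    """Element that receives indications from above and sends responses upward."""

    def __init__(self):
        self.serverPeer = None

    def indication(self, pdu):
        raise NotImplementedError

    def response(self, pdu):
        self.serverPeer.confirmation(pdu)


def bind(*elements):
    """Chain elements top-down: each element's client side is bound to the
    server side of the element below it."""
    for upper, lower in zip(elements, elements[1:]):
        upper.clientPeer = lower
        lower.serverPeer = upper


@dataclass
class PDU:
    source: str
    destination: str
    data: bytes


class ApplicationStub(Client):
    """Top of the stack: records whatever the layers below hand up."""

    def __init__(self):
        super().__init__()
        self.received: List[PDU] = []

    def confirmation(self, pdu):
        self.received.append(pdu)


class NetworkStub(Server):
    """Bottom of the stack: records outbound PDUs, simulates inbound ones."""

    def __init__(self):
        super().__init__()
        self.sent: List[PDU] = []

    def indication(self, pdu):
        self.sent.append(pdu)

    def deliver(self, pdu):
        """Simulate a PDU arriving from the wire."""
        self.response(pdu)


class SecurityFilter(Client, Server):
    """Hypothetical element inserted between the two: enforces a constructed
    allow-list on inbound traffic and passes outbound traffic through."""

    def __init__(self, trusted_sources: Iterable[str]):
        Client.__init__(self)
        Server.__init__(self)
        self.trusted = set(trusted_sources)
        self.dropped: List[PDU] = []

    def indication(self, pdu):
        # Downward path: a real layer would wrap or sign here.
        self.request(pdu)

    def confirmation(self, pdu):
        # Upward path: only PDUs from trusted sources reach the application.
        if pdu.source in self.trusted:
            self.response(pdu)
        else:
            self.dropped.append(pdu)


def run_demo():
    """Build app -> filter -> net, push one PDU down and two up."""
    app, sec, net = ApplicationStub(), SecurityFilter({"10.0.0.5"}), NetworkStub()
    bind(app, sec, net)
    app.request(PDU("10.0.0.1", "10.0.0.5", b"\x00\x01"))      # outbound
    net.deliver(PDU("10.0.0.5", "10.0.0.1", b"\x10\x02"))      # trusted
    net.deliver(PDU("192.0.2.99", "10.0.0.1", b"\x10\x03"))    # untrusted
    return app.received, sec.dropped, net.sent


if __name__ == "__main__":
    received, dropped, sent = run_demo()
    print("app received:", received, "\ndropped:", dropped, "\nsent:", sent)
```

The point of the shape is that the application and network stubs never change when the filter is added or removed; only the `bind()` call does, which is what makes inserting a security element below the network service access point plausible.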

damienpicard commented 2 months ago

@JoelBender one of our clients came up with a project using BACnet/SC. If I'm not mistaken, bacpypes does not support that yet. Is that correct?

Thanks in advance!

JoelBender commented 2 months ago

@damienpicard Correct, BACpypes (legacy) will not support BACnet/SC, and the work in BACpypes3 is still in process.

damienpicard commented 2 months ago

@JoelBender thank you very much! I imagine that it is difficult for you to give us a timeline for support for BACnet/SC in bacpypes3?