Subaru IP address allocation and PFS network exposure.

This ticket is mostly for Subaru commissioning, and needs to be addressed by Subaru.

As it stands, Subaru has assigned PFS a /25 (510 IP addresses) inside the Subaru summit network (133.40.something).

PFS instrument development has to this point put all PFS hosts inside a 10.1/16 private network, with a single host routing between the two. Besides that, the gateway host applies very tight incoming and outgoing firewall rules. An internal PFS host provides DHCP, DNS, PXE, and TFTP to the PFS hosts.

The internal DHCP/DNS names are used to set the per-camera and per-spectrograph identities of the software running on those hosts: the DHCP configuration is the only place where per-camera bindings need to be kept. The DNS names are all in the .pfs domain.

As I understand it, PFS has a single top-level L2 switch in CB, and one at IR4. Those connect to an observatory switch.

Without discussing how we finally tie the Observatory and PFS networks together, I'd like to ask for some clarification:

• Can PFS in general stick to this addressing plan (10.1/16 internal, with a few hosts also on the summit.subaru.nao.ac.jp network)?
• If not, can we keep most of the PFS hosts inaccessible from outside the instrument? Many of these are unsecured embedded devices, or devices whose (Linux) OS we will prefer to freeze rather than keep up-to-date.
• If not, can we continue to provide internal DHCP and DNS service? This could be a significant factor in commissioning and maintenance.
• If we can, which hosts does the observatory want direct access to? The gateway machine can certainly map some number of 133.40 addresses to internal addresses.