[Info-vax] Still no IPSEC for TCP/IP services?
Dirk Munk
munk at home.nl
Tue May 22 03:23:02 EDT 2012
Steven Underwood wrote:
>
>
> "Dirk Munk" wrote in message
> news:4797c$4fbac358$5ed43999$22551 at cache60.multikabel.net...
>
>> I'm planning to set up a couple of new OpenVMS systems, and I was
>> thinking of using IPSEC as well. I was amazed to find that IPSEC is
>> not included in the present version of TCP/IP services. It was
>> included in the Early Adopters Kit for TCP/IP services 5.7 in 2007
>> (!!!!), but it never made it to the final version and wasn't added
>> later on.
>>
>> As far as I know IPSEC is a mandatory part of IPv6, so the IPv6 stack
>> of TCP/IP services isn't complete either. It may well be that there is
>> more modern functionality missing in the IPv6 stack.
>>
>> Does anyone know what happened, why was HP not capable of producing a
>> fully functional IPSEC stack in 5 years' time? Even Windows Vista has
>> IPSEC........
>
> Dirk: The EAK is still the only version of IPSEC as far as I have heard.
> There are very few people (one other, really) asking for it. Your
> arguments mirror his.
>
> I personally have no use for IPSEC or IPv6 on VMS or not. That also
> seems to be the general consensus I have seen here toward IPv6 and IPSEC on VMS.
>
> Steven Underwood

Thanks Steve.

I never liked IP anyway. It seems to be one enormous hobby project where
lots of people and groups are producing solutions for many different
problems without any conceptional thinking. The result is mountains of
RFCs.

Encryption is a prime example. If you want to keep your data
communication secret then you will need encryption. But if you want to
encrypt your data transport between two nodes, then it looks obvious to
me that you should want to encrypt all data, and IPSEC does just that
for IP traffic.

Instead we are using products like SSH, which adds a secure kind of
telnet, and a secure kind of FTP (SFTP and SCP). SSH does not encrypt
telnet and FTP traffic because that would have been a logical approach,
no it replaces telnet and FTP. And now we have encrypted DECNET over IP
using SSH! You can imagine how I think about this "solution".

With IPSEC we could have encrypted all IP data, including DECNET over IP
and IP cluster.

With regard to IPv6, it has been clear for more than 10 years now that
we will need that because the internet is running out of IPv4 address
space. Not only that, but many of the IPv6 protocols have been
significantly improved compared to their IPv4 counterparts.

You might think that by now the whole IPv6 concept has been thought
through and is ready for implementation. But no, this is not the case.

As you know all kinds of devices in your home can get a world-wide unique
IPv6 address. That works, but I'm sure you don't want to get to the web
page of your washing machine by using its IPv6 address directly. No, you
want to use the DNS name of your washing machine. Alas, no one thought
about that. Who is responsible for the DNS names, where to store them,
we don't know. There is one draft RFC dated March 2012 (!!) that starts
to deal with this problem.

In my view this shows the total lack of conceptional thinking in the IP
world. But hey, it's a Unix protocol!!!

By the way, I'm using IPv6 over a tunnel, and I have been doing so for
several years now. This year my ISP will implement IPv6, but they should
have done that years ago.