[Info-vax] Still no IPSEC for TCP/IP services?

Johnny Billquist bqt at softjar.se
Tue May 22 11:32:38 EDT 2012


On 2012-05-22 00:23, Dirk Munk wrote:
> Steven Underwood wrote:
>>
>>
>> "Dirk Munk" wrote in message
>> news:4797c$4fbac358$5ed43999$22551 at cache60.multikabel.net...
>>
>>> I'm planning to set up a couple of new OpenVMS systems, and I was
>>> thinking of using IPSEC as well. I was amazed to find that IPSEC is
>>> not included in the present version of TCP/IP services. It was
>>> included in the Early Adopters Kit for TCP/IP services 5.7 in 2007
>>> (!!!!), but it never made it to the final version and wasn't added
>>> later on.
>>>
>>> As far as I know IPSEC is a mandatory part of IPv6, so the IPv6 stack
>>> of TCP/IP services isn't complete either. It may well be that there is
>>> more modern functionality missing in the IPv6 stack.
>>>
>>> Does anyone know what happened, why was HP not capable of producing a
>>> fully functional IPSEC stack in 5 years' time? Even Windows Vista has
>>> IPSEC........
>>
>> Dirk: The EAK is still the only version of IPSEC as far as I have heard.
>> There are very few people (one other, really) asking for it. Your
>> arguments mirror his.
>>
>> I personally have no use for IPSEC or IPv6 on VMS or not. That also
>> seems to be the general consensus I have seen here toward IPv6 and IPSEC on
>> VMS.
>>
>> Steven Underwood
>
> Thanks Steve.
>
> I never liked IP anyway. It seems to be one enormous hobby project where
> lots of people and groups are producing solutions for many different
> problems without any conceptual thinking. The result is mountains of
> RFCs.
>
> Encryption is a prime example. If you want to keep your data
> communication secret then you will need encryption. But if you want to
> encrypt your data transport between two nodes, then it looks obvious to
> me that you should want to encrypt all data, and IPSEC does just that
> for IP traffic.
>
> Instead we are using products like SSH, which adds a secure kind of
> telnet, and a secure kind of FTP (SFTP and SCP). SSH does not encrypt
> telnet and FTP traffic because that would have been a logical approach,
> no it replaces telnet and FTP. And now we have encrypted DECNET over IP
> using SSH! You can imagine how I think about this "solution".
>
> With IPSEC we could have encrypted all IP data, including DECNET over IP
> and IP cluster.
>
> With regard to IPv6, it has been clear for more than 10 years now that
> we will need that because the internet is running out of IPv4 address
> space. Not only that, but many of the IPv6 protocols have been
> significantly improved compared to their IPv4 counterparts.
>
> You might think that by now the whole IPv6 concept has been thought
> through and is ready for implementation. But no, this is not the case.
> As you know all kinds of devices in your home can get a world-wide unique
> IPv6 address. That works, but I'm sure you don't want to get to the web
> page of your washing machine by using its IPv6 address directly. No, you
> want to use the DNS name of your washing machine. Alas, no one thought
> about that. Who is responsible for the DNS names, where to store them,
> we don't know. There is one draft RFC dated March 2012 (!!) that starts
> to deal with this problem.
>
> In my view this shows the total lack of conceptual thinking in the IP
> world. But hey, it's a Unix protocol!!!
>
> By the way, I'm using IPv6 over a tunnel, and I have been doing so for
> several years now. This year my ISP will implement IPv6, but they should
> have done that years ago.

Not sure what you are talking about. DNS for IPv6 has been around for
years, and is no different than for IPv4. It works, and has been
working for over 10 years. I have DNS names for IPv6 machines, and have
had them for over 10 years. And some major internet sites have also served
over IPv6 for quite some time (such as Google).

And the whole IP thing is not much of a hobby project, but government 
sponsored, and started by the US military. There is a reason why it was 
called ARPAnet back in ancient times... And remnants of that can still 
be seen sometimes (such as in how reverse DNS lookups work, or why the 
class A network 10 is private space.)

	Johnny


