[Info-vax] Still no IPSEC for TCP/IP services?

Dirk Munk munk at home.nl
Tue May 22 13:28:30 EDT 2012


Johnny Billquist wrote:
> On 2012-05-22 00:23, Dirk Munk wrote:
>> Steven Underwood wrote:
>>>
>>>
>>> "Dirk Munk" wrote in message
>>> news:4797c$4fbac358$5ed43999$22551 at cache60.multikabel.net...
>>>
>>>> I'm planning to set up a couple of new OpenVMS systems, and I was
>>>> thinking of using IPSEC as well. I was amazed to find that IPSEC is
>>>> not included in the present version of TCP/IP services. It was
>>>> included in the Early Adopters Kit for TCP/IP services 5.7 in 2007
>>>> (!!!!), but it never made it to the final version and wasn't added
>>>> later on.
>>>>
>>>> As far as I know IPSEC is a mandatory part of IPv6, so the IPv6 stack
>>>> of TCP/IP services isn't complete either. It may well be that there is
>>>> more modern functionality missing in the IPv6 stack
>>>>
>>>> Does any one know what happened, why was HP not capable of producing a
>>>> full functional IPSEC stack in 5 years time? Even Windows Vista has
>>>> IPSEC........
>>>
>>> Dirk: The EAK is still the only version of IPSEC as far as I have heard.
>>> There are very few people (one other, really) asking for it. Your
>>> arguments mirror his.
>>>
>>> I personally have no use for IPSEC or IPv6 on VMS or not. That also
>>> seems to be the general consensus I have seen here toward IPv6 and IPSEC on
>>> VMS.
>>>
>>> Steven Underwood
>>
>> Thanks Steve.
>>
>> I never liked IP anyway. It seems to be one enormous hobby project where
>> lots of people and groups are producing solutions for many different
>> problems without any conceptual thinking. The result is mountains of
>> RFCs.
>>
>> Encryption is a prime example. If you want to keep your data
>> communication secret then you will need encryption. But if you want to
>> encrypt your data transport between two nodes, then it looks obvious to
>> me that you should want to encrypt all data, and IPSEC does just that
>> for IP traffic.
>>
>> Instead we are using products like SSH, which adds a secure kind of
>> telnet, and a secure kind of FTP (SFTP and SCP). SSH does not encrypt
>> telnet and FTP traffic because that would have been a logical approach,
>> no it replaces telnet and FTP. And now we have encrypted DECNET over IP
>> using SSH! You can imagine how I think about this "solution".
>>
>> With IPSEC we could have encrypted all IP data, including DECNET over IP
>> and IP cluster.
>>
>> With regard to IPv6, it has been clear for more than 10 years now that
>> we will need that because the internet is running out of IPv4 address
>> space. Not only that, but many of the IPv6 protocols have been
>> significantly improved compared to their IPv4 counterparts.
>>
>> You might think that by now the whole IPv6 concept has been thought
>> through and is ready for implementation. But no, this is not the case.
>> As you know all kind of devices in your home can get a world-wide unique
>> IPv6 address. That works, but I'm sure you don't want to get to the web
>> page of your washing machine by using its IPv6 address directly. No, you
>> want to use the DNS name of your washing machine. Alas, no one thought
>> about that. Who is responsible for the DNS names, where to store them,
>> we don't know. There is one draft RFC dated March 2012 (!!) that starts
>> to deal with this problem.
>>
>> In my view this shows the total lack of conceptual thinking in the IP
>> world. But hey, it's a Unix protocol!!!
>>
>> By the way, I'm using IPv6 over a tunnel, and I have been doing so for
>> several years now. This year my ISP will implement IPv6, but they should
>> have done that years ago.
>
> Not sure what you are talking about. DNS for IPv6 has been around for
> years, and is no different than for IPv4. It works, and has been
> working for over 10 years. I have DNS names for IPv6 machines, and have
> had them for over 10 years. And some major internet sites have also served
> over IPv6 for quite some time (such as Google).

Yes of course DNS for IPv6 exists, that's not the point. And by the way 
I'm using it. But how do you want to populate DNS with the equipment in 
your home? I suppose you have a router at home. Only the IP address of 
the WAN port of that router is known to the internet and will have some 
cryptic DNS name from your ISP. You may have added a more understandable 
alias name like johnny.dyndns.org , and your router will make sure that 
this alias is always kept updated with the present IP address of the 
router. But how and where do you want to add entries for the devices on 
your home LAN? And which devices do you want to make public? And which 
IPv6 addresses do you want to use? It has been suggested that you use 
Unique Local Addresses (fd00:) on your internal LAN (and DNS) and Global 
addresses (2001: etc.) if the device has to be reached from the 
internet. So a device can be reached with two addresses and maybe DNS 
names at the same time. And yes, I know a device can have many IPv6 addresses.

So the whole matter is not as simple as it may seem at first.

>
> And the whole IP thing is not much of a hobby project, but government
> sponsored, and started by the US military. There is a reason why it was
> called ARPAnet back in ancient times... And remnants of that can still
> be seen sometimes (such as in how reverse DNS lookups work, or why the
> class A network 10 is private space.)

I know all that, but these days the US military hasn't much to do with 
IP. I don't think SoHo routers have anything to do with the military.

>
> Johnny

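Added example (not part of the original thread, and not anything from TCP/IP Services or any product mentioned above): the two-address arrangement Dirk describes, ULA addresses in the internal LAN DNS and global addresses only for devices that are meant to be reachable from the internet, written out as a small Python script that sorts a constructed device inventory into an internal and an external zone. The device names, the fd12:3456:789a::/48 ULA prefix, the 2001:db8::/32 documentation prefix and the zone names home.arpa. and example.net. are all assumptions made for the example; the classification itself uses the standard fc00::/7 (ULA) and 2000::/3 (global unicast) ranges.

```python
import ipaddress
from typing import Dict, List, Tuple

# Prefixes used to decide where an address may appear.
ULA = ipaddress.ip_network("fc00::/7")             # RFC 4193 unique local addresses (fd00::/8 in practice)
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # globally routable unicast space (2001:... etc.)

# Constructed inventory of home-LAN devices. Names and addresses are made up;
# the global addresses use the 2001:db8::/32 documentation prefix.
# "public" records the owner's decision whether the device may be reachable
# from the internet at all.
DEVICES: List[Dict] = [
    {"name": "washer",  "addrs": ["fd12:3456:789a:1::10", "2001:db8:abcd:1::10"], "public": False},
    {"name": "nas",     "addrs": ["fd12:3456:789a:1::20", "2001:db8:abcd:1::20"], "public": True},
    {"name": "printer", "addrs": ["fd12:3456:789a:1::30", "fe80::1"],              "public": True},
]

Record = Tuple[str, str, str]  # (owner name, RR type, address)


def classify(addr: str) -> str:
    """Return 'ula', 'global' or 'other' (link-local, multicast, ...) for an IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip in ULA:
        return "ula"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def build_zones(devices: List[Dict],
                internal_zone: str = "home.arpa.",   # assumed internal zone name
                external_zone: str = "example.net."  # assumed public zone name
                ) -> Tuple[List[Record], List[Record], List[str]]:
    """Split each device's addresses between an internal and an external DNS view.

    Internal view: ULA addresses only, for every device.
    External view: global addresses only, and only for devices marked public.
    Anything else (link-local and so on) is never published anywhere.
    Returns (internal_records, external_records, warnings).
    """
    internal: List[Record] = []
    external: List[Record] = []
    warnings: List[str] = []
    for dev in devices:
        has_global = False
        for addr in dev["addrs"]:
            kind = classify(addr)
            canonical = str(ipaddress.IPv6Address(addr))
            if kind == "ula":
                internal.append((f'{dev["name"]}.{internal_zone}', "AAAA", canonical))
            elif kind == "global":
                has_global = True
                if dev["public"]:
                    external.append((f'{dev["name"]}.{external_zone}', "AAAA", canonical))
            # link-local and other scopes are deliberately dropped
        if dev["public"] and not has_global:
            warnings.append(f'{dev["name"]}: marked public but has no global address, '
                            f'nothing published externally')
    return internal, external, warnings


if __name__ == "__main__":
    internal, external, warnings = build_zones(DEVICES)
    print("; internal view")
    for owner, rrtype, addr in internal:
        print(f"{owner} IN {rrtype} {addr}")
    print("; external view")
    for owner, rrtype, addr in external:
        print(f"{owner} IN {rrtype} {addr}")
    for w in warnings:
        print("; warning:", w)
```

The point of the check at the end of the loop is the case Dirk raises: a device the owner wants reachable from the internet but which only has a ULA (or link-local) address gets a warning rather than a silently useless record, and the external view can never contain a ULA or link-local address whatever the inventory says.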