[Info-vax] Still no IPSEC for TCP/IP services?

Wed May 23 13:39:09 EDT 2012

On May 23, 3:24 am, Dirk Munk <m... at home.nl> wrote:
> Doug Phillips wrote:
...
<snip>
...

Before we go further let me say that I *do* understand your points. I
agree that (DEC/CPQ/HPQ) TCP/IP for OpenVMS (UCX) is an incomplete
product. I don't know why HP has delayed the IPsec release. If you
have VMS 8.3 or later with HP TCP/IP and you look at this web page
you'd think you already have everything:

< http://h71000.www7.hp.com/openvms/security.html >

My point is, if you must use VMS and you need to do something that HP
doesn't provide, then you have to find another way to do it.

Your choices are to either roll-your-own, bang your head against the
wall or use a 3rd party product. I believe MultiNet is a much better
product (than UCX), and I know there are fairly inexpensive appliances
that provide secure networking.

That said:

> > How are your nodes connected to the internet? Enterprise class devices
> > that I know of come with IPsec and are made to do exactly what you're
> > asking: securely connect sites by encrypting data at the OSI Internet
> > Layer (i.e., they use IPsec).
>
> It is not just for servers connected to the internet. Many large
> organizations demand encryption within their own network. In these
> organizations the network stuff is usually done by another group of
> people which means that setting up an encrypted connection would involve
> quite a lot of people. Believe me, you don't want to do that if possible.
>

IPsec is best used for full network VPN connections (because that's
what it provides!). Network security is never a picnic to support.
Every organization is different, but most security-driven
organizations that I know of require the "network people" to be
involved with anything/everything that happens on the network, and
they especially need to know what encrypted traffic is authorized on
the network.

>
>
> > What do your mobile or off-site users need to do? All off-site users
> > don't need IPsec, but, the last I looked an IPsec capable Home&  SB
> > router can be bought for $100 - $200 or less. SSL, if you haven't
> > looked lately, is gaining capability.  Do you need IPsec protecting
> > your server from your intranet? Buy an inexpensive appliance that's
> > made to do that. One benefit: no CPU cycles will be used.
>
> The CPU cycles argument is an interesting point. IPsec works directly on
> IP, so it is situated between IP and the higher layers like TCP and UDP.
> All high end NICs have a TCP offload engine, and that would mean that
> the NIC should do the IPsec work as well. Sending the received data from
> IP to the IPsec layer in software and then back to the NIC for the TCP
> offload engine is rather silly. The alternative is that TCP and iSCSI
> are not handled by the NIC but instead by the TCP/IP stack of the system.
>

For node-to node or network-to-network VPN's a specialized device will
do it with less overhead than a software stack. If an IPsec offload
NIC or an appliance does the encryption/decryption, it's just one more
job that it's been specifically designed to do. Either should be able
do the job much more efficiently than the software stack and, IMO,
both are usually easier to manage than the stack. WAN or Extended/
External LAN will always need special devices anyway, so why not let
them add the overhead and keep it off of the intranet. I don't see
anything silly.

Wire (or fiber) LAN connections can be physically secured. Local
traffic security is often more application specific and it can be
secured at a higher layer so other methods might be better. OpenSSL
does SSL v2/3 TLS v1. I don't have the latest version of HP TCP/IP so
I don't know if it has the latest OpenSSL or not, or how well it
works.

There are pros and cons to every encryption method and different ways
to implement each.

>
>
> > Why spend millions (or even thousands) to develop something that
> > competes with a relatively inexpensive appliance?
>
> It has been developed, it just has to be finished and released.

So, unfortunately, we either need to seek other solutions or find a
voice loud enough to get through to the right people.