[Info-vax] Software does wear out, was: Re: Raid Controller in I64 ans Alpha(MSA$UTIL)
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Mon Dec 2 21:17:08 EST 2013
On 2013-12-03 00:59:26 +0000, Simon Clubley said:
> It seems now from what you are saying that this DPI capability, at
> emulated NIC level, still doesn't exist.
I've not encountered anything similar with any of the emulators, though
it might exist. Given the privileged network access available to the
emulators, it's certainly possible to implement that, and would be
feasible to implement a firewall or similar.
DPI can easily run afoul of SSL/TLS. Given an OpenVMS app using
SSL/TLS, the emulator would need to MiTM the connection and could not
just peek into packets, as the emulator won't otherwise have access to
the encrypted data.
It is probably easier to just MiTM various network connections outboard
of the emulator or the OpenVMS host, without tying that operation
directly into the emulator.
MiTM works if you have the necessary certificates, and if your clients
aren't pinned, or if the pinning can be adjusted.
<http://mitmproxy.org>
<http://www.doubleencore.com/2013/03/ssl-pinning-for-increased-app-security/>
<https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning>
For various reasons, a VPN can be more convenient, and can provide a
mechanism to protect an insecure network connection, or a host that
isn't hardened.
I'm well ensconced in the "bits rot" camp, particularly given the
complexity of the environment involved. Technically, the bits don't
and won't ever rot. But devices change, timings can change, needs and
loads and scale and scope can change, and the resulting failures from
latent bugs or inherent limits or whatever you want to call these
misfeatures can be little different from rot. VMS itself has had bugs
latent for 20+ years, and in code paths that do get heavily exercised,
too.
--
Pure Personal Opinion | HoffmanLabs LLC
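The pinning check the post refers to, as an added example that is not part of the original message: it extracts the SubjectPublicKeyInfo from a DER certificate with a minimal DER walker, derives the OWASP/HPKP-style pin-sha256 value, and compares it against a pinned set, so a proxy certificate with a different key is rejected even if its CA is trusted. The certificate used below is a constructed, unsigned skeleton, not a real one; in practice the input is what `ssl.SSLSocket.getpeercert(binary_form=True)` returns after normal chain validation.

```python
import base64
import hashlib

def _tlv(b: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = b[pos], b[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(b[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER bytes of SubjectPublicKeyInfo inside an X.509 cert."""
    _, pos, _ = _tlv(cert_der, 0)                       # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)                     # TBSCertificate SEQUENCE
    if _tlv(cert_der, pos)[0] == 0xA0:                  # optional [0] version
        pos = _tlv(cert_der, pos)[2]
    for _ in range(5):    # serialNumber, signature, issuer, validity, subject
        pos = _tlv(cert_der, pos)[2]
    tag, _, end = _tlv(cert_der, pos)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    return cert_der[pos:end]

def spki_pin_sha256(cert_der: bytes) -> str:
    """base64(SHA-256(SPKI)), the pin-sha256 form used by HPKP and OWASP."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def verify_pin(cert_der: bytes, pinned: set) -> bool:
    """Run after normal chain validation on the leaf's DER bytes. A MiTM proxy's
    leaf, even if signed by a CA the OS trusts, carries a different key."""
    return spki_pin_sha256(cert_der) in pinned

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; used here only to build a constructed test certificate."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def constructed_cert(spki: bytes) -> bytes:
    """Constructed, unsigned X.509 DER skeleton (not a real certificate) around spki."""
    seq = lambda b: der(0x30, b)
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")          # version v3, serial
           + seq(der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + seq(b"") + seq(b"") + seq(b"") + spki)                    # issuer, validity, subject
    return seq(seq(tbs) + seq(b"") + der(0x03, b"\x00"))               # + sigAlg, signature

# Constructed EC-style SPKI (not a real key) and the pin a client would ship for it.
TEST_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                      + der(0x03, b"\x00\x04" + b"\x11" * 200))
TEST_PIN = spki_pin_sha256(constructed_cert(TEST_SPKI))
```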