[Info-vax] Rethinking DECNET ?
Johnny Billquist
bqt at softjar.se
Tue Sep 2 07:42:40 EDT 2014
On 2014-09-02 11:36, Jan-Erik Soderholm wrote:
> Johnny Billquist wrote 2014-09-02 11:25:
>> On 2014-09-01 23:45, Dirk Munk wrote:
>>> David Froble wrote:
>>>>
>>>> And therein lies the problem. HP's TCP/IP on VMS does not support
>>>> IPsec. Remember, this is c.o.v ....
>>>>
>>>> Personally, I think IPsec is great. I haven't paid much attention to
>>>> any security flaws, since as a VMS user, it would not matter to me.
>>>
>>> You're right, and that is why I'm of the opinion that getting the IPv4
>>> and IPv6 stacks (incl. IPsec) in order is one of the most important
>>> tasks now.
>>>
>>> Yes, IPv6 too. It is gaining momentum, Belgium is world record holder
>>> with 30% of all internet connections having IPv6, and the percentage is
>>> rising quite fast.
>>>
>>> I will go further than that, in my opinion IPsec should be mandatory for
>>> a VMS cluster with cluster traffic over IP. At the moment IP cluster
>>> traffic can be encrypted with SSH (AFAIK). Of course it should have been
>>> IPsec from the beginning, SSH is a hobby solution compared with IPsec.
>>
>> Well, if VMS gets IPv6, then it will get IPsec, since that is
>> mandatory for IPv6...
>>
>> Johnny
>>
>
> Note that RFC6434 (replaced RFC 4294) changed the wording from
> MUST to SHOULD (that is, from REQUIRED to RECOMMENDED).
>
> Previously, IPv6 mandated implementation of IPsec and recommended the
> key management approach of IKE. This document updates that
> recommendation by making support of the IPsec Architecture [RFC4301]
> a SHOULD for all IPv6 nodes...
>
> This document recognizes that there exists a range of device types
> and environments where approaches to security other than IPsec can be
> justified. For example, special-purpose devices may support only a
> very limited number or type of applications, and an application-
> specific security approach may be sufficient for limited management
> or configuration capabilities. Alternatively, some devices may run
> on extremely constrained hardware (e.g., sensors) where the full
> IPsec Architecture is not justified.
>
>
> So saying "mandatory" is, as far as I understand, not fully correct.
Ah. Thanks for the follow up. I did not know they had changed it. Still,
I would expect that an IPv6 implementation for VMS would include IPsec.
Johnny
--
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: bqt at softjar.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol