[Info-vax] Rethinking DECNET ?

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Tue Sep 2 08:43:47 EDT 2014


On 2014-09-01 19:05:59 +0000, David Froble said:

> And there-in lies the problem.  HP's TCP/IP on VMS does not support 
> IPsec.  Remember, this is c.o.v ....

There was an IPSec beta for VMS 
<http://h71000.www7.hp.com/openvms/products/ipsec/index.html>, and it 
looks like the IPSec bits are still present in the kit, though not 
documented and not supported for any of various reasons.  I see the DCL 
command procedure TCPIP$IPSEC_STARTUP.COM present on a system that's 
never had the IPSec beta installed, for instance.

> Personally, I think IPsec is great.  I haven't paid much attention to 
> any security flaws, since as a VMS user, it would not matter to me.

The beta wasn't as easy to set up and to use as I would have preferred, 
but then that's been a concern of mine with most of the TCP/IP Services 
user interfaces, and with VMS management in general as compared with 
other current platforms.   (Prolonged exposure to OS X has undoubtedly 
skew[er]ed my perceptions here, of course.)   In general, the IPSec EAK 
seemed rather more like an early proof-of-concept than a beta, with PSK 
support and not with certificates, and with some other details.  But 
that's why you might call it an EAK, after all.

The whole of the TCP/IP Services stack is due for a look and a user 
interface overhaul and various updates, with overhauling the OpenVMS 
CDSA public key encryption and authentication support, and all that and 
more.  More?  There's a push for STARTTLS in SMTP MAIL, for instance — 
this is how a mail server switches from unencrypted to encrypted 
traffic on an established server-to-server connection 
<http://en.wikipedia.org/wiki/STARTTLS>, and TCP/IP Services SMTP lacks 
other features such as the submission port and SSL/TLS encrypted POP 
and IMAP support.  syslog or syslog-ng.   IPv6 addressing doesn't deal 
with subnets, IIRC — one of the folks slammed into some no-longer-valid 
assumptions in the IPv6 configuration.   It'd be nice to have COPY 
/SFTP, too.

There's more than a little basic work available in TCP/IP Services and 
its VMS integration, and that's before looking at potential 
enhancements such as re-rolling Phase V and/or embedding an IP-capable 
FAL-ish client into VMS for use by RMS and DCL.

On no evidence, I'd guess that (more) customers would probably want 
feature updates to the command line and DECwindows mail clients (for 
encryption, for better-integrated MIME support, for viewing attached 
PDF files, etc), encrypted ports (if you want to have VMS as a "trusted 
mail server", you want to have SSL/TLS mail support), or for than would 
want FAL-IP support for RMS and DCL, for instance.

As Hein alluded and beyond the x86-64 port and outside of advanced 
development work hopefully on the docket, a successful VSI will always 
have an unachievable list of VMS and layered product bits to fix and to 
update.  They'll have far too few staffers, and the same budgetary 
limitations as most any other company.  This means they're going to 
prioritize features that will keep or will attract customers, and 
particularly which features they can achieve on their available 
schedule that'll provide the biggest benefit to their customers.  
(Moving to a continuous software release process would probably melt 
VMS brains, but that's another discussion.)  Hopefully, overhauls for 
usability and for capabilities will be included here, as you can either 
hack more stuff into the existing and limited SYSUAF world and a 
gazillion private places (for instance) and dig yourself deeper into 
API gridlock and into ever-deeper technical debt, or you can 
occasionally rework and migrate and overhaul; to more fully integrate 
with LDAP and Kerberos, for instance.

There are always trade-offs with an operating system.

VSI is always going to be looking to be and to stay profitable.  That's 
Poulson and particularly then x86-64 support, too.

That written, I do hope VSI breaks some of the existing interfaces, 
breaks some compatibility, and ploughs in and fixes some of the 
longstanding bugs and misfeatures in VMS, too.



-- 
Pure Personal Opinion | HoffmanLabs LLC



