[Info-vax] DECnet Phase IV and VMS code comments

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Mon Nov 21 13:49:14 EST 2016


On 2016-11-21, David Froble <davef at tsoft-inc.com> wrote:
> Simon Clubley wrote:
>> The reason I've been asking about DECnet Phase IV recently is
>> because I decided to explore it a little bit from the security
>> point of view. I didn't expect to find anything major in the
>> limited time I allocated for this and sure enough I didn't.
>> 
>> However, I did find something unusual which while not an obvious
>> security issue caused me a little concern because it does raise
>> questions about the level of checking in the VMS networking code.
>> 
>> What I have discovered is that DECnet blindly trusts what it is
>> being told about the originating address, even when that information
>> cannot possibly be valid. For example, when the target node is 1.1,
>> then the target node trusts (and processes) an incoming packet which
>> also claims to be 1.1 instead of instantly dropping it.
>
> Without getting into the rest of your post, DECnet can be used for task to task 
> communications in the same system.  At least, that's what I remember from the 
> dim past while using it on RSTS/E.
>
> So, yeah, node 1.1 getting a connection from another task on node 1.1 should be 
> valid.  Now, if DECnet can determine that the connection came from another node, 
> (the lack of which seems to be your issue), then such a connection should be 
> considered a problem.  Perhaps not for handling the connection, but surely a 
> problem with network configuration.
>

Any decent network stack should be able to validate an incoming packet
based on its origin. That's the core issue here and is what allows an
internal connection on a node to loop back to itself while also at the
same time dropping external packets which claim to be coming from itself.

Under no circumstances _whatsoever_ should an external node be able to
pretend to be the target node and be able to get away with it.

The lowest levels of the DECnet code should have hard dropped those
packets the moment they saw the external packet had the same source
address as their node's address and it's more than a little unsettling
that they didn't.

It's a basic security countermeasure and something which I would expect
to be implemented in every network stack written today, regardless of
protocol, as a routine measure.

The concern here is not so much DECnet Phase IV (which isn't exactly
secure to begin with by today's standards) but more if the same types
of expected checks are missing elsewhere and in areas that it might
actually matter to system security.

> Not sure what you're looking at, I can also use sockets for task to task 
> communications on the same system?

As explained above, that's not the issue here.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
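An added illustration (not code from this thread or from VMS/DECnet) of the origin check argued for above: a packet carrying the node's own address is accepted only on the local task-to-task path and dropped on any external circuit. It assumes the Phase IV 16-bit area/node address encoding; the circuit name and the sample traffic are constructed.

```python
"""Source-address sanity check of the kind the post says a DECnet Phase IV
stack should perform (added illustration, not VMS/DECnet code)."""
from dataclasses import dataclass

AREA_MAX, NODE_MAX = 63, 1023


def parse_phase4_address(text: str) -> int:
    """Convert 'area.node' to the 16-bit Phase IV form: area in the top
    6 bits, node number in the low 10 bits (so 1.1 -> 0x0401)."""
    area_s, node_s = text.split(".")
    area, node = int(area_s), int(node_s)
    if not (1 <= area <= AREA_MAX and 1 <= node <= NODE_MAX):
        raise ValueError(f"invalid Phase IV address {text!r}")
    return (area << 10) | node


def format_phase4_address(addr: int) -> str:
    return f"{addr >> 10}.{addr & 0x3FF}"


@dataclass(frozen=True)
class Packet:
    source: int    # 16-bit Phase IV source address carried in the packet
    ingress: str   # "loopback" for task-to-task on this node, else circuit name


def accept_packet(own_address: int, pkt: Packet) -> tuple[bool, str]:
    """Return (accept, reason). Local task-to-task traffic legitimately carries
    our own address and arrives via loopback; the same source address on an
    external circuit cannot be valid and is dropped before further processing."""
    if pkt.source == own_address:
        if pkt.ingress == "loopback":
            return True, "local task-to-task connection"
        return False, (f"dropped: packet on circuit {pkt.ingress} claims our "
                       f"own address {format_phase4_address(own_address)}")
    return True, "remote source"


def filter_packets(own: str, packets: list[Packet]) -> list[tuple[bool, str]]:
    own_address = parse_phase4_address(own)
    return [accept_packet(own_address, p) for p in packets]


if __name__ == "__main__":
    # Constructed traffic for node 1.1 ("QNA-0" is an assumed circuit name):
    # a loopback connection, a spoofed external packet, an ordinary remote one.
    sample = [Packet(parse_phase4_address("1.1"), "loopback"),
              Packet(parse_phase4_address("1.1"), "QNA-0"),
              Packet(parse_phase4_address("1.2"), "QNA-0")]
    for pkt, (ok, why) in zip(sample, filter_packets("1.1", sample)):
        print(f"{format_phase4_address(pkt.source):>6} via {pkt.ingress:8} "
              f"-> {'accept' if ok else 'drop'} ({why})")
```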