[Info-vax] What would you miss if DECnet got the chop? Was: "bad select 38" (OpenSSL on VMS)

[David Froble]

Stephen Hoffman wrote:
> On 2016-10-06 22:04:01 +0000, Dirk Munk said:
> 
>> Stephen Hoffman wrote:
>>> On 2016-10-06 14:53:14 +0000, Dirk Munk said:
>>>
>>>> Stephen Hoffman wrote:
>>>>> On 2016-10-06 07:25:24 +0000, Dirk Munk said:
>>>>>
>>>>>> Well then, let me give you a very good reason to scrap....
>>>>>
>>>>> Get off of DECnet.
>>>>
>>>> The nice thing about DECnet Phase V over IP is that you can use IP DNS
>>>> names and thus IP addresses.
>>>>
>>>> So dir vsi.com::dka0: works in DECnet Phase V.
>>>>
>>>> Build a replacement in pure IP, and tell us when it's ready.
>>>
>>> DIRECTORY /FTP works fine without DECnet, and supports domain names.  
>>> Available since V6.2.
>>>
>>> SFTP support, a decent client for SMB, and, yes, IP-based FAL-like 
>>> support would be nice.  Particularly with encryption and authentication.
>>>
>>> But DECnet is still dead.
>>
>> So the bottom line is that DECnet is dead, but 40 year old DECnet has 
>> functionality that today's IP can not offer to VMS. Or am I wrong?
> 
> That train left the station ~twenty years ago, too.

Yep

> It became clear to 
> the die-hard DEC DECnet folks that DECnet and OSI were not the path the 
> industry was following.    As much as I'd prefer to see DEC having been 
> right, following that approach — what you're still trying to do — 
> directly led OpenVMS networking to be in such a deep hole, too.

Yep

> That 
> approach fractured the work, and it bled off time and effort that could 
> have been spent on the capabilities of the IP stack that became the path 
> forward when OSI cratered, as well as the not-inconsequential issues 
> around the management and maintenance and user interface for DECnet, and 
> a whole host of other issues.

If DEC had embraced IP, and migrated the DECnet capabilities to IP, we'd all be 
much better off.

Now, if there were some needs for OSI, then implelment that, but, not the whole 
DECnet thingy.

>> And that is the problem. To those who claim that we should forget 
>> about DECnet, I can only say give use an equivalent IP product with 
>> the same functionality as FAL, the same ease of use, even from within 
>> commandfiles or applications. As long as you can't offer that, stop 
>> telling us to forget about DECnet.

Odd, other then your "Phase IV must die", and Steve being controversial, I don't 
think that I've seen much of that issue.

Michael has stated that he doesn't think VSI will want to break anything.

It appears that VSI most likely keep the special DECnet IV transport over IP.

It's highly likely the DECnet V over IP will continue to function.

As I've written above, we'd all have been better off if DEC had implemented the 
useful functionality of DECnet in IP.  But "now is now", and it's up to VSI and 
/ or contributors to perform such implementation, should they choose to do so. 
VSI will follow the PAYING customers, as they should.  Have you made an offer to 
VSI to do some contributions, such as FAL over IP?

> Oddly, the rest of the universe gets by with ssh, netcat, file shares 
> and related.    Sure, having an FTP client — or preferably FTPS or sftp 
> — embedded into RMS would be nice.
> 
>> That other protocol can be just as VMS specific as Multinet's DECnet 
>> over IP lines, I don't care. Design it, put it in VMS and perhaps then 
>> we can talk about forgetting DECnet.

The issue of "paying customer" comes up, again ....

> I don't want to see time spent on DECnet, more time on EDT nor more time 
> away from the port and the roadmap.
> 
>> Oh yeah, and I don't think is has to be encrypted.
> 
> Which is "acceptable" only because OpenVMS lacks that.
> 
> If that were another platform, I'd expect you would be very unhappy 
> about that omission.
> 
> I know auditors already get cranky about telnet and have gotten cranky 
> for a decade or more.   Any auditors that knew to ask about or otherwise 
> find DECnet would get cranky about that, too.
> 
> It's also a case that's contrary to those claims that OpenVMS is a 
> secure platform that get posted around here.
> 
>> Like I wrote before, a VMS system should be communicating with other 
>> VMS systems using IPsec. It will secure *all* IP communication between 
>> these systems, no need to do encryption in applications.

Now that can be laid at the feet of HP how milked the VMS cow without bothering 
to feed it for some years.  Yes, IPSEC is something that should be mandatory, 
and I'm betting VSI will provide it.  Going to make a lot of people rather happy.

Speaking for myself, it's my opinion that transmission security is a network 
problem, and for some cases IPSEC is the optimal solution.

> Sure.   Can't say I'd spend an iota of that time on DECnet, though.

Frankly, with perhaps maybe a small iota of time, I doubt DECnet is going to 
need much work to keep the current functionality.  And I think most will agree 
that any other work on DECnet is a waste of critically needed resources.

Now, IPv6 should become standard in VMS, and I'd say ALL of VMS.  DECnet is part 
of VMS.

> In short, if you can't do it via IP (somehow, whether ssh or netcat or 
> otherwise, preferably encrypted), then either the OpenVMS implementation 
> of IP needs help or updates, or find a different way to solve the 
> issue.   And yes, maybe even use DECnet in the interim.

Yes, use DECnet as needed, until better comes along.  That's both IV and V ..