[Info-vax] What would you miss if DECnet got the chop? Was: "bad select 38" (OpenSSL on VMS)

Fri Oct 7 03:08:26 EDT 2016

Stephen Hoffman wrote:
> On 2016-10-06 22:04:01 +0000, Dirk Munk said:
>
>> Stephen Hoffman wrote:
>>> On 2016-10-06 14:53:14 +0000, Dirk Munk said:
>>>
>>>> Stephen Hoffman wrote:
>>>>> On 2016-10-06 07:25:24 +0000, Dirk Munk said:
>>>>>
>>>>>> Well then, let me give you a very good reason to scrap....
>>>>>
>>>>> Get off of DECnet.
>>>>
>>>> The nice thing about DECnet Phase V over IP is that you can use IP DNS
>>>> names and thus IP addresses.
>>>>
>>>> So dir vsi.com::dka0: works in DECnet Phase V.
>>>>
>>>> Build a replacement in pure IP, and tell us when it's ready.
>>>
>>> DIRECTORY /FTP works fine without DECnet, and supports domain names.
>>> Available since V6.2.
>>>
>>> SFTP support, a decent client for SMB, and, yes, IP-based FAL-like
>>> support would be nice.  Particularly with encryption and authentication.
>>>
>>> But DECnet is still dead.
>>
>> So the bottom line is that DECnet is dead, but 40 year old DECnet has
>> functionality that today's IP can not offer to VMS. Or am I wrong?
>
> That train left the station ~twenty years ago, too.   It became clear to
> the die-hard DEC DECnet folks that DECnet and OSI were not the path the
> industry was following.    As much as I'd prefer to see DEC having been
> right, following that approach — what you're still trying to do —
> directly led OpenVMS networking to be in such a deep hole, too.   That
> approach fractured the work, and it bled off time and effort that could
> have been spent on the capabilities of the IP stack that became the path
> forward when OSI cratered, as well as the not-inconsequential issues
> around the management and maintenance and user interface for DECnet, and
> a whole host of other issues.

My statement was that DECnet has functionality that (pure) IP has not, 
period. You then conclude that I want to keep DECnet, but that's not 
what I wrote.

>
>> And that is the problem. To those who claim that we should forget
>> about DECnet, I can only say give use an equivalent IP product with
>> the same functionality as FAL, the same ease of use, even from within
>> commandfiles or applications. As long as you can't offer that, stop
>> telling us to forget about DECnet.
>
> Oddly, the rest of the universe gets by with ssh, netcat, file shares
> and related.    Sure, having an FTP client — or preferably FTPS or sftp
> — embedded into RMS would be nice.

It seeme you want to reduce VMS to some OS that has nothing more then 
any other OS is also offering. But then why should we use VMS at all?

>
>> That other protocol can be just as VMS specific as Multinet's DECnet
>> over IP lines, I don't care. Design it, put it in VMS and perhaps then
>> we can talk about forgetting DECnet.
>
> I don't want to see time spent on DECnet, more time on EDT nor more time
> away from the port and the roadmap.

Apart from implementing RFC2127 for DECnet over IPv6, I'm not asking for 
anything new in DECnet.

>
>> Oh yeah, and I don't think is has to be encrypted.
>
> Which is "acceptable" only because OpenVMS lacks that.
>
> If that were another platform, I'd expect you would be very unhappy
> about that omission.
>

No, because this remark must clearly be seen in conjunction with my next 
sentence. IPsec is the way to get encryption.

> I know auditors already get cranky about telnet and have gotten cranky
> for a decade or more.   Any auditors that knew to ask about or otherwise
> find DECnet would get cranky about that, too.
>
> It's also a case that's contrary to those claims that OpenVMS is a
> secure platform that get posted around here.
>
>> Like I wrote before, a VMS system should be communicating with other
>> VMS systems using IPsec. It will secure *all* IP communication between
>> these systems, no need to do encryption in applications.
>
> Sure.   Can't say I'd spend an iota of that time on DECnet, though.

No one is asking for that.

>
> In short, if you can't do it via IP (somehow, whether ssh or netcat or
> otherwise, preferably encrypted), then either the OpenVMS implementation
> of IP needs help or updates, or find a different way to solve the
> issue.   And yes, maybe even use DECnet in the interim.

Yes, DECnet over IP, encrypted with IPsec. As long as we don't have a 
kind of IP FAL, that is a good and secure solution.