[Info-vax] DECnet use in today's world, was: Re: Tangent about DECnet versions.

Dirk Munk munk at home.nl
Thu May 31 19:27:00 EDT 2018


Simon Clubley wrote:
> On 2018-05-19, Grant Taylor <gtaylor at tnetconsulting.net> wrote:
>>
>> I'm curious, does anybody have any idea how prevalent any of the
>> following DECnet phases are these days?  Are there any production shops
>> still using any version of DECnet?  Or is it relegated to hobbyists?
>>
>> DECnet Phase I / II / III
> 
> Hopefully, these are now obsolete.
> 
> I think all the PDP-11 operating systems got DECnet Phase IV, but did
> the PDP-10 operating systems ever convert to DECnet Phase IV or were
> they stuck on DECnet Phase III ?
> 
>> DECnet Phase IV
> 
> Unfortunately, based on a recent discussion, DECnet Phase IV is alive
> and well, even though it's a horrible protocol from a security viewpoint
> to be running in a modern network environment.
> 
> BTW, DECnet Phase IV proxies are even more insecure in some ways than
> the plain text passwords which DECnet Phase IV uses because there are
> no shared secrets between the nodes.
> 
> All a rogue node has to do is to change its DECnet address to that
> of a trusted node and the proxy will work. There's even a warning about
> this somewhere in the VMS manuals.
> 
> And while everyone is worried about the security of TCP/IP, DECnet Phase IV
> just sits there silently waiting to receive malformed packets from an
> attacker.
> 
> One of the things that worries me about DECnet Phase IV is we don't
> know if there are any horrible security issues in the stack itself
> because no-one (at the moment anyway) is interested in probing it
> and in the old days when there was interest, you couldn't probe
> a network stack in the ways that you can now.
> 
> The DECnet Phase IV stack could be secure against malformed packets or
> it could be a ticking timebomb waiting to go off. We simply don't know.
> 
>> DECnet/OSI or DECnet-Plus
>>
> 
> I don't have a feeling for this one. I know there's some use but
> I don't have a feeling for how widely it is deployed.
> 
> Simon.
> 

As is so often the case in these types of discussions, running Decnet 
Phase V over IP is conveniently forgotten.

Decnet Phase IV routers are no longer being produced AFAIK. OSI (Decnet 
Phase V) routers are, but not many either.

With Decnet Phase V over IP, you use IP addresses and DNS names instead 
of Decnet Phase IV or Decnet Phase V names.

From the IP perspective, Decnet Phase V over IP is like FTP, or Telnet, 
or any other kind of IP traffic.

Is it secure? No.

Can it be made secure? Yes.

Two ways:

1. using IPsec to secure all IP traffic. But that is such an excellent 
solution, that nobody wants it. Making all IP traffic secure would mean 
giving up on all those protocols that have secure versions, like FTP 
with FTPS and SFTP and ???? Heaven forbid.

2. incorporating TLS in the OSI over IP stack. That should be possible, 
why not.

At the moment Decnet over IP does not support IPv6, however the RFC for 
this was written decades ago. It has to be implemented.

The question is how seriously VSI takes its Decnet customers, and if VSI 
is willing to invest in TLS and IPv6 for the Decnet over IP stack.
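
A defensive check for the address-based proxy trust described in the quoted text above, as an added example that is not part of the original post: DECnet Phase IV stations derive their Ethernet address from the DECnet address (AA-00-04-00 followed by area*1024+node, little-endian), so frames with EtherType 0x6003 can be inventoried and an address that shows up on more than one access port flagged for review. The switch-port labels, function names and sample frames are constructed assumptions.

```python
import struct
from collections import defaultdict

DECNET_ETHERTYPE = 0x6003           # DECnet Phase IV routing layer
HIORD = bytes.fromhex("aa000400")   # fixed prefix of a Phase IV station MAC


def decnet_address(mac: bytes):
    """Return (area, node) encoded in a Phase IV MAC, or None if not one."""
    if len(mac) != 6 or mac[:4] != HIORD:
        return None
    (value,) = struct.unpack("<H", mac[4:])    # 16 bits, little-endian
    area, node = value >> 10, value & 0x3FF    # 6-bit area, 10-bit node
    return (area, node) if area and node else None


def parse_frame(frame: bytes):
    """Return the source (area, node) of an Ethernet II DECnet frame."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != DECNET_ETHERTYPE:
        return None
    return decnet_address(frame[6:12])


def duplicated_addresses(observations):
    """observations: (switch_port, frame) pairs. Return {addr: [ports]} for
    every DECnet address that was seen on more than one port."""
    seen = defaultdict(set)
    for port, frame in observations:
        addr = parse_frame(frame)
        if addr:
            seen[addr].add(port)
    return {a: sorted(p) for a, p in seen.items() if len(p) > 1}


def _frame(src_hex, ethertype=DECNET_ETHERTYPE):
    # Constructed sample frame: dummy destination, zero-filled payload.
    dst = bytes.fromhex("ab0000030000")
    return dst + bytes.fromhex(src_hex) + struct.pack("!H", ethertype) + bytes(46)


SAMPLE = [                                        # constructed observations
    ("Gi1/0/1", _frame("aa0004000104")),          # node 1.1
    ("Gi1/0/2", _frame("aa0004000208")),          # node 2.2
    ("Gi1/0/7", _frame("aa0004000104")),          # node 1.1 on a second port
    ("Gi1/0/3", _frame("001122334455", 0x0800)),  # IPv4, ignored
]

if __name__ == "__main__":
    for (area, node), ports in duplicated_addresses(SAMPLE).items():
        print(f"DECnet {area}.{node} seen on ports {ports}")
```

Feed it observations from access ports only; uplinks and nodes with several Ethernet adapters legitimately show the same address on more than one port.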


