[Info-vax] Some SEARCH commands

[Simon Clubley]

On 2019-03-01, Dave Froble <davef at tsoft-inc.com> wrote:
> On 3/1/2019 3:25 AM, Simon Clubley wrote:
>>
>> Sorry Mark, but that is wrong as when they are setup correctly you can
>> make it vastly harder to spoof an IP node than it is to spoof a DECnet
>> Phase IV node.
>
> Not if Mark's suggestions are followed.  If you're responding to them, 
> then don't attempt to ignore them.
>

I'm assuming you are referring to the locking down DECnet using hardware
comments. I've already commented about depending on hardware but in case
that wasn't clear enough:

The idea that you _need_ enterprise level hardware locked down to
the level Mark has specified in his challenge in order to give
DECnet Phase IV any level of real security is insane.

TCP/IP also benefits from having custom enterprise level hardware on
the network but it doesn't actually _need_ it in order to provide a
core level of security.

>> That is because you can protect IP based nodes from spoofing by using
>> certificates which is simply not possible with DECnet Phase IV.
>> The certificate acts as a shared secret between IP nodes.
>>
>> Simon.
>>
>
> Ayep!
>
> All those SSL2, SSL3, TLS1.0, and TLS1.1 were so secure, until they weren't.
>

Those protocols are designed to allow TCP/IP based applications
to run in an untrusted environment without any custom hardware
needed and to still give a reasonable level of security.

As the security threats have increased, the protocols have been
enhanced in response to those threats.

Native DECnet Phase IV is utterly incapable of operating in such an
environment and needs to rely on IP based protocols to give it a core
level of security.

> I'd assume that any hardware security will be a bit harder to penetrate 
> than any software security.
>

Why ?

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world