[Info-vax] Kernel Transplantation
Mark Berryman
mark at theberrymans.com
Wed Jan 10 15:06:59 EST 2024
On 1/10/24 6:40 AM, Simon Clubley wrote:
> On 2024-01-09, Lawrence D'Oliveiro <ldo at nz.invalid> wrote:
>> On Tue, 9 Jan 2024 14:32:48 -0500, Stephen Hoffman wrote:
>>
>>> And again, what you are interested here in has been available for many
>>> years via Sector 7.
>>
>> I'm not sure they did a comprehensive enough job. For instance, I remember
>> the previous time this came up, reading between the lines in one of their
>> case studies, the original customer scenario mentioned using DECnet, but
>> that was missing from the description of the solution.
>
> DECnet should not be in use in today's security world and a customer
> should have been forced away from using DECnet anyway due to external
> auditing and security standards.
>
.
.
.
Hogwash. DECnet can be made just as secure as any IP communication by
simply using IP transports. A couple of simple examples:
1. Run DECnet phase V. Use DECnet-over-IP, and encrypt it with IPSEC
before it ever leaves your host. This not only encrypts all of your
DECnet traffic but it means that DECnet proxies are now as secure as
your IPSEC profile.
1a. If you are running OpenVMS on x86, TCP/IP Services does not
currently provide IPSEC and Multinet is not yet available. However,
VMware ESXi does support IPSEC. You can configure your ESXi host to do
the encryption for you. You just need to do your DECnet-over-IP traffic
using IPv6.
2. Run DECnet phase IV. Install pyDECnet on any host in your LAN that
supports python (I use a dedicated raspberry pi). This will be your
DECnet router. Isolate DECnet traffic to its own VLAN. All off-LAN
DECnet traffic is encrypted by the pyDECnet host, again, likely using IPSEC.
More security than this is possible. If you have a security requirement
this doesn't meet, let me know.
Mark Berryman