Operating System - OpenVMS

Decnet over IP

 
Randy W. Suhrbier
Occasional Advisor

Decnet over IP

Hi,

Does anyone know how to limit which IP interfaces the port 399 listener uses?
Hoff
Honored Contributor

Re: Decnet over IP

I'm not entirely certain what you are seeking here. If your goal here is to restrict TCP port 399 and thus DECnet-Plus over IP from using a particular NIC, toss the following NCL command at the device:

DISABLE NODE 0 CSMA-CD STATION CSMACD-1

Use whatever the particular device ENABLE command specified in NET$CSMACD_STARTUP.NCL might be. You will want to DISABLE what the NET$CSMACD_STARTUP.NCL script ENABLEs for your particular target NIC.

To make this DECnet-Plus configuration change survive a reboot, comment out the CREATE and ENABLE lines for the device in the NCL file. This file is located in SYS$MANAGER: for the host.

Other potential options include IP firewalls, depending on what your particular goal might be.

Stephen Hoffman
HoffmanLabs LLC
Hoff
Honored Contributor

Re: Decnet over IP

FWIW, some folks will suggest @NET$CONFIGURE ADVANCED and working through that tool and the device configuration, but simply nuking the lines in the NCL can be easier.
Volker Halle
Honored Contributor

Re: Decnet over IP

Randy,

DECnet-over-IP works at the transport layer.

I'm pretty sure that it does not help to disable the CSMA-CD station trying to prevent DECnet-over-IP incoming traffic on that specific LAN interface.

The CSMA-CD station controls the DECnet datalink layer protocols (DECNETV and DECNET as shown by SDA> SHOW LAN).

Volker.
Colin Butcher
Esteemed Contributor

Re: Decnet over IP

Hello Randy,

I'll assume that you want to limit DECnet over IP use to specific NICs. You need to deal with both ports 102 and 399. These show up as OSI transport templates for RFC1006 and RFC1006-Plus in the entity hierarchy you look at with NCL. They're the hook across to the PWIP driver which then gets you out of the DECnet stack into the TCP/IP stack, thus using TCP/IP as a transport for DECnet.

Stopping the DECnet protocol on the NICs isn't going to achieve what you need - in fact if you were only using DECnet over IP you could entirely turn off DECnet at the routing circuit and CSMACD station layers because you've jumped sideways through the PWIP driver into the TCP/IP stack before you reach that far down the layers.

I've not tried to do what you want to achieve, but I would guess that you want to use some kind of filtering capability within the TCP/IP stack, or perhaps within the PWIP driver (if that's possible).

I'd guess it's mostly an inbound problem that you're trying to protect against. The outbound NIC will be selected by the TCP/IP stack based on the target IP address / subnet and the local interface addresses and routes in the usual manner.

By the time the data packets hit the DECnet stack I suspect that all the NIC related information has been stripped off and it's down to IP subnets and IP routing to find the path back when you talk back through the PWIP driver to the TCP/IP stack.

It seems to me that you'd want to interpose a filter at the point where the TCP/IP interface entity attempts to establish the connection to the entity listening on ports 102 and 399.

I have some vague recollection that you can do that kind of thing, probably by writing code and hooking your code into the TCP/IP stack at the point where it attempts to establish a connection (kind of an extra layer of security filtering).

There might also be logical names that help control the behaviour of the ports 102 and 399 listeners.

Much of this kind of behaviour is part of IPsec, so you should try the OpenVMS TCP/IP V5.7 IPsec EAK available at: http://h71000.www7.hp.com/openvms/products/ipsec/index.html - do give it a go and let us know how you get on.

Cheers, Colin (http://www.xdelta.co.uk).

Entia non sunt multiplicanda praeter necessitatem (Occam's razor).
Solution

Re: Decnet over IP

Looking at my V8.3 system, I notice a new NCL command?

$ NCL SHO OSI TRANSPORT RFC1006 LISTENER IPADDRESSES

Can listeners be set?

Steve
Colin Butcher
Esteemed Contributor

Re: Decnet over IP

Well spotted Stephen. That looks to be what's needed. It's described in the DECnet-Plus V8.3 release notes sections 2.1.2 and 2.1.3.

URL: http://h71000.www7.hp.com/doc/83final/decnetplus/DECNET_PLUS_REL_NOTES.PDF

Extract of section 2.1.3:

2.1.3.1 Added information about Configuring the system to listen to DECnet/IP connections

Version 8.3

The following commands have been added to reflect the new feature described in Section 2.1.2 for V8.3

$MC NCL SET OSI TRANSPORT RFC1006 LISTENER IPADDRESSES {a.b.c.d, w.x.y.z}
$MC NCL ADD OSI TRANSPORT RFC1006 LISTENER IPADDRESSES {a.b.c.d, w.x.y.z}
$MC NCL REMOVE OSI TRANSPORT RFC1006 LISTENER IPADDRESSES {a.b.c.d, w.x.y.z}
$MC NCL SHOW OSI TRANSPORT RFC1006 LISTENER IPADDRESSES

These commands will enable or disable DECnet-Plus to listen to inbound DECnet over IP connections on interfaces having local node IP addresses specified. However, these commands do not support DECnet-Plus to listen to remote node IP addresses. This is applicable for both RFC 1006 and RFC 1859.


Cheers, Colin (http://www.xdelta.co.uk).
Entia non sunt multiplicanda praeter necessitatem (Occam's razor).
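
A check for the listener restriction discussed above, as an added example that is not part of the original posts or of DECnet-Plus: it scans a `netstat -an` style listing for listeners on ports 102 and 399 and reports any bound to the wildcard address or to an address outside the intended set. The BSD-style line layout, the function names and the sample addresses are assumptions; the sample listing is constructed.

```python
import ipaddress

# Ports named in the thread: 102 (RFC1006) and 399 (RFC1006-Plus).
DECNET_IP_PORTS = {102: "RFC1006", 399: "RFC1006-Plus"}

# Constructed sample listing (assumed BSD-style layout), not real output.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.399                  *.*                    LISTEN
tcp        0      0  192.0.2.10.102         *.*                    LISTEN
tcp        0      0  198.51.100.7.399       *.*                    LISTEN
tcp        0      0  192.0.2.10.23          *.*                    LISTEN
tcp        0      0  192.0.2.10.399         203.0.113.5.49152      ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'a.b.c.d.port' or '*.port' into (address, port)."""
    addr, _, port = endpoint.rpartition(".")
    return addr, int(port)


def audit_listeners(netstat_text, allowed):
    """Return (port, local_address, reason) for each DECnet-over-IP
    listener that is not confined to the allowed local addresses."""
    allowed = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only TCP sockets in LISTEN state matter for inbound exposure.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        try:
            addr, port = split_endpoint(fields[3])
            ip = None if addr == "*" else ipaddress.ip_address(addr)
        except ValueError:
            continue  # header or unparseable endpoint
        if port not in DECNET_IP_PORTS:
            continue
        if ip is None:
            findings.append((port, addr, "wildcard bind, reachable on every interface"))
        elif ip not in allowed:
            findings.append((port, addr, "address not in the intended listener set"))
    return findings


if __name__ == "__main__":
    for port, addr, reason in audit_listeners(SAMPLE_NETSTAT, ["192.0.2.10"]):
        print(f"{DECNET_IP_PORTS[port]} port {port} on {addr}: {reason}")
```
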
Randy W. Suhrbier
Occasional Advisor

Re: Decnet over IP

That 8.3 NCL command looks like the answer, thanks. I'm currently at 7.3-2 and this may supply the reason for an upgrade.

Thanks again to all,
Randy S.

Randy W. Suhrbier
Occasional Advisor

Re: Decnet over IP

Signing off