Operating System - OpenVMS

Re: IPSec and VMS Roadmaps

Richard J Maher
Trusted Contributor

IPSec and VMS Roadmaps

Hi,

I have just read this: -
http://www.openvms.org/stories.php?story=09/03/27/7344668

and am *extremely* worried about the future of IPSec, and VMS in general :-(

Has IPSec/VMS been cancelled? Released in a patch? or Just a mistake on the Roadmap?

The EAK is still available, I just downloaded it!
http://h71000.www7.hp.com/openvms/products/ipsec/index.html

Please tell me that no one could be so stupid to cancel this *essential* functionality especially after it is already written!

Regards Richard Maher
Ian Miller.
Honored Contributor

Re: IPSec and VMS Roadmaps

Richard,
you need to contact hp product management directly and show them the money.

They don't read this forum.
____________________
Purely Personal Opinion
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Hi Ian,

OK, Who would that be in this case?

Who contacted them about the RTR to Linux port or WSIT V3.0? Who showed them the money? Yeh, I thought as much.

Cheers Richard Maher

PS. Thanks for your work with openvms.org.
Ian Miller.
Honored Contributor

Re: IPSec and VMS Roadmaps

The appropriate form on the web site appears to be

http://h71000.www7.hp.com/fb_business.html

"Please use the following form to submit product or business questions or comments about HP OpenVMS."

____________________
Purely Personal Opinion
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Hi Ian,

I have entered a question via the link you provided - thanks.

I had previously entered a similar request via the IPsec product page: -
http://h71000.www7.hp.com/openvms/products/ipsec/ipsec_support.html

I invite all here to please do the same!

Do yourself a favour and just read-up a bit about what IPsec is and what it can do for you with regard to e-business as well as secure intranets.

Surely it must just be a mistake that IPsec was left off the roadmap?

Regards Richard Maher
Ian Miller.
Honored Contributor

Re: IPSec and VMS Roadmaps

I've heard the downloads of the IPSEC EAK were not exactly putting a big strain on the VMS web site, (very few people downloaded it).

If this was due to not wanting to try an EAK but you really want IPSEC then do explain this to OpenVMS Product management via the form on the HP OpenVMS web site

http://h71000.www7.hp.com/fb_business.html

If you think that people would want IPSEC if only they knew what it could do then do explain that too.
____________________
Purely Personal Opinion
Richard W Hunt
Valued Contributor

Re: IPSec and VMS Roadmaps

One thing that having IPSec compatibility buys you is that you can use US government CAC (computer access card) if you have a utility that reads the IPSec format key on that card. I had a LLLLOOOOOONNNNNNGGGG talk with my security people on this one.

Really, ALL you need is the ability to read a public X509v3 certificate and extract the RSA key from it. Which you already have if you have the OpenSSL stuff installed. The problem, of course, is that the key is IPSec format, not OpenSSH, so SSH inbound connections cannot use it.

Remember, the public key is PUBLIC i.e. you are allowed to see its parts. If you have a working utility to convert IPSec to OpenSSH format, you could set up SSH TELNET-like sessions with non-password logins.

NOTE that if you use the certificate in a web-based environment, the above is no longer quite true. But if you have a shop that is command-line only, you're good. And it is a razor-thin line, in case anyone was wondering about it.
Sr. Systems Janitor
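
The conversion described in the post above (reading the RSA public key out of an X.509v3 certificate and re-encoding it in the OpenSSH public-key format), as an added example that is not part of the original thread. It uses only the Python standard library; the toy certificate is constructed for illustration (unsigned, empty names, tiny modulus) so the parser can be exercised offline.

```python
import base64
import struct

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_key_from_cert(der):
    """Return (n, e) from the subjectPublicKeyInfo of a DER X.509 certificate."""
    tbs = children(children(tlv(der)[1])[0][1])  # Certificate -> tbsCertificate
    spki = tbs[6 if tbs[0][0] == 0xA0 else 5][1]  # [0] version is absent in v1
    alg, bits = children(spki)
    if children(alg[1])[0][1] != RSA_OID:
        raise ValueError("certificate key is not RSA")
    n, e = children(tlv(bits[1][1:])[1])  # drop the BIT STRING unused-bits byte
    return int.from_bytes(n[1], "big"), int.from_bytes(e[1], "big")

def openssh_pubkey(n, e, comment="from-x509"):
    """Encode (n, e) as an authorized_keys line (RFC 4253 'ssh-rsa' blob)."""
    def mpint(x):  # big-endian, with a leading zero byte when the top bit is set
        raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed toy input: unsigned, empty names, n=3233, e=17. Not a real certificate.
SPKI = "301b300d06092a864886f70d0101010500030a00300702020ca1020111"
SIGALG = "300d06092a864886f70d01010b0500"
TOY_CERT = bytes.fromhex("304e303aa003020102020101" + SIGALG + "3000" * 3
                         + SPKI + SIGALG + "030100")

if __name__ == "__main__":
    print(openssh_pubkey(*rsa_key_from_cert(TOY_CERT)))
```

A PEM-encoded certificate has to be base64-decoded to DER before it is passed to `rsa_key_from_cert`.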
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Hi Ian,

I'm used to you being a bit more even handed than this, but no matter: -

> I've heard the downloads of the IPSEC EAK were not
> exactly putting a big strain on the VMS web site,
> (very few people downloaded it).

When compared to which other EAKs Ian? What is the standard HP yardstick for EAK-downloading for VMS products over say the last 10 years?

How many people downloaded the IPv6 EAK?
How many people downloaded the WSIT 3.0 EAK?
How many people downloaded the HP-Supported Stunnel EAK? (And how many would happily abandon Stunnel right now if they had the IPsec alternative)
How many people will download the RTR/Linux EAK?

[Dear Mr Conservative Banking/Security customer, please install and run your security backbone on what we lovingly call an "Early Adopters" kit.] Can't see why they're not gaggin' for it!

I also have to admit that, after the comprehensive series of presentations at the various HP/VMS Bootcamps and Technical Update Days, it is surprising that VMS/IPsec interest is at this level at all. And don't forget those wonderful VTJ articles from Matt Muggeridge about IPsec and VMS e-business! :-(

But you gotta love this latest HP/VMS Software Development Business strategy - You spend what 5 to 10 years developing a product, and X million dollars and then you say "Maybe people won't like it. Let's scrap the whole thing instead." - disbelief!

Maybe that's it; maybe Matt's IPsec just doesn't work at all? It would certainly be the only half-logical explanation for the infanticide I'm witnessing :-(

> If this was due to not wanting to try an EAK but you
> really want IPSEC

Imagine wanting to encrypt all traffic at the transport layer (with port-level granularity) and not have to employ specialized software for each Application(*Including UDP*). Imagine authenticating servers and clients and Matt Muggeridge's host-based firewall capability.
Forget that, imagine having a Manufacturer-supplied VMS TCP/IP stack that enjoyed only half the support of the one on HP/UX! Wouldn't be surprised if NSK has IPsec as well; IBM and Windows have certainly had it for about 10 years.

And this just in from the world of Google Android and the e-commerce future of handheld devices: -

http://www.net-security.org/secworld.php?id=7257
Didn't seem to take them too long, did it? Using the MOBIKE/IPsec protocol so your salesmen can have constant secure access to your VMS servers, data, and applications from LAN to wireless? "I'd buy that for a dollar!"

"But we can get that from HP-UX! VMS is exclusively behind the firewall anyway and we just FTP stuff to the real servers when we need to" :-(

> then do explain this to OpenVMS
> Product management via the form on the HP OpenVMS web site
>
> http://h71000.www7.hp.com/fb_business.html

I have received no reply from that website in the past week; where would you set customer expectations at a response? I was waiting for Matt to get the ok for me to publish the Project Manager's e-mail but that no longer seems forthcoming. Perhaps he simply does not want to know the level of IPsec demand out there?

> If you think that people would want IPSEC if only
> they knew what it could do then do explain that too.

All they have to do is step outside the VMS bubble and see what the rest of the world is doing. But again you seem to constantly be putting obstacles and hurdles in front of IPsec that are never put in front of less worthy functionality; why is that?

Why should VMS be deprived of standard IP network functionality that the rest of the world has been enjoying for years? (Especially when the code for IPsec is already there!)

Why aren't you also asking people to justify the IPv6 rollout? See Wikipedia: -
http://en.wikipedia.org/wiki/Ipsec
"IPsec implementation is a mandatory part of IPv6" So without IPsec, how are you gonna claim IPv6 support? Might as well can the whole thing now- what say you Ian?

Regards Richard Maher
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Ian,

Here's another link you might want to run past whoever it is you're talking to: -
http://h20338.www2.hp.com/hpux11i/cache/323855-0-0-14-121.html#ipsec

I'd be interested in knowing the HPUX download levels for their IPsec EAK! (Also how long HPUX has enjoyed IPsec)

Regards Richard Maher
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Having seen the HPUX embrace of IPsec I was wondering what other IT industry heavy-weights might be doing, and wasn't really surprised to discover that just about all of them have been supporting IPsec on their various operating systems for many years. You'll find heaps more IPsec info on the IBM, SUN, Apple, and Microsoft web-sites.

As far as Linux goes, I found comprehensive IPsec support has existed for some time on Red Hat, SuSe, and Debian flavours. Are there others I should look at?

So from Apple to IBM, from Windows to Android and from OSX to Linux, it appears everyone outside of VMS has committed to supporting IPsec on their IP stacks as an essential tool in their integrated e-business infrastructure offerings. So can someone please explain to me why HP/VMS continue to sit on their hands over this? And why VMS customers do not need the secure network connectivity that the rest of the industry needs? Perhaps a new VMS ambassador could tell us :-)

And if you're planning a move off VMS to obtain this industry-standard IPsec capability, just let me point out that Process Software's Multinet has supported IPsec on VMS for years and since version 5.2 (at least 18 months ago) has supported "Dynamic Key Exchange" to remove the need for Static Keys or "Pre-shared secrets".

I don't mind if HP/VMS continues its SLA of 2 to 10 years late; I don't care that the IPsec version in 8.4 might only have static keys, but for Pete's sake, this should've shipped with 8.3! The fact that 8.4 is moving farther and farther out on the horizon should be a blessing and give you time to get more and more functionality in - what's going on?

Once again, please contact HP and let them know that you are interested in IPsec and you want it in 8.4! Sadly, I have still not received a reply from my question to the above web-sites that Ian posted, and I am still unable to give you the PL's e-mail, but just please do what you can.

Regards Richard Maher

PS. Here are a couple more HP-UX links: -
http://h20338.www2.hp.com/hpux11i/cache/532713-0-0-0-121.html
leads to: -
http://h20338.www2.hp.com/hpux11i/cache/323855-0-0-14-121.html#ipsec