IPSec and VMS Roadmaps

Richard J Maher
Trusted Contributor

IPSec and VMS Roadmaps

Hi,

I have just read this: -
http://www.openvms.org/stories.php?story=09/03/27/7344668

and am *extremely* worried about the future of IPSec, and VMS in general :-(

Has IPSec/VMS been cancelled? Released in a patch? Or just a mistake on the Roadmap?

The EAK is still available, I just downloaded it!
http://h71000.www7.hp.com/openvms/products/ipsec/index.html

Please tell me that no one could be so stupid to cancel this *essential* functionality especially after it is already written!

Regards Richard Maher
17 REPLIES
Ian Miller.
Honored Contributor

Re: IPSec and VMS Roadmaps

Richard,
you need to contact hp product management directly and show them the money.

They don't read this forum.
____________________
Purely Personal Opinion
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Hi Ian,

OK, Who would that be in this case?

Who contacted them about the RTR to Linux port or WSIT V3.0? Who showed them the money? Yeh, I thought as much.

Cheers Richard Maher

PS. Thanks for your work with openvms.org.
Ian Miller.
Honored Contributor

Re: IPSec and VMS Roadmaps

The appropriate form on the web site appears to be

http://h71000.www7.hp.com/fb_business.html

"Please use the following form to submit product or business questions or comments about HP OpenVMS."

____________________
Purely Personal Opinion
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Hi Ian,

I have entered a question via the link you provided - thanks.

I had previously entered a similar request via the IPsec product page: -
http://h71000.www7.hp.com/openvms/products/ipsec/ipsec_support.html

I invite all here to please do the same!

Do yourself a favour and just read-up a bit about what IPsec is and what it can do for you with regard to e-business as well as secure intranets.

Surely it must just be a mistake that IPsec was left off the roadmap?

Regards Richard Maher
Ian Miller.
Honored Contributor

Re: IPSec and VMS Roadmaps

I've heard the downloads of the IPSEC EAK were not exactly putting a big strain on the VMS web site, (very few people downloaded it).

If this was due to not wanting to try an EAK but you really want IPSEC then do explain this to OpenVMS Product management via the form on the HP OpenVMS web site

http://h71000.www7.hp.com/fb_business.html

If you think that people would want IPSEC if only they knew what it could do then do explain that too.
____________________
Purely Personal Opinion
Richard W Hunt
Valued Contributor

Re: IPSec and VMS Roadmaps

One thing that having IPSec compatibility buys you is that you can use US government CAC (computer access card) if you have a utility that reads the IPSec format key on that card. I had a LLLLOOOOOONNNNNNGGGG talk with my security people on this one.

Really, ALL you need is the ability to read a public X509v3 certificate and extract the RSA key from it. Which you already have if you have the OpenSSL stuff installed. The problem, of course, is that the key is IPSec format, not OpenSSH, so SSH inbound connections cannot use it.

Remember, the public key is PUBLIC i.e. you are allowed to see its parts. If you have a working utility to convert IPSec to OpenSSH format, you could set up SSH TELNET-like sessions with non-password logins.

NOTE that if you use the certificate in a web-based environment, the above is no longer quite true. But if you have a shop that is command-line only, you're good. And it is a razor-thin line, in case anyone was wondering about it.
Sr. Systems Janitor
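
The conversion the post above describes, as an added example that is not part of the original thread: it reads the RSA public key out of a DER-encoded X.509v3 certificate and re-encodes it as an OpenSSH `ssh-rsa` line. All function names, `SAMPLE_N` and the certificate skeleton built by `sample_cert` are constructed for illustration (the skeleton has empty names and no real signature).

```python
import base64, struct
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption
SAMPLE_N = (1 << 2047) | 0x10001  # constructed 2048-bit stand-in, not a real modulus

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # split the body of a constructed element into (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def rsa_key_from_cert(der):
    """Return (n, e) from a DER-encoded X.509 certificate that carries an RSA key."""
    tbs = children(children(read_tlv(der, 0)[1])[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # drop the explicit [0] version (v3)
    alg, key_bits = children(tbs[5][1])  # fields 0-4: serial, sigalg, issuer, validity, subject
    if children(alg[1])[0][1] != RSA_OID:
        raise ValueError("certificate does not carry an RSA key")
    n, e = children(children(key_bits[1][1:])[0][1])  # [1:] skips the unused-bits octet
    return int.from_bytes(n[1], "big"), int.from_bytes(e[1], "big")

def mpint(x):  # SSH mpint for x > 0: a leading zero byte only when the top bit is set
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def openssh_line(n, e, comment="from-cert"):
    """Encode (n, e) as an authorized_keys entry: 'ssh-rsa', then e, then n."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def tlv(tag, *parts):  # minimal DER encoder, used only to build the sample below
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(n, e):  # constructed skeleton: empty names/validity, no real signature
    num = lambda x: tlv(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))
    alg = tlv(0x30, tlv(0x06, RSA_OID), tlv(0x05))
    spki = tlv(0x30, alg, tlv(0x03, b"\x00", tlv(0x30, num(n), num(e))))
    tbs = tlv(0x30, tlv(0xA0, num(2)), num(1), alg, tlv(0x30), tlv(0x30), tlv(0x30), spki)
    return tlv(0x30, tbs, alg, tlv(0x03, b"\x00"))

print(openssh_line(*rsa_key_from_cert(sample_cert(SAMPLE_N, 65537))))
```

For a PEM certificate file, `ssl.PEM_cert_to_DER_cert` from the Python standard library yields the DER bytes that `rsa_key_from_cert` expects.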
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Hi Ian,

I'm used to you being a bit more even handed than this, but no matter: -

> I've heard the downloads of the IPSEC EAK were not
> exactly putting a big strain on the VMS web site,
> (very few people downloaded it).

When compared to which other EAKs Ian? What is the standard HP yardstick for EAK-downloading for VMS products over say the last 10 years?

How many people downloaded the IPv6 EAK?
How many people downloaded the WSIT 3.0 EAK?
How many people downloaded the HP-Supported Stunnel EAK? (And how many would happily abandon Stunnel right now if they had the IPsec alternative)
How many people will download the RTR/Linux EAK?

[Dear Mr Conservative Banking/Security customer, please install and run your security backbone on what we lovingly call an "Early Adopters" kit.] Can't see why they're not gaggin' for it!

I also have to admit that, after the comprehensive series of presentations at the various HP/VMS Bootcamps and Technical Update Days, it is surprising that VMS/IPsec interest is at this level at all. And don't forget those wonderful VTJ articles from Matt Muggeridge about IPsec and VMS e-business! :-(

But you gotta love this latest HP/VMS Software Development Business strategy - You spend what 5 to 10 years developing a product, and X million dollars and then you say "Maybe people won't like it. Let's scrap the whole thing instead." - disbelief!

Maybe that's it; maybe Matt's IPsec just doesn't work at all? It would certainly be the only half-logical explanation for the infanticide I'm witnessing :-(

> If this was due to not wanting to try an EAK but you
> really want IPSEC

Imagine wanting to encrypt all traffic at the transport layer (with port-level granularity) and not have to employ specialized software for each Application (*Including UDP*). Imagine authenticating servers and clients and Matt Muggeridge's host-based firewall capability.
Forget that, imagine having a Manufacturer-supplied VMS TCP/IP stack that enjoyed only half the support of the one on HP/UX! Wouldn't be surprised if NSK has IPsec as well; IBM and Windows have certainly had it for about 10 years.

And this just in from the world of Google Android and the e-commerce future of handheld devices: -

http://www.net-security.org/secworld.php?id=7257
Didn't seem to take them too long, did it? Using the MOBIKE/IPsec protocol so your salesmen can have constant secure access to your VMS servers, data, and applications from LAN to wireless? "I'd buy that for a dollar!"

"But we can get that from HP-UX! VMS is exclusively behind the firewall anyway and we just FTP stuff to the real servers when we need to" :-(

> then do explain this to OpenVMS
> Product management via the form on the HP OpenVMS web site
>
> http://h71000.www7.hp.com/fb_business.html

I have received no reply from that website in the past week; where would you set customer expectations at a response? I was waiting for Matt to get the ok for me to publish the Project Manager's e-mail but that no longer seems forthcoming. Perhaps he simply does not want to know the level of IPsec demand out there?

> If you think that people would want IPSEC if only
> they knew what it could do then do explain that too.

All they have to do is step outside the VMS bubble and see what the rest of the world is doing. But again you seem to constantly be putting obstacles and hurdles in front of IPsec that are never put in front of less worthy functionality; why is that?

Why should VMS be deprived of standard IP network functionality that the rest of the world has been enjoying for years? (Especially when the code for IPsec is already there!)

Why aren't you also asking people to justify the IPv6 rollout? See Wikipedia: -
http://en.wikipedia.org/wiki/Ipsec
"IPsec implementation is a mandatory part of IPv6" So without IPsec, how are you gonna claim IPv6 support? Might as well can the whole thing now- what say you Ian?

Regards Richard Maher
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Ian,

Here's another link you might want to run past whoever it is you're talking to: -
http://h20338.www2.hp.com/hpux11i/cache/323855-0-0-14-121.html#ipsec

I'd be interested in knowing the HPUX download levels for their IPsec EAK! (Also how long HPUX has enjoyed IPsec)

Regards Richard Maher
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Having seen the HPUX embrace of IPsec I was wondering what other IT industry heavy-weights might be doing, and wasn't really surprised to discover that just about all of them have been supporting IPsec on their various operating systems for many years. You'll find heaps more IPsec info on the IBM, SUN, Apple, and Microsoft web-sites.

As far as Linux goes, I found comprehensive IPsec support has existed for some time on Red Hat, SuSe, and Debian flavours. Are there others I should look at?

So from Apple to IBM, from Windows to Android and from OSX to Linux, it appears everyone outside of VMS has committed to supporting IPsec on their IP stacks as an essential tool in their integrated e-business infrastructure offerings. So can someone please explain to me why HP/VMS continue to sit on their hands over this? And why VMS customers do not need the secure network connectivity that the rest of the industry needs? Perhaps a new VMS ambassador could tell us :-)

And if you're planning a move off VMS to obtain this industry-standard IPsec capability, just let me point out that Process Software's Multinet has supported IPsec on VMS for years and since version 5.2 (at least 18 months ago) has supported "Dynamic Key Exchange" to remove the need for Static Keys or "Pre-shared secrets".

I don't mind if HP/VMS continues its SLA of 2 to 10 years late; I don't care that the IPsec version in 8.4 might only have static keys, but for Pete's sake, this should've shipped with 8.3! The fact that 8.4 is moving farther and farther out on the horizon should be a blessing and give you time to get more and more functionality in - what's going on?

Once again, please contact HP and let them know that you are interested in IPsec and you want it in 8.4! Sadly, I have still not received a reply from my question to the above web-sites that Ian posted, and I am still unable to give you the PL's e-mail, but just please do what you can.

Regards Richard Maher

PS. Here are a couple more HP-UX links: -
http://h20338.www2.hp.com/hpux11i/cache/532713-0-0-0-121.html
leads to: -
http://h20338.www2.hp.com/hpux11i/cache/323855-0-0-14-121.html#ipsec
Brad McCusker
Respected Contributor

Re: IPSec and VMS Roadmaps

> Who contacted them about the RTR to Linux port
> Yeh, I thought as much.

The RTR to Linux port was customer funded. No, I won't tell you who, it's none of your business. But, I do know for a fact that it was customer funded.

I agree with you - IPSEC should be on the roadmap. Actually, it should be delivered by now. At least one of our clients was expecting it and will be sending cards and letters to product management.

Brad McCusker
Brad McCusker
Software Concepts International
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Hi Brad,

Thanks for the reply.

>>>>>>>>>>>>>>>
The RTR to Linux port was customer funded. No, I won't tell you who, it's none of your business. But, I do know for a fact that it was customer funded.
<<<<<<<<<<<<<<<

I sure hope it's not NasdaqOMX as part of a migration to Linux! But hey, as long as I and other VMS license payers don't have to foot *any of* the bill then who cares? Anyway, thanks for pointing that out.

>>>>>>>>>>>>>>>>>>>>
I agree with you - IPSEC should be on the roadmap. Actually, it should be delivered by now. At least one of our clients was expecting it and will be sending cards and letters to product management.
<<<<<<<<<<<<<<<<<<<<<

Glad to hear it!

Cheers Richard Maher
Solution

Re: IPSec and VMS Roadmaps

I've been clicking around myself over the past few days, trying to figure out when IPSec will (finally) be released for OpenVMS. I noticed the missing mention of IPSec in the roadmaps and was similarly worried.

We are a small shop with only five VMS boxes, but like many others out there (I guess), the requirement for secure comms is becoming more and more pressing.

The EAK has been running on a couple of our test boxes with no major problems at all, with the only caveat being that it broke our LPD printing.

I too very much hope that the essential IPSec functionality will be made available in TCP/IP 5.7.
John Abbott_2
Esteemed Contributor

Re: IPSec and VMS Roadmaps

The last I heard was that it'll not ship with 5.7

With the TUDs just finishing in the US, maybe someone knows something more and can share... please!
Don't do what Donny Dont does
Ian Miller.
Honored Contributor

Re: IPSec and VMS Roadmaps

There appeared to be an updated IPSEC in the T5.7 field test kit included in the OpenVMS 8.4 field test kit.
____________________
Purely Personal Opinion
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Steven,

If you look at the latest RoadMap (not that it has been historically worth the vapourware it is written on) it now says "IPSEC: Future Release". Sadly this can once again only be considered a further downgrade as, last I looked (and you had to cut and paste it to notepad et al just to make it visible), there was a commitment to 2010 :-(

Either way, IPSEC ships with TCP/IP services ('cos it would be too much work to extricate it) but it is uncertified and unsupported.

Lamentably, those left at HP/VMS continue to do whatever they like whenever they damn well feel like it. So you've probably got more chance of seeing "32 volume shadow-sets", "RTR on the iPhone" or "Clusters over gSOAP" than you have of the essential e-business infrastructure of IPSEC being delivered in a usable form any time soon :-(

They simply can't have been "working" on IPSEC all this time or they'd be more incompetent than I give them credit for.

In the meantime allow me to point out that Process Software offer quite a feature-rich line of IPSEC that has just been expanded: -

http://www.openvms.org/stories.php?story=10/04/08/4128705

Regards Richard Maher
John Abbott_2
Esteemed Contributor

Re: IPSec and VMS Roadmaps

Hi Richard,

I asked the question yesterday, whilst it is suggested and there may well be "something" in TCP/IP v5.7... Full support will not come until 2011. Sounded like another kit to me.

Whilst clearly not what you want to hear, I did hear a commitment that it _WILL_ be done.

Kind Regards
John.
ps.. please don't shoot the messenger! :-)
Don't do what Donny Dont does
Richard J Maher
Trusted Contributor

Re: IPSec and VMS Roadmaps

Hi John,

"Full support will not come until 2011."

It's only April 2010 for Pete's sake! And IPSec was supposed to "ship" with VMS 8.3. Do these people have absolutely no shame or embarrassment???

Seeing as you have access to the horse's "mouth" could you be so bold as to enquire why it could take more than a year to simply certify an already bundled IPSec?

Clearly UCX(TCP/IP Services) users have had their expectations managed so as to expect sloth-like response times, but we are clearly in glacial-pace territory now. Well why not 3011 for all the good it'll do :-(

The inability of HP/VMS Middle Management to respond to customer requirements and industry trends may help to explain why VMS is in the place it is today.

But that is *not* the problem here John! No, here we have essential e-business infrastructure being deliberately and maliciously ham-strung for no reason other than to satisfy someone's petty political agenda and self-interest.

IPSec *can* be shipped any time they like with 8.4 or after. The obstacles are now imaginary (if they were ever valid in the first place). Go ahead ask them!

I sat outside Oracle's offices in Sydney discussing IPSec with Matt Muggeridge over 4 years ago now and I can assure there is no valid reason or insurmountable obstacle preventing IPSec from being delivered this year!

They are deliberately sand-bagging for reasons and agendas only known to themselves :-(

Regards Richard Maher