HPE Community
Operating System - OpenVMS
1753745 Members
5036 Online
108799 Solutions
New Discussion юеВ

Re: new Poll: IPSEC support in HP TCPIP

 
SOLVED
Go to solution
John Gillings
Honored Contributor

тАО05-14-2009 06:22 PM

тАО05-14-2009 06:22 PM

Re: new Poll: IPSEC support in HP TCPIP

Richard,

Don't shoot the messenger. You don't need to convince me! I believe HP should implement IPsec.

We had an opportunity recently, with HP Engineering on the other side of a table, in person (well, at least on HALO). We put the question of IPsec futures to them. I'm just giving you a summary of the answer we got.

That doesn't mean I believe it's a GOOD answer, nor that I think their justification is valid. That's just what they said. I can't answer your (rhetorical?) questions.

From my experience of getting stuff put into VMS, I've found that forum discussions or complaining to support folk, no matter how vociferous or compelling, don't tend to get results.

You need to find a (small) number of real live, paying customers, and get them to rattle account rep cages. That's far more likely to get the result you want than preaching fire and brimstone to the choir.
A crucible of informative mistakes
Reply
Ian Miller.
Honored Contributor

тАО05-15-2009 02:41 AM

тАО05-15-2009 02:41 AM

Re: new Poll: IPSEC support in HP TCPIP

It was me that setup the poll and made the questions. The questions where just what I occurred to me at the time :-)

People in HP are watching the results and I'm collecting comments to pass on to.

I have no control over the decision but am attempting to provide a way of getting the VMS community feedback to the people that do make the decision.
____________________
Purely Personal Opinion
Reply
marsh_1
Honored Contributor

тАО05-15-2009 02:55 AM

тАО05-15-2009 02:55 AM

Re: new Poll: IPSEC support in HP TCPIP

ian,

there may also be traction for this in the lottery gaming market as suppliers like GTECH are looking to offer online products to complement existing terminal based lottery software, they can do IPSec on VMS's rival platforms...
perhaps HP might run that by them ?


Reply
Cass Witkowski
Trusted Contributor

тАО05-17-2009 12:58 PM

тАО05-17-2009 12:58 PM

Re: new Poll: IPSEC support in HP TCPIP

Right now I don't think IPSEC has hit a critical mass. What will drive it is when someone like US Government mandates the use of IPSEC on all products.

It looks like IPSEC will be the future and when mandated I will need to implemented it yesterday. I hope OpenVMS Management will be on board and ready to ship.

I don't know about everyone else but the request on my time is such that unless our customer is asking for it I have very little time to expore every new thing. It's only when they ask that I better have the answer ready.

Reply
Richard J Maher
Trusted Contributor

тАО05-17-2009 03:01 PM

тАО05-17-2009 03:01 PM

Re: new Poll: IPSEC support in HP TCPIP

Hi Cass,

Not sure what the critical mass needed would look like, but for the benefit of the VMS-only HP customers let me point out that "HP" haven't figured out IPsec requirements today or yesterday, they've *known* it was absolutely needed years ago. It's right there in HP UX and has been for almost *10 years*! (Not sure about HPUX chronology but a quick glance through ITRC has the earliest post on 25/9/2000 talking about IPsec availability in version 10.4 or a production-grade realease in HPUX 11.0)

Just found a interesting HP/UX web-page regarding IP with the catch phrase "Delivering the promise"
http://h20338.www2.hp.com/hpux11i/cache/324347-0-0-0-121.html

Little do they know that HP/VMS have a similar program, but ours is tailor made for the amount development taking place on VMS at the moment and for the calibre of the user-base; it's called "Breaking the promise" :-(

And for John G and other's appologizing for having the temerity to discuss such things in a public forum, here's one where it looks like HPUX IPsec project management actually
encourage public forum feedback:-
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=866391

I wonder what the EAK take-up for IPsec on HPUX was? I wonder what hoops HP's valued customers were made to jump through there?

Your problem is not with HP as a whole, they're fully on board, your problem is with HP/*VMS* management!

Just search ITRC for IPsec to see all sorts of lively development and system management discussion. (Then there's Linux, SUN, IBM, Apple, Microsoft, all with IPsec. Android? iPhone? - Good to go!)

Regards Richard Maher

BTW. here's another coup of useful links: -
http://www.ipv6ready.org/?page=faq
http://www.ipv6ready.org/?page=phase-2-about

Now clearly TCP/IP Services for OpenVMS will find it impossible to obtain Stage 3 IPv6 Ready status and qualification without IPsec, but how is it able to still be listed for the Gold Logo at all? All you have to do is pass a test in the labs and never release anything?
0 Kudos
Reply
John Gillings
Honored Contributor

тАО05-17-2009 03:37 PM

тАО05-17-2009 03:37 PM

Re: new Poll: IPSEC support in HP TCPIP

Richard,

>And for John G and other's appologizing for
>having the temerity to discuss such things
>in a public forum,

Probably no point in responding because you're refusing to try to understand my message :-(

I am NOT apologising for OpenVMS engineering! I think their stance on IPsec is stupid, short sighted and unjustified. Can I make it clearer than that?

However, rather than just rant and abuse anyone even perceived to have a contrary opinion, I have actually DONE SOMETHING about it by speaking directly to the people who make the decisions. What I posted was their response, and a suggestion about a potentially more productive way to achieve your objective.

I've told HP that I would like IPsec to be released, but I can't tell them that we actually need it because at this time we don't have any plans to use it. Sorry if you're offended by that.

Richard, how you ever expect anyone to listen to you when even those in full agreement cop abuse and sarcasm is beyond me!
A crucible of informative mistakes
Reply
Thomas Ritter
Respected Contributor

тАО05-17-2009 08:21 PM

тАО05-17-2009 08:21 PM

Re: new Poll: IPSEC support in HP TCPIP

I'd thought I add my two cents. I work for a big Telco and an number of other companies. I have some first hand insight on what is happening. IMO OpenVMS's history is bleak. In the last 10 years, no new applications have been developed on VMS. Some reasons could be 1) IT cartels with off-shoring strategies influence decision making, 2) Management's big concern about the inability to recruit smart upcoming graduates to work on VMS. No problems with Linux/UNIX or even Windows. 3) Aging VMS workforce.
We managed to keep an OpenVMS drop box alive and still in service by purchasing Process Software's SSH. The poor support for a rich TCP/IP stack on lower version of VMS has not helped. Salaries for strong Linux or Unix skills exceed those for VMS. I spend a lot of time now managing Linux clusters solving problems which just cannot happen on VMS.
So IPSEC on OpenVMS ? Why ?

0 Kudos
Reply
Richard J Maher
Trusted Contributor

тАО05-17-2009 08:22 PM

тАО05-17-2009 08:22 PM

Re: new Poll: IPSEC support in HP TCPIP

Hi Mark,

GTECH is certainly not the only one looking for such functionality, and with IPsec having reached ubiquitous-status in recent years (everywhere outside of VMS that is) the option of deploying IPsec for mutual-authentication and encryption is gaining a lot of traction.

As the Financial Services Technology Consortium put it in its January 2005 report, "Better institution-to-customer authentication would prevent attackers from successfully impersonating financial institutions to steal customers' account credentials; and better customer-to-institution authentication would prevent attackers from successfully impersonating customers to financial institutions in order to perpetrate fraud."

Home-Banking, Online-Trading, and Online-Gaming, are all areas I expect to see IPsec become much more prevalent in, as well as the traditional branch-offices, mobile-salesmen, or employees working-from-home market. With Android and iPhone both supporting IPsec, the hand-held VPN market is also set to explode!

But to know why I'm so passionate about IPsec have a look at: -
http://manson.vistech.net/t3$examples/demo_client_web.html
Username: TIER3_DEMO
Password: QUEUE

Tier3 does not currently support (code for) SSL on the server side, therefore those that need an encryption and authentication capability currently have to stick a product like Stunnel in the way, or IPsec to a router or other IPsec supporting OS behind the firewall. Similarly with the hotTIP functionality described in detail at
http://manson.vistech.net/t3$examples/Tier3_031.pdf

But intrinsic IPsec in VMS is extremely desirable not just for Tier3/hotTIP but for any application that wants to communicate over TCP/IP (*and UDP*) Sockets. Port 443 is *not* the only game in town! Why should every application have to re-code and re-invent SSL support when with IPsec a System Manager can simply say "I want secure, authenticated, communications between these hosts and those; all Mail, Telnet, HTTP, FTP and every other application protocol you'd like."?

It's all good! And it's already done: -
http://h71000.www7.hp.com/openvms/products/ipsec/index.html
All they have to do is support it just like HP-UX, IBM, Microsoft, SUN, Apple, Linux. . .

Regards Richard Maher

PS. John, I'd very much like to know the names of the people "making the decisions"!
0 Kudos
Reply
Ian Miller.
Honored Contributor

тАО05-18-2009 01:08 AM

тАО05-18-2009 01:08 AM

Re: new Poll: IPSEC support in HP TCPIP

The poll will close on Wednesday 20th May 2009 sometime (when I get around to it).

The results are publically visible.

Comments here and elsewhere will be collected and passed on to people in HP who have asked about this.

____________________
Purely Personal Opinion
Reply
Richard J Maher
Trusted Contributor

тАО05-18-2009 02:45 AM

тАО05-18-2009 02:45 AM

Re: new Poll: IPSEC support in HP TCPIP

Hi,

Please also be advised that Process Software will be holding a Webinar on IP Security on Wednesday, May 27th discusiing IPsec (among other things): -
http://www.openvms.org/stories.php?story=09/05/13/1331735

When forced by HP/VMS management to choose between HP-UX or an alternative IP Stack provider, I suggest that you look seriously at Multinet and one of the *many* Linux-based IPsec solutions.

Cheers Richard Maher

PS. Personally, I'd see the upcoming HP Tech-Forum as an ideal opportunity for HP to re-commit to the VMS client-base by re-committing to IPsec with TCP/IP services. What better way to prove to doubting customers that VMS is still in safe hands and that their business infrastructure is safe with HP/VMS!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.