Operating System - OpenVMS

new Poll: IPSEC support in HP TCPIP

 
Richard J Maher
Trusted Contributor


Hi,

Please vote for IPsec at the following site: -
http://www.openvms.org/stories.php?story=09/05/13/1922766

Thanks for setting that up Ian.

Cheers Richard Maher

PS. It's free! It allows you to secure all (TCP/IP and UDP) traffic between hosts transparently! Host or Port level granularity! No more SSL coding at the application level! Comes with a host-based firewall capability! Secure your hand-held and portable communications today(ish)! Most of the code already exists and is able to make 8.4!

PPS. If you're going to vote "no" then why not just scratch your initials into a bus window, or spray-paint a wall like you normally do :-)
Jon Pinkley
Honored Contributor

Re: new Poll: IPSEC support in HP TCPIP

Just for people's information, these are your choices:

OpenVMS.org Polls

If IPSEC support was available in HP TCPIP Services for OpenVMS

o You would deploy it on a production server within a year

o Be not interested because you already use another vendors IPSEC on OpenVMS

o Have no interest in using IPSEC on OpenVMS

o Don't know what IPSEC is

it depends
Jon Pinkley
Honored Contributor
Solution

Re: new Poll: IPSEC support in HP TCPIP

How many sites would use a V1 security related product in production systems within a year of its initial release? That appears to be the only choice "in favor" of IPSec, as all the rest would seem to indicate no interest.

My point being that you can design a poll to get the result you want, and it appears to me the result that is wanted is "Our customers show no interest in IPSec at this time".

it depends
Richard J Maher
Trusted Contributor

Re: new Poll: IPSEC support in HP TCPIP

Hi Jon,

I certainly hope you're wrong. (Although I too would have liked a less qualified "Yes" box)

I'm guessing any confusion with the questions would have more to do with the inexperience of the framers as pollsters rather than malicious intent or agenda.

OTOH, maybe they were told "that's what it'd take" and had to run with it :-(

Cheers Richard Maher

PS. Looking forward to once again saying a big *NO* to daylight saving in WA this week-end. (Hopefully for the last time!)
Jan van den Ende
Honored Contributor

Re: new Poll: IPSEC support in HP TCPIP

Richard,

thanks for the pointer.

I just voted in favor, and I strongly advise every regular (and not so very regular) visitor here to do the same!

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
John Abbott_2
Esteemed Contributor

Re: new Poll: IPSEC support in HP TCPIP

Thanks from me too, for setting this up. It's a yes both here and directly to HP (from your previous heads-up post)

re: pps... lol :-)

Regards,
John.
Don't do what Donny Dont does
John Gillings
Honored Contributor

Re: new Poll: IPSEC support in HP TCPIP

Richard,

We recently put this question to HP Engineering directly, not because we want, need or even intend to use IPsec, but more as a sign of reduced investment, care and feeding, etc... in OpenVMS by HP.

In a nutshell, their answer was "show us the money". They pointed to the very low uptake of the EAK, and lack of feedback from customers stating that they wanted the product.

Rather than conduct a poll, I would urge anyone who is willing to pay for this product (even assuming that it will be "free" with an existing TCPIP license), to contact their account reps directly. A poll is not likely to be as effective as "if you don't implement IPsec, THIS customer will stop paying maintenance on TCPIP services and switch to one of the competing products".


A crucible of informative mistakes
Richard J Maher
Trusted Contributor

Re: new Poll: IPSEC support in HP TCPIP

John,

I will go over the same ground as I have done many times before in various forums.

1) Nobody is asking for some blue-sky thinking here or to invest in a huge startup project. IPSec is not just low-hanging fruit, it's a wind-fall sitting on the ground; all they have to do is pick it up! Unless of course, all of the money that's been poured into its development over the last 5+ years has produced something a tad less than merchantable quality. (In which case if I was the developer(s) or project manager(s) I too would be desperate to stop people asking what we've been doing all this time!)

2) What are the standard or average EAK download stats for say the last 10 VMS products released in this fashion? What is a "low uptake" and what are "they" comparing it to?

What were the Java EAK download stats? WSIT 3.0? RTR on Linux? IPv6? Clusters over IP perhaps?

Oh, I see; they don't have to jump through the same imaginary hoops as someone's pet project? I get it, VMS management only does this when they want to kill something.

"Global clusters over IP" has everyone asking for it, but "VPN my laptops and hand-helds" is an orphan? I think not.

3) Your world may well revolve around what "We" do but when every other OS and IP Stack vendor from SUN to Microsoft to IBM to all flavours of Linux and Android and iPhone have implemented IPsec (and most of them years ago on IPv4) you'll forgive me for dismissing the argument as being akin to the horse that won't drink. The ability to encrypt and authenticate all communication between hosts or just some ports on different hosts is not something I see as being limited in its application these days, even in intranets.

Why bother with IPv6 at all for Pete's sake? Where were you when they were presumably wasting more money on that redundant rubbish? Big EAK hit? BTW, IPsec is a *mandatory* component for those claiming IPv6 compliance.

What's that you say?

"We don't put VMS on the network and expose it to nastiness, VMS is a local shop for local people!" We don't need a firewall on VMS, we don't need secure communications, we just buy a whole lot of *nix boxes for the real world stuff and lock VMS up in a room :-(

> Rather than conduct a poll,

Oh, I see, the jury's back but no one likes the verdict? I also see Ian has adopted a similar tack in OpenVMS.org :-( Looks like Jon P was right after all.

Anyway, it may be fun to watch me run around like Pavlov's Dog but seeing long suffering VMS customers have to do the same for even the most basic, essential e-business functionality helps explain why VMS is where it is today.

Why don't they stop all IPv6, no all VMS, development now? Hold on. . .Ooops!

Richard Maher
Richard J Maher
Trusted Contributor

Re: new Poll: IPSEC support in HP TCPIP

Hi again John,

I just had a look at: -
http://h71000.www7.hp.com/ebusiness/technology.html

And was once again surprised to find not 1, 2, or 3, but *4* web-browsers for VMS! Well I guess you just can't have too many of those.

Anyway what I couldn't find on the page was how much profit HP/VMS makes from the sale of these products, or the additional VMS units shipped on the back of them. You couldn't get your contacts to help me out and "Show me the money" could you?

Also, what were the EAK download stats for each of these web-browsers?

Regards Richard Maher

PS. What has changed in the last say 5 years since millions of license-payer dollars were allocated to IPsec development, and thousands of man-hours spent, and today where presumably that money will just be written off as "I bet ya no one was gonna use it anyway"?
Richard Whalen
Honored Contributor

Re: new Poll: IPSEC support in HP TCPIP

I have no idea how many MultiNet sites use IPSec; we haven't had a lot of questions, so I don't believe that it is many. But we have had questions about it since before we added the key management program, so I know that there are a few users.

Based upon number of support calls, the number of users of SSH & SFTP is orders of magnitude higher.

FTP over TLS (FTPS) hasn't been out long enough to measure, but we have had a few calls on it as well.

I would say that there is great demand for methods of securing user authentication and data exchange; which method ends up being the most popular in the long run is hard to say.
John Gillings
Honored Contributor

Re: new Poll: IPSEC support in HP TCPIP

Richard,

Don't shoot the messenger. You don't need to convince me! I believe HP should implement IPsec.

We had an opportunity recently, with HP Engineering on the other side of a table, in person (well, at least on HALO). We put the question of IPsec futures to them. I'm just giving you a summary of the answer we got.

That doesn't mean I believe it's a GOOD answer, nor that I think their justification is valid. That's just what they said. I can't answer your (rhetorical?) questions.

From my experience of getting stuff put into VMS, I've found that forum discussions or complaining to support folk, no matter how vociferous or compelling, don't tend to get results.

You need to find a (small) number of real live, paying customers, and get them to rattle account rep cages. That's far more likely to get the result you want than preaching fire and brimstone to the choir.
A crucible of informative mistakes
Ian Miller.
Honored Contributor

Re: new Poll: IPSEC support in HP TCPIP

It was me that set up the poll and made the questions. The questions were just what occurred to me at the time :-)

People in HP are watching the results and I'm collecting comments to pass on to.

I have no control over the decision but am attempting to provide a way of getting the VMS community feedback to the people that do make the decision.
____________________
Purely Personal Opinion
marsh_1
Honored Contributor

Re: new Poll: IPSEC support in HP TCPIP

ian,

there may also be traction for this in the lottery gaming market as suppliers like GTECH are looking to offer online products to complement existing terminal based lottery software, they can do IPSec on VMS's rival platforms...
perhaps HP might run that by them ?


Cass Witkowski
Trusted Contributor

Re: new Poll: IPSEC support in HP TCPIP

Right now I don't think IPSEC has hit a critical mass. What will drive it is when someone like US Government mandates the use of IPSEC on all products.

It looks like IPSEC will be the future and when mandated I will need to implement it yesterday. I hope OpenVMS Management will be on board and ready to ship.

I don't know about everyone else but the request on my time is such that unless our customer is asking for it I have very little time to explore every new thing. It's only when they ask that I better have the answer ready.

Richard J Maher
Trusted Contributor

Re: new Poll: IPSEC support in HP TCPIP

Hi Cass,

Not sure what the critical mass needed would look like, but for the benefit of the VMS-only HP customers let me point out that "HP" haven't figured out IPsec requirements today or yesterday, they've *known* it was absolutely needed years ago. It's right there in HP UX and has been for almost *10 years*! (Not sure about HPUX chronology but a quick glance through ITRC has the earliest post on 25/9/2000 talking about IPsec availability in version 10.4 or a production-grade release in HPUX 11.0)

Just found an interesting HP/UX web-page regarding IP with the catch phrase "Delivering the promise"
http://h20338.www2.hp.com/hpux11i/cache/324347-0-0-0-121.html

Little do they know that HP/VMS have a similar program, but ours is tailor made for the amount of development taking place on VMS at the moment and for the calibre of the user-base; it's called "Breaking the promise" :-(

And for John G and others apologizing for having the temerity to discuss such things in a public forum, here's one where it looks like HPUX IPsec project management actually encourage public forum feedback:-
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=866391

I wonder what the EAK take-up for IPsec on HPUX was? I wonder what hoops HP's valued customers were made to jump through there?

Your problem is not with HP as a whole, they're fully on board, your problem is with HP/*VMS* management!

Just search ITRC for IPsec to see all sorts of lively development and system management discussion. (Then there's Linux, SUN, IBM, Apple, Microsoft, all with IPsec. Android? iPhone? - Good to go!)

Regards Richard Maher

BTW. here's another couple of useful links: -
http://www.ipv6ready.org/?page=faq
http://www.ipv6ready.org/?page=phase-2-about

Now clearly TCP/IP Services for OpenVMS will find it impossible to obtain Stage 3 IPv6 Ready status and qualification without IPsec, but how is it able to still be listed for the Gold Logo at all? All you have to do is pass a test in the labs and never release anything?
John Gillings
Honored Contributor

Re: new Poll: IPSEC support in HP TCPIP

Richard,

>And for John G and others apologizing for
>having the temerity to discuss such things
>in a public forum,

Probably no point in responding because you're refusing to try to understand my message :-(

I am NOT apologising for OpenVMS engineering! I think their stance on IPsec is stupid, short sighted and unjustified. Can I make it clearer than that?

However, rather than just rant and abuse anyone even perceived to have a contrary opinion, I have actually DONE SOMETHING about it by speaking directly to the people who make the decisions. What I posted was their response, and a suggestion about a potentially more productive way to achieve your objective.

I've told HP that I would like IPsec to be released, but I can't tell them that we actually need it because at this time we don't have any plans to use it. Sorry if you're offended by that.

Richard, how you ever expect anyone to listen to you when even those in full agreement cop abuse and sarcasm is beyond me!
A crucible of informative mistakes
Thomas Ritter
Respected Contributor

Re: new Poll: IPSEC support in HP TCPIP

I thought I'd add my two cents. I work for a big Telco and a number of other companies. I have some first hand insight on what is happening. IMO OpenVMS's history is bleak. In the last 10 years, no new applications have been developed on VMS. Some reasons could be 1) IT cartels with off-shoring strategies influence decision making, 2) Management's big concern about the inability to recruit smart upcoming graduates to work on VMS. No problems with Linux/UNIX or even Windows. 3) Aging VMS workforce.
We managed to keep an OpenVMS drop box alive and still in service by purchasing Process Software's SSH. The poor support for a rich TCP/IP stack on lower versions of VMS has not helped. Salaries for strong Linux or Unix skills exceed those for VMS. I spend a lot of time now managing Linux clusters solving problems which just cannot happen on VMS.
So IPSEC on OpenVMS ? Why ?

Richard J Maher
Trusted Contributor

Re: new Poll: IPSEC support in HP TCPIP

Hi Mark,

GTECH is certainly not the only one looking for such functionality, and with IPsec having reached ubiquitous-status in recent years (everywhere outside of VMS that is) the option of deploying IPsec for mutual-authentication and encryption is gaining a lot of traction.

As the Financial Services Technology Consortium put it in its January 2005 report, "Better institution-to-customer authentication would prevent attackers from successfully impersonating financial institutions to steal customers' account credentials; and better customer-to-institution authentication would prevent attackers from successfully impersonating customers to financial institutions in order to perpetrate fraud."

Home-Banking, Online-Trading, and Online-Gaming, are all areas I expect to see IPsec become much more prevalent in, as well as the traditional branch-offices, mobile-salesmen, or employees working-from-home market. With Android and iPhone both supporting IPsec, the hand-held VPN market is also set to explode!

But to know why I'm so passionate about IPsec have a look at: -
http://manson.vistech.net/t3$examples/demo_client_web.html
Username: TIER3_DEMO
Password: QUEUE

Tier3 does not currently support (code for) SSL on the server side, therefore those that need an encryption and authentication capability currently have to stick a product like Stunnel in the way, or IPsec to a router or other IPsec supporting OS behind the firewall. Similarly with the hotTIP functionality described in detail at
http://manson.vistech.net/t3$examples/Tier3_031.pdf

But intrinsic IPsec in VMS is extremely desirable not just for Tier3/hotTIP but for any application that wants to communicate over TCP/IP (*and UDP*) Sockets. Port 443 is *not* the only game in town! Why should every application have to re-code and re-invent SSL support when with IPsec a System Manager can simply say "I want secure, authenticated, communications between these hosts and those; all Mail, Telnet, HTTP, FTP and every other application protocol you'd like."?

It's all good! And it's already done: -
http://h71000.www7.hp.com/openvms/products/ipsec/index.html
All they have to do is support it just like HP-UX, IBM, Microsoft, SUN, Apple, Linux. . .

Regards Richard Maher

PS. John, I'd very much like to know the names of the people "making the decisions"!
Ian Miller.
Honored Contributor

Re: new Poll: IPSEC support in HP TCPIP

The poll will close on Wednesday 20th May 2009 sometime (when I get around to it).

The results are publicly visible.

Comments here and elsewhere will be collected and passed on to people in HP who have asked about this.

____________________
Purely Personal Opinion
Richard J Maher
Trusted Contributor

Re: new Poll: IPSEC support in HP TCPIP

Hi,

Please also be advised that Process Software will be holding a Webinar on IP Security on Wednesday, May 27th discussing IPsec (among other things): -
http://www.openvms.org/stories.php?story=09/05/13/1331735

When forced by HP/VMS management to choose between HP-UX or an alternative IP Stack provider, I suggest that you look seriously at Multinet and one of the *many* Linux-based IPsec solutions.

Cheers Richard Maher

PS. Personally, I'd see the upcoming HP Tech-Forum as an ideal opportunity for HP to re-commit to the VMS client-base by re-committing to IPsec with TCP/IP services. What better way to prove to doubting customers that VMS is still in safe hands and that their business infrastructure is safe with HP/VMS!
Richard W Hunt
Valued Contributor

Re: new Poll: IPSEC support in HP TCPIP

I cannot speak for other sites, but I work at a U.S. Dept. of Defense site where there is a requirement to use a Computer Access Card (a specifically programmed Smart Card) as part of your login. I went through huge hoops with the Attachmate techs before coming to the realization that deep down inside, our inability to communicate was because OpenSSH for OpenVMS is one format and the Windows workstation gets one of these Smart Cards in IPSEC format.

What would you get if you did more with IPSEC? How about no-password logins using the Computer Access Card as the starting point. You would be surprised how many sites want that. (No, maybe you wouldn't be surprised.) Attachmate s/w could extract the RSA key from the card, but it's in the wrong format completely - IPSEC. So our OpenSSH won't take it. Drives me nuts because I am bound in regulation about how I can approach the problem. But even with something so simple as the ability to convert OpenSEC keys to IPSEC or vice versa, I could take that ball and run with it for miles!
Sr. Systems Janitor
Richard J Maher
Trusted Contributor

Re: new Poll: IPSEC support in HP TCPIP

Run Forest, Run!
Ian Miller.
Honored Contributor

Re: new Poll: IPSEC support in HP TCPIP

I've closed the poll.

Results

If IPSEC support was available in HP TCPIP Services for OpenVMS

You would deploy it on a production server within a year 85.87% (79)

Be not interested because you already use another vendors IPSEC on OpenVMS 4.35% (4)

Have no interest in using IPSEC on OpenVMS 4.35% (4)

Don't know what IPSEC is 5.43% (5)

I will pass this on with the collected comments to HP.
____________________
Purely Personal Opinion
Richard J Maher
Trusted Contributor

Re: new Poll: IPSEC support in HP TCPIP

That's funny, I just looked at the page and it says/said: -

If IPSEC support was available in HP TCPIP Services for OpenVMS
You would deploy it on a production server within a year 83.05% (98)
Be not interested because you already use another vendors IPSEC on OpenVMS 4.24% (5)
Have no interest in using IPSEC on OpenVMS 5.08% (6)
Don't know what IPSEC is 7.63% (9)

Maybe you have a cached page?
Ian Miller.
Honored Contributor

Re: new Poll: IPSEC support in HP TCPIP

Could be :-(

I'm now seeing the figures you posted.

However the overall pattern is the same.
____________________
Purely Personal Opinion