On 2016-12-10 11:33:43 +0000, Dirk Munk said:
> I don't understand what you mean.
Um, that dragging the corpse of OSI out of the crypt during even a
severe network thunderstorm won't ever reanimate it? 😀
> As far as I'm aware, IPsec has nothing to do with any application
> (except for management perhaps). It is completely transparent for all
> IP traffic, for all applications that use IP.
Nothing is ever completely transparent, as applications have to deal
with at least requesting the security required and contending with the
errors and notifications that inevitably arise. Having a connection
blow up in the middle, or to get MITM'd successfully or otherwise, or
to ascertain the identity of the specific client or server based on a
certificate, are details that a secure application are probably going
to want to know about, after all.
But as I have repeatedly stated here, I really don't care if it's IPsec
or TLS underneath.
> A very simple example. Your touter at home can set up a tunnel with
> another router. It's done using IPsec, and all traffic between both
> routers is encrypted.
Few folks want to recreate a DESNC-style connection in this era.
End-to-end is preferred. Particularly over what is an explicitly
MITM'd connection, and one that inherently cannot verify the end-points
of the connection.
Put another way, I cannot imagine setting up a connection such as this,
save for connecting to a system with utterly incompetent security.
> The same applies to two hosts connected using IPsec. That's the beauty of it.
Other than that there's no IPsec on OpenVMS via the vendor stack, and
other than that IPsec isn't as ubiquitous as any of us would prefer,
sure.
But as I've repeatedly stated, I don't care what's downstairs from a
(simpler!) API, wither it's TLS or IPsec or such, or a slightly
higher-layer HTTPS or otherwise.
>> IPsec is a great approach, but it's still not common.
>
> Not commonly in use perhaps, but present in any decent IP stack.
Not commonly used is not commonly used.
If I have to set up a DESNC or a VPN server on the target network, or
install and configure OSI or IPsec or whatever else, beauty and
elegance can lose some of its luster, and the installation and support
costs can go up.
But I'm not inclined to continue the TLS versus IPsec debate — that
debate raged fifteen years ago. For uses where arbitrary connections
are required for application-to-application communcations, TLS largely
won. For VPNs and dedicated connections, IPsec or various other VPN
protocols or even network bridging over a secure link — how DECnet
Phase IV can connect site-to-site, for instance — all works fine.
For those interested in and unfamiliar with the discussion and the
trade-offs, here's a decent write-up:
https://www.k2esec.com/network-security-protocols-ipsec-vs-tlsssl-vs-ssh-part-ii/
Added atop that debate is my preference for a vastly improved API, as
part of an effort to improve or overhaul the crypto and authentication
support and the general socket-level and DNS-related efforts within
OpenVMS. There's way too much glue code involved in that, and some of
the sequences are quite arcane. Much like how many of the OpenVMS
programming languages abstracted the complexity of RMS through various
language extensions, the network stack needs to be much simpler and
more abstract for the most common client and server operations, with
sockets or $qio or $io_perform interfaces and the libtls or OpenSSL
APLs remaining available for those applications and tasks that need
that control. I'd prefer OO here for ease of future work, but that's
probably a bridge too far for existing applications and designs.
> If we're talking about a company connecting it's servers locally or
> over the internet, setting up IPsec to connect all nodes would
> certainly be a priority for me.
I am discussing the utterly absurd state of the OpenVMS APIs available
for establishing and securing network connections, and the associated
difficulties around that, when communicating with a variety of remote
hosts where I may or may not have control over the other end of the
connection and the remote gateway box, If you want to set up a
DESNC-secured OSI link for DECnet Phase V or other such, or a
gateway-to-gateway VPN, have at. Those are certainly valid for some
applications. Those approaches do utterly lack the ability to
establish end-to-end connections, they also mean there's no way to
verify remote identity within the applications, and DESNC- or
gateway-based VPNs do pile prerequisites into the network
infrastructure; dependencies and setup steps outside of the constituent
client and server application code.
> Perhaps a bit of a headache to set it up (that's why I asked for a good
> manual), but once it's running you can sit down and relax, all your IP
> traffic will be safe. No need for firewalls, only ports 500, 50 and 51
> are in use.
I'm guessing you were referring to a mix of ports and protocols there,
as AFAIK ports 50 and 51 aren't used in any context related to what I'm
discussing. Again, if you can institute requirements on the remote
network, then IPsec or a VPN or even OSI is certainly feasible. And I
don't really care what's underneath the particular application API, so
long as I can authenticate the connection, and the network traffic is
securely encrypted.
> Yes I know, quick and dirty is still the preferred approach in ICT
> land. However in the end it will always be more costly, and more
> cumbersome then a better approach would have been. The present IPv4 to
> IPv6 migration is a beautiful example of that.
Ayup. Now imagine how long it'll take to get everybody over to IPsec
or over to OSI.
>> OSI is now and will remain dead. It was and is an elegant and
>> inclusive (and complex) approach, but one that utterly missed the
>> market.
>
> Or perhaps the market missed OSI
Thankfully.
For anybody reading that might be planning to attend business school,
you might want to research where the OSI effort went wrong, why an
all-inclusive and complex solution that arrived late is problematic,
and why the customers decided to roll out the good-enough IP stack, and
where that's all led. OSI tried to do everything up front, IP did
less and rolled out with incremental changes in the stacks and in
applications. It's rather fascinating stuff to ponder, including
around what happened to the products and platforms that didn't adapt to
and accept the ascendence of IP as quickly as others.