[HECnet] DECnet over IP

Robert Armstrong bob at jfcl.com
Wed Jan 20 07:45:22 PST 2016


> So Multinet does not control the local port number when in active mode.

  Correct.  AFAIK this is like most TCP applications (e.g. telnet) that initiate outgoing, active, connections.

> Does that mean it also accepts connections from anywhere for passive connections?

  Yep.

> Or how do they authenticate?  IP address only?

  Authenticate??  We don't need no stinking authentication :-)

  Seriously, though, AFAIK Multinet tunnels have no authentication at all.  If somebody out there was smart enough to know what we were doing and spoof the DECnet packets, then they could probably break in.  Or at least they could take over the DECnet tunnel - whether they could log in and access files depends on how secure you've made your host.  Since a lot of the HECnet hosts, especially ones with TCP/IP tunnels, already have direct Internet facing ports for telnet, ssh, ftp, etc., the question of DECnet security seems moot.

  You can always configure your router, as I have, to only forward port 700 traffic from specific Internet hosts.  That'll solve the problem unless somebody also cares enough to go to the trouble of spoofing IPs as well.

  Getting off topic - don't I remember that there was a way to set a password on point-to-point DDCMP circuits?  How (or rather, at what level in the protocol stack) was that implemented?

Bob
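
Added example, not part of the original message: a check that the port 700 source restriction described above is actually holding, by listing any source outside the peer allowlist that reached port 700. The log format, the peer addresses (documentation ranges) and all function names are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import Counter

TUNNEL_PORT = 700  # the port named in the message above

# Hypothetical allowlist of tunnel peers (documentation address ranges).
ALLOWED_PEERS = [
    ipaddress.ip_network("198.51.100.7/32"),
    ipaddress.ip_network("203.0.113.0/29"),
]

# Constructed sample lines in a made-up key=value firewall log format.
SAMPLE_LOG = """\
2016-01-20T07:40:01 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=700
2016-01-20T07:41:13 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=700
2016-01-20T07:42:44 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=700
2016-01-20T07:43:02 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=22
2016-01-20T07:44:30 SRC=203.0.113.99 DST=192.0.2.10 PROTO=UDP DPT=700
this line is malformed and is skipped
2016-01-20T07:45:22 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP DPT=700
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=\S+\s+PROTO=\w+\s+DPT=(?P<dpt>\d+)")


def is_allowed(addr, allowed=ALLOWED_PEERS):
    """True if addr falls inside any allowlisted peer network."""
    return any(addr in net for net in allowed)


def unexpected_tunnel_sources(log_text, allowed=ALLOWED_PEERS, port=TUNNEL_PORT):
    """Count log entries to the tunnel port whose source is not a known peer."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) != port:
            continue  # unparseable line, or traffic to some other port
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source field is not an IP address
        if not is_allowed(src, allowed):
            hits[str(src)] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, n in sorted(unexpected_tunnel_sources(SAMPLE_LOG).items()):
        print(f"{src}: {n} entries to port {TUNNEL_PORT} from a non-peer")
```

An empty result only shows that the source filter is in place; as the message notes, it says nothing about traffic sent with a spoofed peer address.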