[HECnet] Minimal Requirements
Mark Berryman
mark at theberrymans.com
Thu Apr 4 18:32:50 PDT 2019
I can configure my system to accept a connection from a host with a dynamic address since I can limit the port to the range of possible addresses instead of opening it to the world. I would probably want to configure the circuit to use a routing initialization password, however. Let me know if interested.
Mark Berryman
> On Apr 4, 2019, at 6:03 PM, Paul Koning <paulkoning at comcast.net> wrote:
>
>
>
>> On Apr 4, 2019, at 6:32 PM, Johnny Billquist <bqt at softjar.se> wrote:
>>
>> On 2019-04-04 15:28, Paul Koning wrote:
>>>> On Apr 4, 2019, at 7:53 AM, Supratim Sanyal <supratim at riseup.net> wrote:
>>>>
>>>> On 4/4/19 6:12 AM, Keith Halewood wrote:
>>>>> Hi,
>>>>> I'm pretty sure that a TCP listen doesn't care who connects to it on VAX Multinet. UDP is a different matter.
>>>>> For example, there's a listener device set up with a 1.1.1.1 address on DUNE here. PIVAX0 connects to it from a completely different address. I use access controls on the router to restrict just who is allowed to connect to it.
>>>>> If you want I can set up another incoming line/circuit and you can connect to it. I'm in area 29 FYI.
>>>>
>>>> I have listeners waiting on 0.0.0.0. Yes, MULTINET does not seem to care what address connections come in from.
>>> Does that mean anyone can connect to HECnet without any authentication? Or is DECnet node init authentication used?
>>> "Security by obscurity" only goes so far. Is it good enough for HECnet?
>>
>> So far that's mostly what we have, yes.
>> I have from time to time considered maybe adding a password on the link, as DECnet do support that.
>>
>> But so far, there has never been a single instance of someone actually trying to connect some unknown node with DECnet on any link of mine. But it is most likely just because pretty much any remote script-kid just have no clue that DECnet even exists, what to do with it, or anything else.
>>
>> Also, the worst I think anyone could do would just be disrupting DECnet. But maybe someone else can think of anything else potentially interesting someone could do by hijacking a circuit.
>
> The worst you could do is what was done with BGP in the past: create a route diversion that sends a pile of the traffic to a rogue router. Most of that traffic would not be all that interesting, I suppose.
>
>> My biggest issue with those link passwords in RSX is that I think I can only have one password, and it will be applied to all links. And I also think that maybe I had to turn it on on all links if I turn it on on any.
>>
>> But if people are willing to experiment some, we could test enabling it.
>
> For RSTS, the password to use is a node attribute, so you specify what password to send to and expect from a given claimed neighbor node. (RSTS doesn't support Multinet or GRE, though -- but it does support DDCMP which is a fine way to offer point to point links over TCP.) And of course for routers we build we can make the flexibility whatever we care to code.
>
> paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sonic.net/pipermail/hecnet-list/attachments/20190404/cdc0b667/attachment-0001.html>
More information about the Hecnet-list
mailing list