[HECnet] Intermittent Connection with PyDECnet?

Thomas DeBellis tommytimesharing at gmail.com
Mon Mar 2 16:09:59 PST 2020


DECnet, like ARPAnet (the predecessor of IP), was designed in an era of 
point-to-point (largely synchronous) communications over private lines 
and locked-down routers (called IMPs or Interface Message Processors).  
PC what??  If you control the wires (which AT&T did), the router (which 
BBN did) and the (timeshared) CPU (which was the case for large systems 
with staff), then the model is not immediately horrifying.

All of that went out the window with broadcast networks (1983), 
non-government user-owned routers (I.E., Cisco) and PCs. However, you'd 
be surprised at how many people out there still think that ACLs for IP 
addresses are sufficient.  Nope.

You can not rely on /anything/ you put out on the Internet getting 
snooped unless you secure (I.E., encrypt) and firewall _all_ legs of the 
transport.  This is frequently done with NAT'ing routers and IPsec, so 
it is largely transparent.  I have installed a large number of these and 
they appear to function well.  At least, I haven't gotten nailed yet 
through that avenue (as he knocks on wood).

Off the top of my head, the only way to handle credential exchange in a 
public setting is to either not do it at all (I.E., allowing limited 
ANONYMOUS usage), non-transmitted shared secret (I.E., private key sent 
outside of regular channels), asymmetric authentication or 
information-theoretically secure paradigms.

All of my HECnet hosts are behind a firewall specifically so they can't 
be scanned.  The only time I bring a host on the general Internet is to 
do regression tests of my FTP server.  Perhaps also when I get around to 
implementing some more TELNET options (not having SIGWINCH on Tops-20 is 
/really/ annoying).

On 3/2/20 4:33 PM, Mark J. Blair wrote:
> Re: multiple DECnet nodes on the same physical machine, I've set up things like tun/tap before for that. I don't remember the details, but I still have my scripts from the last time I played with it so that I can learn it all over again.
>
> Re: security, I don't expect any sort of modern security within HECnet. I presume that anything I connect to it may get to relive things like the Father Christmas worm at any moment, all of my packets transiting HECnet outside my local network are printed on billboards, and nothing but obscurity stands between my local network and all of the DECnet-aware malicious hackers in the world using my old VMS and RSX nodes as beachheads to break in. I was mostly just wondering if there's anything in place to provide a modicum of protection for the Internet-connected, IP-aware hosts on HECnet (particularly any nodes providing upstream connectivity to others on HECnet) from random bad people port-scanning them and making connections to their open IP ports. Is there even a plaintext login/password challenge at connection time when a downstream node connects to its upstream node over the public Internet? Does that vary depending on whether GRE, Multinet, etc. is used for the link?
>
>