INFO-VAX	Fri, 23 Jun 2006	Volume 2006 : Issue 346

Contents:
	Re: Cost of used alphas vs 8086+charron
	Re: Has any version of VMS ever received an A1 security rating?
	Re: Has any version of VMS ever received an A1 security rating?
	Re: Has any version of VMS ever received an A1 security rating?
	Re: how to turn off OPCOM messages on a console terminal
	Re: how to turn off OPCOM messages on a console terminal
	Re: how to turn off OPCOM messages on a console terminal
	TELNET PERFORMANCE OVER WAN
	Re: TELNET PERFORMANCE OVER WAN
	Re: TELNET PERFORMANCE OVER WAN
	Re: TELNET PERFORMANCE OVER WAN
	Re: TELNET PERFORMANCE OVER WAN

----------------------------------------------------------------------

Date: Thu, 22 Jun 2006 20:53:03 -0700
From: glen herrmannsfeldt <gah@ugcs.caltech.edu>
Subject: Re: Cost of used alphas vs 8086+charron
Message-ID: <eYadnQuZNvvu-AbZnZ2dnUVZ_r-dnZ2d@comcast.com>

JF Mezei wrote:

(snip)

> Intel has not named the architecture that was begun with the 8086
> (perhaps because it knew it was a mere toy controller and never expected
> it to last so long). And it has changed the product name many times
> based on the "chip du jour".

The architecture changed a lot with the 32 bit extensions in the 80386.
Many systems specified 80386 as a minimum system for a long time,
though it will run a little slow.  Most modern systems depend on
32 bit registers and addressing, so calling it 8086 is a little
strange.  If you don't like IA32, then x86 is commonly used.

> The "8086" is the root of that architecture and unambiguously refers to
> that family.

(snip)

> Also, IA-32 is not commonly used. And it is ambiguous since Intel has
> multiple 32 bit architectures (it inherited the StrongArm from DEC and
> either uses it or developed its own for PDAs.)

In the places I look it is commonly used.

-- glen

------------------------------

Date: Thu, 22 Jun 2006 17:52:35 -0400
From: "William Webb" <william.w.webb@gmail.com>
Subject: Re: Has any version of VMS ever received an A1 security rating?
Message-ID: <8660a3a10606221452o73e8a3acpa5a344e341cf1103@mail.gmail.com>

On 21 Jun 2006 06:56:38 -0500, Larry Kilgallen <Kilgallen@spamcop.net> wrote:
> In article <4498DF21.2030507@procyonlabs.com>, "Randal T. Rioux" <randy@procyonlabs.com> writes:
>
> > >>> I seem to recall having heard of at least one customized [at great
> > >>> expense] VAX/VMS version that achieved the Orange Book A1 rating.
> > >>>
> > >>    The package that the paper is citing -- variously known as SVS, or as
> > >> the VVAX Virtual VAX -- did not receive an A1 evaluation, and was never
> > >> released as a product.
> > >
> > > My recollection is that the decision not to release it as a product
> > > was what caused it not to be evaluated.
> > >
> > > ...snip...snip...cut...
> > > For an example of how unimportant this has become, note that in
> > > recent years VMS development has not felt sufficient government
> > > pressure to get an evaluation under the new Common Criteria.  The
> > > only hint I have seen from the feds is the second public draft of
> > > 800-53A (comment period still open) which places a considerably
> > > heavier burden on those running High Impact applications on systems
> > > that have not received a TCSEC or Common Criteria evaluation.  An
> > > example of a High Impact system is one that contains personal data :-)
> >
> > It does seem that rather than initiating certification based on product,
> > government regulations are pushing more for certification of the
> > implementation.
> > My opinion: you will never again see a "rating" given to
> > a specific COTS product... or even a modified product. At least not a
> > truly recognized, respected rating.
>
> I cannot say that with certainty, and a CC evaluation would be of great
> assistance if the Second Public Draft of 800-53A goes into effect intact.
> Consider for instance from page 4:
>
>         "Product testing, evaluation, and validation are routinely conducted
>         today on cryptographic modules and general-purpose information
>         technology products such as operating systems, database systems,
>         firewalls, intrusion detection devices, web browsers, web
>         applications, smart cards, biometrics devices, personal identity
>         verification devices, web applications, network devices, and
>         hardware platforms using national and international standards
>         such as FIPS 140-2, Security Requirements for Cryptographic Modules,
>         and ISO/IEC 15408, Common Criteria for Information Technology
>         Security Evaluation. If an information system component product
>         is identified as providing support for the implementation of a
>         particular security control in NIST Special Publication 800-53,
>         then the evidence produced during the product testing, evaluation,
>         and validation processes can be used with other available
>         assessment-related evidence obtained from the application
>         of the assessment methods and procedures in this publication
>         to produce an effective justification and rationale that the
>         security control is effective in its application."
>
> Absent that evaluation, government folks must comply with AC-12.3:
>
>         "Test the session termination mechanism by allowing a valid
>         user session to remain inactive for [organization-defined period]
>         to determine if the session automatically terminates."
>
> Testing that on multiple individual VMS machines (for instance) is a lot
> more work than just testing the value of TTY_TIMEOUT with an automated
> tool and relying on the operating system evaluation.  Likely agencies
> will decide they can test the effectiveness of that operating system
> control just once for each version of a given operating system, but
> that still takes a lot of coordination.
>
> > I actually see that as a plus, thus removing the mindset that says "this
> > product is A1_Orange_Green_NSA_Super_Secret Approved - so let's install
> > it, use the defaults, and forget about it!"
>
> Yes, the FISMA/FIPS 200/NIST 800-53 approach is certainly superior in
> requiring machines be configured securely.  But for High Impact systems
> on certain controls it still requires evaluation (rating) style testing
> of the integrity of operating system mechanisms.
>

It's my understanding that the process of taking an operating system
through the Common Criteria process, to put it mildly, ain't cheap.

It's also my understanding that the powers that be at HP have decided
not to do so unless given a "dollars and sense" reason for doing so.

Now my understanding could be a misunderstanding, and it's worth every
dime that y'all paid for it.

WWWebb
--
NOTE: This email address is only used for noncommercial VMS-related
correspondence.
All unsolicited commercial email will be deemed to be a request for
services pursuant to the terms and conditions located at
http://bellsouthpwp.net/w/e/webbww/

------------------------------

Date: Thu, 22 Jun 2006 23:12:43 GMT
From: Hoff Hoffman <hoff-remove-this@hp.com>
Subject: Re: Has any version of VMS ever received an A1 security rating?
Message-ID: <LtFmg.2200$HS6.1991@news.cpqcorp.net>

William Webb wrote:

> It's my understanding that the process of taking an operating system
> through the Common Criteria process, to put it mildly, ain't cheap.

   The administrative and technical requirements of specific evaluation
processes are well documented, and an evaluation can involve teams of
engineers and administrative folks working for a year or more.

> It's also my understanding that the powers that be at HP have decided
> not to do so unless given a "dollars and sense" reason for doing so.

   That does parallel the definition of a commercial enterprise.

   I'd certainly tend to want to configure and operate System-High if I
can operate it (and obviously to operate distinct servers for the local
information security requirements), and to avoid the requirements and
the difficulties of managing and operating and monitoring Multi-Level
Security.

   NCSC C2 is single-level, while B1 is multi-level.  B1 security is
more involved to operate and even to simply use, whether for the system
and security manager or even for an end-user.

------------------------------

Date: 22 Jun 2006 18:32:53 -0500
From: Kilgallen@SpamCop.net (Larry Kilgallen)
Subject: Re: Has any version of VMS ever received an A1 security rating?
Message-ID: <EsR6VBJzDTqq@eisner.encompasserve.org>

In article <LtFmg.2200$HS6.1991@news.cpqcorp.net>, Hoff Hoffman <hoff-remove-this@hp.com> writes:
> William Webb wrote:
>
>> It's my understanding that the process of taking an operating system
>> through the Common Criteria process, to put it mildly, ain't cheap.

>    I'd certainly tend to want to configure and operate System-High if I
> can operate it (and obviously to operate distinct servers for the local
> information security requirements), and to avoid the requirements and
> the difficulties of managing and operating and monitoring Multi-Level
> Security.

But Common Criteria evaluation is not just for multilevel security,
it has also replaced the old C2 evaluations.

>    NCSC C2 is single-level, while B1 is multi-level.  B1 security is
> more involved to operate and even to simply use, whether for the system
> and security manager or even for an end-user.

Probably a minority of those running VMS systems in the US Federal
Government are running:

	VAX		Alpha
	VMS V4.3	VMS V6.1
	VMS V6.2	VMS V6.2

and those are the only versions that have been evaluated at the C2 level.

If the provisions of the Second Public Draft of NIST 800-53A

	http://csrc.nist.gov/publications/drafts/SP800-53A-spd.pdf

go into effect as planned, those running VMS systems in the US Federal
Government may be required to perform their own testing of the correct
operation of VMS security features, at least for high impact systems.
My own belief is that the only people running VMS in the US Federal
government are those using it for high impact systems (see FIPS 199).

A sample of the sort of test of the operating system required is:

	IA-5.7 Test the information system to determine if the system
	protects passwords from unauthorized disclosure and modification
	when stored and transmitted, prohibits passwords from being
	displayed when entered, enforces password minimum and maximum
	lifetime restrictions, and prohibits password reuse for a
	specified number of generations.
	(PAGE 130)

Using a version of VMS that is evaluated at C2 (the four above) or the
corresponding Common Criteria rating (none) exempts those operating
the system from doing that testing.

------------------------------

Date: Thu, 22 Jun 2006 17:49:02 GMT
From: hoff@hp.nospam ()
Subject: Re: how to turn off OPCOM messages on a console terminal
Message-ID: <iKAmg.2177$SF6.100@news.cpqcorp.net>

In article <OF2D1DC406.EB9ED9AF-ON85257195.005725CE-85257195.0058BA49@metso.com>, norm.raphael@metso.com writes:
|> Can I get "REPLY/TO" messages to go to the operator.log file only, but not
|> hang.

  The REQUEST/REPLY (or the lower-level equivalent that an application
program can use, a call via $sndopr) will continue to be broadcast
because there is an enabled operator terminal somewhere in the cluster.
If there is no operator terminal, the REQUEST/REPLY (or the $sndopr call
analog) will terminate.

  If you have a specific operator target via REQUEST/REPLY/TO or via
the target operator bitmask within $sndopr, you can ensure that no
matching operators are enabled, while also ensuring the operator log has
the operator class enabled for logging. This via SYLOGICALS.* OPC$*
logical names.

  If you just want to log a message, then REQUEST (or an equivalent
$sndopr call) will work fine, and will display the message at the
target operator(s).

  If you are seeing a hang within OPCOM (other than the expected
synchronization involving REQUEST/REPLY, obviously), then there
is something else going on.

  If the application hangs, then there is probably something wrong
within the application -- a resource leak or other run-time error.
I can think of a potential brute-force work-around (or two) for
this sort of thing, but I'd tend to look to the application
maintainer(s) first.

  If you are seeing new request ids, then there may well be a leak
within the $sndopr code involved in the application.  The expected
and normal behaviour is to repeat the operator broadcasts at a
periodic interval until the request is serviced.  If you are seeing
new request identifiers issued, this may well be the source of the
eventual application stall.

  Again, the best approach is to engage whomever is maintaining the
application -- or to ensure there are either no operators, or that
the operators service the request before the application tips over.
Obviously.

|> Here's an excerpt:
|> [start]
|> %%%%%%%%%%%  OPCOM  11-JUN-2006 09:18:22.46  %%%%%%%%%%%    (from node NODE1  at
|>  11-JUN-2006 09:18:22.46)
|> Request 3798, from user USERx on NODE1
|> CSTI006O APPLID, Reply with an APPLID command.
|>
|> ***************
|>
|> %%%%%%%%%%%  OPCOM  11-JUN-2006 09:23:47.91  %%%%%%%%%%%    (from node NODEA  at
|>  11-JUN-2006 09:23:47.92)
|> Request 3798 was canceled
|> [end]
|>
|> The app puts out this every 5 minutes and apparently the new one cancels
|> the prior one, but if no terminal
|> is REPLY/ENABLED the application eventually fills some buffer (or
|> something) and hangs.
|>

------------------------------

Date: Thu, 22 Jun 2006 14:58:35 -0400
From: norm.raphael@metso.com
Subject: Re: how to turn off OPCOM messages on a console terminal
Message-ID: <OF5235790D.425F9AD6-ON85257195.00671BB6-85257195.00683DE0@metso.com>

hoffman@xdelta () wrote on 06/22/2006 01:49:02 PM:

> In article <OF2D1DC406.EB9ED9AF-ON85257195.005725CE-85257195.
> 0058BA49@metso.com>, norm.raphael@metso.com writes:
> |> Can I get "REPLY/TO" messages to go to the operator.log file only, but not
> |> hang.
>
>   The REQUEST/REPLY (or the lower-level equivalent that an application
> program can use, a call via $sndopr) will continue to be broadcast
> because there is an enabled operator terminal somewhere in the cluster.
> If there is no operator terminal, the REQUEST/REPLY (or the $sndopr call
> analog) will terminate.
>
>   If you have a specific operator target via REQUEST/REPLY/TO or via
> the target operator bitmask within $sndopr, you can ensure that no
> matching operators enabled, while also ensuring the operator log has
> the operator class enabled for logging. This via SYLOGICALS.* OPC$*
> logical names.
>
>   If you just want to log a message, then REQUEST (or an equivalent
> $sndopr call) will work fine, and will display the message at the
> target operator(s).
>
>   If you are seeing a hang within OPCOM (other than the expected
> synchronization involving REQUEST/REPLY, obviously), then there
> is something else going on.
>
>   If the application hangs, then there is probably something wrong
> within the application -- a resource leak or other run-time error.
> I can think of a potential brute-force work-around (or two) for
> this sort of thing, but I'd tend to look to the application
> maintainer(s) first.
>
>   If you are seeing new request ids, then there may well be a leak
> within the $sndopr code involved in the application.  The expected
> and normal behaviour is to repeat the operator broadcasts at a
> periodic interval until the request is serviced.  If you are seeing
> new request identifiers issued, this may well be the source of the
> eventual application stall.
>
>   Again, the best approach is to engage whomever is maintaining the
> application -- or to ensure there are either no operators, or that
> the operators service the request before the application tips over.
> Obviously.

This has always vexed me.  This app AFAIK does not listen for or
expect a response to the message; it's more like an "I'm still here"
sanity check.  (I always thought it was part of some vestigial or
debugging code that got left in the final product - ISTM that REQUEST
or a call to $SNDOPR without expecting a reply would have been correct.)
It does get automagically cancelled after 5 minutes, when a new-numbered
request is issued.  The docs say a terminal must be enabled somewhere on
the system to process this message.  No operator action (service of the
request?) is needed.  If no terminal is enabled for OPERxx - assigned
at startup of the app - eventually it will tip over, as you say.
There does not appear to be a leak, but the "maintainer" has no
intention of touching the code, which has been frozen for some time,
as the workaround is documented.  If I can use logicals to get
messages to, say, OPER10 to log to operator.log without having a
physical terminal set "REPLY/ENABLE=(OPER10)" that would do it.
Alternately, if there is a way to create a "virtual terminal" and
enable it to get-and-ignore these messages and I could start it at
boot and just leave it, that would be okay, too.

>
>
>
> |> Here's an excerpt:
> |> [start]
> |> %%%%%%%%%%%  OPCOM  11-JUN-2006 09:18:22.46  %%%%%%%%%%%    (from node NODE1  at
> |>  11-JUN-2006 09:18:22.46)
> |> Request 3798, from user USERx on NODE1
> |> CSTI006O APPLID, Reply with an APPLID command.
> |>
> |> ***************
> |>
> |> %%%%%%%%%%%  OPCOM  11-JUN-2006 09:23:47.91  %%%%%%%%%%%    (from node NODEA  at
> |>  11-JUN-2006 09:23:47.92)
> |> Request 3798 was canceled
> |> [end]
> |>
> |> The app puts out this every 5 minutes and apparently the new one cancels
> |> the prior one, but if no terminal
> |> is REPLY/ENABLED the application eventually fills some buffer (or
> |> something) and hangs.
> |>

------------------------------

Date: Thu, 22 Jun 2006 19:19:47 GMT
From: hoff@hp.nospam ()
Subject: Re: how to turn off OPCOM messages on a console terminal
Message-ID: <n3Cmg.2181$TL6.892@news.cpqcorp.net>

In article <OF5235790D.425F9AD6-ON85257195.00671BB6-85257195.00683DE0@metso.com>, norm.raphael@metso.com writes:

|> This has always vexed me.  This app AFAIK does not listen for or
|> expect a response to the message; it's more like an "I'm still here"
|> sanity check.  (I always thought it was part of some vestigial or
|> debugging code that got left in the final product - ISTM that REQUEST
|> or a call to $SNDOPR without expecting a reply would have been
|> correct.)

  I'd (personally) probably NO-OP the $sndopr call, then, via a patch.
  Using DUMP and some digging, and patch or a related tool, I'd make the
  call go away.
  Or I'd tweak the call to switch it over to a "true"
  request, depending on how obvious the $sndopr call construction is
  from the vantage available within the dump.

  (I'm assuming there's no way to re-build this application, and you
  have no support channel available.)

  And yes, you can pseudo-terminal your way out of this mess, too.

------------------------------

Date: Thu, 22 Jun 2006 14:02:28 -0500
From: brandon@dalsemi.com (BRANDON, JOHN M)
Subject: TELNET PERFORMANCE OVER WAN
Message-ID: <06062214022850@dscis6-0.dalsemi.com>

I would like some feedback on how to check for and tune performance issues with
TELNET over the WAN.

servers:
VMS 7.2 TCP V5.0
~50ms ping to PC clients using the servers

Some of the users are complaining about screen freezes while they are text
editing.

I have been able to (somewhat) observe the problem.

The problem ...

While holding down the space bar to position the cursor in the text file - say
position 70 - the cursor will freeze - say at position 40 - then reappear at
position 65.  This is an example - sometimes I can space through 2 or 3 lines
before the event happens.

This happens every 5 or 20 seconds.

This happens when the system is busy or idle.
This also happens on other VMS servers.

TIA!

John "REBOOT" Brandon
VMS Systems Administrator
firstname.lastname.spam.me.not@dalsemi.com

------------------------------

Date: Thu, 22 Jun 2006 19:21:53 GMT
From: hoffman@xdelta.zko.dec.nospam ()
Subject: Re: TELNET PERFORMANCE OVER WAN
Message-ID: <l5Cmg.2182$TL6.1981@news.cpqcorp.net>

In article <06062214022850@dscis6-0.dalsemi.com>, brandon@dalsemi.com (BRANDON, JOHN M) writes:
|> I would like some feedback on how to check for and tune performance issues with
|> TELNET over the WAN.
|>
|> servers:
|> VMS 7.2 TCP V5.0

  There's a nasty telnet bug or two in TCP/IP Services V5.0.
  The one I've seen involves a loop that sucks down cycles.
  Can you move to something slightly newer, or at least ECO
  the release?  V5.0A with ECOs would be good, or later...

------------------------------

Date: Thu, 22 Jun 2006 16:08:15 -0400
From: JF Mezei <jfmezei.spamnot@teksavvy.com>
Subject: Re: TELNET PERFORMANCE OVER WAN
Message-ID: <449AF8A5.9697D9F4@teksavvy.com>

"BRANDON, JOHN M" wrote:
> While holding down the space bar to position the cursor in the text file - say
> position 70 - the cursor will freeze - say at position 40 - then reappear at
> position 65.  This is an example - sometimes I can space through 2 or 3 lines
> before the event happens.

It is possible that the client, upon seeing a burst of data, would
buffer it and send it as one packet instead of one packet per character
typed.  Even the VMS telnet client does that.
$Telnet
TELNET> HELP SET MODE

If you are on a PC or workstation, try to reduce the key repeat rate.
Perhaps below a certain threshold, the telnet client won't see any
opportunities to optimize many bytes into a single packet.

------------------------------

Date: Thu, 22 Jun 2006 21:20:19 GMT
From: Rick Jones <rick.jones2@hp.com>
Subject: Re: TELNET PERFORMANCE OVER WAN
Message-ID: <nQDmg.2191$pK6.470@news.cpqcorp.net>

It might be a good idea to take a packet trace and see if those
freezes correlate to TCP retransmissions.  WANs have this nasty habit
of dropping the odd packet. (You could try to correlate with transport
level stats without the packet trace, but the packet trace would be a
bit more definitive).

rick jones
--
a wide gulf separates "what if" from "if only"
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

------------------------------

Date: Fri, 23 Jun 2006 05:32:08 +0200
From: Karsten Nyblad <nospam@nospam.nospam>
Subject: Re: TELNET PERFORMANCE OVER WAN
Message-ID: <449b606e$0$60786$157c6196@dreader1.cybercity.dk>

BRANDON, JOHN M wrote:
> I would like some feedback on how to check for and tune performance issues with
> TELNET over the WAN.
>
> servers:
> VMS 7.2 TCP V5.0
> ~50ms ping to PC clients using the servers
>
> Some of the users are complaining about screen freezes while they are text
> editing.
>
> I have been able to (somewhat) observe the problem.
>
> The problem ...
>
> While holding down the space bar to position the cursor in the text file - say
> position 70 - the cursor will freeze - say at position 40 - then reappear at
> position 65.  This is an example - sometimes I can space through 2 or 3 lines
> before the event happens.
>
> This happens every 5 or 20 seconds.
>
> This happens when the system is busy or idle.
> This also happens on other VMS servers.

Many of the editors are built such that they process each key stroke and
then update the screen.  After processing a key stroke they check if
they have received more key strokes.  In that case they wait updating
the screen and process the received key strokes first.  On old terminals
the screen could take a long time to update.  Say you typed ten keys, each
of these keys using a long time to update the screen.  Then the editors
would make the updates for the first key.  During these updates the rest
of the key strokes would get to the VMS system, and these nine strokes
would be processed together before the screen would be updated.  If for
some reason the editor is delayed, e.g., a packet is lost, then the
editors should behave as you describe.

------------------------------

End of INFO-VAX 2006.346
************************
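Rick Jones's advice (correlate the freezes with TCP retransmissions in a packet trace) and Karsten Nyblad's account of editors that drain pending typeahead before repainting describe two halves of the same mechanism. The simulation below is an added example, not code from any poster in this digest: it models one telnet segment per autorepeated keystroke crossing a ~50 ms link, drops a single segment so that the client's retransmission timer has to fire, and lets TCP's in-order delivery hold every later keystroke back until the gap is filled. The editor model then coalesces the released burst into one repaint, which is exactly the "freeze at 40, reappear much further on" symptom John reported. The key interval, one-way delay, RTO and per-key costs are assumed values chosen for illustration, and the detector at the end is the analysis one would run over the repaint timeline (or, on a real system, over the trace timestamps) to locate such freezes.

```python
"""Telnet keystrokes over a lossy WAN into a typeahead-coalescing editor.

Constructed example; every timing constant is an assumption, not a
measurement from the thread.
"""

from typing import List, Tuple

# Assumed link and client parameters (constructed, not measured):
KEY_INTERVAL_MS = 40.0    # autorepeat sends one space every 40 ms
ONE_WAY_DELAY_MS = 25.0   # ~50 ms ping, so roughly 25 ms each way
RTO_MS = 1000.0           # client TCP retransmission timeout


def deliver_in_order(n_keys: int, lost_key: int,
                     key_interval_ms: float = KEY_INTERVAL_MS,
                     one_way_ms: float = ONE_WAY_DELAY_MS,
                     rto_ms: float = RTO_MS) -> List[Tuple[float, int]]:
    """Return (delivery_time_ms, key_number) as the server TCP hands
    keystrokes to the editor.  One segment per keystroke; the segment
    carrying `lost_key` (0 = nothing lost) is dropped once and resent
    when the RTO expires.  Because TCP is an ordered byte stream, every
    later segment is held until the gap is filled, then released at once
    (head-of-line blocking).  Fast retransmit could recover sooner on a
    real stack; the RTO case is the one that matches a ~1 s freeze."""
    deliveries = []
    deliverable_at = 0.0
    for key in range(1, n_keys + 1):
        sent = key * key_interval_ms
        arrival = sent + one_way_ms
        if key == lost_key:
            # first copy lost; the retransmission leaves after the RTO
            arrival = sent + rto_ms + one_way_ms
        # in-order release: a segment cannot be delivered before its predecessor
        deliverable_at = max(deliverable_at, arrival)
        deliveries.append((deliverable_at, key))
    return deliveries


def run_editor(deliveries: List[Tuple[float, int]],
               key_cost_ms: float = 1.0,
               repaint_cost_ms: float = 5.0) -> List[Tuple[float, int]]:
    """Editor behaviour as Karsten describes it: process one keystroke,
    and if more typeahead is already waiting, process that before
    repainting.  Returns (repaint_time_ms, cursor_column); the column is
    the number of spaces processed so far."""
    repaints = []
    clock = 0.0
    i = 0
    while i < len(deliveries):
        t, key = deliveries[i]
        clock = max(clock, t) + key_cost_ms
        i += 1
        # typeahead pending?  skip this repaint and drain the queue first
        if i < len(deliveries) and deliveries[i][0] <= clock:
            continue
        clock += repaint_cost_ms
        repaints.append((clock, key))
    return repaints


def find_freezes(repaints: List[Tuple[float, int]],
                 threshold_ms: float = 200.0) -> List[Tuple[int, int, float]]:
    """Flag gaps between consecutive repaints longer than the threshold.
    Returns (column_before, column_after, gap_ms) for each freeze; these
    are the events to line up against retransmissions in a packet trace."""
    freezes = []
    for (t_prev, col_prev), (t_next, col_next) in zip(repaints, repaints[1:]):
        gap = t_next - t_prev
        if gap > threshold_ms:
            freezes.append((col_prev, col_next, gap))
    return freezes


if __name__ == "__main__":
    # 80 autorepeated spaces, with the 41st segment lost once.
    timeline = run_editor(deliver_in_order(80, lost_key=41))
    for before, after, gap in find_freezes(timeline):
        print(f"cursor froze at column {before} for {gap:.0f} ms, "
              f"then jumped to column {after}")
    # With no loss the cursor advances one column per repaint and no
    # freeze is reported.
    print("freezes without loss:",
          find_freezes(run_editor(deliver_in_order(80, lost_key=0))))
```

With the assumed constants the run reports a single freeze: the cursor stops at column 40 for about a second and next appears at column 66, all of the intervening keystrokes having been released by TCP together and absorbed into one repaint. Lowering the autorepeat rate (JF Mezei's suggestion) changes how many columns the jump spans but not whether it occurs, which is why the packet trace Rick suggests is the decisive check: the freeze should coincide with a retransmitted segment, and fixing the loss (or moving off the known-bad TCP/IP Services V5.0 telnet, per hoffman) is the remedy rather than anything in the editor.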