
Conference ozrock::x25_avms

Title: DEC X.25 for OpenVMS AXP
Moderator: OZROCK::MUGGERIDGE
Created: Mon Jan 18 1993
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 524
Total number of notes: 2218

513.0. "X25 security works (sometimes)" by BACHUS::GOOVAERTS () Wed Apr 23 1997 03:00

Hi,

	I have a very strange problem with x25-security.
	I have 2 Alphas with 1.0g connected to a decnis.
	I only have security set up on the decnis, where
	I decide which dte can call, and outgoing security
	is open.
	After setup of the security of the decnis, the security
	remained open also for the incoming calls.
	I rebooted the decnis several times but this didn't change,
	until one of the Alphas was booted, suddenly the security worked.
	After the next reboot of the system the security was again gone.
	So I rebooted both the nodes and the security was again ok.

	Can somebody give me a hint on this behaviour?

Danny Goovaerts

TSC Brussels
513.1. by OZROCK::HARTWIG (Arthur Hartwig, TaN Engineering-Australia) Wed Apr 23 1997 08:49, 2 lines
    The information is pretty scanty: are you trying to prevent certain
    incoming calls? Are the calls using different address formats?
513.2. "More Info" by BACHUS::GOOVAERTS () Tue Apr 29 1997 03:50, 316 lines
    Sorry for my late reply but I had a good excuse.
    
    
    	What we simply have is one decnis, two clients via gap (Alphas)
    
    	We have 4 dtes and we want to restrict the incoming calls
    	to those numbers we allow. Outgoing calls are not restricted.
    	I have configured the decnis security via the configurator,
    	and we rebooted the decnis. But the security didn't work.
    	We rebooted one of the Alphas and suddenly the security worked.
    	We rebooted again and now we had no security anymore.
    	So my question is, what triggers this mechanism?
    	Should I reboot all clients?
    	I can post the whole ncl script if you want, but it's rather long
    	so I post only the security part:
     
!
!		DECNIS CONFIGURATION SCRIPT
!		===========================
!
!	This script was produced on:	Thu Apr 17 09:51:19 1997 
!	using the utility:	SYS$MANAGER:NIS$DECNIS_CONFIG.COM V3.1
!
!
!	To use this script on a DECNIS system, the script
!	must be processed by the CMIP utility.
!
!
!
! This is an NCL script for the following DECnis
!
! Node:  LOCAL:.NIS001 
! MOP Client Name:  NIS001 
! Hardware Type:  DECNIS-600 
! Hardware Address:  08-00-2b-a5-dd-b0 
!
!
!
! The tower set for the DECNIS
!
! { 
!    ( 
!         [DNA_CMIP-MICE] , 
!         [DNA_SessioncontrolV3, number=19],
!         [DNA_NSP],
!         [DNA_OSInetwork , 49::00-06:AA-00-04-00-57-1A:20 ]
!     )  
! }
!
! Create the Event Dispatcher
!
create event dispatcher
!
! Create and set up the Event Stream:  event_nis001_saturn 
!
create event dispatcher outbound stream event_nis001_saturn 
set event dispatcher outbound stream event_nis001_saturn -
    sink address  -
    {  -
     (  -
      [ DNA_CMIP-MICE ] ,  [ DNA_SessionControlV2 ,Number = 82 -
    ], [ DNA_NSP ],  -
      [ DNA_OSInetwork , 49::00-06:AA-00-04-00-62-1A:20  ]  ) -
      }
    
======================deleted a lot =============================
!
! Create and set DTE:  DTE-3-0 
! and LAPB link:  DTE-3-0 
! using Line:  W618-3-0 
!
create lapb link DTE-3-0 profile  "LUXPAC"
set lapb link DTE-3-0 physical line modem connect line W618-3-0 ,  -
    maximum data size 261 ,  window size 3 
!
!
! Create and set DTE:  DTE-3-0 
! using Line:  W618-3-0 
!
!
create x25 protocol dte DTE-3-0 profile  "LUXPAC"
set x25 protocol dte DTE-3-0 link service provider lapb link DTE-3-0 ,  -
    inbound dte class LUXPAC ,  x25 address 451213 ,  -
    outgoing list  {[1..16]} ,  minimum packet size 32 ,  -
    maximum packet size 128 ,  default packet size 128 ,  -
    minimum window size 1 ,  maximum window size 2 ,  default window size 2 
!
! Create and set DTE:  DTE-3-1 
! and LAPB link:  DTE-3-1 
! using Line:  W618-3-1 
!
create lapb link DTE-3-1 profile  "LUXPAC"
set lapb link DTE-3-1 physical line modem connect line W618-3-1 ,  -
    maximum data size 261 ,  window size 3 
!
! Create and set DTE:  DTE-3-1 
! using Line:  W618-3-1 
!
create x25 protocol dte DTE-3-1 profile  "LUXPAC"
set x25 protocol dte DTE-3-1 link service provider lapb link DTE-3-1 ,  -
    inbound dte class LUXPAC_2 ,  x25 address 451212 ,  -
    outgoing list  {[1..16]} ,  minimum packet size 32 ,  -
    maximum packet size 128 ,  default packet size 128 ,  -
    minimum window size 1 ,  maximum window size 2 ,  default window size 2 
!
! Create and set DTE:  DTE-3-2 
! and LAPB link:  DTE-3-2 
! using Line:  W618-3-2 
!
create lapb link DTE-3-2 profile  "LUXPAC"
set lapb link DTE-3-2 physical line modem connect line W618-3-2 ,  -
    maximum data size 261 ,  window size 7 
!
! Create and set DTE:  DTE-3-2 
! using Line:  W618-3-2 
!
create x25 protocol dte DTE-3-2 profile  "LUXPAC"
set x25 protocol dte DTE-3-2 link service provider lapb link DTE-3-2 ,  -
    inbound dte class INFONET_1 ,  x25 address 313723520283 ,  -
    outgoing list  {[1..32]} ,  minimum packet size 128 ,  -
    maximum packet size 128 ,  default packet size 128 ,  -
    minimum window size 2 ,  maximum window size 2 ,  default window size 2 
!
! Create and set DTE:  DTE-3-3 
! and LAPB link:  DTE-3-3 
! using Line:  W618-3-3 
!
create lapb link DTE-3-3 profile  "LUXPAC"
set lapb link DTE-3-3 physical line modem connect line W618-3-3 ,  -
    maximum data size 261 ,  window size 7 
!
! Create and set DTE:  DTE-3-3 
! using Line:  W618-3-3 
!
create x25 protocol dte DTE-3-3 profile  "LUXPAC"
set x25 protocol dte DTE-3-3 link service provider lapb link DTE-3-3 ,  -
    inbound dte class GLOBAL_ONE_1 ,  x25 address 153171862 ,  -
    outgoing list  {[1..16]} ,  minimum packet size 256 ,  -
    maximum packet size 256 ,  default packet size 256 ,  -
    minimum window size 2 ,  maximum window size 2 ,  default window size 2 
!
! Create Local DTE Class: LUXPAC 
!
create x25 access dte class LUXPAC type local
set x25 access dte class LUXPAC local dtes -
     (DTE-3-0) 
!
! Create Local DTE Class: DTE-3-0 
!
create x25 access dte class DTE-3-0 type local
set x25 access dte class DTE-3-0 local dtes -
     (DTE-3-0) 
!
! Create Local DTE Class: LUXPAC_2 
!
create x25 access dte class LUXPAC_2 type local
set x25 access dte class LUXPAC_2 local dtes -
     (DTE-3-1) 
!
! Create Local DTE Class: DTE-3-1 
!
create x25 access dte class DTE-3-1 type local
set x25 access dte class DTE-3-1 local dtes -
     (DTE-3-1) 
!
! Create Local DTE Class: INFONET_1 
!
create x25 access dte class INFONET_1 type local
set x25 access dte class INFONET_1 local dtes -
     (DTE-3-2) 
!
! Create Local DTE Class: DTE-3-2 
!
create x25 access dte class DTE-3-2 type local
set x25 access dte class DTE-3-2 local dtes -
     (DTE-3-2) 
!
! Create Local DTE Class: GLOBAL_ONE_1 
!
create x25 access dte class GLOBAL_ONE_1 type local
set x25 access dte class GLOBAL_ONE_1 local dtes -
     (DTE-3-3) 
!
! Create Local DTE Class: DTE-3-3 
!
create x25 access dte class DTE-3-3 type local
set x25 access dte class DTE-3-3 local dtes -
     (DTE-3-3) 
!
create x25 access filter saturn 
set x25 access filter saturn priority 1 ,  security filter saturn 
create x25 access filter DUNE 
set x25 access filter DUNE priority 1 ,  inbound dte class LUXPAC 
create x25 access filter tethys 
set x25 access filter tethys priority 1 ,  security filter tethys 
!
!
! Create and set up CLIENTS
!
!
create x25 server client saturn 
set x25 server client saturn node saturn 
set x25 server client saturn filters -
     (saturn) 
create x25 server client DUNE 
set x25 server client DUNE node dune 
set x25 server client DUNE filters -
     (DUNE) 
create x25 server client tethys 
set x25 server client tethys node tethys 
set x25 server client tethys filters -
     (tethys) 
!
!
! Create Security filters
!
!
!
create x25 access security filter tethys 
set x25 access security filter tethys -
    acl ((identifier =( PSI$TETHYS_ALL -
    ), access = ALL),(identifier = ( PSI$TETHYS_REMOTE -
    ), access = REMOTE_CHARGE),(identifier = ( PSI$TETHYS_NONE -
    ), access = NONE))
create x25 access security filter saturn 
set x25 access security filter saturn -
    acl ((identifier =( PSI$SATURN_ALL -
    ), access = ALL),(identifier = ( PSI$SATURN_REMOTE -
    ), access = REMOTE_CHARGE),(identifier = ( PSI$SATURN_NONE -
    ), access = NONE))
!
!
! Create Remote DTEs
!
!
create x25 access security dte class default remote dte match_all -
    remote address prefix * 
set x25 access security dte class default remote dte match_all -
    rights identifiers -
     (PSI$SATURN_NONE,PSI$TETHYS_NONE) 
set x25 access security dte class default remote dte match_all    -
    acl ((identifier = ( PSI$DUNE -
    ), access = ALL),(identifier = ( PSI$SATURN -
    ), access = ALL),(identifier = ( PSI$TETHYS -
    ), access = ALL),(identifier = (*), access = NONE))
!
!
create x25 access security dte class default remote dte remdte-0 -
    remote address prefix 021352230054 
set x25 access security dte class default remote dte remdte-0 -
    rights identifiers -
     (PSI$SATURN_ALL,PSI$TETHYS_ALL) 
set x25 access security dte class default remote dte remdte-0    -
    acl ((identifier = ( PSI$DUNE -
    ), access = ALL),(identifier = ( PSI$SATURN -
    ), access = ALL),(identifier = ( PSI$TETHYS -
    ), access = ALL),(identifier = (*), access = NONE))
create x25 access security dte class default remote dte remdte-1 -
    remote address prefix 0505223453000 
set x25 access security dte class default remote dte remdte-1 -
    rights identifiers -
     (PSI$SATURN_ALL,PSI$TETHYS_ALL) 
set x25 access security dte class default remote dte remdte-1    -
    acl ((identifier = ( PSI$DUNE -
    ), access = ALL),(identifier = ( PSI$SATURN -
    ), access = ALL),(identifier = ( PSI$TETHYS -
    ), access = ALL),(identifier = (*), access = NONE))
!
========================== deleted a lot ========================
    
    
! Create Security Nodes
!
!
!
create x25 server security nodes tethys 
set x25 server security nodes tethys nodes { tethys }
set x25 server security nodes tethys rights identifiers { PSI$TETHYS }
create x25 server security nodes saturn 
set x25 server security nodes saturn nodes { saturn }
set x25 server security nodes saturn rights identifiers { PSI$SATURN }
create x25 server security nodes dune 
set x25 server security nodes dune nodes { dune }
set x25 server security nodes dune rights identifiers { PSI$DUNE }
!
!
!	Create the Towers for Gateway Clients and Security Nodes
!
!
create session control known tower juliet towers  -
    {  -
     ( [ DNA_CMIP-MICE ] , [ DNA_SessionControlV2 ,Number = 25 -
    ], [ DNA_NSP ],  -
      [ DNA_OSInetwork , 49::00-06:AA-00-04-00-58-1A:20  ] )   -
    }
create session control known tower saturn towers  -
    {  -
     ( [ DNA_CMIP-MICE ] , [ DNA_SessionControlV2 ,Number = 25 -
    ], [ DNA_NSP ],  -
      [ DNA_OSInetwork , 49::00-06:AA-00-04-00-62-1A:20  ] )   -
    }
create session control known tower dune towers  -
    {  -
     ( [ DNA_CMIP-MICE ] , [ DNA_SessionControlV2 ,Number = 25 -
    ], [ DNA_NSP ],  -
      [ DNA_OSInetwork , 49::00-06:AA-00-04-00-02-18:20  ] )   -
    }
create session control known tower tethys towers  -
    {  -
     ( [ DNA_CMIP-MICE ] , [ DNA_SessionControlV2 ,Number = 25 -
    ], [ DNA_NSP ],  -
      [ DNA_OSInetwork , 49::00-06:AA-00-04-00-6C-1A:20  ] )   -
    }
!
!  
                                                                 
513.3. "Sounds like an "interesting" problem" by OZROCK::HARTWIG (Arthur Hartwig, TaN Engineering-Australia) Thu May 01 1997 04:06, 34 lines
    You could have the security setup on the DECnis OR on the client
    systems OR both.
    
    Since you have set up security on the DECnis ONLY, it is the
    responsibility of the DECnis to refuse the incoming calls you don't
    want. I can't understand how rebooting the Alpha by itself could change
    the DECnis X.25 security attributes. Is there any possibility the Alpha
    startup modifies the DECnis security in a conditional way?
    
    Can you perform a controlled experiment making calls that should fail;
    getting a trace (to verify the DECnis refuses them) and recording the
    DECnis X.25 security attributes, then try again to make the calls that
    should fail actually succeed and also record this in a trace and
    record the DECnis X.25 security attributes then compare with the
    previous set of attributes and traces?
    
    You could also check the X.25 startup ncl scripts
    (sys$startup:x25$config.ncl) to see if they change anything on the
    DECnis. (The Alpha X.25 configurator shouldn't generate any commands to
    modify a node other than the local node, but someone may have edited
    the file.)
    
    If a DECnis reboot is a factor in this situation, then perhaps the
    DECnis is being loaded by different load hosts with different
    configurations.
    
    In summary, it sounds as if the DECnis is getting different X.25
    security attribute values and you have a bit of challenging detective
    work ahead of you to identify how that happens. The other possibility
    is a bug in the DECnis security implementation; the traces and records
    of x25 security attribute values should be useful evidence in
    presenting claims of a bug.
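
The comparison suggested in 513.3, as an added example that is not part of the original notes or of any DEC tool: it reduces two NCL scripts to their X.25 security attributes and lists the differences. LOAD_HOST_A is an excerpt of the script in 513.2; LOAD_HOST_B, the function names and the idea that the two texts come from two load hosts are assumptions made for illustration.

```python
import re

def ncl_statements(script):
    """Join continuation lines (trailing ' -'); drop '!' comments and '===' markers."""
    out, buf = [], ""
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line[0] in "!=":
            continue
        if line == "-" or line.endswith(" -"):
            buf += line[:-1] + " "
            continue
        st = re.sub(r"\s+", " ", buf + line)
        # Remove spacing around punctuation so "( A , B )" equals "(A,B)".
        out.append(re.sub(r"\s*([(){},=])\s*", r"\1", st).strip())
        buf = ""
    return out

ATTRS = r"(acl|rights identifiers|remote address prefix|nodes)"
def security_view(script):
    """Map (entity, attribute) -> value for the X.25 security entities."""
    view = {}
    for st in ncl_statements(script):
        m = re.match(r"(?:create|set) (x25 (?:access|server) security .+?) "
                     + ATTRS + r" ?(.+)", st)
        if m:
            view[m.group(1), m.group(2)] = m.group(3)
    return view

def diff_views(a, b):
    """Sorted (entity, attribute, value_a, value_b) for every difference."""
    return sorted((e, k, a.get((e, k)), b.get((e, k)))
                  for e, k in set(a) | set(b) if a.get((e, k)) != b.get((e, k)))

# Excerpt of the script posted in 513.2 (here standing for load host A).
LOAD_HOST_A = """
create x25 access security dte class default remote dte match_all -
    remote address prefix *
set x25 access security dte class default remote dte match_all -
    rights identifiers -
     (PSI$SATURN_NONE,PSI$TETHYS_NONE)
create x25 access security dte class default remote dte remdte-0 -
    remote address prefix 021352230054
set x25 access security dte class default remote dte remdte-0 -
    rights identifiers -
     (PSI$SATURN_ALL,PSI$TETHYS_ALL)
"""
# Constructed variant (hypothetical second load host) with an open default.
LOAD_HOST_B = LOAD_HOST_A.replace("(PSI$SATURN_NONE,PSI$TETHYS_NONE)",
                                  "( PSI$SATURN_ALL , PSI$TETHYS_ALL )")
```

Run over the complete script held by each load host, an empty result from diff_views means the two would load the same security attributes, so the cause has to be looked for elsewhere.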