See note inline:

> > One small question though.  I assume that /etc/inet/ipsecalgs will be 
> > updated by this case so that CCM and GCM are available without the admin 
> > having to run ipsecalgs(1M).  I also assume that the already existing
> > svc:/network/ipsec/ipsecalgs:default will be the SMF service doing this 
> > update - since we should no longer attempt to do this in class action or 
> > postinstall scripts.
> 
> /etc/inet/ipsecalgs will be updated, this means that new installs will get
> this file with GCM/CCM already in place. The class action script has been
> updated so that BFU and upgrade using SVR4 packages will do the right thing.
> Existing IPS installs will NOT get the new file when they do an
> image-update, they will have to run ipsecalgs(1m), but only if they want to
> use these new ciphers. IPsec will work just fine with the old ipsecalgs file
> for the existing ciphers.

I stand corrected: for an IPS install, image-update will replace the existing
/etc/inet/ipsecalgs with the new one (which will include the new definitions
for CCM/GCM), *provided* the user didn't modify this file with ipsecalgs(1m)
after it was originally installed. This will probably cover almost all existing
installations; the use of ipsecalgs(1m) to modify the definitions is not
typical, usually only required for third-party algorithm support.

Sorry for the confusion.

Mark
----------------------------------------------------------------------------
  Mark Fenwick, Solaris Security Technologies.
  TEL: +1 (650) 786 2733 (X82733)                     __o
  Sun Microsystems Inc, Menlo Park, California.      `\<,_
                                                   (*)/ (*)
----------------------------------------------------------------------------


