Thanks, Dan. You have seconds. I'll contact you offline to get you set up.

Eric

On Thu, 15 Jun 2006, Dan McDonald wrote:
Hello OpenSolaris folks!

I would like to open an OpenSolaris project - IPsec Tunnel Reform.  Please
read on if you'd like to learn more about the project.

The IPsec implementation in Solaris interoperates very well with others as
long as Transport Mode IPsec is used.  When Tunnel Mode comes into play, we
do not interoperate at all, or barely with carefully-crafted manual keys.

IPsec Tunnel Reform aims to address this shortcoming.  A 1.0 design document
was released last year.  See this URL:

http://www.opensolaris.org/jive/thread.jspa?messageID=12831?

for a pointer.

IMPORTANT NOTE: While the IPsec code in Solaris is 100% open-sourced and in
OpenSolaris, our IKE code (which is all user-land) is not.  Fortunately, the
IKE changes for tunnel reform are small, and what IKE uses from OpenSolaris
is completely available for use by anyone's Key Management code (e.g. someone
who wants to do a racoon(8) port, hint hint).  libike and in.iked binaries will
be available when we get OpenSolaris source diffs out.

Tunnel Reform enables:

       * Interoperability with other IPsecs in Tunnel Mode.

       * NAT-Traversal allowing more than one IP-in-IP tunnel behind a
         single NAT-ted IP address (using ip.tunN:x + ipsecconf(1m) on
         the non-NAT side).

Some technical highlights of Tunnel Reform include:

       * ipsecconf(1m) and corresponding PF_POLICY extensions to specify
         per-tunnel Security Policy Databases, where the keys are *inner*
         packet selectors.

       * PF_KEYv2 extensions to properly express Tunnel Mode packets.

       * Changes to ipseckey(1m) that reflect the above PF_KEYv2 work.

       * Some general cleanup work that falls out from this project.

I would like to gauge community interest in Tunnel Reform.  It's going to
happen, as we're at working-prototype now.  The project page will eventually
include a new Design Document (2.0), as well as webrev pointers and other
things.

I expect this project to be endorsed by both Networking and Security
communities, as IPsec straddles both.
--
Daniel L. McDonald  -  Solaris Networking & Security Engineering
Mail: [EMAIL PROTECTED]             |  * MY OPINIONS ARE NOT NECESSARILY SUN'S! *
1 Network Drive  Burlington, MA  |"rising falling at force ten
http://blogs.sun.com/danmcd/     | we twist the world and ride the wind" - Rush


This message posted from opensolaris.org
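
An added example, not code from Dan's post or from the Solaris/OpenSolaris IPsec
implementation: a small Python model of the two points the announcement makes
about Tunnel Mode, that policy for a tunnel has to be keyed on the *inner*
packet's selectors, and that two IP-in-IP tunnels behind one NAT-ted address
look identical in their outer IP headers.  The tunnel names ip.tun0/ip.tun1,
the 10.x prefixes, the 192.0.2.1 peer address and the sample packets are all
constructed for the example; nothing here models PF_KEY or the actual
ipsecconf(1m) syntax.

```python
# Added example (not from the original post or the OpenSolaris project):
# a toy per-tunnel Security Policy Database keyed on inner-packet selectors.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass(frozen=True)
class Selector:
    """Inner-packet selector: src/dst prefixes, protocol and destination port.
    None means "any" for that field."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, src, dst, proto, dport) -> bool:
        if src not in self.src or dst not in self.dst:
            return False
        if self.proto is not None and proto != self.proto:
            return False
        if self.dport is not None and dport != self.dport:
            return False
        return True


# One SPD per tunnel interface (hypothetical names ip.tun0/ip.tun1).
# Entries are (selector, action); the first matching entry wins.
SPD: Dict[str, List[Tuple[Selector, str]]] = {
    "ip.tun0": [
        (Selector(ipaddress.ip_network("10.1.0.0/16"),
                  ipaddress.ip_network("10.2.0.0/16")), "ipsec"),
    ],
    "ip.tun1": [
        # Only HTTPS from site A to site C is allowed through this tunnel.
        (Selector(ipaddress.ip_network("10.1.0.0/16"),
                  ipaddress.ip_network("10.3.0.0/16"),
                  proto=IPPROTO_TCP, dport=443), "ipsec"),
    ],
}

# Constructed outer addresses: both tunnels terminate at the same NAT-ted
# peer, so the outer IP header alone cannot tell them apart.
OUTER_PEER = {"ip.tun0": ipaddress.ip_address("192.0.2.1"),
              "ip.tun1": ipaddress.ip_address("192.0.2.1")}


def build_inner_packet(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed minimal inner IPv4 datagram: 20-byte header (checksum left
    zero) followed by the first 4 bytes of a TCP/UDP header (the two ports)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 24, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + struct.pack("!HH", sport, dport)


def parse_inner_packet(pkt: bytes):
    """Return (src, dst, proto, dport) for an inner IPv4 packet. dport is None
    unless the payload is TCP/UDP with at least 4 bytes after the IP header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(pkt) >= ihl + 4:
        _, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, dport


def lookup_policy(spd, tunnel: str, inner_pkt: bytes) -> str:
    """Per-tunnel SPD lookup on the inner packet's selectors. Returns the
    matched action, or "drop" when nothing matches or the tunnel is unknown."""
    src, dst, proto, dport = parse_inner_packet(inner_pkt)
    for selector, action in spd.get(tunnel, []):
        if selector.matches(src, dst, proto, dport):
            return action
    return "drop"


def tunnels_sharing_outer_peer(outer_peer, peer: str) -> List[str]:
    """Tunnels whose outer peer address is `peer`. More than one means the
    outer addresses are ambiguous and only inner selectors can decide."""
    addr = ipaddress.ip_address(peer)
    return sorted(name for name, a in outer_peer.items() if a == addr)


if __name__ == "__main__":
    pkt = build_inner_packet("10.1.5.5", "10.2.7.7", IPPROTO_TCP, 40000, 80)
    print(tunnels_sharing_outer_peer(OUTER_PEER, "192.0.2.1"))
    print(lookup_policy(SPD, "ip.tun0", pkt), lookup_policy(SPD, "ip.tun1", pkt))
```

The same inner packet gets "ipsec" on ip.tun0 and "drop" on ip.tun1 even
though both tunnels share the outer peer 192.0.2.1, which is the situation
a policy keyed on outer addresses alone cannot express.  In a real stack the
inbound SA is selected by SPI and the inner-selector check is applied after
decapsulation; this model only shows the policy decision itself.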

_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
