According to the current project creation policy [1], I need endorsement from one or more communities to establish a project on opensolaris.org.
I intend to request endorsement from the Networking and Security Communities for this proposed project but I'd like a round of comments on this proposal first. Please send comments to me or to the security-discuss list.

- Bill

-- DRAFT OPENSOLARIS PROJECT PROPOSAL --

Project Name: Labeled IPsec (txipsec)

Project Synopsis: Bring together IPsec and Trusted Networking.

Project Purpose (and commentary):

Currently OpenSolaris contains an IPsec component and a Trusted Networking component that solve closely related problems but which currently operate entirely independently of each other.

This project proposes to bring the two together in a way which preserves all existing capabilities of the individual components but which allows the capabilities to be combined to increase the usefulness, applicability, and security of both components.

Trusted Networking will gain on-the-wire cryptographic protection of sensitivity labels and an optional more-compact on-the-wire representation of the label (as an implicit property of the security association), making it less reliant on physically secured network paths.

IPsec will gain from being able to use network repositories for policy configuration, allowing even unlabelled networks (which is to say, those not using TX) to benefit from this project.

Note: On Solaris, IPsec key management is considered a modular, replaceable component, with open interfaces. The IKE key management daemon for IPsec, in.iked, is not open source. Correcting this is not part of this project. Changes to interfaces used by key management will be specified by this project to permit an open reimplementation of key management.

Proposed Sponsors: Networking and Security

Participants:

Initial set of proposed project leads:
    Bill Sommerfeld <sommerfeld at sun.com> [point of contact]
    Dan McDonald <danmcd at sun.com>

Other Participants:
    Jarrett Lu <jarrett.lu at sun.com>

Other interested participants: please speak up, or join the project list once we have it running. Contributions of both code and review time are obviously quite welcome; there's a lot of work to be done here.

[1] http://www.opensolaris.org/os/community/ogb/policies/project-instantiation.txt