Kacheong Poon wrote:
> >>> 1. Configuring IPsec related stuff will be replaced by IPsec service(s);
> >>> details in Sun Bug ID 6185380.
> >>> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6185380
> >>> 2. Configuring IPv4 and/or IPv6 tunneling will be replaced by a
> >>> Clearview tunneling service; details at Section 10 of IP tunneling
> >>> design document:
> >>> http://www.opensolaris.org/os/project/clearview/iptun-design.pdf
> >>
> >> So how does NWAM work with the above services? Is there a
> >> dependency between the proposed network/profiled and the above
> >> services? I believe this should be clearly stated.
> >>
> > Good question. It was not specified clearly in the draft. I think they
> > should depend on milestone/network instead and should be enabled by the
> > NWAM daemon when the daemon is in IF_RUNNING state.
>
> I am not sure if this is the case. For example, I believe there
> is no technical problem to have some IPsec policies set up before
> there is any external connectivity. In fact, one may want to do
> exactly this so that the policies are enforced right from the
> beginning. I'd suggest you talk to the IPsec team for their
> opinion.
Right. Specifically, it has been the intention for milestone/network to *depend on* IPsec (transport mode) policy and other network layer security mechanisms being in place, so that the milestone represents the earliest time that most network-listening services may safely start ("safely" in the sense that they aren't exposed to attacks due to the network layer policy not yet being enforced). IPsec tunnels, however, do not need to (and perhaps shouldn't) be set up before milestone/network.

-=] Mike [=-
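As an added illustration of the ordering Mike describes (this is not code from the thread or from the NWAM, Clearview or IPsec projects): an SMF manifest for a hypothetical network-listening daemon that declares a hard dependency on svc:/milestone/network, so it cannot be started before the milestone and therefore not before whatever network-layer policy the milestone itself waits for. The listener FMRI svc:/site/example-listener and its start command are invented for the example, and svc:/network/ipsec/policy:default is assumed to be the service that installs transport-mode IPsec policy on the system in question; check the actual FMRI with svcs before relying on it.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Added illustration, not from the original thread.
     svc:/site/example-listener is a hypothetical daemon that binds a
     network socket; svc:/network/ipsec/policy:default is assumed to be
     the service that loads transport-mode IPsec policy. -->
<service_bundle type="manifest" name="example-listener">
  <service name="site/example-listener" type="service" version="1">

    <!-- Hard dependency: the listener is not started until
         milestone/network is online, i.e. the earliest point at which
         network-layer policy is expected to be enforced. -->
    <dependency name="network" grouping="require_all" restart_on="none"
                type="service">
      <service_fmri value="svc:/milestone/network:default"/>
    </dependency>

    <!-- Explicit policy dependency as well, so the listener stays
         protected even if the milestone's own dependency set is relaxed
         later. IPsec *tunnels* are deliberately not listed here, per the
         reasoning in the message above. -->
    <dependency name="ipsec-policy" grouping="require_all" restart_on="none"
                type="service">
      <service_fmri value="svc:/network/ipsec/policy:default"/>
    </dependency>

    <!-- Hypothetical daemon binary; ":kill" is the standard SMF stop token. -->
    <exec_method type="method" name="start"
                 exec="/usr/local/sbin/example-listener" timeout_seconds="60"/>
    <exec_method type="method" name="stop"
                 exec=":kill" timeout_seconds="60"/>

    <instance name="default" enabled="false"/>
    <stability value="Unstable"/>
  </service>
</service_bundle>
```

Validate and import it with `svccfg validate example-listener.xml` and `svccfg import example-listener.xml`; afterwards `svcs -d svc:/site/example-listener` lists the dependencies actually in effect, and `svcs -d svc:/milestone/network` shows whether the milestone on that system really does wait for the IPsec policy service, which is the assumption the whole ordering rests on.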