IPsec Tunnel Reform at OpenSolaris.org

OpenSolaris Project: IPsec Tunnel Reform

Endorsing communities: Device Drivers, Networking, OS/Net (ON), Security

NOW INTEGRATED as of OpenSolaris build 53. NOW in Solaris 10 08/07 (aka Update 4).

The Solaris IPsec implementation has been dogged by complaints about poor interoperability with other implementations in IPsec's Tunnel Mode.

As defined in RFC 2401, Tunnel Mode is when a packet needs to be protected not only by an IPsec header (AH or ESP), but also encapsulated inside another IP header first (sometimes with different source and/or destination IP addresses).

In Solaris 8, tunnels were implemented as network interfaces. This decision made for easier network construction, as well as dovetailing with IPv6 tunnels. The downside, however, was that configuring IPsec to tunnel packets was not solely in the domain of IPsec configuration. This confused some customers. Also, because tunnelling was a forwarding decision, not an IPsec decision, some possible uses of IPsec tunnel mode could not be performed in Solaris 8. The best example was the case where the outer packet's destination IP address was equal to the inner packet's destination IP address. In Solaris 8 (and later) one could not configure tunnelling to perform such an encapsulation: it would black-hole due to a never-ending forwarding loop.

In Solaris 9 and Solaris 10, the changes made for IKE and other IPsec policy improvements did nothing to change how tunnels were implemented.
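To show what "a forwarding decision, not an IPsec decision" means in practice, here is an added toy model in Python (not OpenSolaris code): a route table, interface-based tunnels, and the two encapsulation strategies side by side. The interface names ip.tun0, ip.tun1 and bge0 and all addresses are constructed for the example, and the policy-based path is a deliberately simplified stand-in for the behaviour the project describes, not its implementation. The interface model re-runs the route lookup on every outer header, so a tunnel whose outer destination equals the inner destination selects itself forever; the policy model applies the tunnel once, keyed on the inner packet, and then routes the outer packet normally.

```python
# Added toy model (not OpenSolaris code) of the forwarding loop described
# above.  Names (ip.tun0, ip.tun1, bge0) and addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

IPPROTO_IPIP = 4  # IP-in-IP encapsulation (the "proto=4" the page mentions)


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    inner: Optional["Packet"] = None  # present on an outer (encapsulating) header


@dataclass
class TunnelIf:
    """Interface-based tunnel: the outer addresses are fixed per interface."""
    name: str
    outer_src: IPv4Address
    outer_dst: IPv4Address


@dataclass
class Node:
    routes: list                                 # [(IPv4Network, ifname)], longest prefix wins
    tunnels: dict = field(default_factory=dict)  # ifname -> TunnelIf

    def next_hop(self, dst: IPv4Address) -> Optional[str]:
        best = None
        for net, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best[1] if best else None


def forward_via_interface_tunnels(node: Node, pkt: Packet, max_encaps: int = 8):
    """Solaris 8 model: whenever the route for the current destination points
    at a tunnel interface, encapsulate and route the new outer header again.
    Returns ("sent", pkt, n) once a physical interface is reached after n
    encapsulations, or ("loop", pkt, n) when the bound is hit (the black-hole)."""
    encaps = 0
    while encaps < max_encaps:
        tun = node.tunnels.get(node.next_hop(pkt.dst))
        if tun is None:
            return ("sent", pkt, encaps)
        pkt = Packet(tun.outer_src, tun.outer_dst, IPPROTO_IPIP, inner=pkt)
        encaps += 1
    return ("loop", pkt, encaps)


def encapsulate_by_policy(phys: Node, pkt: Packet, policies):
    """Simplified policy model: the tunnel is an IPsec policy keyed on the
    inner packet's selectors, applied at most once; the outer packet is then
    routed like any other packet, so outer dst == inner dst cannot loop.
    policies: [(inner_dst_prefix, TunnelIf)], first match wins."""
    for inner_net, tun in policies:
        if pkt.dst in inner_net:
            outer = Packet(tun.outer_src, tun.outer_dst, IPPROTO_IPIP, inner=pkt)
            outcome = "sent" if phys.next_hop(outer.dst) else "unroutable"
            return (outcome, outer, 1)
    return ("sent", pkt, 0)  # no policy matched: leave the packet as is


def build_scenario():
    """Constructed topology: ip.tun0 protects traffic to the peer gateway
    itself (outer dst == inner dst); ip.tun1 protects a remote subnet behind
    a different outer address."""
    tun0 = TunnelIf("ip.tun0", IPv4Address("192.0.2.10"), IPv4Address("10.1.1.1"))
    tun1 = TunnelIf("ip.tun1", IPv4Address("192.0.2.10"), IPv4Address("198.51.100.1"))
    node = Node(
        routes=[(IPv4Network("0.0.0.0/0"), "bge0"),
                (IPv4Network("10.1.0.0/16"), "ip.tun1"),
                (IPv4Network("10.1.1.1/32"), "ip.tun0")],
        tunnels={"ip.tun0": tun0, "ip.tun1": tun1})
    phys = Node(routes=[(IPv4Network("0.0.0.0/0"), "bge0")])  # physical routing only
    policies = [(IPv4Network("10.1.1.1/32"), tun0), (IPv4Network("10.1.0.0/16"), tun1)]
    return node, phys, policies


def run_demo():
    """Run the three cases; returns {case: (outcome, final outer dst, encapsulations)}."""
    node, phys, policies = build_scenario()
    src = IPv4Address("192.0.2.10")
    to_peer = Packet(src, IPv4Address("10.1.1.1"), 6)     # TCP to the tunnel endpoint itself
    to_subnet = Packet(src, IPv4Address("10.1.5.5"), 6)   # TCP to a host behind ip.tun1
    cases = {
        "interface model, to peer": forward_via_interface_tunnels(node, to_peer),
        "interface model, to subnet": forward_via_interface_tunnels(node, to_subnet),
        "policy model, to peer": encapsulate_by_policy(phys, to_peer, policies),
    }
    return {name: (outcome, str(p.dst), n) for name, (outcome, p, n) in cases.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:28s} -> {result}")
```

Only the first case loops: the /32 host route for the peer points back at the tunnel whose outer header carries that same destination, so every encapsulation re-selects ip.tun0 until the bound is hit.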
Also, the IKE daemon would express Phase II identities in a non-standard way. According to RFC 2409, the Phase II identities must be set as follows:

If ISAKMP is acting as a client negotiator on behalf of another party, the identities of the parties MUST be passed as IDci and then IDcr.

This is a fancy way of saying "use some form of the inner IP addresses for Tunnel Mode". Currently Solaris sets both identities for packets protected on a tunnel interface as proto=4 (IP-in-IP), 0.0.0.0/0 for IPv4-in-* tunnels, and proto=41 (IPv6-in-IP), 0::0/0 for IPv6-in-* tunnels. This decision led to many interoperability problems with other IKE implementations.

The Tunnel Reform project aims to end these shortcomings. Using an extended set of ipsecconf(1m) syntax, extensions to PF_KEY to express inner-packet selectors, and an improved IKE daemon, the goals of Tunnel Reform are:

- For packets that originate from or are destined for a Solaris node (where a tunnel interface counts as an originator or destination), implement the RFC 2401 set of selectors, while keeping in mind the upcoming changes in RFC 4301.
- To severely reduce or eliminate customer calls of the form, "We can't talk to foo in Tunnel Mode (especially when IKE is involved)."
- To lay groundwork for better PF_KEY expression of RFC 2401 and 4301 selectors, hopefully as input into PF_KEYv3.

Performing IPsec actions on forwarded packets that do not go through an explicit tunnel interface is well beyond the scope of this project.

Documentation

Design Document

Code snapshots

July 14, 2006: Fragment cache and per-port tunnel policy are incomplete, but everything else passes initial smoke tests and basic regression tests.

Nevada build 45: Gate snapshot versus Build 45 of Nevada.
Nevada build 47: Gate snapshot versus Build 47 of Nevada. DEV COMPLETE SNAPSHOT.
Nevada build 50: Gate snapshot versus Build 50 of Nevada. CODE REVIEW SNAPSHOT.
Nevada build 51: Gate snapshot versus Build 51 of Nevada.
Nevada build 51 vs. Nevada build 50: Gate snapshot versus the build 50 gate snapshot. BEST WAY TO SEE CODE REVIEW CHANGES.

Announcements

03 Nov 2006: Tunnel Reform is in build 53
26 Oct 2006: Code Review is closed, plus new snapshots
09 Oct 2006: Nevada build 50 and Code Review
24 Aug 2006: Nevada Build 47 snapshot available
25 Jul 2006: Nevada build 45 snapshot

Page Last Modified: 12 Sep 2007
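To make the Phase II identity problem from the project overview concrete, here is an added Python example (not code from the OpenSolaris project or its IKE daemon). It derives IDci/IDcr from a tunnel's inner-packet selectors in the way RFC 2409 section 5.5 expects, encodes them as RFC 2407 section 4.6.2 identification payload bodies, and shows a strict responder rejecting the legacy proto=4 / 0.0.0.0/0 wildcard identities while accepting selector-based ones. The subnets 10.1.2.0/24 and 10.1.3.0/24 and the responder's exact-match rule are constructed assumptions; real implementations differ in how strictly they compare identities, which is exactly why the wildcards interoperated with some peers and not others.

```python
# Added example (not OpenSolaris or IKE daemon code): Phase II identities
# derived from inner-packet selectors versus the legacy Solaris wildcards.
# Subnets and the responder's matching rule are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Union

IPPROTO_IPIP = 4    # IPv4-in-IP, the page's proto=4
IPPROTO_IPV6 = 41   # IPv6-in-IP, the page's proto=41
# Identification types from RFC 2407 section 4.6.2.1
ID_IPV4_ADDR_SUBNET = 4
ID_IPV6_ADDR_SUBNET = 6

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class PhaseIIId:
    net: Net
    proto: int = 0   # 0 = any protocol (RFC 2407: "should be ignored")
    port: int = 0    # 0 = any port


def legacy_solaris_ids(inner_version: int):
    """Identities described for pre-reform Solaris: the whole address family
    wildcarded, with the encapsulation protocol in the protocol field.
    Returns (IDci, IDcr)."""
    if inner_version == 4:
        wild = PhaseIIId(ip_network("0.0.0.0/0"), IPPROTO_IPIP)
    else:
        wild = PhaseIIId(ip_network("::/0"), IPPROTO_IPV6)
    return wild, wild


def selector_ids(local_inner: str, remote_inner: str, proto: int = 0, port: int = 0):
    """RFC 2401-style: IDci/IDcr carry the inner-packet selectors of the traffic
    the tunnel actually protects, the initiator's own side first."""
    return (PhaseIIId(ip_network(local_inner), proto, port),
            PhaseIIId(ip_network(remote_inner), proto, port))


def encode_id(ident: PhaseIIId) -> bytes:
    """Body of an ISAKMP Identification payload (after the generic payload
    header): ID type, protocol ID, port, then address followed by mask."""
    if ident.net.version == 4:
        id_type, width = ID_IPV4_ADDR_SUBNET, 4
    else:
        id_type, width = ID_IPV6_ADDR_SUBNET, 16
    addr = int(ident.net.network_address).to_bytes(width, "big")
    mask = int(ident.net.netmask).to_bytes(width, "big")
    return bytes([id_type, ident.proto]) + ident.port.to_bytes(2, "big") + addr + mask


def responder_accepts(local_sel: str, remote_sel: str, idci: PhaseIIId,
                      idcr: PhaseIIId, proto: int = 0) -> bool:
    """Strict responder (assumption): the initiator's IDci must equal the
    responder's remote selector and IDcr its local selector.  A responder
    protocol of 0 accepts any protocol; otherwise it must match exactly."""
    def same(ident: PhaseIIId, net: str) -> bool:
        return ident.net == ip_network(net) and (proto == 0 or ident.proto == proto)
    return same(idci, remote_sel) and same(idcr, local_sel)


if __name__ == "__main__":
    # Responder protects 10.1.3.0/24 (local) <-> 10.1.2.0/24 (remote).
    for label, (idci, idcr) in [("legacy wildcard", legacy_solaris_ids(4)),
                                ("inner selectors", selector_ids("10.1.2.0/24", "10.1.3.0/24"))]:
        ok = responder_accepts("10.1.3.0/24", "10.1.2.0/24", idci, idcr)
        print(f"{label:16s} IDci={encode_id(idci).hex()} -> {'accepted' if ok else 'rejected'}")
```

The legacy pair encodes as type 4 (subnet), protocol 4, port 0, address 0.0.0.0, mask 0.0.0.0, which says nothing about the traffic being protected; a peer that checks identities against its own selectors has no way to match that to 10.1.2.0/24 and 10.1.3.0/24 and fails the exchange.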