The IPsec Tunnel Reform project's code review is now underway. Take a look and see what it took to bring up IPsec Tunnel-Mode processing in a world where tunnels are not actions from a policy, but rather a first-class network interface (or at least after Clearview it will be).
Highlights for administrators include:
- Augmentations to ipsecconf(1m) to specify a tunnel interface's policy, whether it's S9-style IP-in-IP transport mode or RFC 2401-compliant Tunnel Mode.
- No changes to IKE configuration.
- You can configure tunnel security without ifconfig(1m) using just ipsecconf(1m). We put all IPsec policy in ipsecconf(1m) and let ifconfig manage interfaces (and route(1m) manage routing).
- Additions to ipseckey(1m) for manual tunnel-mode SA configuration, or monitoring of kernel interactions with Key Management.
- Better interoperability with everyone else's Tunnel Mode IPsec.
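As an added illustration of the ipsecconf(1m)-only configuration described above (not a fragment from the Tunnel Reform code review or the OpenSolaris tree), here is a constructed ipsecinit.conf that gives one tunnel RFC 2401 Tunnel Mode and a second tunnel the older IP-in-IP transport mode. The interface names, inner networks and algorithm choices are assumptions made for the example:

```conf
# /etc/inet/ipsecinit.conf (constructed example; ip.tun0, ip.tun1 and the
# 10.x networks are assumed values, not taken from the announcement)

# Rule 1: RFC 2401 Tunnel Mode on ip.tun0. ESP protects the whole inner
# packet; laddr/raddr select the inner (private) networks behind each end,
# so traffic to anything else is not matched by this rule.
{tunnel ip.tun0 negotiate tunnel laddr 10.1.0.0/16 raddr 10.2.0.0/16}
    ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

# Rule 2: Solaris 9 style IP-in-IP transport mode on ip.tun1, kept only for
# a peer that still expects it. Here IPsec protects the outer IP-in-IP
# packet rather than the inner one.
{tunnel ip.tun1 negotiate transport}
    ipsec {encr_algs aes encr_auth_algs sha1 sa shared}
```

With this split, ifconfig(1m) does nothing but plumb the tunnel and set its endpoints (for example `ifconfig ip.tun0 plumb 10.1.0.1 10.2.0.1 tsrc <outer-local> tdst <outer-remote> up`, with the outer addresses as placeholders), the policy is loaded with `ipsecconf -a /etc/inet/ipsecinit.conf` and reviewed with `ipsecconf -l`. Keeping rules in one place makes it straightforward to audit that every tunnel actually has a policy, rather than hunting through per-interface ifconfig options.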
Highlights for OpenSolaris-hackers include:
- New per-tunnel policy structure: ipsec_tun_pol_t, which instantiates the existing policy-head per tunnel.
- Getting rid of IRE_DB_REQ messages for SA addition/updates. This improves SA-adding performance and reduces the complexity of the ESP and AH modules.
- New PF_KEY and PF_POLICY messages to reflect Tunnel Mode.
- Shifting of tunnel IPsec policy enforcement from the lower instance of IP to "tun" itself. (NOTE: This will change again when we merge with Clearview.)
Share your comments on tref-discuss, and let us know what you think!