*** ipsecconf.txt Wed Feb 21 17:16:26 2007 --- ipsecconf.txt.new Tue Feb 27 13:44:36 2007 *************** *** 13,18 **** --- 13,20 ---- /usr/sbin/ipsecconf -a file [-q] + /usr/sbin/ipsecconf -c file + /usr/sbin/ipsecconf -d [-i tunnel-name] {index, tunnel-name, index} /usr/sbin/ipsecconf -f [-i tunnel-name] *************** *** 111,125 **** ! Policy entries are not preserved across reboot. Thus the ! policy needs to be added everytime the machine reboots. To ! configure policies early in the boot, one can setup policies ! in the /etc/inet/ipsecinit.conf file, which are then read ! from the svc:/network/initial:default service. ! See SECURITY for issues in securing this file. --- 113,127 ---- ! Policy entries are not preserved across system restarts. ! Permanent policy entries should be added to /etc/inet/ipsecinit.conf. ! This file is read by the following smf(5) service: + svc:/network/ipsec/policy ! See SMF for more information on managing IPsec security policy ! and SECURITY for issues in securing /etc/inet/ipsecinit.conf. *************** *** 173,179 **** --- 175,187 ---- this feature. + -c file + Check the syntax of the configuration file and report + any errors without making any changes to the policy. + This option is useful when debugging configurations + and when smf(5) reports a configuration error. See + SECURITY. -d index *************** *** 1355,1361 **** --- 1363,1394 ---- network. + To prevent non-privileged users from modifying the security + policy, ensure that the configuration file is only + writable by trusted users. + The configuration file is defined by a property of the + 'policy' smf(5) service. The default configuration file, + is /etc/inet/ipsecinit.conf, this can be changed using + the svcprop(1M) command. See SMF for more details. + + The policy description language supports the use of tokens + that can be resolved via name service using functions + such as gethostbyname(3NSL). 
While convenient, these + functions are only secure as the name service the system is + configured to use. Great care should be taken to secure the + name service if it is used to resolve elements of the security + policy. + + If your source address is a host that can be looked up over + the network and your naming system itself is compromised, + then any names used will no longer be trustworthy. + + If the name switch is configured to use a name service which is + not local to the system, bypass policy entries may be required + to prevent the policy from preventing communication to the + name service. See nsswitch.conf(4). + Policy is latched for TCP/UDP sockets on which a connect(3SOCKET) or accept(3SOCKET) has been issued. Adding new policy entries will not have any effect on them. This *************** *** 1362,1367 **** --- 1395,1404 ---- feature of latching may change in the future. It is not advisable to depend upon this feature. + The ipsecconf command can only be run by a user who has + sufficient privilege to open pf_key(7P) socket, the appropriate + privilege can be assigned to a user with the 'Network + IPsec Management' profile. See profiles(1), rbac(5), prof_attr(4). Make sure to set up the policies before starting any commun- *************** *** 1391,1402 **** - If your source address is a host that can be looked up over - the network, and your naming system itself is compromised, - then any names used will no longer be trustworthy. - - EXAMPLES Example 1 Protecting Outbound TCP Traffic With ESP and the AES Algorithm --- 1428,1434 ---- *************** *** 1827,1842 **** /etc/inet/ipsecinit.conf ! File containing IPsec policies to be installed at the ! time the system transitions from run-level 2 or 3. If ! present, these policies are loaded after /usr is mounted ! but before any non-boot-time routing information is pro- ! cessed and before any Internet services are started, ! including naming services. 
- /etc/inet/ipsecinit.sample --- 1859,1870 ---- /etc/inet/ipsecinit.conf ! File containing IPsec policies to be installed at ! system restart by the 'policy' smf(5) service. See ! SMF for more information. /etc/inet/ipsecinit.sample *************** *** 1879,1885 **** gethostbyname(3XNET), getnetbyname(3XNET), getprotobyname(3XNET), getservbyname(3XNET), getaddrinfo(3SOCKET), socket(3SOCKET), attributes(5), ! smf(5), ipsecah(7P) , ipsecesp(7P), tun(7M) --- 1907,1914 ---- gethostbyname(3XNET), getnetbyname(3XNET), getprotobyname(3XNET), getservbyname(3XNET), getaddrinfo(3SOCKET), socket(3SOCKET), attributes(5), ! smf(5), svcprop(1M), ipsecah(7P) , ipsecesp(7P), tun(7M), ! rbac(5), prof_attr(4), profiles(1) *************** *** 1994,2022 **** ! NOTES ! The IPsec service is managed by the service management ! facility, smf(5), under the service identifier: ! svc:/network/initial:default ! Administrative actions on this service, such as enabling, ! disabling, or requesting restart, can be performed using ! svcadm(1M). The service's status can be queried using the ! svcs(1) command. ! This command requires sys_net_config privilege to operate ! and thus can run only in the global zone; the policy rules ! it manages affect all zones on the system. --- 2023,2102 ---- ! SMF ! IPsec policy is managed by the service management ! facility, smf(5). The following group of services manage ! the components of IPsec: ! svc:/network/ipsec/ipsecalgs (See ipsecalgs(1M)) ! svc:/network/ipsec/policy (See ipsecconf(1M)) ! svc:/network/ipsec/manual-key (See ipseckey(1M)) ! svc:/network/ipsec/ike (see ike.config(4)) + The manual-key and ike services are delivered 'disabled' + because the system administrator needs to create configuration + files for each service as described in the respective man pages. + The 'policy' smf(5) service has a dependency on the + 'ipsecalgs' service. the 'ipseclags' service should + be enabled before the 'policy' service. 
Failure to + do this will result in the 'policy' service entering + maintenance mode. ! Correct administrative proceedure is to create the ! configuration file for each service then enable each ! service using svcadm(1M). + If the configuration needs to be changed, edit the + configuration file then refresh the service. + example# svcadm refresh policy ! The smf(5) framework will record any errors in the service ! specific logfile. Use any of the following commands to ! examine the 'logfile' property: + example# svcs -l policy + example# svcprop policy + example# svccfg -s policy listprop + The following property is defined for the 'policy' service: + + config/config_file + + This property can be modified using svccfg(1M) by users + who have been assigned the following authorization: + + solaris.smf.value.ipsec + + See auths(1), user_attr(4), rbac(5). + + The service needs to be refreshed using svcadm(1M) before + the new property is effective. General non-modifiable properties + can be viewed with the svcprop(1M) command. + + example# svccfg -s ipsec/policy setprop config/config_file = /new/config_file + example# svcadm refresh policy + + Administrative actions on this service, such as enabling, + disabling, refreshing or requesting restart, can be performed + using svcadm(1M). A user who has been assigned the following + authorization can perform these actions: + + solaris.smf.manage.ipsec + + The service's status can be queried using the svcs(1) command. + + The ipsecconf command is designed to be mananged by the 'policy' + smf(5) service, the ipsecconf command can be run from the command + line, although this is discouraged. If the ipsecconf command is + to be run from the command line, the 'policy' smf(5) service should + be disabled first - See svcadm(1M). + +
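Review bot: In the '-c file' description added in the hunk at 173,179 (new 175,187), the closing cross-reference 'See SECURITY' does not match the option: a syntax check that makes no policy change, used 'when smf(5) reports a configuration error', points the reader at service management, so 'See SMF' (the section this same patch introduces) is the more useful reference, or cite both if the intent is the file-permission advice in SECURITY. The synopsis hunk at 13,18 lists '-c file' without '[-q]'; if the quiet flag is honoured by -c as it is by -a, the synopsis and the option text should say so.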
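Review bot: In the SECURITY hunk at 1355,1361 (new 1363,1394), 'this can be changed using the svcprop(1M) command' contradicts the SMF section added later in this patch, which changes config/config_file with 'svccfg -s ipsec/policy setprop ...' and presents svcprop(1M) only as the viewer; it should read 'using the svccfg(1M) command' (and 'See SMF for more details' then points at the matching procedure). The same sentence is a comma splice with a stray comma: 'The default configuration file is /etc/inet/ipsecinit.conf; this can be changed using ...'. Two smaller wording points in the same hunk: 'these functions are only secure as the name service' should be 'only as secure as the name service', and 'to prevent the policy from preventing communication to the name service' reads better as 'to prevent the policy from blocking communication with the name service'.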
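Review bot: The privilege paragraph added in the hunk at 1362,1367 (new 1395,1404) replaces the NOTES text deleted in the hunk at 1994,2022, but only part of it: the old text stated that the command requires sys_net_config, that it can therefore run only in the global zone, and that the policy it manages affects all zones; the new text says only that the user needs 'sufficient privilege to open pf_key(7P) socket' and names the 'Network IPsec Management' profile. If the global-zone restriction and the all-zones effect still hold, they should be carried into this paragraph, since nothing in the patched page now says where ipsecconf may be run. Grammar: 'to open a pf_key(7P) socket', and the clause after 'socket,' is a comma splice ('... socket; the appropriate privilege can be assigned ...').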
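Review bot: The FILES hunk at 1827,1842 (new 1859,1870) drops the ordering statement from the old entry (policies loaded 'before any non-boot-time routing information is processed and before any Internet services are started, including naming services'). That ordering is load-bearing for the SECURITY text this patch adds, which says bypass entries may be required when the name service is not local; the reader now has no statement of whether the 'policy' service runs before or after naming and routing services. Suggest recording the policy service's ordering relative to those services in the SMF section, or keeping the old sentence here with the smf(5) qualification.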
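Review bot: The SEE ALSO hunk at 1879,1885 (new 1907,1914) adds svcprop(1M), rbac(5), prof_attr(4) and profiles(1), but the text added elsewhere in this patch also cites svccfg(1M), svcadm(1M), svcs(1), auths(1), user_attr(4), ipsecalgs(1M), ipseckey(1M), ike.config(4), nsswitch.conf(4) and pf_key(7P); check that each of these is already in the list (only two lines of it are visible here) and add any that are missing. While the line is being edited, the stray space in 'ipsecah(7P) ,' should go.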
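Review bot: The dependency paragraph in the new SMF section (hunk at 1994,2022, new 2023,2102) is internally unclear: it says the 'policy' service 'has a dependency on the ipsecalgs service' and in the same breath that failing to enable ipsecalgs first puts 'policy' into maintenance mode; an administrator who knows that smf(5) starts declared dependencies will read those two statements as contradictory. State what actually happens (for example that the dependency is declared but not enabled automatically, and that 'svcadm enable -r' or enabling 'ipsecalgs' first satisfies it). Service names are abbreviated inconsistently in the examples: 'svcadm refresh policy' and 'svcs -l policy' versus 'svccfg -s ipsec/policy setprop'; use 'ipsec/policy' throughout so the abbreviation is unambiguous. Typos and case in this hunk: 'ipseclags' should be 'ipsecalgs', 'proceedure' should be 'procedure', 'mananged' should be 'managed', 'service. the' needs a capital, and '(see ike.config(4))' should match the '(See ...)' form of the three lines above it. The closing paragraph is a comma splice: 'designed to be managed by the policy smf(5) service; the ipsecconf command can be run from the command line, although this is discouraged'.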