All looks perfectly reasonable and as I'd expected given I'm familiar 
with IPsec and the use of CCM and GCM modes.

One small question though.  I assume that /etc/inet/ipsecalgs will be 
updated by this case so that CCM and GCM are available without the admin 
having to run ipsecalgs(1M).  I also assume that the already existing
svc:/network/ipsec/ipsecalgs:default will be the SMF service doing this 
update - since we should no longer attempt to do this in class action or 
postinstall scripts.

--
Darren J Moffat
