Mark Fenwick wrote:
> See note inline:
>
>>> One small question though. I assume that /etc/inet/ipsecalgs will be
>>> updated by this case so that CCM and GCM are available without the admin
>>> having to run ipsecalgs(1M). I also assume that the already existing
>>> svc:/network/ipsec/ipsecalgs:default will be the SMF service doing this
>>> update - since we should no longer attempt to do this in class action or
>>> postinstall scripts.
>> /etc/inet/ipsecalgs will be updated, this means that new installs will get
>> this file with GCM/CCM already in place. The class action script has been
>> updated so that BFU and upgrade using SVR4 packages will do the right thing.
>> Existing IPS installs will NOT get the new file when they do an
>> image-update, they will have to run ipsecalgs(1m), but only if they want to
>> use these new ciphers. IPsec will work just fine with the old ipsecalgs file
>> for the existing ciphers.
>
> I stand corrected, for an IPS install, image-update will replace the existing
> /etc/inet/ipsecalgs with the new one (which will include the new definitions
> for CCM/GCM), *provided* the user didn't modify this file with ipsecalgs(1m)
> after it was originally installed. This will probably cover almost all
> existing installations, the use of ipsecalgs(1m) to modify the definitions is
> not typical, usually only required for third-party algorithm support.

With that I gladly give the case my +1.

--
Darren J Moffat