I've revised the project proposal based on the first round of comments. I would like endorsement of this project by the security and networking communities under the current project creation policy [1].
Despite not asking for it in the first round, I got explicit endorsement from:

    James.Hughes at sun.com
    Darren.Moffat at sun.com

- Bill

-- OPENSOLARIS PROJECT PROPOSAL --

Project Name: Labeled IPsec (txipsec)

Project Synopsis: Bring together IPsec and Trusted Networking.

Project Purpose (and commentary):

Currently OpenSolaris contains an IPsec component and a Trusted Networking component that solve closely related problems but which currently operate entirely independently of each other. This project proposes to bring the two together in a way which preserves all existing capabilities of the individual components but which allows the capabilities to be combined to increase the usefulness, applicability, and security of both components.

Trusted Networking will gain on-the-wire integrity and confidentiality protection of sensitivity labels and an optional more-compact on-the-wire representation of the label (as an implicit property of the security association), making it less reliant on physically secured network paths. Implicit labelling will be able to be used both with other MLS systems, and also with non-MLS systems using a single label per system assigned by policy.

IPsec will gain from being able to use network repositories for policy configuration, allowing even unlabelled networks (which is to say, those not using TX) to benefit from this project.

Note: On Solaris, IPsec key management is considered a modular, replaceable component, with open interfaces. The IKE key management daemon for IPsec, in.iked, is not open source. Correcting this is not part of this project. Changes to interfaces used by key management will be specified by this project to permit an open reimplementation of key management.
Proposed Sponsors: Networking and Security

Participants:

Initial set of proposed project leads:

    Bill Sommerfeld <sommerfeld at sun.com> [point of contact]
    Dan McDonald <danmcd at sun.com>

Other Participants:

    Jarrett Lu <jarrett.lu at sun.com>

Other interested participants: please speak up, or join the project list once we have it running. Contributions of both code and review time are obviously quite welcome; there's a lot of work to be done here.

[1] http://www.opensolaris.org/os/community/ogb/policies/project-instantiation.txt