On Wed, Sep 13, 2006 at 03:02:36PM -0700, Josh Fisher wrote:
> The FIPS level our current proprietary IPsec meets is 140-2; however, the
> requirement to meet 140-3 will probably be enforced when we convert to
> Solaris 10 w/ extensions. Will Sun pursue IPsec/Crypto framework or any
> other security algorithm implementations meeting FIPS 140-2 or -3?

I *think* we already meet FIPS 140-2. I'll need to be refreshed about what -2 entails. (Perhaps an EF person with more FIPS experience can help?!?)

> > (Unfortunately, our IKE implementation is encumbered.)
>
> So are you suggesting not using IKE? How would that affect IPsec? Would we
> not want to implement Sun's version of IPsec?

I'm just saying it's not open-sourced. It certainly comes with Sun-shipped Solaris as a binary; you just can't UTSL like you can with our IPsec kernel source.

> Is anyone currently using the version of IPsec/crypto framework bundled with
> Solaris 10 on a system that also has Trusted Extensions, LDAP, and zones
> configured?

Not that I'm aware of. There are issues with IPsec in that it can only be administered from the global zone, and IKE doesn't work on behalf of non-global zones. This is fixed in Nevada/OpenSolaris, and will be back in a future S10 update.

> Thanks for the help. I am trying to wrap my head around how
> IPsec/Crypto/IKE all work together and how it will affect our setup. If
> anyone knows of any helpful links on these issues, please let me know.

Unless Tunnel Mode is a concern, you're most likely going to be better off with the one in S10. Did you roll your own proprietary IPsec from scratch? Or did you start with someone else's?

Dan