Solaris 10 What's New

Security Enhancements

The following security features and enhancements have been added to the Solaris 10 5/09 release.

NAT-Traversal for IPsec Key Management Developers

The Solaris 10 5/09 release contains a public API for User Datagram Protocol (UDP) sockets that act as IPsec Network Address Translator (NAT) Traversal endpoints.

The UDP_NAT_T_ENDPOINT socket option, when enabled, has UDP traffic prefixed with a zero security parameters index (SPI) value of four bytes on outbound traffic and strips zero SPIs on inbound traffic. Inbound traffic bound for such a socket with a nonzero SPI is automatically transferred to IPsec's Encapsulating Security Payload (ESP) for ESP-in-UDP decapsulation. ESP-in-UDP encapsulation is determined by a property in the IPsec Security Association (SA).

This feature enables IPsec key management software developers to create key management protocols that can transit NAT devices. The Solaris IKE daemon in iked(1M) uses this facility and such sockets are displayed using the pfiles(1M) command.
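The demultiplexing rule described above (zero SPI prefix stripped and delivered to the key manager, nonzero SPI handed to ESP, ESP-in-UDP decided by an SA property), as an added illustration that is not part of this release note or of the Solaris implementation. The SA table and datagrams are constructed, and the one-byte keepalive handling comes from RFC 3948, which this page does not discuss.

```python
import struct

# Four zero bytes prepended to IKE datagrams on a NAT-T endpoint socket; SPI
# value 0 is reserved in ESP, so the prefix is never mistaken for a real SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# One-byte NAT keepalive from RFC 3948 section 2.3 (not covered on this page).
NAT_KEEPALIVE = b"\xff"

# Constructed stand-in for the SADB: SPI -> whether the SA uses ESP-in-UDP.
SA_TABLE = {0x1000ABCD: {"udp_encap": True}, 0x2000EF01: {"udp_encap": False}}


def wrap_outbound_ike(ike_message: bytes) -> bytes:
    """Outbound side: prefix the IKE datagram with the zero SPI marker."""
    return NON_ESP_MARKER + ike_message


def demux_inbound(datagram: bytes, sa_table=SA_TABLE) -> tuple:
    """Inbound side: decide where one UDP datagram goes, as the socket option does.

    Returns (disposition, details); disposition is 'ike' (marker stripped,
    delivered to key management), 'esp' (handed to ESP for ESP-in-UDP
    decapsulation), 'keepalive', or 'drop'.
    """
    if datagram == NAT_KEEPALIVE:
        return "keepalive", {}
    if len(datagram) < 4:
        return "drop", {"reason": "shorter than the 4-byte SPI field"}
    spi = struct.unpack("!I", datagram[:4])[0]
    if spi == 0:
        # Zero SPI: this is IKE. Strip the marker and deliver the rest.
        return "ike", {"payload": datagram[4:]}
    # Nonzero SPI: ESP-in-UDP. The 8-byte ESP header (SPI + sequence number)
    # stays intact because ESP parses it itself.
    if len(datagram) < 8:
        return "drop", {"reason": "ESP header truncated", "spi": spi}
    sa = sa_table.get(spi)
    if sa is None:
        return "drop", {"reason": "no SA for SPI", "spi": spi}
    if not sa["udp_encap"]:
        return "drop", {"reason": "SA not marked for UDP encapsulation", "spi": spi}
    seq = struct.unpack("!I", datagram[4:8])[0]
    return "esp", {"spi": spi, "seq": seq, "esp_packet": datagram}


if __name__ == "__main__":
    # Constructed sample datagrams exercising each path.
    print(demux_inbound(wrap_outbound_ike(b"IKE-HDR...")))
    print(demux_inbound(struct.pack("!II", 0x1000ABCD, 7) + b"ciphertext"))
    print(demux_inbound(struct.pack("!II", 0x2000EF01, 1) + b"x"))
```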

Stronger Algorithms for IPsec

The Solaris 10 5/09 release introduces the following algorithms for IPsec and IKE:

SunSSH With OpenSSL PKCS#11 Engine Support

This feature enables the SunSSH server and client to use the Solaris Cryptographic Framework through the OpenSSL PKCS#11 engine. SunSSH uses the Cryptographic Framework for hardware acceleration of symmetric crypto algorithms, which matters for data transfer speed. This feature is aimed at UltraSPARC® T2 processor platforms with the n2cp(7D) crypto driver.

UltraSPARC T1 processor platforms are not affected by this feature because the ncp(7D) driver does not support symmetric crypto algorithms. Platforms without any hardware crypto plugins are also unaffected, regardless of the value set for the UseOpenSSLEngine option. The default value of the UseOpenSSLEngine option is on, so the server and client SSH configuration files need not be updated.

SunSSH should be used with Sun Crypto Accelerator 6000 board software version 1.1 with the following patches installed:

Note –

No patch is available for the Sun Crypto Accelerator 6000 board software version 1.0. To work around this issue, remove the AES counter modes from the Ciphers option keyword on both the server and the client side.

For more information, see the ssh_config(4) and sshd_config(4)