The following security features and enhancements have been added to the Solaris 10 5/09 release.
The Solaris 10 5/09 release contains a public API for User Datagram Protocol (UDP) sockets that act as IPsec Network Address Translator (NAT) Traversal endpoints.
When enabled, the UDP_NAT_T_ENDPOINT socket option prefixes outbound UDP traffic with a four-byte zero security parameters index (SPI) value and strips zero SPIs from inbound traffic. Inbound traffic bound for such a socket with a nonzero SPI is automatically transferred to IPsec's Encapsulating Security Payload (ESP) for ESP-in-UDP decapsulation. ESP-in-UDP encapsulation is determined by a property in the IPsec Security Association (SA).
This feature enables IPsec key management software developers to create key management protocols that can transit NAT devices. The Solaris IKE daemon, in.iked(1M), uses this facility, and such sockets are displayed using the pfiles(1M) command.
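The following C code is an added user-space model of the SPI handling described above. It is not Solaris source code and does not call the socket option itself. The names natt_inbound, natt_outbound and the natt_class values are hypothetical, and the sample datagrams are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPI_LEN 4  /* the SPI field is four bytes */

/* Hypothetical labels: too short to hold an SPI, key management, ESP-in-UDP. */
enum natt_class { NATT_SHORT, NATT_KEYMGMT, NATT_ESP };

/* Inbound model: a zero SPI is stripped and the rest belongs to the key
 * management socket; a nonzero SPI means the whole payload is an ESP packet.
 * A payload under four bytes (for example a one-byte RFC 3948 keepalive)
 * cannot be classified by SPI and is reported separately. */
enum natt_class natt_inbound(const uint8_t *dgram, size_t len,
                             const uint8_t **body, size_t *body_len)
{
    static const uint8_t zero_spi[SPI_LEN] = {0, 0, 0, 0};

    *body = dgram;
    *body_len = len;
    if (len < SPI_LEN)
        return NATT_SHORT;
    if (memcmp(dgram, zero_spi, SPI_LEN) != 0)
        return NATT_ESP;            /* ESP header starts at the SPI itself */
    *body = dgram + SPI_LEN;        /* strip the zero SPI */
    *body_len = len - SPI_LEN;
    return NATT_KEYMGMT;
}

/* Outbound model: prefix the message with a zero SPI.
 * Returns the datagram length, or 0 if the output buffer is too small. */
size_t natt_outbound(const uint8_t *msg, size_t msg_len,
                     uint8_t *out, size_t out_cap)
{
    if (out_cap < SPI_LEN || msg_len > out_cap - SPI_LEN)
        return 0;
    memset(out, 0, SPI_LEN);
    memcpy(out + SPI_LEN, msg, msg_len);
    return msg_len + SPI_LEN;
}

int main(void)
{
    const uint8_t esp[] = {0x12, 0x34, 0x56, 0x78, 0, 0, 0, 1}; /* constructed */
    const uint8_t *body;
    size_t n;
    printf("class=%d\n", natt_inbound(esp, sizeof esp, &body, &n));
    return 0;
}
```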
The Solaris 10 5/09 release introduces the following algorithms for IPsec and IKE:
Three larger Diffie-Hellman integer-modulus groups including 2048-bit, 3072-bit, and 4096-bit – The larger Diffie-Hellman groups are available in IKE Phase 1 and Phase 2. The groups are specified by group number 14 for 2048-bit, 15 for 3072-bit, and 16 for 4096-bit, per RFC 3526.
SHA-2 series of hashes including sha256, sha384, and sha512 – SHA-2 using HMAC is available for IPsec's Authentication Header (AH) and ESP, and for IKE during its interactions. SHA-2 is used in IPsec per RFC 4868, with truncated ICV lengths of 16 bytes for SHA256, 24 bytes for SHA384, and 32 bytes for SHA512.
SHA-2 is not available for certificates generated with ikecert(1M).
This feature enables the SunSSH server and client to use the Solaris Cryptographic Framework through the OpenSSL PKCS#11 engine. SunSSH uses the cryptographic framework for hardware crypto acceleration of symmetric crypto algorithms, which is important to the data transfer speed. This feature is aimed at UltraSPARC® T2 processor platforms with the n2cp(7D) crypto driver.
UltraSPARC T1 processor platforms are not affected by this feature since the ncp(7D) driver does not support symmetric crypto algorithms. Platforms without any hardware crypto plugins are not affected by this feature, regardless of the value set for the UseOpenSSLEngine option. The default value of the UseOpenSSLEngine option is set to on and the server and client SSH configuration files need not be updated.
SunSSH should be used with Sun Crypto Accelerator 6000 board software version 1.1 with the following patches installed:
128365-02 for SPARC-based systems
128366-02 for x86-based systems
No patch is available for the Sun Crypto Accelerator 6000 board software version 1.0. To work around this issue, remove the AES counter modes from the Ciphers option keyword on both the server and the client side.
For more information, see ssh_config(4) and sshd_config(4).