System Administration Guide: IP Services

IPsec Policy File

To have IPsec security policies applied when you start the Solaris operating environment, create an IPsec initialization configuration file that contains your specific IPsec policy entries, and name the file /etc/inet/ipsecinit.conf. See the ipsecconf(1M) man page for details about policy entries and their format. After the policies are configured, you can use the ipsecconf command to delete a policy temporarily or to view the existing configuration.

Example—ipsecinit.conf File

The Solaris software includes a sample IPsec policy file that you can use as a template to create your own ipsecinit.conf file. This sample file is named ipsecinit.sample and it contains the following entries:


#
#ident	"@(#)ipsecinit.sample	1.6  01/10/18 SMI"
#
# Copyright (c) 1999,2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# This file should be copied to /etc/inet/ipsecinit.conf to enable IPsec
# systemwide policy (and as a side-effect, load IPsec kernel modules).
# Even if this file has no entries, IPsec will be loaded if
# /etc/inet/ipsecinit.conf exists.
#
# Add entries to protect the traffic using IPsec. The entries in this
# file are currently configured using ipsecconf from inetinit script
# after /usr is mounted.
#
# For example,
#
#	 {rport 23} ipsec {encr_algs des encr_auth_algs md5}
#
# Or, in the older (but still usable) syntax
#
#    {dport 23} apply {encr_algs des encr_auth_algs md5 sa shared}
#    {sport 23} permit {encr_algs des encr_auth_algs md5}
#
# will protect the telnet traffic originating from the host with ESP using
# DES and MD5. Also:
#
#	 {raddr 10.5.5.0/24} ipsec {auth_algs any}
#
# Or, in the older (but still usable) syntax
#
#    {daddr 10.5.5.0/24} apply {auth_algs any sa shared}
#    {saddr 10.5.5.0/24} permit {auth_algs any}
#
# will protect traffic to or from the 10.5.5.0 subnet with AH 
# using any available algorithm.
#
#
# To do basic filtering, a drop rule may be used. For example:
#
#    {lport 23 dir in} drop {}
#    {lport 23 dir out} drop {}
#
# will disallow any remote system from telnetting in.
#
#
# WARNING:	This file is read before default routes are established, and
#		before any naming services have been started. The
#		ipsecconf(1M) command attempts to resolve names, but it will
#		fail unless the machine uses files, or DNS and the DNS server
#		is reachable via routing information before ipsecconf(1M)
#		invocation.  (that is, the DNS server is on-subnet, or DHCP
#		has loaded up the default router already.)
#
#		It is suggested that for this file, use hostnames only if
#		they are in /etc/hosts, or use numeric IP addresses.
#
#		If DNS gets used, the DNS server is implicitly trusted, which
#		could lead to compromise of this machine if the DNS server
#		has been compromised.
#

Security Considerations

If, for example, the /etc/inet/ipsecinit.conf file is served from an NFS-mounted file system, an adversary on the network can modify the data contained in the file as it is transferred. The outcome would be a change to the configured policy. Consequently, use extreme caution if you transmit a copy of the ipsecinit.conf file over a network.

Policy cannot be changed (it is “latched”) for TCP/UDP sockets on which a connect(3SOCKET) or accept(3SOCKET) has been issued. Adding new policy entries does not affect the latched sockets. This latching behavior might change in a future release, so you should not depend on it.

Ensure that you set up the policies before starting any communications, because existing connections might be affected by the addition of new policy entries. Similarly, do not change policies in the middle of a communication.

If a policy entry refers to a host by a name that is looked up over the network, and the naming service itself is compromised, then none of the names used in the policy can be trusted any longer.
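The sample file's WARNING and the paragraph above both come down to one practical rule: address values in ipsecinit.conf should be numeric, or names that /etc/hosts defines, so that the boot-time ipsecconf run never has to trust DNS. The following Python script, added here as an example and not part of the Solaris guide or of the ipsecconf tool, parses entries in the `{pattern} action {properties}` form shown in the sample file and reports every laddr/raddr/saddr/daddr value that is neither a literal address nor a name found in /etc/hosts. The policy entries and the /etc/hosts content are constructed inline for the demonstration; the script checks only address values and does not validate algorithm names or other keywords.

```python
"""Added example (not part of the Solaris guide): a pre-deployment check for an
ipsecinit.conf file that flags hostnames the boot-time ipsecconf run could not
resolve from /etc/hosts and would therefore have to resolve through DNS."""
import ipaddress
import re

# One policy entry: {pattern} action {properties}.  Entries may span lines.
ENTRY_RE = re.compile(r"\{([^}]*)\}\s*(\w+)\s*\{([^}]*)\}")
# Pattern keys whose value is an address (numeric, or a hostname).
ADDR_KEYS = {"laddr", "raddr", "saddr", "daddr"}


def strip_comments(text):
    """Drop '#' comments so commented-out example entries are not parsed."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_pattern(body):
    """Turn 'raddr 10.5.5.0/24 dir out' into a key/value dict."""
    tokens = body.split()
    if len(tokens) % 2:
        raise ValueError("pattern has an unpaired token: %r" % body)
    return dict(zip(tokens[0::2], tokens[1::2]))


def parse_entries(text):
    """Return a list of (pattern dict, action, property tokens), one per entry."""
    return [(parse_pattern(pat), action, props.split())
            for pat, action, props in ENTRY_RE.findall(strip_comments(text))]


def parse_hosts(text):
    """Collect every hostname and alias defined in /etc/hosts-style text."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.update(fields[1:])
    return names


def is_numeric(value):
    """True for a literal IPv4/IPv6 address, or an address with a prefix."""
    try:
        ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return True


def check_policy(policy_text, hosts_text):
    """Return (entry number, key, value) for each address that is a hostname
    absent from /etc/hosts, i.e. one that would need DNS at boot time."""
    hosts = parse_hosts(hosts_text)
    findings = []
    for number, (pattern, _action, _props) in enumerate(parse_entries(policy_text), 1):
        for key, value in pattern.items():
            if key in ADDR_KEYS and not is_numeric(value) and value not in hosts:
                findings.append((number, key, value))
    return findings


# Constructed sample policy (not a real deployment).  Entry 4 names a host
# that the constructed /etc/hosts below does not define.
SAMPLE_POLICY = """\
# protect telnet with ESP (same entry as the guide's sample file)
{rport 23} ipsec {encr_algs des encr_auth_algs md5}
{raddr 10.5.5.0/24} ipsec {auth_algs any}
{raddr fileserver} ipsec {auth_algs any}
{laddr mailhost dir out} ipsec {auth_algs any}
{lport 23 dir in} drop {}
"""

# Constructed /etc/hosts content for the check.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.5.5.7    fileserver fs   # aliases count as defined names too
"""

if __name__ == "__main__":
    for number, key, value in check_policy(SAMPLE_POLICY, SAMPLE_HOSTS):
        print("entry %d: %s %s is neither numeric nor in /etc/hosts"
              % (number, key, value))
```

Run against the constructed input, the script reports only entry 4 (`laddr mailhost`): entry 3 names `fileserver`, which /etc/hosts defines, and the remaining entries use numeric addresses or no address at all. Point it at the real /etc/inet/ipsecinit.conf and /etc/hosts before copying the file into place, and treat every finding as a name that will either fail to resolve at boot or be resolved through a DNS server the policy then implicitly trusts.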

Security weaknesses often lie in misapplication of tools, not the tools themselves. You should be cautious when using the ipsecconf command. Use a console or other hard-connected TTY for the safest mode of operation.