2007-04-10 Security Link of the Day: A few security relevant ARC cases
By Darren Moffat-Oracle on Apr 09, 2007
Bonus Link Tuesday :-) instead of just one link of the day I'm going to highlight a few recent security relevant ARC cases. For information on what an "ARC Case" is see the ARC community on OpenSolaris.org, at a high level it is how we do reviews of things users/admins/developers can see and use in (Open)Solaris and document the interfaces and their interactions.
The first two are proposals that are currently still in review so they functionality they describe doesn't yet appear in any OpenSolaris distribution.
First one is a proposal (PSARC/2007/200) to change the way that IPsec is started up by making better use of SMF, this gives better fault recovery - something really important when securing your system. Plus I logged the bug for this and provided a first suggestion at the new SMF services, and I'm really glad to see the project getting implemented now. The proposal is much more complete than my original suggestion and provides a very nice set of new SMF services that shows much better how IPsec works instead of it being "hidden" as part of general networking services.
The second one (PSARC/2007/198) is related to how IPfilter and IPMP work together. I find this one quite interesting because it focuses on how statefull packet filtering works in a high availability networking configuration. It is also interesting because this proposal is actually a short term solution that is to be provided until the Clearview networking project is ready.
My third and final link for today is a really geeky and quite low level/internal feature of the Cryptographic Framework. It (PSARC/2007/093) is about sharing the context (state) of in progress multi-part crypto operations between hardware and software providers.The real end user benefit of this better performance. This is because sometimes it is actually faster to run the software version of an algorithm than to send small data sizes out to dedicated crypto hardware. I'm not aware of any other operating system with a crypto framework that goes to these extents to get the best crypto performance out of the system as a whole; I'd be very interested in learning about others (particularly open source ones) that do similar things. I've long said to my team mates in the crypto group that there is a PhD thesis to be written about crypto job scheduling for best single throughput versus best system load with different mixes of hardware and software crypto engines.That's it for day, - Darren.