forked from Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
140 lines
3.4 KiB
140 lines
3.4 KiB
# SPDX-License-Identifier: GPL-2.0-only |
|
# |
|
# XFRM configuration |
|
# |
|
config XFRM |
|
bool |
|
depends on INET |
|
select GRO_CELLS |
|
select SKB_EXTENSIONS |
|
|
|
config XFRM_OFFLOAD |
|
bool |
|
|
|
config XFRM_ALGO |
|
tristate |
|
select XFRM |
|
select CRYPTO |
|
select CRYPTO_HASH |
|
select CRYPTO_SKCIPHER |
|
|
|
if INET |
|
config XFRM_USER |
|
tristate "Transformation user configuration interface" |
|
select XFRM_ALGO |
|
help |
|
Support for Transformation(XFRM) user configuration interface |
|
like IPsec used by native Linux tools. |
|
|
|
If unsure, say Y. |
|
|
|
config XFRM_USER_COMPAT |
|
tristate "Compatible ABI support" |
|
depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \ |
|
HAVE_EFFICIENT_UNALIGNED_ACCESS |
|
select WANT_COMPAT_NETLINK_MESSAGES |
|
help |
|
Transformation(XFRM) user configuration interface like IPsec |
|
used by compatible Linux applications. |
|
|
|
If unsure, say N. |
|
|
|
config XFRM_INTERFACE |
|
tristate "Transformation virtual interface" |
|
depends on XFRM && IPV6 |
|
help |
|
This provides a virtual interface to route IPsec traffic. |
|
|
|
If unsure, say N. |
|
|
|
config XFRM_SUB_POLICY |
|
bool "Transformation sub policy support" |
|
depends on XFRM |
|
help |
|
Support sub policy for developers. By using sub policy with main |
|
one, two policies can be applied to the same packet at once. |
|
Policy which lives shorter time in kernel should be a sub. |
|
|
|
If unsure, say N. |
|
|
|
config XFRM_MIGRATE |
|
bool "Transformation migrate database" |
|
depends on XFRM |
|
help |
|
A feature to update locator(s) of a given IPsec security |
|
association dynamically. This feature is required, for |
|
instance, in a Mobile IPv6 environment with IPsec configuration |
|
where mobile nodes change their attachment point to the Internet. |
|
|
|
If unsure, say N. |
|
|
|
config XFRM_STATISTICS |
|
bool "Transformation statistics" |
|
depends on XFRM && PROC_FS |
|
help |
|
This statistics is not a SNMP/MIB specification but shows |
|
statistics about transformation error (or almost error) factor |
|
at packet processing for developer. |
|
|
|
If unsure, say N. |
|
|
|
# This option selects XFRM_ALGO along with the AH authentication algorithms that |
|
# RFC 8221 lists as MUST be implemented. |
|
config XFRM_AH |
|
tristate |
|
select XFRM_ALGO |
|
select CRYPTO |
|
select CRYPTO_HMAC |
|
select CRYPTO_SHA256 |
|
|
|
# This option selects XFRM_ALGO along with the ESP encryption and authentication |
|
# algorithms that RFC 8221 lists as MUST be implemented. |
|
config XFRM_ESP |
|
tristate |
|
select XFRM_ALGO |
|
select CRYPTO |
|
select CRYPTO_AES |
|
select CRYPTO_AUTHENC |
|
select CRYPTO_CBC |
|
select CRYPTO_ECHAINIV |
|
select CRYPTO_GCM |
|
select CRYPTO_HMAC |
|
select CRYPTO_SEQIV |
|
select CRYPTO_SHA256 |
|
|
|
config XFRM_IPCOMP |
|
tristate |
|
select XFRM_ALGO |
|
select CRYPTO |
|
select CRYPTO_DEFLATE |
|
|
|
config NET_KEY |
|
tristate "PF_KEY sockets" |
|
select XFRM_ALGO |
|
help |
|
PF_KEYv2 socket family, compatible to KAME ones. |
|
They are required if you are going to use IPsec tools ported |
|
from KAME. |
|
|
|
Say Y unless you know what you are doing. |
|
|
|
config NET_KEY_MIGRATE |
|
bool "PF_KEY MIGRATE" |
|
depends on NET_KEY |
|
select XFRM_MIGRATE |
|
help |
|
Add a PF_KEY MIGRATE message to PF_KEYv2 socket family. |
|
The PF_KEY MIGRATE message is used to dynamically update |
|
locator(s) of a given IPsec security association. |
|
This feature is required, for instance, in a Mobile IPv6 |
|
environment with IPsec configuration where mobile nodes |
|
change their attachment point to the Internet. Detail |
|
information can be found in the internet-draft |
|
<draft-sugimoto-mip6-pfkey-migrate>. |
|
|
|
If unsure, say N. |
|
|
|
config XFRM_ESPINTCP |
|
bool |
|
|
|
endif # INET
|
|
|