130 lines
3.1 KiB
Plaintext
130 lines
3.1 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
#
|
|
# XFRM configuration
|
|
#
|
|
config XFRM
|
|
bool
|
|
depends on INET
|
|
select GRO_CELLS
|
|
select SKB_EXTENSIONS
|
|
|
|
config XFRM_OFFLOAD
|
|
bool
|
|
|
|
config XFRM_ALGO
|
|
tristate
|
|
select XFRM
|
|
select CRYPTO
|
|
select CRYPTO_HASH
|
|
select CRYPTO_SKCIPHER
|
|
|
|
if INET
|
|
config XFRM_USER
|
|
tristate "Transformation user configuration interface"
|
|
select XFRM_ALGO
|
|
help
|
|
Support for Transformation(XFRM) user configuration interface
|
|
like IPsec used by native Linux tools.
|
|
|
|
If unsure, say Y.
|
|
|
|
config XFRM_INTERFACE
|
|
tristate "Transformation virtual interface"
|
|
depends on XFRM && IPV6
|
|
help
|
|
This provides a virtual interface to route IPsec traffic.
|
|
|
|
If unsure, say N.
|
|
|
|
config XFRM_SUB_POLICY
|
|
bool "Transformation sub policy support"
|
|
depends on XFRM
|
|
help
|
|
Support sub policy for developers. By using sub policy with main
|
|
one, two policies can be applied to the same packet at once.
|
|
Policy which lives shorter time in kernel should be a sub.
|
|
|
|
If unsure, say N.
|
|
|
|
config XFRM_MIGRATE
|
|
bool "Transformation migrate database"
|
|
depends on XFRM
|
|
help
|
|
A feature to update locator(s) of a given IPsec security
|
|
association dynamically. This feature is required, for
|
|
instance, in a Mobile IPv6 environment with IPsec configuration
|
|
where mobile nodes change their attachment point to the Internet.
|
|
|
|
If unsure, say N.
|
|
|
|
config XFRM_STATISTICS
|
|
bool "Transformation statistics"
|
|
depends on XFRM && PROC_FS
|
|
help
|
|
This statistics is not a SNMP/MIB specification but shows
|
|
statistics about transformation error (or almost error) factor
|
|
at packet processing for developer.
|
|
|
|
If unsure, say N.
|
|
|
|
# This option selects XFRM_ALGO along with the AH authentication algorithms that
|
|
# RFC 8221 lists as MUST be implemented.
|
|
config XFRM_AH
|
|
tristate
|
|
select XFRM_ALGO
|
|
select CRYPTO
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_SHA256
|
|
|
|
# This option selects XFRM_ALGO along with the ESP encryption and authentication
|
|
# algorithms that RFC 8221 lists as MUST be implemented.
|
|
config XFRM_ESP
|
|
tristate
|
|
select XFRM_ALGO
|
|
select CRYPTO
|
|
select CRYPTO_AES
|
|
select CRYPTO_AUTHENC
|
|
select CRYPTO_CBC
|
|
select CRYPTO_ECHAINIV
|
|
select CRYPTO_GCM
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_SEQIV
|
|
select CRYPTO_SHA256
|
|
|
|
config XFRM_IPCOMP
|
|
tristate
|
|
select XFRM_ALGO
|
|
select CRYPTO
|
|
select CRYPTO_DEFLATE
|
|
|
|
config NET_KEY
|
|
tristate "PF_KEY sockets"
|
|
select XFRM_ALGO
|
|
help
|
|
PF_KEYv2 socket family, compatible to KAME ones.
|
|
They are required if you are going to use IPsec tools ported
|
|
from KAME.
|
|
|
|
Say Y unless you know what you are doing.
|
|
|
|
config NET_KEY_MIGRATE
|
|
bool "PF_KEY MIGRATE"
|
|
depends on NET_KEY
|
|
select XFRM_MIGRATE
|
|
help
|
|
Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
|
|
The PF_KEY MIGRATE message is used to dynamically update
|
|
locator(s) of a given IPsec security association.
|
|
This feature is required, for instance, in a Mobile IPv6
|
|
environment with IPsec configuration where mobile nodes
|
|
change their attachment point to the Internet. Detail
|
|
information can be found in the internet-draft
|
|
<draft-sugimoto-mip6-pfkey-migrate>.
|
|
|
|
If unsure, say N.
|
|
|
|
config XFRM_ESPINTCP
|
|
bool
|
|
|
|
endif # INET
|