# SPDX-License-Identifier: GPL-2.0-only # # XFRM configuration # config XFRM bool depends on INET select GRO_CELLS select SKB_EXTENSIONS config XFRM_OFFLOAD bool config XFRM_ALGO tristate select XFRM select CRYPTO select CRYPTO_HASH select CRYPTO_SKCIPHER if INET config XFRM_USER tristate "Transformation user configuration interface" select XFRM_ALGO help Support for Transformation(XFRM) user configuration interface like IPsec used by native Linux tools. If unsure, say Y. config XFRM_USER_COMPAT tristate "Compatible ABI support" depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \ HAVE_EFFICIENT_UNALIGNED_ACCESS select WANT_COMPAT_NETLINK_MESSAGES help Transformation(XFRM) user configuration interface like IPsec used by compatible Linux applications. If unsure, say N. config XFRM_INTERFACE tristate "Transformation virtual interface" depends on XFRM && IPV6 help This provides a virtual interface to route IPsec traffic. If unsure, say N. config XFRM_SUB_POLICY bool "Transformation sub policy support" depends on XFRM help Support sub policy for developers. By using sub policy with main one, two policies can be applied to the same packet at once. Policy which lives shorter time in kernel should be a sub. If unsure, say N. config XFRM_MIGRATE bool "Transformation migrate database" depends on XFRM help A feature to update locator(s) of a given IPsec security association dynamically. This feature is required, for instance, in a Mobile IPv6 environment with IPsec configuration where mobile nodes change their attachment point to the Internet. If unsure, say N. config XFRM_STATISTICS bool "Transformation statistics" depends on XFRM && PROC_FS help This statistics is not a SNMP/MIB specification but shows statistics about transformation error (or almost error) factor at packet processing for developer. If unsure, say N. # This option selects XFRM_ALGO along with the AH authentication algorithms that # RFC 8221 lists as MUST be implemented. config XFRM_AH tristate select XFRM_ALGO select CRYPTO select CRYPTO_HMAC select CRYPTO_SHA256 # This option selects XFRM_ALGO along with the ESP encryption and authentication # algorithms that RFC 8221 lists as MUST be implemented. config XFRM_ESP tristate select XFRM_ALGO select CRYPTO select CRYPTO_AES select CRYPTO_AUTHENC select CRYPTO_CBC select CRYPTO_ECHAINIV select CRYPTO_GCM select CRYPTO_HMAC select CRYPTO_SEQIV select CRYPTO_SHA256 config XFRM_IPCOMP tristate select XFRM_ALGO select CRYPTO select CRYPTO_DEFLATE config NET_KEY tristate "PF_KEY sockets" select XFRM_ALGO help PF_KEYv2 socket family, compatible to KAME ones. They are required if you are going to use IPsec tools ported from KAME. Say Y unless you know what you are doing. config NET_KEY_MIGRATE bool "PF_KEY MIGRATE" depends on NET_KEY select XFRM_MIGRATE help Add a PF_KEY MIGRATE message to PF_KEYv2 socket family. The PF_KEY MIGRATE message is used to dynamically update locator(s) of a given IPsec security association. This feature is required, for instance, in a Mobile IPv6 environment with IPsec configuration where mobile nodes change their attachment point to the Internet. Detail information can be found in the internet-draft <draft-sugimoto-mip6-pfkey-migrate>. If unsure, say N. config XFRM_ESPINTCP bool endif # INET