| # SPDX-License-Identifier: GPL-2.0-only |
| # |
| # XFRM configuration |
| # |
| config XFRM |
| bool |
| depends on INET |
| select GRO_CELLS |
| select SKB_EXTENSIONS |
| |
| config XFRM_OFFLOAD |
| bool |
| |
| config XFRM_ALGO |
| tristate |
| select XFRM |
| select CRYPTO |
| select CRYPTO_HASH |
| select CRYPTO_SKCIPHER |
| |
| if INET |
| config XFRM_USER |
| tristate "Transformation user configuration interface" |
| select XFRM_ALGO |
| help |
| Support for Transformation(XFRM) user configuration interface |
| like IPsec used by native Linux tools. |
| |
| If unsure, say Y. |
| |
| config XFRM_INTERFACE |
| tristate "Transformation virtual interface" |
| depends on XFRM && IPV6 |
| help |
| This provides a virtual interface to route IPsec traffic. |
| |
| If unsure, say N. |
| |
| config XFRM_SUB_POLICY |
| bool "Transformation sub policy support" |
| depends on XFRM |
| help |
| Support sub policy for developers. By using sub policy with main |
| one, two policies can be applied to the same packet at once. |
| Policy which lives shorter time in kernel should be a sub. |
| |
| If unsure, say N. |
| |
| config XFRM_MIGRATE |
| bool "Transformation migrate database" |
| depends on XFRM |
| help |
| A feature to update locator(s) of a given IPsec security |
| association dynamically. This feature is required, for |
| instance, in a Mobile IPv6 environment with IPsec configuration |
| where mobile nodes change their attachment point to the Internet. |
| |
| If unsure, say N. |
| |
| config XFRM_STATISTICS |
| bool "Transformation statistics" |
| depends on XFRM && PROC_FS |
| help |
| This statistics is not a SNMP/MIB specification but shows |
| statistics about transformation error (or almost error) factor |
| at packet processing for developer. |
| |
| If unsure, say N. |
| |
| # This option selects XFRM_ALGO along with the AH authentication algorithms that |
| # RFC 8221 lists as MUST be implemented. |
| config XFRM_AH |
| tristate |
| select XFRM_ALGO |
| select CRYPTO |
| select CRYPTO_HMAC |
| select CRYPTO_SHA256 |
| |
| # This option selects XFRM_ALGO along with the ESP encryption and authentication |
| # algorithms that RFC 8221 lists as MUST be implemented. |
| config XFRM_ESP |
| tristate |
| select XFRM_ALGO |
| select CRYPTO |
| select CRYPTO_AES |
| select CRYPTO_AUTHENC |
| select CRYPTO_CBC |
| select CRYPTO_ECHAINIV |
| select CRYPTO_GCM |
| select CRYPTO_HMAC |
| select CRYPTO_SEQIV |
| select CRYPTO_SHA256 |
| |
| config XFRM_IPCOMP |
| tristate |
| select XFRM_ALGO |
| select CRYPTO |
| select CRYPTO_DEFLATE |
| |
| config NET_KEY |
| tristate "PF_KEY sockets" |
| select XFRM_ALGO |
| help |
| PF_KEYv2 socket family, compatible to KAME ones. |
| They are required if you are going to use IPsec tools ported |
| from KAME. |
| |
| Say Y unless you know what you are doing. |
| |
| config NET_KEY_MIGRATE |
| bool "PF_KEY MIGRATE" |
| depends on NET_KEY |
| select XFRM_MIGRATE |
| help |
| Add a PF_KEY MIGRATE message to PF_KEYv2 socket family. |
| The PF_KEY MIGRATE message is used to dynamically update |
| locator(s) of a given IPsec security association. |
| This feature is required, for instance, in a Mobile IPv6 |
| environment with IPsec configuration where mobile nodes |
| change their attachment point to the Internet. Detail |
| information can be found in the internet-draft |
| <draft-sugimoto-mip6-pfkey-migrate>. |
| |
| If unsure, say N. |
| |
| config XFRM_ESPINTCP |
| bool |
| |
| endif # INET |