# SPDX-License-Identifier: GPL-2.0-only
#
# XFRM configuration
#

# Core transformation (XFRM) framework symbol. It has no prompt and no
# default, so it is only switched on when another option selects it
# (in this file: XFRM_ALGO).
config XFRM
	bool
	depends on INET
	select GRO_CELLS
	select SKB_EXTENSIONS

# Promptless helper symbol; nothing in this file selects it, so it is
# presumably selected by driver or protocol Kconfig files elsewhere.
config XFRM_OFFLOAD
	bool

# Promptless symbol that pulls in XFRM plus the crypto API pieces listed
# below (CRYPTO, CRYPTO_HASH, CRYPTO_SKCIPHER). Every user-visible option in
# this file that needs algorithms selects it rather than XFRM directly.
config XFRM_ALGO
	tristate
	select XFRM
	select CRYPTO
	select CRYPTO_HASH
	select CRYPTO_SKCIPHER

# Everything up to the matching "endif # INET" is only offered when INET is
# enabled.
if INET

# User-space configuration interface for XFRM, as used by native Linux
# IPsec tools (see help text).
# NOTE(review): this interface is how user space installs and changes IPsec
# state and policy, so it is part of the kernel's user-reachable surface.
# Builds that never run IPsec can leave it off; the "say Y" advice below
# assumes IPsec tooling is wanted.
config XFRM_USER
	tristate "Transformation user configuration interface"
	select XFRM_ALGO
	help
	  Support for Transformation(XFRM) user configuration interface
	  like IPsec used by native Linux tools.

	  If unsure, say Y.

# Compat variant of the XFRM_USER ABI. Only offered when XFRM_USER,
# COMPAT_FOR_U64_ALIGNMENT and HAVE_EFFICIENT_UNALIGNED_ACCESS are all set;
# selects WANT_COMPAT_NETLINK_MESSAGES.
# NOTE(review): presumably this translates messages for applications built
# against a different u64 alignment - confirm. It adds a second message
# format handled by the kernel, so enable it only when such applications
# actually have to configure IPsec (the help text already defaults to N).
config XFRM_USER_COMPAT
	tristate "Compatible ABI support"
	depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \
		HAVE_EFFICIENT_UNALIGNED_ACCESS
	select WANT_COMPAT_NETLINK_MESSAGES
	help
	  Transformation(XFRM) user configuration interface like IPsec
	  used by compatible Linux applications.

	  If unsure, say N.

# Virtual interface for routing IPsec traffic. Requires XFRM (which is only
# set via select) and IPV6.
config XFRM_INTERFACE
	tristate "Transformation virtual interface"
	depends on XFRM && IPV6
	help
	  This provides a virtual interface to route IPsec traffic.

	  If unsure, say N.

# Optional XFRM features. Each depends on XFRM, which has no prompt, so
# these only become visible once some other option has selected XFRM.

# Allows a second ("sub") policy to be applied to the same packet together
# with the main one. The help text describes it as a developer feature.
config XFRM_SUB_POLICY
	bool "Transformation sub policy support"
	depends on XFRM
	help
	  Support sub policy for developers. By using sub policy with main
	  one, two policies can be applied to the same packet at once.
	  Policy which lives shorter time in kernel should be a sub.

	  If unsure, say N.

# Lets the locator(s) of an existing IPsec security association be updated
# dynamically (Mobile IPv6 use case, see help text). Also selected by
# NET_KEY_MIGRATE later in this file.
# NOTE(review): this makes the endpoints of an established SA changeable at
# run time; leave it off unless a mobility setup needs it, as the help text
# recommends.
config XFRM_MIGRATE
	bool "Transformation migrate database"
	depends on XFRM
	help
	  A feature to update locator(s) of a given IPsec security
	  association dynamically.  This feature is required, for
	  instance, in a Mobile IPv6 environment with IPsec configuration
	  where mobile nodes change their attachment point to the Internet.

	  If unsure, say N.

# Error counters for packet transformation. Depends on PROC_FS, so the
# counters are presumably exposed through procfs - confirm the exact file.
# NOTE(review): although aimed at developers, per-cause error counters are
# also a cheap signal for operators watching for failing or rejected IPsec
# traffic.
config XFRM_STATISTICS
	bool "Transformation statistics"
	depends on XFRM && PROC_FS
	help
	  This statistics is not a SNMP/MIB specification but shows
	  statistics about transformation error (or almost error) factor
	  at packet processing for developer.

	  If unsure, say N.

# This option selects XFRM_ALGO along with the AH authentication algorithms that
# RFC 8221 lists as MUST be implemented.
# Promptless: enabled only via select from elsewhere. Guarantees that HMAC
# and SHA-256 are built whenever AH support is.
config XFRM_AH
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_SHA256

# This option selects XFRM_ALGO along with the ESP encryption and authentication
# algorithms that RFC 8221 lists as MUST be implemented.
# NOTE(review): the selects below only guarantee that this minimum set is
# built. Which algorithm a given security association uses is decided by
# whoever configures it, and other algorithms enabled in the crypto
# configuration presumably stay available as well - confirm when auditing
# which ciphers a build can negotiate.
config XFRM_ESP
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_AES
	select CRYPTO_AUTHENC
	select CRYPTO_CBC
	select CRYPTO_ECHAINIV
	select CRYPTO_GCM
	select CRYPTO_HMAC
	select CRYPTO_SEQIV
	select CRYPTO_SHA256

# Promptless: enabled only via select from elsewhere. Pulls in the deflate
# implementation from the crypto API.
config XFRM_IPCOMP
	tristate
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_DEFLATE

# PF_KEYv2 socket family, needed by IPsec tools ported from KAME (see help
# text).
# NOTE(review): this is a second user-space interface for managing IPsec
# state next to XFRM_USER. Where only tools that use XFRM_USER are deployed,
# leaving NET_KEY off keeps that extra socket family out of the kernel;
# confirm that no installed IPsec tool still needs PF_KEY before doing so.
config NET_KEY
	tristate "PF_KEY sockets"
	select XFRM_ALGO
	help
	  PF_KEYv2 socket family, compatible to KAME ones.
	  They are required if you are going to use IPsec tools ported
	  from KAME.

	  Say Y unless you know what you are doing.

# Adds the MIGRATE message to PF_KEYv2. Only offered with NET_KEY, and
# force-enables XFRM_MIGRATE through select.
config NET_KEY_MIGRATE
	bool "PF_KEY MIGRATE"
	depends on NET_KEY
	select XFRM_MIGRATE
	help
	  Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
	  The PF_KEY MIGRATE message is used to dynamically update
	  locator(s) of a given IPsec security association.
	  This feature is required, for instance, in a Mobile IPv6
	  environment with IPsec configuration where mobile nodes
	  change their attachment point to the Internet.  Detail
	  information can be found in the internet-draft
	  <draft-sugimoto-mip6-pfkey-migrate>.

	  If unsure, say N.

# Promptless helper symbol; nothing in this file selects it, so it is
# presumably selected by protocol Kconfig files elsewhere.
config XFRM_ESPINTCP
	bool

endif # INET