# SPDX-License-Identifier: GPL-2.0-only
#
# IP configuration
#
config IP_MULTICAST
	bool "IP: multicasting"
	help
	  This is code for addressing several networked computers at once,
	  enlarging your kernel by about 2 KB. You need multicasting if you
	  intend to participate in the MBONE, a high bandwidth network on top
	  of the Internet which carries audio and video broadcasts. More
	  information about the MBONE is on the WWW at
	  <https://www.savetz.com/mbone/>. For most people, it's safe to say N.

config IP_ADVANCED_ROUTER
	bool "IP: advanced router"
	help
	  If you intend to run your Linux box mostly as a router, i.e. as a
	  computer that forwards and redistributes network packets, say Y; you
	  will then be presented with several options that allow more precise
	  control about the routing process.

	  The answer to this question won't directly affect the kernel:
	  answering N will just cause the configurator to skip all the
	  questions about advanced routing.

	  Note that your box can only act as a router if you enable IP
	  forwarding in your kernel; you can do that by saying Y to "/proc
	  file system support" and "Sysctl support" below and executing the
	  line

	  echo "1" > /proc/sys/net/ipv4/ip_forward

	  at boot time after the /proc file system has been mounted.

	  If you turn on IP forwarding, you should consider the rp_filter, which
	  automatically rejects incoming packets if the routing table entry
	  for their source address doesn't match the network interface they're
	  arriving on. This has security advantages because it prevents the
	  so-called IP spoofing, however it can pose problems if you use
	  asymmetric routing (packets from you to a host take a different path
	  than packets from that host to you) or if you operate a non-routing
	  host which has several IP addresses on different interfaces. To turn
	  rp_filter on use:

	  echo 1 > /proc/sys/net/ipv4/conf/<device>/rp_filter
	   or
	  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

	  Note that some distributions enable it in startup scripts.
	  For details about rp_filter strict and loose mode read
	  <file:Documentation/networking/ip-sysctl.rst>.

	  If unsure, say N here.

config IP_FIB_TRIE_STATS
	bool "FIB TRIE statistics"
	depends on IP_ADVANCED_ROUTER
	help
	  Keep track of statistics on the structure of the FIB TRIE table.
	  Useful for testing and measuring TRIE performance.

config IP_MULTIPLE_TABLES
	bool "IP: policy routing"
	depends on IP_ADVANCED_ROUTER
	select FIB_RULES
	help
	  Normally, a router decides what to do with a received packet based
	  solely on the packet's final destination address. If you say Y here,
	  the Linux router will also be able to take the packet's source
	  address into account. Furthermore, the TOS (Type-Of-Service) field
	  of the packet can be used for routing decisions as well.

	  If you need more information, see the Linux Advanced
	  Routing and Traffic Control documentation at
	  <https://lartc.org/howto/lartc.rpdb.html>

	  If unsure, say N.

config IP_ROUTE_MULTIPATH
	bool "IP: equal cost multipath"
	depends on IP_ADVANCED_ROUTER
	help
	  Normally, the routing tables specify a single action to be taken in
	  a deterministic manner for a given packet. If you say Y here
	  however, it becomes possible to attach several actions to a packet
	  pattern, in effect specifying several alternative paths to travel
	  for those packets. The router considers all these paths to be of
	  equal "cost" and chooses one of them in a non-deterministic fashion
	  if a matching packet arrives.

config IP_ROUTE_VERBOSE
	bool "IP: verbose route monitoring"
	depends on IP_ADVANCED_ROUTER
	help
	  If you say Y here, which is recommended, then the kernel will print
	  verbose messages regarding the routing, for example warnings about
	  received packets which look strange and could be evidence of an
	  attack or a misconfigured system somewhere. The information is
	  handled by the klogd daemon which is responsible for kernel messages
	  ("man klogd").

config IP_ROUTE_CLASSID
	bool

config IP_PNP
	bool "IP: kernel level autoconfiguration"
	help
	  This enables automatic configuration of IP addresses of devices and
	  of the routing table during kernel boot, based on either information
	  supplied on the kernel command line or by BOOTP or RARP protocols.
	  You need to say Y only for diskless machines requiring network
	  access to boot (in which case you want to say Y to "Root file system
	  on NFS" as well), because all other machines configure the network
	  in their startup scripts.

config IP_PNP_DHCP
	bool "IP: DHCP support"
	depends on IP_PNP
	help
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the DHCP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does DHCP itself, providing all necessary information on the kernel
	  command line, you can say N here.

	  If unsure, say Y. Note that if you want to use DHCP, a DHCP server
	  must be operating on your network. Read
	  <file:Documentation/admin-guide/nfs/nfsroot.rst> for details.

config IP_PNP_BOOTP
	bool "IP: BOOTP support"
	depends on IP_PNP
	help
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the BOOTP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does BOOTP itself, providing all necessary information on the kernel
	  command line, you can say N here. If unsure, say Y. Note that if you
	  want to use BOOTP, a BOOTP server must be operating on your network.
	  Read <file:Documentation/admin-guide/nfs/nfsroot.rst> for details.

config IP_PNP_RARP
	bool "IP: RARP support"
	depends on IP_PNP
	help
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the RARP protocol (an
	  older protocol which is being obsoleted by BOOTP and DHCP), say Y
	  here. Note that if you want to use RARP, a RARP server must be
	  operating on your network. Read
	  <file:Documentation/admin-guide/nfs/nfsroot.rst> for details.

config NET_IPIP
	tristate "IP: tunneling"
	select INET_TUNNEL
	select NET_IP_TUNNEL
	help
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  encapsulation of IP within IP, which sounds kind of pointless, but
	  can be useful if you want to make your (or some other) machine
	  appear on a different network than it physically is, or to use
	  mobile-IP facilities (allowing laptops to seamlessly move between
	  networks without changing their IP addresses).

	  Saying Y to this option will produce two modules ( = code which can
	  be inserted in and removed from the running kernel whenever you
	  want). Most people won't need this and can say N.

config NET_IPGRE_DEMUX
	tristate "IP: GRE demultiplexer"
	help
	  This is a helper module to demultiplex GRE packets on GRE version
	  field criteria. Required by ip_gre and pptp modules.

config NET_IP_TUNNEL
	tristate
	select DST_CACHE
	select GRO_CELLS
	default n

config NET_IPGRE
	tristate "IP: GRE tunnels over IP"
	depends on (IPV6 || IPV6=n) && NET_IPGRE_DEMUX
	select NET_IP_TUNNEL
	help
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  GRE (Generic Routing Encapsulation) and at this time allows
	  encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
	  This driver is useful if the other endpoint is a Cisco router: Cisco
	  likes GRE much better than the other Linux tunneling driver ("IP
	  tunneling" above). In addition, GRE allows multicast redistribution
	  through the tunnel.

config NET_IPGRE_BROADCAST
	bool "IP: broadcast GRE over IP"
	depends on IP_MULTICAST && NET_IPGRE
	help
	  One application of GRE/IP is to construct a broadcast WAN (Wide Area
	  Network), which looks like a normal Ethernet LAN (Local Area
	  Network), but can be distributed all over the Internet. If you want
	  to do that, say Y here and to "IP multicast routing" below.

config IP_MROUTE_COMMON
	bool
	depends on IP_MROUTE || IPV6_MROUTE

config IP_MROUTE
	bool "IP: multicast routing"
	depends on IP_MULTICAST
	select IP_MROUTE_COMMON
	help
	  This is used if you want your machine to act as a router for IP
	  packets that have several destination addresses. It is needed on the
	  MBONE, a high bandwidth network on top of the Internet which carries
	  audio and video broadcasts. In order to do that, you would most
	  likely run the program mrouted. If you haven't heard about it, you
	  don't need it.

config IP_MROUTE_MULTIPLE_TABLES
	bool "IP: multicast policy routing"
	depends on IP_MROUTE && IP_ADVANCED_ROUTER
	select FIB_RULES
	help
	  Normally, a multicast router runs a userspace daemon and decides
	  what to do with a multicast packet based on the source and
	  destination addresses. If you say Y here, the multicast router
	  will also be able to take interfaces and packet marks into
	  account and run multiple instances of userspace daemons
	  simultaneously, each one handling a single table.

	  If unsure, say N.

config IP_PIMSM_V1
	bool "IP: PIM-SM version 1 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM (Protocol Independent
	  Multicast) version 1. This multicast routing protocol is used widely
	  because Cisco supports it. You need special software to use it
	  (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
	  information about PIM.

	  Say Y if you want to use PIM-SM v1. Note that you can say N here if
	  you just want to use Dense Mode PIM.

config IP_PIMSM_V2
	bool "IP: PIM-SM version 2 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM version 2. In order to use
	  this, you need an experimental routing daemon supporting it (pimd or
	  gated-5). This routing protocol is not used widely, so say N unless
	  you want to play with it.

config SYN_COOKIES
	bool "IP: TCP syncookie support"
	help
	  Normal TCP/IP networking is open to an attack known as "SYN
	  flooding". This denial-of-service attack prevents legitimate remote
	  users from being able to connect to your computer during an ongoing
	  attack and requires very little work from the attacker, who can
	  operate from anywhere on the Internet.

	  SYN cookies provide protection against this type of attack. If you
	  say Y here, the TCP/IP stack will use a cryptographic challenge
	  protocol known as "SYN cookies" to enable legitimate users to
	  continue to connect, even when your machine is under attack. There
	  is no need for the legitimate users to change their TCP/IP software;
	  SYN cookies work transparently to them. For technical information
	  about SYN cookies, check out <https://cr.yp.to/syncookies.html>.

	  If you are SYN flooded, the source address reported by the kernel is
	  likely to have been forged by the attacker; it is only reported as
	  an aid in tracing the packets to their actual source and should not
	  be taken as absolute truth.

	  SYN cookies may prevent correct error reporting on clients when the
	  server is really overloaded. If this happens frequently, it is
	  better to turn them off.

	  If you say Y here, you can disable SYN cookies at run time by
	  saying Y to "/proc file system support" and
	  "Sysctl support" below and executing the command

	  echo 0 > /proc/sys/net/ipv4/tcp_syncookies

	  after the /proc file system has been mounted.

	  If unsure, say N.
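
# Added example, not part of the kernel tree: a POSIX sh audit of the run-time
# settings that the IP_ADVANCED_ROUTER and SYN_COOKIES help texts above name
# (ip_forward, rp_filter, tcp_syncookies). The function names, the ROOT
# argument and the sample tree are this example's own assumptions; the rule
# that the larger of conf/all and conf/<device> applies is the one documented
# in Documentation/networking/ip-sysctl.rst.

```sh
#!/bin/sh
# ROOT is a directory laid out like /proc/sys (assumption of this example),
# so the audit can run against a constructed tree as well as the live host.

# Print the value of a sysctl file under ROOT, or "missing" if unreadable.
read_sysctl() {
	if [ -r "$1/$2" ]; then
		tr -d '[:space:]' < "$1/$2"
	else
		printf 'missing'
	fi
}

# Effective rp_filter mode for one device: the kernel uses the larger of
# conf/all/rp_filter and conf/<device>/rp_filter (0 off, 1 strict, 2 loose).
effective_rp_filter() {
	all=$(read_sysctl "$1" net/ipv4/conf/all/rp_filter)
	dev=$(read_sysctl "$1" "net/ipv4/conf/$2/rp_filter")
	# Treat missing or non-numeric values as 0 (no source validation).
	case "$all" in ''|*[!0-9]*) all=0 ;; esac
	case "$dev" in ''|*[!0-9]*) dev=0 ;; esac
	if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# Print one line per finding; print nothing when forwarding hosts validate
# source addresses strictly and SYN cookies are not disabled.
audit_ipv4() {
	root=$1
	fwd=$(read_sysctl "$root" net/ipv4/ip_forward)
	if [ "$fwd" = 1 ]; then
		for d in "$root"/net/ipv4/conf/*/; do
			[ -d "$d" ] || continue
			name=$(basename "$d")
			# all/default are templates, lo is not a routed path.
			case "$name" in all|default|lo) continue ;; esac
			mode=$(effective_rp_filter "$root" "$name")
			case "$mode" in
			0) echo "WARN $name: forwarding enabled, rp_filter off" ;;
			2) echo "INFO $name: rp_filter loose mode" ;;
			esac
		done
	fi
	cookies=$(read_sysctl "$root" net/ipv4/tcp_syncookies)
	case "$cookies" in
	0) echo "WARN tcp_syncookies=0: SYN cookies disabled at run time" ;;
	missing) echo "INFO tcp_syncookies not present under $root" ;;
	esac
}

# Constructed sample tree (not real host data): a forwarding host where eth0
# has strict rp_filter, eth1 has none, and SYN cookies were switched off.
make_sample_tree() {
	t=$(mktemp -d)
	mkdir -p "$t/net/ipv4/conf/all" "$t/net/ipv4/conf/eth0" "$t/net/ipv4/conf/eth1"
	echo 1 > "$t/net/ipv4/ip_forward"
	echo 0 > "$t/net/ipv4/conf/all/rp_filter"
	echo 1 > "$t/net/ipv4/conf/eth0/rp_filter"
	echo 0 > "$t/net/ipv4/conf/eth1/rp_filter"
	echo 0 > "$t/net/ipv4/tcp_syncookies"
	echo "$t"
}

# With an argument (e.g. /proc/sys) audit that tree; otherwise the sample.
if [ -n "${1:-}" ]; then
	audit_ipv4 "$1"
else
	sample=$(make_sample_tree)
	audit_ipv4 "$sample"
	rm -rf "$sample"
fi
```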

config NET_IPVTI
	tristate "Virtual (secure) IP: tunneling"
	depends on IPV6 || IPV6=n
	select INET_TUNNEL
	select NET_IP_TUNNEL
	select XFRM
	help
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This can be used with xfrm mode tunnel to give
	  the notion of a secure tunnel for IPSEC and then use a routing
	  protocol on top.

config NET_UDP_TUNNEL
	tristate
	select NET_IP_TUNNEL
	default n

config NET_FOU
	tristate "IP: Foo (IP protocols) over UDP"
	select NET_UDP_TUNNEL
	help
	  Foo over UDP allows any IP protocol to be directly encapsulated
	  over UDP, including tunnels (IPIP, GRE, SIT). By encapsulating in
	  UDP, network mechanisms and optimizations for UDP (such as ECMP
	  and RSS) can be leveraged to provide better service.

config NET_FOU_IP_TUNNELS
	bool "IP: FOU encapsulation of IP tunnels"
	depends on NET_IPIP || NET_IPGRE || IPV6_SIT
	select NET_FOU
	help
	  Allow configuration of FOU or GUE encapsulation for IP tunnels.
	  When this option is enabled IP tunnels can be configured to use
	  FOU or GUE encapsulation.

config INET_AH
	tristate "IP: AH transformation"
	select XFRM_AH
	help
	  Support for IPsec AH (Authentication Header).

	  AH can be used with various authentication algorithms. Besides
	  enabling AH support itself, this option enables the generic
	  implementations of the algorithms that RFC 8221 lists as MUST be
	  implemented. If you need any other algorithms, you'll need to enable
	  them in the crypto API. You should also enable accelerated
	  implementations of any needed algorithms when available.

	  If unsure, say Y.

config INET_ESP
	tristate "IP: ESP transformation"
	select XFRM_ESP
	help
	  Support for IPsec ESP (Encapsulating Security Payload).

	  ESP can be used with various encryption and authentication algorithms.
	  Besides enabling ESP support itself, this option enables the generic
	  implementations of the algorithms that RFC 8221 lists as MUST be
	  implemented. If you need any other algorithms, you'll need to enable
	  them in the crypto API. You should also enable accelerated
	  implementations of any needed algorithms when available.

	  If unsure, say Y.

config INET_ESP_OFFLOAD
	tristate "IP: ESP transformation offload"
	depends on INET_ESP
	select XFRM_OFFLOAD
	default n
	help
	  Support for ESP transformation offload. This makes sense
	  only if this system really does IPsec and wants to do it
	  with high throughput. A typical desktop system does not
	  need it, even if it does IPsec.

	  If unsure, say N.

config INET_ESPINTCP
	bool "IP: ESP in TCP encapsulation (RFC 8229)"
	depends on XFRM && INET_ESP
	select STREAM_PARSER
	select NET_SOCK_MSG
	select XFRM_ESPINTCP
	help
	  Support for RFC 8229 encapsulation of ESP and IKE over
	  TCP/IPv4 sockets.

	  If unsure, say N.

config INET_IPCOMP
	tristate "IP: IPComp transformation"
	select INET_XFRM_TUNNEL
	select XFRM_IPCOMP
	help
	  Support for IP Payload Compression Protocol (IPComp) (RFC3173),
	  typically needed for IPsec.

	  If unsure, say Y.
4041da177e4SLinus Torvalds 405aeac4ec8SGleb Mazovetskiyconfig INET_TABLE_PERTURB_ORDER 406aeac4ec8SGleb Mazovetskiy int "INET: Source port perturbation table size (as power of 2)" if EXPERT 407aeac4ec8SGleb Mazovetskiy default 16 408aeac4ec8SGleb Mazovetskiy help 409aeac4ec8SGleb Mazovetskiy Source port perturbation table size (as power of 2) for 410aeac4ec8SGleb Mazovetskiy RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm. 411aeac4ec8SGleb Mazovetskiy 412aeac4ec8SGleb Mazovetskiy The default is almost always what you want. 413aeac4ec8SGleb Mazovetskiy Only change this if you know what you are doing. 414aeac4ec8SGleb Mazovetskiy 415d2acc347SHerbert Xuconfig INET_XFRM_TUNNEL 416d2acc347SHerbert Xu tristate 417d2acc347SHerbert Xu select INET_TUNNEL 418d2acc347SHerbert Xu default n 4191da177e4SLinus Torvalds 420d2acc347SHerbert Xuconfig INET_TUNNEL 421d2acc347SHerbert Xu tristate 422d2acc347SHerbert Xu default n 4231da177e4SLinus Torvalds 42417b085eaSArnaldo Carvalho de Meloconfig INET_DIAG 42517b085eaSArnaldo Carvalho de Melo tristate "INET: socket monitoring interface" 4261da177e4SLinus Torvalds default y 427a7f7f624SMasahiro Yamada help 42873c1f4a0SArnaldo Carvalho de Melo Support for INET (TCP, DCCP, etc) socket monitoring interface used by 42973c1f4a0SArnaldo Carvalho de Melo native Linux tools such as ss. ss is included in iproute2, currently 430c996d8b9SMichael Witten downloadable at: 431c996d8b9SMichael Witten 432c996d8b9SMichael Witten http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 4331da177e4SLinus Torvalds 4341da177e4SLinus Torvalds If unsure, say Y. 4351da177e4SLinus Torvalds 43617b085eaSArnaldo Carvalho de Meloconfig INET_TCP_DIAG 43717b085eaSArnaldo Carvalho de Melo depends on INET_DIAG 43817b085eaSArnaldo Carvalho de Melo def_tristate INET_DIAG 43917b085eaSArnaldo Carvalho de Melo 440507dd796SPavel Emelyanovconfig INET_UDP_DIAG 4416d62a66eSDavid S. 
Miller tristate "UDP: socket monitoring interface" 4426d25886eSAnisse Astier depends on INET_DIAG && (IPV6 || IPV6=n) 4436d62a66eSDavid S. Miller default n 444a7f7f624SMasahiro Yamada help 4456d62a66eSDavid S. Miller Support for UDP socket monitoring interface used by the ss tool. 4466d62a66eSDavid S. Miller If unsure, say Y. 447507dd796SPavel Emelyanov 448432490f9SCyrill Gorcunovconfig INET_RAW_DIAG 449432490f9SCyrill Gorcunov tristate "RAW: socket monitoring interface" 450432490f9SCyrill Gorcunov depends on INET_DIAG && (IPV6 || IPV6=n) 451432490f9SCyrill Gorcunov default n 452a7f7f624SMasahiro Yamada help 453432490f9SCyrill Gorcunov Support for RAW socket monitoring interface used by the ss tool. 454432490f9SCyrill Gorcunov If unsure, say Y. 455432490f9SCyrill Gorcunov 456c1e64e29SLorenzo Colitticonfig INET_DIAG_DESTROY 457c1e64e29SLorenzo Colitti bool "INET: allow privileged process to administratively close sockets" 458c1e64e29SLorenzo Colitti depends on INET_DIAG 459c1e64e29SLorenzo Colitti default n 460a7f7f624SMasahiro Yamada help 461c1e64e29SLorenzo Colitti Provides a SOCK_DESTROY operation that allows privileged processes 462c1e64e29SLorenzo Colitti (e.g., a connection manager or a network administration tool such as 463c1e64e29SLorenzo Colitti ss) to close sockets opened by other processes. Closing a socket in 464c1e64e29SLorenzo Colitti this way interrupts any blocking read/write/connect operations on 465c1e64e29SLorenzo Colitti the socket and causes future socket calls to behave as if the socket 466c1e64e29SLorenzo Colitti had been disconnected. 467c1e64e29SLorenzo Colitti If unsure, say N. 468c1e64e29SLorenzo Colitti 4693d2573f7SStephen Hemmingermenuconfig TCP_CONG_ADVANCED 470a6484045SDavid S. Miller bool "TCP: advanced congestion control" 471a7f7f624SMasahiro Yamada help 472a6484045SDavid S. Miller Support for selection of various TCP congestion control 473a6484045SDavid S. Miller modules. 474a6484045SDavid S. Miller 475a6484045SDavid S. 
Miller Nearly all users can safely say no here, and a safe default 476597811ecSStephen Hemminger selection will be made (CUBIC with new Reno as a fallback). 477a6484045SDavid S. Miller 478a6484045SDavid S. Miller If unsure, say N. 479a6484045SDavid S. Miller 4803d2573f7SStephen Hemmingerif TCP_CONG_ADVANCED 48183803034SStephen Hemminger 48283803034SStephen Hemmingerconfig TCP_CONG_BIC 48383803034SStephen Hemminger tristate "Binary Increase Congestion (BIC) control" 484597811ecSStephen Hemminger default m 485a7f7f624SMasahiro Yamada help 48683803034SStephen Hemminger BIC-TCP is a sender-side only change that ensures a linear RTT 48783803034SStephen Hemminger fairness under large windows while offering both scalability and 48883803034SStephen Hemminger bounded TCP-friendliness. The protocol combines two schemes 48983803034SStephen Hemminger called additive increase and binary search increase. When the 49083803034SStephen Hemminger congestion window is large, additive increase with a large 49183803034SStephen Hemminger increment ensures linear RTT fairness as well as good 49283803034SStephen Hemminger scalability. Under small congestion windows, binary search 49383803034SStephen Hemminger increase provides TCP friendliness. 49483803034SStephen Hemminger See http://www.csc.ncsu.edu/faculty/rhee/export/bitcp/ 49583803034SStephen Hemminger 496df3271f3SStephen Hemmingerconfig TCP_CONG_CUBIC 497df3271f3SStephen Hemminger tristate "CUBIC TCP" 498597811ecSStephen Hemminger default y 499a7f7f624SMasahiro Yamada help 500df3271f3SStephen Hemminger This is version 2.0 of BIC-TCP which uses a cubic growth function 501df3271f3SStephen Hemminger among other techniques. 
502df3271f3SStephen Hemminger See http://www.csc.ncsu.edu/faculty/rhee/export/bitcp/cubic-paper.pdf 503df3271f3SStephen Hemminger 50487270762SStephen Hemmingerconfig TCP_CONG_WESTWOOD 50587270762SStephen Hemminger tristate "TCP Westwood+" 50687270762SStephen Hemminger default m 507a7f7f624SMasahiro Yamada help 50887270762SStephen Hemminger TCP Westwood+ is a sender-side only modification of the TCP Reno 50987270762SStephen Hemminger protocol stack that optimizes the performance of TCP congestion 51087270762SStephen Hemminger control. It is based on end-to-end bandwidth estimation to set 51187270762SStephen Hemminger congestion window and slow start threshold after a congestion 51287270762SStephen Hemminger episode. Using this estimation, TCP Westwood+ adaptively sets a 51387270762SStephen Hemminger slow start threshold and a congestion window which takes into 51487270762SStephen Hemminger account the bandwidth used at the time congestion is experienced. 51587270762SStephen Hemminger TCP Westwood+ significantly increases fairness wrt TCP Reno in 51687270762SStephen Hemminger wired networks and throughput over wireless links. 51787270762SStephen Hemminger 518a7868ea6SBaruch Evenconfig TCP_CONG_HTCP 519a7868ea6SBaruch Even tristate "H-TCP" 520a7868ea6SBaruch Even default m 521a7f7f624SMasahiro Yamada help 522a7868ea6SBaruch Even H-TCP is a send-side only modifications of the TCP Reno 523a7868ea6SBaruch Even protocol stack that optimizes the performance of TCP 524a7868ea6SBaruch Even congestion control for high speed network links. It uses a 525a7868ea6SBaruch Even modeswitch to change the alpha and beta parameters of TCP Reno 526a7868ea6SBaruch Even based on network conditions and in a way so as to be fair with 527a7868ea6SBaruch Even other Reno and H-TCP flows. 

config TCP_CONG_HSTCP
	tristate "High Speed TCP"
	default n
	help
	  Sally Floyd's High Speed TCP (RFC 3649) congestion control.
	  A modification to TCP's congestion control mechanism for use
	  with large congestion windows. A table indicates how much to
	  increase the congestion window by when an ACK is received.
	  For more detail see https://www.icir.org/floyd/hstcp.html

config TCP_CONG_HYBLA
	tristate "TCP-Hybla congestion control algorithm"
	default n
	help
	  TCP-Hybla is a sender-side only change that eliminates penalization of
	  long-RTT, large-bandwidth connections, like when satellite legs are
	  involved, especially when sharing a common bottleneck with normal
	  terrestrial connections.

config TCP_CONG_VEGAS
	tristate "TCP Vegas"
	default n
	help
	  TCP Vegas is a sender-side only change to TCP that anticipates
	  the onset of congestion by estimating the bandwidth. TCP Vegas
	  adjusts the sending rate by modifying the congestion
	  window. TCP Vegas should provide less packet loss, but it is
	  not as aggressive as TCP Reno.

config TCP_CONG_NV
	tristate "TCP NV"
	default n
	help
	  TCP NV is a follow up to TCP Vegas. It has been modified to deal with
	  10G networks, measurement noise introduced by LRO, GRO and interrupt
	  coalescence. In addition, it will decrease its cwnd multiplicatively
	  instead of linearly.

	  Note that in general congestion avoidance (cwnd decreased when # packets
	  queued grows) cannot coexist with congestion control (cwnd decreased only
	  when there is packet loss) due to fairness issues. One scenario when they
	  can coexist safely is when the CA flows have RTTs << CC flows RTTs.

	  For further details see http://www.brakmo.org/networking/tcp-nv/

config TCP_CONG_SCALABLE
	tristate "Scalable TCP"
	default n
	help
	  Scalable TCP is a sender-side only change to TCP which uses a
	  MIMD congestion control algorithm which has some nice scaling
	  properties, though is known to have fairness issues.
	  See http://www.deneholme.net/tom/scalable/

config TCP_CONG_LP
	tristate "TCP Low Priority"
	default n
	help
	  TCP Low Priority (TCP-LP), a distributed algorithm whose goal is
	  to utilize only the excess network bandwidth as compared to the
	  ``fair share`` of bandwidth as targeted by TCP.
	  See http://www-ece.rice.edu/networks/TCP-LP/

config TCP_CONG_VENO
	tristate "TCP Veno"
	default n
	help
	  TCP Veno is a sender-side only enhancement of TCP to obtain better
	  throughput over wireless networks. TCP Veno makes use of state
	  distinguishing to circumvent the difficult judgment of the packet loss
	  type. TCP Veno cuts down less congestion window in response to random
	  loss packets.
	  See <http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1177186>

config TCP_CONG_YEAH
	tristate "YeAH TCP"
	select TCP_CONG_VEGAS
	default n
	help
	  YeAH-TCP is a sender-side high-speed enabled TCP congestion control
	  algorithm, which uses a mixed loss/delay approach to compute the
	  congestion window. Its design goals target high efficiency,
	  internal, RTT and Reno fairness, resilience to link loss while
	  keeping network elements load as low as possible.

	  For further details look here:
	    http://wil.cs.caltech.edu/pfldnet2007/paper/YeAH_TCP.pdf

config TCP_CONG_ILLINOIS
	tristate "TCP Illinois"
	default n
	help
	  TCP-Illinois is a sender-side modification of TCP Reno for
	  high speed long delay links. It uses round-trip-time to
	  adjust the alpha and beta parameters to achieve a higher average
	  throughput and maintain fairness.

	  For further details see:
	    http://www.ews.uiuc.edu/~shaoliu/tcpillinois/index.html

config TCP_CONG_DCTCP
	tristate "DataCenter TCP (DCTCP)"
	default n
	help
	  DCTCP leverages Explicit Congestion Notification (ECN) in the network to
	  provide multi-bit feedback to the end hosts. It is designed to provide:

	  - High burst tolerance (incast due to partition/aggregate),
	  - Low latency (short flows, queries),
	  - High throughput (continuous data updates, large file transfers) with
	    commodity, shallow-buffered switches.

	  All switches in the data center network running DCTCP must support
	  ECN marking and be configured for marking when reaching defined switch
	  buffer thresholds. The default ECN marking threshold heuristic for
	  DCTCP on switches is 20 packets (30KB) at 1Gbps, and 65 packets
	  (~100KB) at 10Gbps, but might need further careful tweaking.

	  For further details see:
	    http://simula.stanford.edu/~alizade/Site/DCTCP_files/dctcp-final.pdf

config TCP_CONG_CDG
	tristate "CAIA Delay-Gradient (CDG)"
	default n
	help
	  CAIA Delay-Gradient (CDG) is a TCP congestion control that modifies
	  the TCP sender in order to:

	  o Use the delay gradient as a congestion signal.
	  o Back off with an average probability that is independent of the RTT.
	  o Coexist with flows that use loss-based congestion control.
	  o Tolerate packet loss unrelated to congestion.

	  For further details see:
	    D.A. Hayes and G. Armitage. "Revisiting TCP congestion control using
	    delay gradients." In Networking 2011. Preprint:
	    http://caia.swin.edu.au/cv/dahayes/content/networking2011-cdg-preprint.pdf

config TCP_CONG_BBR
	tristate "BBR TCP"
	default n
	help

	  BBR (Bottleneck Bandwidth and RTT) TCP congestion control aims to
	  maximize network utilization and minimize queues. It builds an explicit
	  model of the bottleneck delivery rate and path round-trip propagation
	  delay. It tolerates packet loss and delay unrelated to congestion. It
	  can operate over LAN, WAN, cellular, wifi, or cable modem links. It can
	  coexist with flows that use loss-based congestion control, and can
	  operate with shallow buffers, deep buffers, bufferbloat, policers, or
	  AQM schemes that do not provide a delay signal. It requires the fq
	  ("Fair Queue") pacing packet scheduler.

choice
	prompt "Default TCP congestion control"
	default DEFAULT_CUBIC
	help
	  Select the TCP congestion control that will be used by default
	  for all connections.

	config DEFAULT_BIC
		bool "Bic" if TCP_CONG_BIC=y

	config DEFAULT_CUBIC
		bool "Cubic" if TCP_CONG_CUBIC=y

	config DEFAULT_HTCP
		bool "Htcp" if TCP_CONG_HTCP=y

	config DEFAULT_HYBLA
		bool "Hybla" if TCP_CONG_HYBLA=y

	config DEFAULT_VEGAS
		bool "Vegas" if TCP_CONG_VEGAS=y

	config DEFAULT_VENO
		bool "Veno" if TCP_CONG_VENO=y

	config DEFAULT_WESTWOOD
		bool "Westwood" if TCP_CONG_WESTWOOD=y

	config DEFAULT_DCTCP
		bool "DCTCP" if TCP_CONG_DCTCP=y

	config DEFAULT_CDG
		bool "CDG" if TCP_CONG_CDG=y

	config DEFAULT_BBR
		bool "BBR" if TCP_CONG_BBR=y

	config DEFAULT_RENO
		bool "Reno"
endchoice

endif

config TCP_CONG_CUBIC
	tristate
	depends on !TCP_CONG_ADVANCED
	default y

config DEFAULT_TCP_CONG
	string
	default "bic" if DEFAULT_BIC
	default "cubic" if DEFAULT_CUBIC
	default "htcp" if DEFAULT_HTCP
	default "hybla" if DEFAULT_HYBLA
	default "vegas" if DEFAULT_VEGAS
	default "westwood" if DEFAULT_WESTWOOD
	default "veno" if DEFAULT_VENO
	default "reno" if DEFAULT_RENO
	default "dctcp" if DEFAULT_DCTCP
	default "cdg" if DEFAULT_CDG
	default "bbr" if DEFAULT_BBR
	default "cubic"

config TCP_SIGPOOL
	tristate

config TCP_AO
	bool "TCP: Authentication Option (RFC5925)"
	select CRYPTO
	select TCP_SIGPOOL
	depends on 64BIT && IPV6 != m # seq-number extension needs WRITE_ONCE(u64)
	help
	  TCP-AO specifies the use of stronger Message Authentication Codes (MACs),
	  protects against replays for long-lived TCP connections, and
	  provides more details on the association of security with TCP
	  connections than TCP MD5 (See RFC5925)

	  If unsure, say N.

config TCP_MD5SIG
	bool "TCP: MD5 Signature Option support (RFC2385)"
	select CRYPTO
	select CRYPTO_MD5
	select TCP_SIGPOOL
	help
	  RFC2385 specifies a method of giving MD5 protection to TCP sessions.
	  Its main (only?) use is to protect BGP sessions between core routers
	  on the Internet.

	  If unsure, say N.
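Added example, not part of the kernel tree: a small audit of a built `.config` against the rules this Kconfig states (the `DEFAULT_TCP_CONG` default chain, the `=y` condition on each choice entry, the `TCP_AO` dependency, and `TCP_MD5SIG` enabled without `TCP_AO`). The function names and the sample `.config` are constructed for illustration; the sample is assumed to be hand-edited, which is how it can hold a state the configurator would reject.

```python
import re

# Constructed sample .config (hand-edited, so it can hold states Kconfig would reject).
SAMPLE = """\
CONFIG_64BIT=y
CONFIG_IPV6=y
CONFIG_TCP_CONG_ADVANCED=y
CONFIG_TCP_CONG_CUBIC=y
CONFIG_TCP_CONG_BBR=m
CONFIG_DEFAULT_BBR=y
CONFIG_DEFAULT_TCP_CONG="bbr"
CONFIG_TCP_SIGPOOL=y
# CONFIG_TCP_AO is not set
CONFIG_TCP_MD5SIG=y
"""

# Same order as the `default "<name>" if DEFAULT_<NAME>` lines under DEFAULT_TCP_CONG.
CHAIN = ["bic", "cubic", "htcp", "hybla", "vegas", "westwood",
         "veno", "reno", "dctcp", "cdg", "bbr"]

def parse_dotconfig(text):
    """Map symbol -> value; '# CONFIG_X is not set' becomes 'n'."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"CONFIG_(\w+)=(.*)", line):
            cfg[m.group(1)] = m.group(2).strip('"')
        elif m := re.fullmatch(r"# CONFIG_(\w+) is not set", line):
            cfg[m.group(1)] = "n"
    return cfg

def resolve_default_cong(cfg):
    """First DEFAULT_* symbol set to y wins; otherwise the final default "cubic"."""
    for name in CHAIN:
        if cfg.get("DEFAULT_" + name.upper()) == "y":
            return name
    return "cubic"

def audit(cfg):
    """Return (default algorithm, findings) using only rules stated in the Kconfig."""
    algo, findings = resolve_default_cong(cfg), []
    if cfg.get("DEFAULT_TCP_CONG", algo) != algo:
        findings.append(f"DEFAULT_TCP_CONG does not match the choice ({algo})")
    # Choice entries are `bool "X" if TCP_CONG_X=y`; Reno has no TCP_CONG_ symbol.
    if algo != "reno" and cfg.get("TCP_CONG_" + algo.upper()) != "y":
        findings.append(f"default '{algo}' is not built in (TCP_CONG_{algo.upper()}=y)")
    if cfg.get("TCP_AO") == "y" and (cfg.get("64BIT") != "y" or cfg.get("IPV6") == "m"):
        findings.append("TCP_AO depends on 64BIT && IPV6 != m")
    if cfg.get("TCP_MD5SIG") == "y" and cfg.get("TCP_AO") != "y":
        findings.append("TCP_MD5SIG is on without TCP_AO: only RFC2385 MD5 is available")
    return algo, findings

if __name__ == "__main__":
    algo, findings = audit(parse_dotconfig(SAMPLE))
    print("default congestion control:", algo)
    for f in findings:
        print("finding:", f)
```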