#
# IP configuration
#
config IP_MULTICAST
	bool "IP: multicasting"
	help
	  This is code for addressing several networked computers at once,
	  enlarging your kernel by about 2 KB. You need multicasting if you
	  intend to participate in the MBONE, a high bandwidth network on top
	  of the Internet which carries audio and video broadcasts. More
	  information about the MBONE is on the WWW at
	  <http://www.savetz.com/mbone/>. For most people, it's safe to say N.

config IP_ADVANCED_ROUTER
	bool "IP: advanced router"
	---help---
	  If you intend to run your Linux box mostly as a router, i.e. as a
	  computer that forwards and redistributes network packets, say Y; you
	  will then be presented with several options that allow more precise
	  control about the routing process.

	  The answer to this question won't directly affect the kernel:
	  answering N will just cause the configurator to skip all the
	  questions about advanced routing.

	  Note that your box can only act as a router if you enable IP
	  forwarding in your kernel; you can do that by saying Y to "/proc
	  file system support" and "Sysctl support" below and executing the
	  line

	  echo "1" > /proc/sys/net/ipv4/ip_forward

	  at boot time after the /proc file system has been mounted.

	  If you turn on IP forwarding, you should consider the rp_filter, which
	  automatically rejects incoming packets if the routing table entry
	  for their source address doesn't match the network interface they're
	  arriving on. This has security advantages because it prevents the
	  so-called IP spoofing, however it can pose problems if you use
	  asymmetric routing (packets from you to a host take a different path
	  than packets from that host to you) or if you operate a non-routing
	  host which has several IP addresses on different interfaces. To turn
	  rp_filter on use:

	  echo 1 > /proc/sys/net/ipv4/conf/<device>/rp_filter
	   or
	  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

	  Note that some distributions enable it in startup scripts.
	  For details about rp_filter strict and loose mode read
	  <file:Documentation/networking/ip-sysctl.txt>.

	  If unsure, say N here.

config IP_FIB_TRIE_STATS
	bool "FIB TRIE statistics"
	depends on IP_ADVANCED_ROUTER
	---help---
	  Keep track of statistics on structure of FIB TRIE table.
	  Useful for testing and measuring TRIE performance.

config IP_MULTIPLE_TABLES
	bool "IP: policy routing"
	depends on IP_ADVANCED_ROUTER
	select FIB_RULES
	---help---
	  Normally, a router decides what to do with a received packet based
	  solely on the packet's final destination address. If you say Y here,
	  the Linux router will also be able to take the packet's source
	  address into account. Furthermore, the TOS (Type-Of-Service) field
	  of the packet can be used for routing decisions as well.

	  If you are interested in this, please see the preliminary
	  documentation at <http://www.compendium.com.ar/policy-routing.txt>
	  and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
	  You will need supporting software from
	  <ftp://ftp.tux.org/pub/net/ip-routing/>.

	  If unsure, say N.

config IP_ROUTE_MULTIPATH
	bool "IP: equal cost multipath"
	depends on IP_ADVANCED_ROUTER
	help
	  Normally, the routing tables specify a single action to be taken in
	  a deterministic manner for a given packet. If you say Y here
	  however, it becomes possible to attach several actions to a packet
	  pattern, in effect specifying several alternative paths to travel
	  for those packets. The router considers all these paths to be of
	  equal "cost" and chooses one of them in a non-deterministic fashion
	  if a matching packet arrives.

config IP_ROUTE_VERBOSE
	bool "IP: verbose route monitoring"
	depends on IP_ADVANCED_ROUTER
	help
	  If you say Y here, which is recommended, then the kernel will print
	  verbose messages regarding the routing, for example warnings about
	  received packets which look strange and could be evidence of an
	  attack or a misconfigured system somewhere. The information is
	  handled by the klogd daemon which is responsible for kernel messages
	  ("man klogd").

config IP_ROUTE_CLASSID
	bool

config IP_PNP
	bool "IP: kernel level autoconfiguration"
	help
	  This enables automatic configuration of IP addresses of devices and
	  of the routing table during kernel boot, based on either information
	  supplied on the kernel command line or by BOOTP or RARP protocols.
	  You need to say Y only for diskless machines requiring network
	  access to boot (in which case you want to say Y to "Root file system
	  on NFS" as well), because all other machines configure the network
	  in their startup scripts.

config IP_PNP_DHCP
	bool "IP: DHCP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the DHCP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does DHCP itself, providing all necessary information on the kernel
	  command line, you can say N here.

	  If unsure, say Y. Note that if you want to use DHCP, a DHCP server
	  must be operating on your network. Read
	  <file:Documentation/filesystems/nfs/nfsroot.txt> for details.

config IP_PNP_BOOTP
	bool "IP: BOOTP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the BOOTP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does BOOTP itself, providing all necessary information on the kernel
	  command line, you can say N here. If unsure, say Y. Note that if you
	  want to use BOOTP, a BOOTP server must be operating on your network.
	  Read <file:Documentation/filesystems/nfs/nfsroot.txt> for details.

config IP_PNP_RARP
	bool "IP: RARP support"
	depends on IP_PNP
	help
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the RARP protocol (an
	  older protocol which is being obsoleted by BOOTP and DHCP), say Y
	  here. Note that if you want to use RARP, a RARP server must be
	  operating on your network. Read
	  <file:Documentation/filesystems/nfs/nfsroot.txt> for details.

config NET_IPIP
	tristate "IP: tunneling"
	select INET_TUNNEL
	select NET_IP_TUNNEL
	---help---
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  encapsulation of IP within IP, which sounds kind of pointless, but
	  can be useful if you want to make your (or some other) machine
	  appear on a different network than it physically is, or to use
	  mobile-IP facilities (allowing laptops to seamlessly move between
	  networks without changing their IP addresses).

	  Saying Y to this option will produce two modules ( = code which can
	  be inserted in and removed from the running kernel whenever you
	  want). Most people won't need this and can say N.

config NET_IPGRE_DEMUX
	tristate "IP: GRE demultiplexer"
	help
	  This is a helper module to demultiplex GRE packets on GRE version
	  field criteria. Required by ip_gre and pptp modules.

config NET_IP_TUNNEL
	tristate
	default n

config NET_IPGRE
	tristate "IP: GRE tunnels over IP"
	depends on (IPV6 || IPV6=n) && NET_IPGRE_DEMUX
	select NET_IP_TUNNEL
	help
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  GRE (Generic Routing Encapsulation) and at this time allows
	  encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
	  This driver is useful if the other endpoint is a Cisco router: Cisco
	  likes GRE much better than the other Linux tunneling driver ("IP
	  tunneling" above). In addition, GRE allows multicast redistribution
	  through the tunnel.

config NET_IPGRE_BROADCAST
	bool "IP: broadcast GRE over IP"
	depends on IP_MULTICAST && NET_IPGRE
	help
	  One application of GRE/IP is to construct a broadcast WAN (Wide Area
	  Network), which looks like a normal Ethernet LAN (Local Area
	  Network), but can be distributed all over the Internet. If you want
	  to do that, say Y here and to "IP multicast routing" below.

config IP_MROUTE
	bool "IP: multicast routing"
	depends on IP_MULTICAST
	help
	  This is used if you want your machine to act as a router for IP
	  packets that have several destination addresses. It is needed on the
	  MBONE, a high bandwidth network on top of the Internet which carries
	  audio and video broadcasts. In order to do that, you would most
	  likely run the program mrouted. If you haven't heard about it, you
	  don't need it.

config IP_MROUTE_MULTIPLE_TABLES
	bool "IP: multicast policy routing"
	depends on IP_MROUTE && IP_ADVANCED_ROUTER
	select FIB_RULES
	help
	  Normally, a multicast router runs a userspace daemon and decides
	  what to do with a multicast packet based on the source and
	  destination addresses. If you say Y here, the multicast router
	  will also be able to take interfaces and packet marks into
	  account and run multiple instances of userspace daemons
	  simultaneously, each one handling a single table.

	  If unsure, say N.

config IP_PIMSM_V1
	bool "IP: PIM-SM version 1 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM (Protocol Independent
	  Multicast) version 1. This multicast routing protocol is used widely
	  because Cisco supports it. You need special software to use it
	  (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
	  information about PIM.

	  Say Y if you want to use PIM-SM v1. Note that you can say N here if
	  you just want to use Dense Mode PIM.

config IP_PIMSM_V2
	bool "IP: PIM-SM version 2 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM version 2. In order to use
	  this, you need an experimental routing daemon supporting it (pimd or
	  gated-5). This routing protocol is not used widely, so say N unless
	  you want to play with it.

config SYN_COOKIES
	bool "IP: TCP syncookie support"
	---help---
	  Normal TCP/IP networking is open to an attack known as "SYN
	  flooding". This denial-of-service attack prevents legitimate remote
	  users from being able to connect to your computer during an ongoing
	  attack and requires very little work from the attacker, who can
	  operate from anywhere on the Internet.

	  SYN cookies provide protection against this type of attack. If you
	  say Y here, the TCP/IP stack will use a cryptographic challenge
	  protocol known as "SYN cookies" to enable legitimate users to
	  continue to connect, even when your machine is under attack. There
	  is no need for the legitimate users to change their TCP/IP software;
	  SYN cookies work transparently to them. For technical information
	  about SYN cookies, check out <http://cr.yp.to/syncookies.html>.

	  If you are SYN flooded, the source address reported by the kernel is
	  likely to have been forged by the attacker; it is only reported as
	  an aid in tracing the packets to their actual source and should not
	  be taken as absolute truth.

	  SYN cookies may prevent correct error reporting on clients when the
	  server is really overloaded. If this happens frequently, better turn
	  them off.

	  If you say Y here, you can disable SYN cookies at run time by
	  saying Y to "/proc file system support" and
	  "Sysctl support" below and executing the command

	  echo 0 > /proc/sys/net/ipv4/tcp_syncookies

	  after the /proc file system has been mounted.

	  If unsure, say N.

config NET_IPVTI
	tristate "Virtual (secure) IP: tunneling"
	select INET_TUNNEL
	select NET_IP_TUNNEL
	depends on INET_XFRM_MODE_TUNNEL
	---help---
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This can be used with xfrm mode tunnel to give
	  the notion of a secure tunnel for IPSEC and then use routing protocol
	  on top.

config NET_UDP_TUNNEL
	tristate
	select NET_IP_TUNNEL
	default n

config NET_FOU
	tristate "IP: Foo (IP protocols) over UDP"
	select XFRM
	select NET_UDP_TUNNEL
	---help---
	  Foo over UDP allows any IP protocol to be directly encapsulated
	  over UDP, including tunnels (IPIP, GRE, SIT). By encapsulating in UDP,
	  network mechanisms and optimizations for UDP (such as ECMP
	  and RSS) can be leveraged to provide better service.

config NET_FOU_IP_TUNNELS
	bool "IP: FOU encapsulation of IP tunnels"
	depends on NET_IPIP || NET_IPGRE || IPV6_SIT
	select NET_FOU
	---help---
	  Allow configuration of FOU or GUE encapsulation for IP tunnels.
	  When this option is enabled IP tunnels can be configured to use
	  FOU or GUE encapsulation.

config INET_AH
	tristate "IP: AH transformation"
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	---help---
	  Support for IPsec AH.

	  If unsure, say Y.

config INET_ESP
	tristate "IP: ESP transformation"
	select XFRM_ALGO
	select CRYPTO
	select CRYPTO_AUTHENC
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_CBC
	select CRYPTO_SHA1
	select CRYPTO_DES
	---help---
	  Support for IPsec ESP.

	  If unsure, say Y.

config INET_IPCOMP
	tristate "IP: IPComp transformation"
	select INET_XFRM_TUNNEL
	select XFRM_IPCOMP
	---help---
	  Support for IP Payload Compression Protocol (IPComp) (RFC3173),
	  typically needed for IPsec.

	  If unsure, say Y.

config INET_XFRM_TUNNEL
	tristate
	select INET_TUNNEL
	default n

config INET_TUNNEL
	tristate
	default n

config INET_XFRM_MODE_TRANSPORT
	tristate "IP: IPsec transport mode"
	default y
	select XFRM
	---help---
	  Support for IPsec transport mode.

	  If unsure, say Y.

config INET_XFRM_MODE_TUNNEL
	tristate "IP: IPsec tunnel mode"
	default y
	select XFRM
	---help---
	  Support for IPsec tunnel mode.

	  If unsure, say Y.

config INET_XFRM_MODE_BEET
	tristate "IP: IPsec BEET mode"
	default y
	select XFRM
	---help---
	  Support for IPsec BEET mode.

	  If unsure, say Y.

config INET_LRO
	tristate "Large Receive Offload (ipv4/tcp)"
	default y
	---help---
	  Support for Large Receive Offload (ipv4/tcp).

	  If unsure, say Y.

config INET_DIAG
	tristate "INET: socket monitoring interface"
	default y
	---help---
	  Support for INET (TCP, DCCP, etc) socket monitoring interface used by
	  native Linux tools such as ss. ss is included in iproute2, currently
	  downloadable at:

	    http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2

	  If unsure, say Y.

config INET_TCP_DIAG
	depends on INET_DIAG
	def_tristate INET_DIAG

config INET_UDP_DIAG
	tristate "UDP: socket monitoring interface"
	depends on INET_DIAG && (IPV6 || IPV6=n)
	default n
	---help---
	  Support for UDP socket monitoring interface used by the ss tool.
	  If unsure, say Y.

config INET_DIAG_DESTROY
	bool "INET: allow privileged process to administratively close sockets"
	depends on INET_DIAG
	default n
	---help---
	  Provides a SOCK_DESTROY operation that allows privileged processes
	  (e.g., a connection manager or a network administration tool such as
	  ss) to close sockets opened by other processes. Closing a socket in
	  this way interrupts any blocking read/write/connect operations on
	  the socket and causes future socket calls to behave as if the socket
	  had been disconnected.
	  If unsure, say N.

menuconfig TCP_CONG_ADVANCED
	bool "TCP: advanced congestion control"
	---help---
	  Support for selection of various TCP congestion control
	  modules.

	  Nearly all users can safely say no here, and a safe default
	  selection will be made (CUBIC with new Reno as a fallback).

	  If unsure, say N.

if TCP_CONG_ADVANCED

config TCP_CONG_BIC
	tristate "Binary Increase Congestion (BIC) control"
	default m
	---help---
	  BIC-TCP is a sender-side only change that ensures a linear RTT
	  fairness under large windows while offering both scalability and
	  bounded TCP-friendliness. The protocol combines two schemes
	  called additive increase and binary search increase. When the
	  congestion window is large, additive increase with a large
	  increment ensures linear RTT fairness as well as good
	  scalability. Under small congestion windows, binary search
	  increase provides TCP friendliness.
	  See http://www.csc.ncsu.edu/faculty/rhee/export/bitcp/

config TCP_CONG_CUBIC
	tristate "CUBIC TCP"
	default y
	---help---
	  This is version 2.0 of BIC-TCP which uses a cubic growth function
	  among other techniques.
	  See http://www.csc.ncsu.edu/faculty/rhee/export/bitcp/cubic-paper.pdf

config TCP_CONG_WESTWOOD
	tristate "TCP Westwood+"
	default m
	---help---
	  TCP Westwood+ is a sender-side only modification of the TCP Reno
	  protocol stack that optimizes the performance of TCP congestion
	  control. It is based on end-to-end bandwidth estimation to set
	  congestion window and slow start threshold after a congestion
	  episode. Using this estimation, TCP Westwood+ adaptively sets a
	  slow start threshold and a congestion window which takes into
	  account the bandwidth used at the time congestion is experienced.
	  TCP Westwood+ significantly increases fairness wrt TCP Reno in
	  wired networks and throughput over wireless links.

config TCP_CONG_HTCP
	tristate "H-TCP"
	default m
	---help---
	  H-TCP is a sender-side only modification of the TCP Reno
	  protocol stack that optimizes the performance of TCP
	  congestion control for high speed network links. It uses a
	  modeswitch to change the alpha and beta parameters of TCP Reno
	  based on network conditions and in a way so as to be fair with
	  other Reno and H-TCP flows.

config TCP_CONG_HSTCP
	tristate "High Speed TCP"
	default n
	---help---
	  Sally Floyd's High Speed TCP (RFC 3649) congestion control.
	  A modification to TCP's congestion control mechanism for use
	  with large congestion windows. A table indicates how much to
	  increase the congestion window by when an ACK is received.
	  For more detail see http://www.icir.org/floyd/hstcp.html

config TCP_CONG_HYBLA
	tristate "TCP-Hybla congestion control algorithm"
	default n
	---help---
	  TCP-Hybla is a sender-side only change that eliminates penalization of
	  long-RTT, large-bandwidth connections, like when satellite legs are
	  involved, especially when sharing a common bottleneck with normal
	  terrestrial connections.

config TCP_CONG_VEGAS
	tristate "TCP Vegas"
	default n
	---help---
	  TCP Vegas is a sender-side only change to TCP that anticipates
	  the onset of congestion by estimating the bandwidth. TCP Vegas
	  adjusts the sending rate by modifying the congestion
	  window. TCP Vegas should provide less packet loss, but it is
	  not as aggressive as TCP Reno.

config TCP_CONG_SCALABLE
	tristate "Scalable TCP"
	default n
	---help---
	  Scalable TCP is a sender-side only change to TCP which uses a
	  MIMD congestion control algorithm which has some nice scaling
	  properties, though is known to have fairness issues.
	  See http://www.deneholme.net/tom/scalable/

config TCP_CONG_LP
	tristate "TCP Low Priority"
	default n
	---help---
	  TCP Low Priority (TCP-LP), a distributed algorithm whose goal is
	  to utilize only the excess network bandwidth as compared to the
	  ``fair share`` of bandwidth as targeted by TCP.
	  See http://www-ece.rice.edu/networks/TCP-LP/

config TCP_CONG_VENO
	tristate "TCP Veno"
	default n
	---help---
	  TCP Veno is a sender-side only enhancement of TCP to obtain better
	  throughput over wireless networks. TCP Veno makes use of state
	  distinguishing to circumvent the difficult judgment of the packet loss
	  type. TCP Veno cuts down less congestion window in response to random
	  loss packets.
	  See <http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1177186>

config TCP_CONG_YEAH
	tristate "YeAH TCP"
	select TCP_CONG_VEGAS
	default n
	---help---
	  YeAH-TCP is a sender-side high-speed enabled TCP congestion control
	  algorithm, which uses a mixed loss/delay approach to compute the
	  congestion window. Its design goals target high efficiency,
	  internal, RTT and Reno fairness, resilience to link loss while
	  keeping network elements load as low as possible.

	  For further details look here:
	    http://wil.cs.caltech.edu/pfldnet2007/paper/YeAH_TCP.pdf

config TCP_CONG_ILLINOIS
	tristate "TCP Illinois"
	default n
	---help---
	  TCP-Illinois is a sender-side modification of TCP Reno for
	  high speed long delay links. It uses round-trip-time to
	  adjust the alpha and beta parameters to achieve a higher average
	  throughput and maintain fairness.

	  For further details see:
	    http://www.ews.uiuc.edu/~shaoliu/tcpillinois/index.html

config TCP_CONG_DCTCP
	tristate "DataCenter TCP (DCTCP)"
	default n
	---help---
	  DCTCP leverages Explicit Congestion Notification (ECN) in the network to
	  provide multi-bit feedback to the end hosts. It is designed to provide:

	  - High burst tolerance (incast due to partition/aggregate),
	  - Low latency (short flows, queries),
	  - High throughput (continuous data updates, large file transfers) with
	    commodity, shallow-buffered switches.
607e3118e83SDaniel Borkmann 608e3118e83SDaniel Borkmann All switches in the data center network running DCTCP must support 609e3118e83SDaniel Borkmann ECN marking and be configured for marking when reaching defined switch 610e3118e83SDaniel Borkmann buffer thresholds. The default ECN marking threshold heuristic for 611e3118e83SDaniel Borkmann DCTCP on switches is 20 packets (30KB) at 1Gbps, and 65 packets 612e3118e83SDaniel Borkmann (~100KB) at 10Gbps, but might need further careful tweaking. 613e3118e83SDaniel Borkmann 614e3118e83SDaniel Borkmann For further details see: 615e3118e83SDaniel Borkmann http://simula.stanford.edu/~alizade/Site/DCTCP_files/dctcp-final.pdf 616e3118e83SDaniel Borkmann 6172b0a8c9eSKenneth Klette Jonassenconfig TCP_CONG_CDG 6182b0a8c9eSKenneth Klette Jonassen tristate "CAIA Delay-Gradient (CDG)" 6192b0a8c9eSKenneth Klette Jonassen default n 6202b0a8c9eSKenneth Klette Jonassen ---help--- 6212b0a8c9eSKenneth Klette Jonassen CAIA Delay-Gradient (CDG) is a TCP congestion control that modifies 6222b0a8c9eSKenneth Klette Jonassen the TCP sender in order to: 6232b0a8c9eSKenneth Klette Jonassen 6242b0a8c9eSKenneth Klette Jonassen o Use the delay gradient as a congestion signal. 6252b0a8c9eSKenneth Klette Jonassen o Back off with an average probability that is independent of the RTT. 6262b0a8c9eSKenneth Klette Jonassen o Coexist with flows that use loss-based congestion control. 6272b0a8c9eSKenneth Klette Jonassen o Tolerate packet loss unrelated to congestion. 6282b0a8c9eSKenneth Klette Jonassen 6292b0a8c9eSKenneth Klette Jonassen For further details see: 6302b0a8c9eSKenneth Klette Jonassen D.A. Hayes and G. Armitage. "Revisiting TCP congestion control using 6312b0a8c9eSKenneth Klette Jonassen delay gradients." In Networking 2011. 
Preprint: http://goo.gl/No3vdg 6322b0a8c9eSKenneth Klette Jonassen 6333d2573f7SStephen Hemmingerchoice 6343d2573f7SStephen Hemminger prompt "Default TCP congestion control" 635597811ecSStephen Hemminger default DEFAULT_CUBIC 6363d2573f7SStephen Hemminger help 6373d2573f7SStephen Hemminger Select the TCP congestion control that will be used by default 6383d2573f7SStephen Hemminger for all connections. 6393d2573f7SStephen Hemminger 6403d2573f7SStephen Hemminger config DEFAULT_BIC 6413d2573f7SStephen Hemminger bool "Bic" if TCP_CONG_BIC=y 6423d2573f7SStephen Hemminger 6433d2573f7SStephen Hemminger config DEFAULT_CUBIC 6443d2573f7SStephen Hemminger bool "Cubic" if TCP_CONG_CUBIC=y 6453d2573f7SStephen Hemminger 6463d2573f7SStephen Hemminger config DEFAULT_HTCP 6473d2573f7SStephen Hemminger bool "Htcp" if TCP_CONG_HTCP=y 6483d2573f7SStephen Hemminger 649dd2acaa7SJan Engelhardt config DEFAULT_HYBLA 650dd2acaa7SJan Engelhardt bool "Hybla" if TCP_CONG_HYBLA=y 651dd2acaa7SJan Engelhardt 6523d2573f7SStephen Hemminger config DEFAULT_VEGAS 6533d2573f7SStephen Hemminger bool "Vegas" if TCP_CONG_VEGAS=y 6543d2573f7SStephen Hemminger 6556ce1a6dfSJan Engelhardt config DEFAULT_VENO 6566ce1a6dfSJan Engelhardt bool "Veno" if TCP_CONG_VENO=y 6576ce1a6dfSJan Engelhardt 6583d2573f7SStephen Hemminger config DEFAULT_WESTWOOD 6593d2573f7SStephen Hemminger bool "Westwood" if TCP_CONG_WESTWOOD=y 6603d2573f7SStephen Hemminger 661e3118e83SDaniel Borkmann config DEFAULT_DCTCP 662e3118e83SDaniel Borkmann bool "DCTCP" if TCP_CONG_DCTCP=y 663e3118e83SDaniel Borkmann 6642b0a8c9eSKenneth Klette Jonassen config DEFAULT_CDG 6652b0a8c9eSKenneth Klette Jonassen bool "CDG" if TCP_CONG_CDG=y 6662b0a8c9eSKenneth Klette Jonassen 6673d2573f7SStephen Hemminger config DEFAULT_RENO 6683d2573f7SStephen Hemminger bool "Reno" 6693d2573f7SStephen Hemmingerendchoice 6703d2573f7SStephen Hemminger 6713d2573f7SStephen Hemmingerendif 67283803034SStephen Hemminger 673597811ecSStephen Hemmingerconfig TCP_CONG_CUBIC 
6746c360767SDavid S. Miller tristate 675a6484045SDavid S. Miller depends on !TCP_CONG_ADVANCED 676a6484045SDavid S. Miller default y 677a6484045SDavid S. Miller 6783d2573f7SStephen Hemmingerconfig DEFAULT_TCP_CONG 6793d2573f7SStephen Hemminger string 6803d2573f7SStephen Hemminger default "bic" if DEFAULT_BIC 6813d2573f7SStephen Hemminger default "cubic" if DEFAULT_CUBIC 6823d2573f7SStephen Hemminger default "htcp" if DEFAULT_HTCP 683dd2acaa7SJan Engelhardt default "hybla" if DEFAULT_HYBLA 6843d2573f7SStephen Hemminger default "vegas" if DEFAULT_VEGAS 6853d2573f7SStephen Hemminger default "westwood" if DEFAULT_WESTWOOD 6866ce1a6dfSJan Engelhardt default "veno" if DEFAULT_VENO 6873d2573f7SStephen Hemminger default "reno" if DEFAULT_RENO 688e3118e83SDaniel Borkmann default "dctcp" if DEFAULT_DCTCP 6892b0a8c9eSKenneth Klette Jonassen default "cdg" if DEFAULT_CDG 690597811ecSStephen Hemminger default "cubic" 6913d2573f7SStephen Hemminger 692cfb6eeb4SYOSHIFUJI Hideakiconfig TCP_MD5SIG 69344fbe920SKees Cook bool "TCP: MD5 Signature Option support (RFC2385)" 694cfb6eeb4SYOSHIFUJI Hideaki select CRYPTO 695cfb6eeb4SYOSHIFUJI Hideaki select CRYPTO_MD5 696cfb6eeb4SYOSHIFUJI Hideaki ---help--- 6973dde6ad8SDavid Sterba RFC2385 specifies a method of giving MD5 protection to TCP sessions. 698cfb6eeb4SYOSHIFUJI Hideaki Its main (only?) use is to protect BGP sessions between core routers 699cfb6eeb4SYOSHIFUJI Hideaki on the Internet. 700cfb6eeb4SYOSHIFUJI Hideaki 701cfb6eeb4SYOSHIFUJI Hideaki If unsure, say N. 702
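
Added example, not part of the kernel source: the RFC 2385 digest that the TCP_MD5SIG option enables, computed and verified in Python over a constructed segment. The addresses, ports, key and helper names are assumptions made for this illustration.

```python
import hashlib
import hmac
import socket
import struct

TCPOPT_MD5SIG, TCPOLEN_MD5SIG = 19, 18  # option kind and total length (RFC 2385)

def header_len(seg: bytes) -> int:
    """Return the TCP header length in bytes, rejecting malformed segments."""
    hlen = (seg[12] >> 4) * 4 if len(seg) >= 20 else 0
    if not 20 <= hlen <= len(seg):
        raise ValueError("malformed TCP header")
    return hlen

def rfc2385_digest(src: str, dst: str, seg: bytes, key: bytes) -> bytes:
    """MD5 over pseudo-header, fixed header (checksum zeroed), data, then key."""
    hlen = header_len(seg)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!BBH", 0, socket.IPPROTO_TCP, len(seg))
    fixed = seg[:16] + b"\x00\x00" + seg[18:20]  # TCP options are not covered
    return hashlib.md5(pseudo + fixed + seg[hlen:] + key).digest()

def find_md5_option(seg: bytes):
    """Walk the option list and return the 16-byte digest, or None."""
    opts, i = seg[20:header_len(seg)], 0
    while i < len(opts) and opts[i] != 0:          # kind 0: end of option list
        if opts[i] == 1:                           # kind 1: NOP, no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                            # truncated or malformed option
        if opts[i] == TCPOPT_MD5SIG and opts[i + 1] == TCPOLEN_MD5SIG:
            return opts[i + 2:i + TCPOLEN_MD5SIG]
        i += opts[i + 1]
    return None

def verify_segment(src: str, dst: str, seg: bytes, key: bytes) -> bool:
    """Accept only segments carrying a digest that matches the shared key."""
    received = find_md5_option(seg)                # None means unsigned: reject
    expected = rfc2385_digest(src, dst, seg, key)
    return received is not None and hmac.compare_digest(received, expected)

def build_signed_segment(src: str, dst: str, payload: bytes, key: bytes) -> bytes:
    """Constructed sample: 40-byte header (NOP, NOP, MD5SIG), checksum left 0."""
    hdr = struct.pack("!HHIIBBHHH", 50000, 179, 1000, 2000, 10 << 4, 0x18, 65535, 0, 0)
    opt = bytes([1, 1, TCPOPT_MD5SIG, TCPOLEN_MD5SIG])
    digest = rfc2385_digest(src, dst, hdr + opt + bytes(16) + payload, key)
    return hdr + opt + digest + payload
```

Because the digest skips the checksum field and the option bytes, a middlebox that rewrites the checksum does not invalidate it, while any change to addresses, fixed header fields or payload does.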