1# SPDX-License-Identifier: GPL-2.0-only 2# 3# XFRM configuration 4# 5config XFRM 6 bool 7 depends on INET 8 select GRO_CELLS 9 select SKB_EXTENSIONS 10 11config XFRM_OFFLOAD 12 bool 13 14config XFRM_ALGO 15 tristate 16 select XFRM 17 select CRYPTO 18 select CRYPTO_HASH 19 select CRYPTO_SKCIPHER 20 21if INET 22config XFRM_USER 23 tristate "Transformation user configuration interface" 24 select XFRM_ALGO 25 help 26 Support for Transformation(XFRM) user configuration interface 27 like IPsec used by native Linux tools. 28 29 If unsure, say Y. 30 31config XFRM_INTERFACE 32 tristate "Transformation virtual interface" 33 depends on XFRM && IPV6 34 help 35 This provides a virtual interface to route IPsec traffic. 36 37 If unsure, say N. 38 39config XFRM_SUB_POLICY 40 bool "Transformation sub policy support" 41 depends on XFRM 42 help 43 Support sub policy for developers. By using sub policy with main 44 one, two policies can be applied to the same packet at once. 45 Policy which lives shorter time in kernel should be a sub. 46 47 If unsure, say N. 48 49config XFRM_MIGRATE 50 bool "Transformation migrate database" 51 depends on XFRM 52 help 53 A feature to update locator(s) of a given IPsec security 54 association dynamically. This feature is required, for 55 instance, in a Mobile IPv6 environment with IPsec configuration 56 where mobile nodes change their attachment point to the Internet. 57 58 If unsure, say N. 59 60config XFRM_STATISTICS 61 bool "Transformation statistics" 62 depends on XFRM && PROC_FS 63 help 64 This statistics is not a SNMP/MIB specification but shows 65 statistics about transformation error (or almost error) factor 66 at packet processing for developer. 67 68 If unsure, say N. 69 70# This option selects XFRM_ALGO along with the AH authentication algorithms that 71# RFC 8221 lists as MUST be implemented. 72config XFRM_AH 73 tristate 74 select XFRM_ALGO 75 select CRYPTO 76 select CRYPTO_HMAC 77 select CRYPTO_SHA256 78 79# This option selects XFRM_ALGO along with the ESP encryption and authentication 80# algorithms that RFC 8221 lists as MUST be implemented. 81config XFRM_ESP 82 tristate 83 select XFRM_ALGO 84 select CRYPTO 85 select CRYPTO_AES 86 select CRYPTO_AUTHENC 87 select CRYPTO_CBC 88 select CRYPTO_ECHAINIV 89 select CRYPTO_GCM 90 select CRYPTO_HMAC 91 select CRYPTO_SEQIV 92 select CRYPTO_SHA256 93 94config XFRM_IPCOMP 95 tristate 96 select XFRM_ALGO 97 select CRYPTO 98 select CRYPTO_DEFLATE 99 100config NET_KEY 101 tristate "PF_KEY sockets" 102 select XFRM_ALGO 103 help 104 PF_KEYv2 socket family, compatible to KAME ones. 105 They are required if you are going to use IPsec tools ported 106 from KAME. 107 108 Say Y unless you know what you are doing. 109 110config NET_KEY_MIGRATE 111 bool "PF_KEY MIGRATE" 112 depends on NET_KEY 113 select XFRM_MIGRATE 114 help 115 Add a PF_KEY MIGRATE message to PF_KEYv2 socket family. 116 The PF_KEY MIGRATE message is used to dynamically update 117 locator(s) of a given IPsec security association. 118 This feature is required, for instance, in a Mobile IPv6 119 environment with IPsec configuration where mobile nodes 120 change their attachment point to the Internet. Detail 121 information can be found in the internet-draft 122 <draft-sugimoto-mip6-pfkey-migrate>. 123 124 If unsure, say N. 125 126config XFRM_ESPINTCP 127 bool 128 129endif # INET 130