1# SPDX-License-Identifier: GPL-2.0-only
2#
3# XFRM configuration
4#
# Core XFRM (transformation) symbol. It has no prompt, so it cannot be set
# directly from a configuration menu; it is enabled when another option
# selects it (XFRM_ALGO does so in this file). It depends on INET and
# selects GRO_CELLS and SKB_EXTENSIONS.
5config XFRM
6	bool
7	depends on INET
8	select GRO_CELLS
9	select SKB_EXTENSIONS
10
# Promptless symbol with no dependencies or selects of its own. Nothing in
# the visible part of this file selects it, so it is presumably selected by
# options defined elsewhere (verify against the rest of the tree).
11config XFRM_OFFLOAD
12	bool
13
# Promptless helper symbol: selects XFRM together with CRYPTO, CRYPTO_AEAD,
# CRYPTO_HASH and CRYPTO_SKCIPHER. In this file it is selected by XFRM_USER,
# XFRM_AH, XFRM_ESP, XFRM_IPCOMP and NET_KEY.
14config XFRM_ALGO
15	tristate
16	select XFRM
17	select CRYPTO
18	select CRYPTO_AEAD
19	select CRYPTO_HASH
20	select CRYPTO_SKCIPHER
21
22if INET
23config XFRM_USER
24	tristate "Transformation user configuration interface"
25	select XFRM_ALGO
26	help
27	  Support for the Transformation (XFRM) user configuration interface,
28	  which native Linux tools use to configure transformations such as IPsec.
29
30	  If unsure, say Y.
31
32config XFRM_USER_COMPAT
33	tristate "Compatible ABI support"
34	depends on XFRM_USER && COMPAT_FOR_U64_ALIGNMENT && \
35		HAVE_EFFICIENT_UNALIGNED_ACCESS
36	select WANT_COMPAT_NETLINK_MESSAGES
37	help
38	  Support for the Transformation (XFRM) user configuration interface,
39	  for features such as IPsec, as used by compat-ABI Linux applications.
40
41	  If unsure, say N.
42
43config XFRM_INTERFACE
44	tristate "Transformation virtual interface"
45	depends on XFRM && IPV6
46	help
47	  This provides a virtual interface to route IPsec traffic.
48
49	  If unsure, say N.
50
51config XFRM_SUB_POLICY
52	bool "Transformation sub policy support"
53	depends on XFRM
54	help
55	  Support sub policies, for developers. Using a sub policy together with
56	  the main one, two policies can be applied to the same packet at once.
57	  The policy with the shorter lifetime in the kernel should be the sub.
58
59	  If unsure, say N.
60
61config XFRM_MIGRATE
62	bool "Transformation migrate database"
63	depends on XFRM
64	help
65	  A feature to update locator(s) of a given IPsec security
66	  association dynamically.  This feature is required, for
67	  instance, in a Mobile IPv6 environment with IPsec configuration
68	  where mobile nodes change their attachment point to the Internet.
69
70	  If unsure, say N.
71
72config XFRM_STATISTICS
73	bool "Transformation statistics"
74	depends on XFRM && PROC_FS
75	help
76	  These statistics do not follow an SNMP/MIB specification; they report
77	  transformation error (or near-error) causes seen during packet
78	  processing, and are intended for developers.
79
80	  If unsure, say N.
81
82# This option selects XFRM_ALGO along with the AH authentication algorithms that
83# RFC 8221 lists as MUST be implemented.
84config XFRM_AH
85	tristate
86	select XFRM_ALGO
87	select CRYPTO
88	select CRYPTO_HMAC
89	select CRYPTO_SHA256
90
91# This option selects XFRM_ALGO along with the ESP encryption and authentication
92# algorithms that RFC 8221 lists as MUST be implemented.
93config XFRM_ESP
94	tristate
95	select XFRM_ALGO
96	select CRYPTO
97	select CRYPTO_AES
98	select CRYPTO_AUTHENC
99	select CRYPTO_CBC
100	select CRYPTO_ECHAINIV
101	select CRYPTO_GCM
102	select CRYPTO_HMAC
103	select CRYPTO_SEQIV
104	select CRYPTO_SHA256
105
# This option selects XFRM_ALGO along with CRYPTO and CRYPTO_DEFLATE, the
# only compression algorithm it selects.
106config XFRM_IPCOMP
107	tristate
108	select XFRM_ALGO
109	select CRYPTO
110	select CRYPTO_DEFLATE
111
112config NET_KEY
113	tristate "PF_KEY sockets (deprecated)"
114	select XFRM_ALGO
115	help
116	  PF_KEYv2 socket family, compatible with the KAME ones.
117
118	  The PF_KEYv2 socket interface is deprecated and
119	  scheduled for removal. All maintained IKE daemons
120	  no longer need PF_KEY sockets. Please use the netlink
121	  interface (XFRM_USER) to configure IPsec.
122
123	  If unsure, say N.
124
125config NET_KEY_MIGRATE
126	bool "PF_KEY MIGRATE"
127	depends on NET_KEY
128	select XFRM_MIGRATE
129	help
130	  Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
131	  The PF_KEY MIGRATE message is used to dynamically update
132	  locator(s) of a given IPsec security association.
133	  This feature is required, for instance, in a Mobile IPv6
134	  environment with IPsec configuration where mobile nodes
135	  change their attachment point to the Internet.  Detailed
136	  information can be found in the internet-draft
137	  <draft-sugimoto-mip6-pfkey-migrate>.
138
139	  If unsure, say N.
140
141config XFRM_IPTFS
142	tristate "IPsec IP-TFS/AGGFRAG (RFC 9347) encapsulation support"
143	depends on XFRM
144	help
145	  Information on the IP-TFS/AGGFRAG encapsulation can be found
146	  in RFC 9347. This feature supports demand driven (i.e.,
147	  non-constant send rate) IP-TFS to take advantage of the
148	  AGGFRAG ESP payload encapsulation. This payload type
149	  supports aggregation and fragmentation of the inner IP
150	  packet stream which in turn yields higher small-packet
151	  bandwidth as well as reducing MTU/PMTU issues. Congestion
152	  control is unimplemented as the send rate is demand driven
153	  rather than constant.
154
155	  If unsure, say N.
156
# Promptless symbol with no dependencies or selects of its own. Nothing in
# the visible part of this file selects it, so it is presumably selected by
# options defined elsewhere (verify against the rest of the tree).
157config XFRM_ESPINTCP
158	bool
159
160endif # INET
161