xref: /openbmc/linux/net/xfrm/Kconfig (revision 22246614)
1#
2# XFRM configuration
3#
4config XFRM
5       bool
6       select CRYPTO
7       depends on NET
8
9config XFRM_USER
10	tristate "Transformation user configuration interface"
11	depends on INET && XFRM
12	---help---
13	  Support for Transformation(XFRM) user configuration interface
14	  like IPsec used by native Linux tools.
15
16	  If unsure, say Y.
17
18config XFRM_SUB_POLICY
19	bool "Transformation sub policy support (EXPERIMENTAL)"
20	depends on XFRM && EXPERIMENTAL
21	---help---
22	  Support sub policy for developers. By using sub policy with main
23	  one, two policies can be applied to the same packet at once.
24	  Policy which lives shorter time in kernel should be a sub.
25
26	  If unsure, say N.
27
28config XFRM_MIGRATE
29	bool "Transformation migrate database (EXPERIMENTAL)"
30	depends on XFRM && EXPERIMENTAL
31	---help---
32	  A feature to update locator(s) of a given IPsec security
33	  association dynamically.  This feature is required, for
34	  instance, in a Mobile IPv6 environment with IPsec configuration
35	  where mobile nodes change their attachment point to the Internet.
36
37	  If unsure, say N.
38
39config XFRM_STATISTICS
40	bool "Transformation statistics (EXPERIMENTAL)"
41	depends on INET && XFRM && PROC_FS && EXPERIMENTAL
42	---help---
43	  This statistics is not a SNMP/MIB specification but shows
44	  statistics about transformation error (or almost error) factor
45	  at packet processing for developer.
46
47	  If unsure, say N.
48
49config NET_KEY
50	tristate "PF_KEY sockets"
51	select XFRM
52	---help---
53	  PF_KEYv2 socket family, compatible to KAME ones.
54	  They are required if you are going to use IPsec tools ported
55	  from KAME.
56
57	  Say Y unless you know what you are doing.
58
59config NET_KEY_MIGRATE
60	bool "PF_KEY MIGRATE (EXPERIMENTAL)"
61	depends on NET_KEY && EXPERIMENTAL
62	select XFRM_MIGRATE
63	---help---
64	  Add a PF_KEY MIGRATE message to PF_KEYv2 socket family.
65	  The PF_KEY MIGRATE message is used to dynamically update
66	  locator(s) of a given IPsec security association.
67	  This feature is required, for instance, in a Mobile IPv6
68	  environment with IPsec configuration where mobile nodes
69	  change their attachment point to the Internet.  Detail
70	  information can be found in the internet-draft
71	  <draft-sugimoto-mip6-pfkey-migrate>.
72
73	  If unsure, say N.
74
75