esp, ah: modernize the crypto algorithm selections

[linux-block.git] / net / ipv6 / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
#
# IPv6 configuration
#

#   IPv6 as module will cause a CRASH if you try to unload it
menuconfig IPV6
	tristate "The IPv6 protocol"
	default y
	---help---
	  Support for IP version 6 (IPv6).

	  For general information about IPv6, see
	  <https://en.wikipedia.org/wiki/IPv6>.
	  For specific information about IPv6 under Linux, see
	  Documentation/networking/ipv6.rst and read the HOWTO at
	  <http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/>

	  To compile this protocol support as a module, choose M here: the
	  module will be called ipv6.

if IPV6

config IPV6_ROUTER_PREF
	bool "IPv6: Router Preference (RFC 4191) support"
	---help---
	  Router Preference is an optional extension to the Router
	  Advertisement message which improves the ability of hosts
	  to pick an appropriate router, especially when the hosts
	  are placed in a multi-homed network.

	  If unsure, say N.

config IPV6_ROUTE_INFO
	bool "IPv6: Route Information (RFC 4191) support"
	depends on IPV6_ROUTER_PREF
	---help---
	  Support of Route Information.

	  If unsure, say N.

config IPV6_OPTIMISTIC_DAD
	bool "IPv6: Enable RFC 4429 Optimistic DAD"
	---help---
	  Support for optimistic Duplicate Address Detection. It allows for
	  autoconfigured addresses to be used more quickly.

	  If unsure, say N.

config INET6_AH
	tristate "IPv6: AH transformation"
	select XFRM_AH
	---help---
	  Support for IPsec AH (Authentication Header).

	  AH can be used with various authentication algorithms.  Besides
	  enabling AH support itself, this option enables the generic
	  implementations of the algorithms that RFC 8221 lists as MUST be
	  implemented.  If you need any other algorithms, you'll need to enable
	  them in the crypto API.  You should also enable accelerated
	  implementations of any needed algorithms when available.

	  If unsure, say Y.

config INET6_ESP
	tristate "IPv6: ESP transformation"
	select XFRM_ESP
	---help---
	  Support for IPsec ESP (Encapsulating Security Payload).

	  ESP can be used with various encryption and authentication algorithms.
	  Besides enabling ESP support itself, this option enables the generic
	  implementations of the algorithms that RFC 8221 lists as MUST be
	  implemented.  If you need any other algorithms, you'll need to enable
	  them in the crypto API.  You should also enable accelerated
	  implementations of any needed algorithms when available.

	  If unsure, say Y.

config INET6_ESP_OFFLOAD
	tristate "IPv6: ESP transformation offload"
	depends on INET6_ESP
	select XFRM_OFFLOAD
	default n
	---help---
	  Support for ESP transformation offload. This makes sense
	  only if this system really does IPsec and want to do it
	  with high throughput. A typical desktop system does not
	  need it, even if it does IPsec.

	  If unsure, say N.

config INET6_ESPINTCP
	bool "IPv6: ESP in TCP encapsulation (RFC 8229)"
	depends on XFRM && INET6_ESP
	select STREAM_PARSER
	select NET_SOCK_MSG
	select XFRM_ESPINTCP
	help
	  Support for RFC 8229 encapsulation of ESP and IKE over
	  TCP/IPv6 sockets.

	  If unsure, say N.

config INET6_IPCOMP
	tristate "IPv6: IPComp transformation"
	select INET6_XFRM_TUNNEL
	select XFRM_IPCOMP
	---help---
	  Support for IP Payload Compression Protocol (IPComp) (RFC3173),
	  typically needed for IPsec.

	  If unsure, say Y.

config IPV6_MIP6
	tristate "IPv6: Mobility"
	select XFRM
	---help---
	  Support for IPv6 Mobility described in RFC 3775.

	  If unsure, say N.

config IPV6_ILA
	tristate "IPv6: Identifier Locator Addressing (ILA)"
	depends on NETFILTER
	select DST_CACHE
	select LWTUNNEL
	---help---
	  Support for IPv6 Identifier Locator Addressing (ILA).

	  ILA is a mechanism to do network virtualization without
	  encapsulation. The basic concept of ILA is that we split an
	  IPv6 address into a 64 bit locator and 64 bit identifier. The
	  identifier is the identity of an entity in communication
	  ("who") and the locator expresses the location of the
	  entity ("where").

	  ILA can be configured using the "encap ila" option with
	  "ip -6 route" command. ILA is described in
	  https://tools.ietf.org/html/draft-herbert-nvo3-ila-00.

	  If unsure, say N.

config INET6_XFRM_TUNNEL
	tristate
	select INET6_TUNNEL
	default n

config INET6_TUNNEL
	tristate
	default n

config IPV6_VTI
tristate "Virtual (secure) IPv6: tunneling"
	select IPV6_TUNNEL
	select NET_IP_TUNNEL
	select XFRM
	---help---
	Tunneling means encapsulating data of one protocol type within
	another protocol and sending it over a channel that understands the
	encapsulating protocol. This can be used with xfrm mode tunnel to give
	the notion of a secure tunnel for IPSEC and then use routing protocol
	on top.

config IPV6_SIT
	tristate "IPv6: IPv6-in-IPv4 tunnel (SIT driver)"
	select INET_TUNNEL
	select NET_IP_TUNNEL
	select IPV6_NDISC_NODETYPE
	default y
	---help---
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This driver implements encapsulation of IPv6
	  into IPv4 packets. This is useful if you want to connect two IPv6
	  networks over an IPv4-only path.

	  Saying M here will produce a module called sit. If unsure, say Y.

config IPV6_SIT_6RD
	bool "IPv6: IPv6 Rapid Deployment (6RD)"
	depends on IPV6_SIT
	default n
	---help---
	  IPv6 Rapid Deployment (6rd; draft-ietf-softwire-ipv6-6rd) builds upon
	  mechanisms of 6to4 (RFC3056) to enable a service provider to rapidly
	  deploy IPv6 unicast service to IPv4 sites to which it provides
	  customer premise equipment.  Like 6to4, it utilizes stateless IPv6 in
	  IPv4 encapsulation in order to transit IPv4-only network
	  infrastructure.  Unlike 6to4, a 6rd service provider uses an IPv6
	  prefix of its own in place of the fixed 6to4 prefix.

	  With this option enabled, the SIT driver offers 6rd functionality by
	  providing additional ioctl API to configure the IPv6 Prefix for in
	  stead of static 2002::/16 for 6to4.

	  If unsure, say N.

config IPV6_NDISC_NODETYPE
	bool

config IPV6_TUNNEL
	tristate "IPv6: IP-in-IPv6 tunnel (RFC2473)"
	select INET6_TUNNEL
	select DST_CACHE
	select GRO_CELLS
	---help---
	  Support for IPv6-in-IPv6 and IPv4-in-IPv6 tunnels described in
	  RFC 2473.

	  If unsure, say N.

config IPV6_GRE
	tristate "IPv6: GRE tunnel"
	select IPV6_TUNNEL
	select NET_IP_TUNNEL
	depends on NET_IPGRE_DEMUX
	---help---
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  GRE (Generic Routing Encapsulation) and at this time allows
	  encapsulating of IPv4 or IPv6 over existing IPv6 infrastructure.
	  This driver is useful if the other endpoint is a Cisco router: Cisco
	  likes GRE much better than the other Linux tunneling driver ("IP
	  tunneling" above). In addition, GRE allows multicast redistribution
	  through the tunnel.

	  Saying M here will produce a module called ip6_gre. If unsure, say N.

config IPV6_FOU
	tristate
	default NET_FOU && IPV6

config IPV6_FOU_TUNNEL
	tristate
	default NET_FOU_IP_TUNNELS && IPV6_FOU
	select IPV6_TUNNEL

config IPV6_MULTIPLE_TABLES
	bool "IPv6: Multiple Routing Tables"
	select FIB_RULES
	---help---
	  Support multiple routing tables.

config IPV6_SUBTREES
	bool "IPv6: source address based routing"
	depends on IPV6_MULTIPLE_TABLES
	---help---
	  Enable routing by source address or prefix.

	  The destination address is still the primary routing key, so mixing
	  normal and source prefix specific routes in the same routing table
	  may sometimes lead to unintended routing behavior.  This can be
	  avoided by defining different routing tables for the normal and
	  source prefix specific routes.

	  If unsure, say N.

config IPV6_MROUTE
	bool "IPv6: multicast routing"
	depends on IPV6
	select IP_MROUTE_COMMON
	---help---
	  Support for IPv6 multicast forwarding.
	  If unsure, say N.

config IPV6_MROUTE_MULTIPLE_TABLES
	bool "IPv6: multicast policy routing"
	depends on IPV6_MROUTE
	select FIB_RULES
	help
	  Normally, a multicast router runs a userspace daemon and decides
	  what to do with a multicast packet based on the source and
	  destination addresses. If you say Y here, the multicast router
	  will also be able to take interfaces and packet marks into
	  account and run multiple instances of userspace daemons
	  simultaneously, each one handling a single table.

	  If unsure, say N.

config IPV6_PIMSM_V2
	bool "IPv6: PIM-SM version 2 support"
	depends on IPV6_MROUTE
	---help---
	  Support for IPv6 PIM multicast routing protocol PIM-SMv2.
	  If unsure, say N.

config IPV6_SEG6_LWTUNNEL
	bool "IPv6: Segment Routing Header encapsulation support"
	depends on IPV6
	select LWTUNNEL
	select DST_CACHE
	select IPV6_MULTIPLE_TABLES
	---help---
	  Support for encapsulation of packets within an outer IPv6
	  header and a Segment Routing Header using the lightweight
	  tunnels mechanism. Also enable support for advanced local
	  processing of SRv6 packets based on their active segment.

	  If unsure, say N.

config IPV6_SEG6_HMAC
	bool "IPv6: Segment Routing HMAC support"
	depends on IPV6
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	select CRYPTO_SHA256
	---help---
	  Support for HMAC signature generation and verification
	  of SR-enabled packets.

	  If unsure, say N.

config IPV6_SEG6_BPF
	def_bool y
	depends on IPV6_SEG6_LWTUNNEL
	depends on IPV6 = y

config IPV6_RPL_LWTUNNEL
	bool "IPv6: RPL Source Routing Header support"
	depends on IPV6
	select LWTUNNEL
	---help---
	  Support for RFC6554 RPL Source Routing Header using the lightweight
	  tunnels mechanism.

	  If unsure, say N.

endif # IPV6