From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
To: "Horia Geantă" <horia.geanta@freescale.com>,
	"Steffen Klassert" <steffen.klassert@secunet.com>,
	"Herbert Xu" <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>
Cc: Lei Xu <Lei.Xu@freescale.com>,
	Sandeep Malik <Sandeep.Malik@freescale.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC ipsec-next] xfrm: make sha256 icv truncation length RFC-compliant
Date: Fri, 23 May 2014 10:06:09 +0200
Message-ID: <537F0171.5070902@6wind.com>
In-Reply-To: <537EEAA6.7000506@freescale.com>

On 23/05/2014 08:28, Horia Geantă wrote:
> On 5/22/2014 7:03 PM, Nicolas Dichtel wrote:
>> On 22/05/2014 17:10, Horia Geanta wrote:
>>> From: Lei Xu <Lei.Xu@freescale.com>
>>>
>>> Currently the sha256 icv truncation length is set to 96bit
>>> while the length is defined as 128bit in RFC4868.
>>> This may result in some errors when working with other IPsec devices
>>> with the standard truncation length.
>>> Thus, change the sha256 truncation length from 96bit to 128bit.
>> The patch was already proposed, but it was kept as-is for userspace
>> compatibility.
>>
>> See: https://lkml.org/lkml/2012/3/7/431
>
> Thanks, somehow I missed that.
>
> So this just means bad luck for user space tools (for e.g. ipsec-tools - setkey,
> racoon - and any other PF_KEY-based tool) that AFAICT cannot override the
> default truncated icv size, right?
You can change the default value with the netlink attribute
XFRMA_ALG_AUTH_TRUNC (option 'auth-trunc' in iproute2).


Regards,
Nicolas
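
Added example (not part of the original message or of the kernel source): a simplified Python model of ESP integrity checking, showing why a peer using the 96-bit sha256 truncation and a peer using the 128-bit length from RFC 4868 reject each other's packets until one side's length is overridden, as XFRMA_ALG_AUTH_TRUNC allows. The packet layout, key, SPI and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

LINUX_DEFAULT_TRUNC_BITS = 96   # sha256 truncation length described in the thread
RFC4868_TRUNC_BITS = 128        # truncation length defined in RFC 4868


def icv(key: bytes, data: bytes, trunc_bits: int) -> bytes:
    """HMAC-SHA-256 truncated to the leftmost trunc_bits bits."""
    if trunc_bits % 8 or not 0 < trunc_bits <= 256:
        raise ValueError("truncation length must be whole bytes, at most 256 bits")
    return hmac.new(key, data, hashlib.sha256).digest()[: trunc_bits // 8]


def esp_protect(key: bytes, spi: int, seq: int, payload: bytes, trunc_bits: int) -> bytes:
    """Simplified ESP (assumption): SPI | sequence number | payload | ICV, no encryption."""
    body = struct.pack("!II", spi, seq) + payload
    return body + icv(key, body, trunc_bits)


def esp_verify(key: bytes, packet: bytes, trunc_bits: int) -> bool:
    """The receiver splits off the ICV using its own configured length, then checks it."""
    n = trunc_bits // 8
    if len(packet) < 8 + n:
        return False
    body, received = packet[:-n], packet[-n:]
    return hmac.compare_digest(icv(key, body, trunc_bits), received)


def interop_matrix(key: bytes, payload: bytes) -> dict:
    """Map (sender_bits, receiver_bits) to whether the receiver accepts the packet."""
    lengths = (LINUX_DEFAULT_TRUNC_BITS, RFC4868_TRUNC_BITS)
    return {
        (s, r): esp_verify(key, esp_protect(key, 0x1000, 1, payload, s), r)
        for s in lengths
        for r in lengths
    }


if __name__ == "__main__":
    key = bytes(range(32))  # constructed 256-bit key
    for (s, r), ok in interop_matrix(key, b"constructed payload").items():
        print(f"sender {s}-bit, receiver {r}-bit:", "accepted" if ok else "ICV check failed")
```

Both ends must agree on the length: the mismatched pairs fail because the receiver cuts the packet at the wrong offset, so it authenticates different bytes than the sender did.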
