Re: [RFC ipsec-next] xfrm: make sha256 icv truncation length RFC-compliant
Le 23/05/2014 08:28, Horia Geantă a écrit : On 5/22/2014 7:03 PM, Nicolas Dichtel wrote: Le 22/05/2014 17:10, Horia Geanta a écrit : From: Lei Xu Currently the sha256 icv truncation length is set to 96bit while the length is defined as 128bit in RFC4868. This may result in somer errors when working with other IPsec devices with the standard truncation length. Thus, change the sha256 truncation length from 96bit to 128bit. The patch was already proposed, but it was kept as-is for userspace compatibility. See: https://lkml.org/lkml/2012/3/7/431 Thanks, somehow I missed that. So this just means bad luck for user space tools (for e.g. ipsec-tools - setkey, racoon - and any other PF_KEY-based tool) that AFAICT cannot override the default truncated icv size, right? You can change the default value with the netlink attribute XFRMA_ALG_AUTH_TRUNC (option 'auth-trunc' in iproute2). Regards, Nicolas -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [RFC ipsec-next] xfrm: make sha256 icv truncation length RFC-compliant
On 5/22/2014 7:03 PM, Nicolas Dichtel wrote: Le 22/05/2014 17:10, Horia Geanta a écrit : From: Lei Xu Currently the sha256 icv truncation length is set to 96bit while the length is defined as 128bit in RFC4868. This may result in somer errors when working with other IPsec devices with the standard truncation length. Thus, change the sha256 truncation length from 96bit to 128bit. The patch was already proposed, but it was kept as-is for userspace compatibility. See: https://lkml.org/lkml/2012/3/7/431 Thanks, somehow I missed that. So this just means bad luck for user space tools (for e.g. ipsec-tools - setkey, racoon - and any other PF_KEY-based tool) that AFAICT cannot override the default truncated icv size, right? Thanks, Horia -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [RFC ipsec-next] xfrm: make sha256 icv truncation length RFC-compliant
Le 22/05/2014 17:10, Horia Geanta a écrit : From: Lei Xu Currently the sha256 icv truncation length is set to 96bit while the length is defined as 128bit in RFC4868. This may result in somer errors when working with other IPsec devices with the standard truncation length. Thus, change the sha256 truncation length from 96bit to 128bit. The patch was already proposed, but it was kept as-is for userspace compatibility. See: https://lkml.org/lkml/2012/3/7/431 Regards, Nicolas -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/