On Wed, Jan 23, 2013 at 05:35:10PM +0200, Jussi Kivilinna wrote: > > Problem seems to be that PFKEYv2 does not quite work with IKEv2, and > XFRM API should be used instead. There is new numbers assigned for > IKEv2: https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xml#ikev2-parameters-7 > > For new SADB_X_AALG_*, I'd think you should use value from "Reserved > for private use" range. Maybe 250? This would be an option, but we have just a few slots for private algorithms. > > But maybe better solution might be to not make AES-CMAC (or other > new algorithms) available throught PFKEY API at all, just XFRM? > It is probably the best to make new algorithms unavailable for pfkey as long as they have no official ikev1 iana transform identifier. But how to do that? Perhaps we can assign SADB_X_AALG_NOPFKEY to the private value 255 and return -EINVAL if pfkey tries to register such an algorithm. The netlink interface does not use these identifiers, everything should work as expected. So it should be possible to use these algoritms with iproute2 and the most modern ike deamons. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
