On Monday, 7 May 2018, 13:19:47 CEST, Gilad Ben-Yossef wrote:

Hi Gilad,

> ah... so if I have hardware that can implement say, seqiv, I can
> register "seqiv(rfc4106(gcm(aes)))" and, assuming priorities are
> right, it will be used?

That is the question I cannot fully answer. Seqiv is a template and thus not subject to prios by itself. So, your hardware however could register the full seqiv(rfc....) cipher. I am not fully sure that such registered cipher is then picked up by the IPSec stack.

Look into net/xfrm/xfrm_algos.c -- there you see the individual cipher names and the IV generator added separately. What I have not traced yet is whether the code assembles the IV generator name and the cipher name before making the call to crypto_alloc_aead.

What I can say for sure is that the kernel crypto API knows of the seqiv(rfc...) cipher name and generates the IV for you (the invocation field that is).

Ciao
Stephan
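Added example, not part of the original message: a user-space check of the "assuming priorities are right" half of the question, which parses `/proc/crypto`-style text and reports which registered implementation a request for a given algorithm name would resolve to. The sample entries are constructed, the `example-hw` and `example-untested` driver names are hypothetical, and the selection rule is a simplified model of the crypto API lookup; it says nothing about whether the IPsec stack requests that name.

```python
import re

# Constructed /proc/crypto excerpt (fields trimmed); "example-*" drivers are hypothetical.
SAMPLE = """\
name         : seqiv(rfc4106(gcm(aes)))
driver       : seqiv(rfc4106-gcm-aesni)
priority     : 400
selftest     : passed
type         : aead

name         : seqiv(rfc4106(gcm(aes)))
driver       : seqiv-rfc4106-gcm-aes-example-hw
priority     : 3000
selftest     : passed
type         : aead

name         : seqiv(rfc4106(gcm(aes)))
driver       : seqiv-rfc4106-gcm-aes-example-untested
priority     : 5000
selftest     : unknown
type         : aead
"""

def parse_proc_crypto(text):
    """Return one dict per algorithm block in /proc/crypto-style text."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(
            (k.strip(), v.strip())
            for k, _, v in (line.partition(":") for line in block.splitlines())
        )
        if "name" in fields and "driver" in fields:
            entries.append(fields)
    return entries

def preferred(entries, requested):
    """Simplified model of lookup by name: an exact driver-name match wins,
    otherwise the highest-priority tested entry with that algorithm name."""
    usable = [e for e in entries if e.get("selftest") == "passed"]
    for e in usable:
        if e["driver"] == requested:
            return e
    named = [e for e in usable if e["name"] == requested]
    return max(named, key=lambda e: int(e.get("priority", 0)), default=None)

if __name__ == "__main__":
    pick = preferred(parse_proc_crypto(SAMPLE), "seqiv(rfc4106(gcm(aes)))")
    print(pick["driver"], pick["priority"])
```

On a live system, pass the contents of `/proc/crypto` instead of `SAMPLE`; template instances such as `seqiv(...)` are listed there only once they have been instantiated or registered.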