Re: [PATCH 2.6.26rc5] xfrm: SHA-256/384/512 HMAC support for IPsec

From: Martin Willi
Date: Thu Jun 05 2008 - 10:45:45 EST

Next message: FUJITA Tomonori: "Re: Intel IOMMU (and IOMMU for Virtualization) performances"
Previous message: Olaf Hering: "Re: [PATCH] libata: fix G5 SATA broken on -rc5"
In reply to: Adrian-Ken RÃegsegger: "Re: [PATCH 2.6.26rc5] xfrm: SHA-256/384/512 HMAC support for IPsec"
Next in thread: Adrian-Ken RÃegsegger: "Re: [PATCH 2.6.26rc5] xfrm: SHA-256/384/512 HMAC support for IPsec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> You could register a new SADB algorithm id in pfkeyv2.h and add a new
> entry to the aalg_list analogous to how GCM is doing that in the aead_list.
>
> Adrian

We could do that, but ïSADB_X_AALG_SHA2_256HMAC (5) actually refers to
128 bit truncation. 96 bit truncation is a leftover of
draft-ietf-ipsec-ciph-sha-256-00 and has been replaced by 128 bit
truncation in draft-ietf-ipsec-ciph-sha-256-01.

dïraft-kelly-ipsec-ciph-sha2 and the resulting RFC4868 define 128 bit
truncation for ïSADB_X_AALG_SHA2_256HMAC (5), so 96 bit truncation is
really obsolete. We could define a new PF_KEY algorithm for 96 bit
truncation, but it is not really usable as it is not standardized.

Martin

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: FUJITA Tomonori: "Re: Intel IOMMU (and IOMMU for Virtualization) performances"
Previous message: Olaf Hering: "Re: [PATCH] libata: fix G5 SATA broken on -rc5"
In reply to: Adrian-Ken RÃegsegger: "Re: [PATCH 2.6.26rc5] xfrm: SHA-256/384/512 HMAC support for IPsec"
Next in thread: Adrian-Ken RÃegsegger: "Re: [PATCH 2.6.26rc5] xfrm: SHA-256/384/512 HMAC support for IPsec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]