lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aGeQPzULveCLU4Bq@strlen.de>
Date: Fri, 4 Jul 2025 10:26:39 +0200
From: Florian Westphal <fw@...len.de>
To: Steffen Klassert <steffen.klassert@...unet.com>
Cc: Herbert Xu <herbert@...dor.apana.org.au>, Paul Wouters <paul@...ats.ca>,
	Andreas Steffen <andreas.steffen@...ongswan.org>,
	Tobias Brunner <tobias@...ongswan.org>,
	Antony Antony <antony@...nome.org>, Tuomo Soini <tis@...bar.fi>,
	"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
	devel@...ux-ipsec.org
Subject: Re: [PATCH RFC ipsec-next] pfkey: Deprecate pfkey

Steffen Klassert <steffen.klassert@...unet.com> wrote:
> The pfkey user configuration interface was replaced by the netlink
> user configuration interface more than a decade ago. In between
> all maintained IKE implementations moved to the netlink interface.
> So let 'config NET_KEY' default to no in Kconfig. The pfkey code
> will be removed in a second step.

I'd suggest to also do something like
b144fcaf46d4 ("dccp: Print deprecation notice.")

> Signed-off-by: Steffen Klassert <steffen.klassert@...unet.com>
> ---
>  net/xfrm/Kconfig | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/net/xfrm/Kconfig b/net/xfrm/Kconfig
> index f0157702718f..aedea7a892db 100644
> --- a/net/xfrm/Kconfig
> +++ b/net/xfrm/Kconfig
> @@ -110,14 +110,17 @@ config XFRM_IPCOMP
>  	select CRYPTO_DEFLATE
>  
>  config NET_KEY
> -	tristate "PF_KEY sockets"
> +	tristate "PF_KEY sockets (deprecated)"
>  	select XFRM_ALGO
> +	default n
>  	help
>  	  PF_KEYv2 socket family, compatible to KAME ones.
> -	  They are required if you are going to use IPsec tools ported
> -	  from KAME.
>  
> -	  Say Y unless you know what you are doing.
> +	  The PF_KEYv2 socket interface is deprecated and
> +	  scheduled for removal. Please use the netlink
> +	  interface (XFRM_USER) to configure IPsec.

Perhaps this should mention that all existing IKE daemons
no longer need this resp. that this is only required for
ancient/unmaintained KAME tools?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ