On Mon, Dec 29, 2008 at 02:05:19PM +0100, Martin Willi wrote:

In PF_KEY, SADB_X_AALG_SHA2_256HMAC (5) was defined in
draft-ietf-ipsec-ciph-sha-256-00 to 96 bit truncation (what is currently
implemented). draft-ietf-ipsec-ciph-sha-256-01 defined it to 128 bit
truncation (what is now RFC 4868).
Those numbers starting from 12 are IKEv2 algorithm identifiers and are
never passed to the kernel.

What are you talking about? Neither of those two drafts talks
about the ID used between the KM and the kernel.  So the PF_KEY
ID is simply irrelevant.

What is important though is what's deployed in the field with
respect to IKE.  All the BSDs support 96-bit truncation so we
should continue to do that as well.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt