
Macsec does not work correctly when the interface status changes.
Closed, Resolved | Public | BUG

Description

There are 2 bugs in the macsec module when the interface status changes.

Configuration:
VyOS1

set interfaces macsec macsec1 address '192.168.2.1/24'
set interfaces macsec macsec1 disable
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42'
set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d'
set interfaces macsec macsec1 source-interface 'eth0'

VyOS2

set interfaces macsec macsec1 address '192.168.2.2/24'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42'
set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d'
set interfaces macsec macsec1 source-interface 'eth0'

Normal macsec interface status

vyos@vyos:~$ show interfaces macsec
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2
        2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000
    RXSC: 0c66f88900000001, state on
        2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000

1. If we change the status of the macsec interface, traffic can flow.
vyos@vyos# set interfaces macsec macsec1 disable

The macsec interface status does not change. We can ping the other side.

vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 u/u
eth1             192.168.17.142/24                 u/u
eth2             -                                 u/D
eth3             -                                 u/D
lo               127.0.0.1/8                       u/u
                 ::1/128
macsec1          192.168.2.2/24                    u/u

vyos@vyos:~$ sudo ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff
6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff

2. If we bring the physical interface down and then up via the VyOS CLI, the macsec interface status does not change, but we cannot ping the other side.
vyos@vyos# set interfaces ethernet eth0 disable


vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 A/D
eth1             192.168.17.142/24                 u/u
eth2             -                                 u/D
eth3             -                                 u/D
lo               127.0.0.1/8                       u/u
                 ::1/128
macsec1          192.168.2.2/24                    u/u

vyos@vyos:~$ sudo ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff
6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff

vyos@vyos:~$ show interfaces macsec
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2

vyos@vyos:~$ sudo ip macsec show
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2



vyos@vyos# delete interfaces ethernet eth0 disable

vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 u/u
eth1             192.168.17.142/24                 u/u
eth2             -                                 u/D
eth3             -                                 u/D
lo               127.0.0.1/8                       u/u
                 ::1/128
macsec1          192.168.2.2/24                    u/u

vyos@vyos:~$ sudo ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff
6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff

vyos@vyos:~$ show interfaces macsec
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2

vyos@vyos:~$ sudo ip macsec show
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2

If we change it with Linux commands, everything works fine.

sudo ip link set eth0 down
sudo ip link set eth0 up
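The second symptom above is only visible at the MACsec layer: `show interfaces` and `ip link` still report macsec1 as u/u, while `ip macsec show` has lost the RX secure channel and both SAs. The following added example (written for this page; it is neither VyOS code nor the reporter's) parses the text output of `ip macsec show` into a small data model and flags exactly that condition, so a monitoring check can catch a MACsec link that looks up but cannot pass traffic. The two sample outputs are copied from the report; all class, function and regex names are this example's own choice.

```python
"""Health check of a MACsec device from `ip macsec show` text (added example, not VyOS code).

HEALTHY and BROKEN are copied from the report: the working state, and the state after
eth0 was disabled and re-enabled from the VyOS CLI (TXSC still listed, RXSC and SAs gone).
Names below are this example's own choice.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEALTHY = """\
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2
        2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000
    RXSC: 0c66f88900000001, state on
        2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000
"""

BROKEN = """\
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2
"""

HEADER_RE = re.compile(r"^\d+: (?P<name>\S+): (?P<flags>.*)$")
CIPHER_RE = re.compile(r"^\s+cipher suite: (?P<cipher>[^,]+),")
TXSC_RE = re.compile(r"^\s+TXSC: (?P<sci>[0-9a-f]+) on SA (?P<sa>\d+)")
RXSC_RE = re.compile(r"^\s+RXSC: (?P<sci>[0-9a-f]+), state (?P<state>\w+)")
# The SAK follows "key"; it is matched so the line parses but is deliberately not captured.
SA_RE = re.compile(r"^\s+(?P<sa>\d+): PN \d+, state (?P<state>\w+), key [0-9a-f]+")


@dataclass
class SecureChannel:
    sci: str
    state: Optional[str] = None      # RXSC lines carry a state, TXSC lines do not
    active_sa: Optional[int] = None  # TXSC lines name the SA used for encoding
    sas: Dict[int, str] = field(default_factory=dict)  # SA number -> "on"/"off"


@dataclass
class MacsecDevice:
    name: str
    flags: Dict[str, str]            # protect/validate/encrypt/replay/... -> value
    cipher: str = ""
    txsc: Optional[SecureChannel] = None
    rxscs: List[SecureChannel] = field(default_factory=list)


def parse_flags(text: str) -> Dict[str, str]:
    """'protect on validate strict ...' -> {'protect': 'on', 'validate': 'strict', ...}"""
    toks = text.split()
    return {toks[i]: toks[i + 1] for i in range(0, len(toks) - 1, 2)}


def parse_macsec_show(output: str) -> List[MacsecDevice]:
    devices: List[MacsecDevice] = []
    current_sc: Optional[SecureChannel] = None  # channel owning the following SA lines
    for line in output.splitlines():
        if m := HEADER_RE.match(line):
            devices.append(MacsecDevice(m["name"], parse_flags(m["flags"])))
            current_sc = None
        elif not devices:
            continue
        elif m := CIPHER_RE.match(line):
            devices[-1].cipher = m["cipher"].strip()
        elif m := TXSC_RE.match(line):
            current_sc = devices[-1].txsc = SecureChannel(m["sci"], active_sa=int(m["sa"]))
        elif m := RXSC_RE.match(line):
            current_sc = SecureChannel(m["sci"], state=m["state"])
            devices[-1].rxscs.append(current_sc)
        elif (m := SA_RE.match(line)) and current_sc is not None:
            current_sc.sas[int(m["sa"])] = m["state"]
    return devices


def health_problems(dev: MacsecDevice) -> List[str]:
    """Conditions under which no protected frame can pass (both hold in BROKEN)."""
    problems = []
    if dev.txsc is None:
        problems.append("no TXSC")
    elif dev.txsc.sas.get(dev.txsc.active_sa) != "on":
        problems.append(f"TX SA {dev.txsc.active_sa} has no installed key")
    if not dev.rxscs:
        problems.append("no RXSC: the peer's channel was never re-installed after the link flap")
    for sc in dev.rxscs:
        if sc.state != "on" or "on" not in sc.sas.values():
            problems.append(f"RXSC {sc.sci} has no active SA")
    return problems


def hardening_warnings(dev: MacsecDevice) -> List[str]:
    """Settings that are up but weaker than a point-to-point link should run with."""
    warnings = []
    if dev.flags.get("encrypt") != "on":
        warnings.append("encrypt off: frames are only integrity-protected")
    if dev.flags.get("validate") != "strict":
        warnings.append("validate not strict: unprotected frames are accepted")
    if dev.flags.get("replay") != "on":
        warnings.append("replay off: replayed frames are accepted")
    return warnings


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY), ("broken", BROKEN)):
        for dev in parse_macsec_show(text):
            print(label, dev.name, health_problems(dev) or "OK", hardening_warnings(dev))
```

Two points worth noting when running this against a live box (`ip macsec show` piped into `parse_macsec_show`): the command prints the current SAK in clear, as the report's own paste shows, so the parser matches the `key` field without retaining it and the check's output is safe to ship to a log collector; and the sample configuration leaves replay protection off, which `hardening_warnings` reports even on the healthy output.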

Details

Difficulty level
Normal (likely a few hours)
Version
vyos-1.4-rolling-202207180607; vyos-1.3.1-S1
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Mentioned In
1.3.2

Event Timeline

c-po changed the task status from Open to In progress. Aug 2 2022, 10:30 AM
c-po claimed this task.
c-po triaged this task as Normal priority.

Works as expected in a recent rolling (e.g. 1.4-rolling-202208021045)

I have tested on 1.4-rolling-202208080217.
The first problem was fixed.
The second problem is not fixed.

c-po changed the task status from In progress to Needs testing. Aug 19 2022, 6:13 PM
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.2) board.