
MACsec CKN of 32 chars is not allowed in CLI, but works fine
Closed, Resolved · Public · BUG

Description

Our Aruba 5406R ZL2 switches require a CKN of 32 characters, while VyOS requires 64 chars.
This makes it impossible to create a working MACsec link between the two.

To test this anyway, I edited the CLI template file to allow this configuration. This seems to work just fine, with encrypted traffic flowing between the Aruba and VyOS devices.

The relevant Aruba documentation can be found here:
https://techhub.hpe.com/eginfolib/networking/docs/switches/K-KA-KB/15-18/5998-8150_access_security_guide/content/v32677644.html

Enter the CKN as a string of hexadecimal digits up to 32 characters long.

I see that smaller keys are also mentioned in the wpa_supplicant.conf template, which explains why it would work.

# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
# (2..64 hex-digits)

This is the first time I'm configuring MACsec, but it looks like this might be just a validation bug.
We won't be running this in production, but I just wanted to report this.

Details

Version: vyos-1.4-rolling-202302130317
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)
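
The length rule quoted in the report from the wpa_supplicant.conf template, written out as a validator beside the fixed 64-character check the report describes. This is an added example, not VyOS's own validator code; the function names and sample values are constructed, and the even-length requirement is an assumption drawn from the template stating the size in whole bytes.

```python
import re

# Rule quoted on this page from the wpa_supplicant.conf template:
# mka_ckn is a 1..32-byte hex string, i.e. 2..64 hex digits.
CKN_MIN_BYTES = 1
CKN_MAX_BYTES = 32
_HEX_RE = re.compile(r"[0-9a-fA-F]+")


def check_ckn_fixed_64(ckn: str) -> bool:
    """Behaviour described in the report: only 64 hex digits are accepted."""
    return len(ckn) == 64 and _HEX_RE.fullmatch(ckn) is not None


def check_ckn_range(ckn: str) -> tuple[bool, str]:
    """Accept any whole-byte hex string of 1..32 bytes.

    Returns (ok, reason) so a CLI can tell the operator why a value failed.
    """
    # fullmatch() also rejects an empty value and a trailing newline.
    if _HEX_RE.fullmatch(ckn) is None:
        return False, "CKN must be a non-empty string of hexadecimal digits"
    if len(ckn) % 2:
        # Assumption: the template counts bytes, so digits must pair up.
        return False, "CKN must have an even number of hex digits"
    nbytes = len(ckn) // 2
    if not CKN_MIN_BYTES <= nbytes <= CKN_MAX_BYTES:
        return False, f"CKN is {nbytes} bytes, allowed {CKN_MIN_BYTES}..{CKN_MAX_BYTES}"
    return True, f"{nbytes}-byte CKN"


# Constructed sample values, not keys from any real device.
SAMPLES = {
    "32 digits (Aruba limit)": "ab" * 16,
    "64 digits": "cd" * 32,
    "odd length": "abc",
    "non-hex": "zz" * 16,
    "66 digits": "ef" * 33,
}

if __name__ == "__main__":
    for label, ckn in SAMPLES.items():
        ok, reason = check_ckn_range(ckn)
        print(f"{label:26} fixed-64={check_ckn_fixed_64(ckn)!s:5} "
              f"range={ok!s:5} ({reason})")
```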

Event Timeline

a.apostoliuk changed the task status from Open to In progress. Feb 15 2023, 2:40 PM
a.apostoliuk changed the task status from In progress to Needs testing. Feb 20 2023, 1:45 PM
a.apostoliuk changed the task status from Needs testing to In progress. Feb 24 2023, 2:30 PM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.3) board.