
Allow static MACsec keys with peers
Closed, Resolved | Public | FEATURE REQUEST

Description

Some virtual environments do not allow the forwarding of EAPOL packets. In order to provide for encryption in transit for high security compliance environments, it would be useful to be able to implement MACsec in those cloud environments where MKA is not functional.

While this is not easily scalable, unless possibly through API automation, it would fill a potential gap in capability.

The proposal would be to statically define a TX key, and then define RX peers with a MAC address and key. The config syntax could be similar to that of WireGuard peers.

Linux command line syntax for TX key would be similar to the following:

ip macsec add macsec0 tx sa 0 pn 1 on key <KEY ID> <KEY>

Linux command line syntax for each RX key would be similar to the following:

ip macsec add macsec0 rx port 1 address <PEER MAC ADDRESS>   # the RX secure channel must exist before its SA can be added
ip macsec add macsec0 rx port 1 address <PEER MAC ADDRESS> sa 0 pn 1 on key <KEY ID> <KEY>

The static configuration could potentially be as follows, where either "mka" or "static" must be defined:

interfaces {
    macsec macsec0 {
        address 192.168.1.1/24
        security {
            cipher gcm-aes-128
            encrypt
            static {
                tx-key <keyID> <KEY>
                peer <friendly name> {
                    mac-address <MAC ADDRESS>
                    rx-key <keyID> <KEY>
                }
            }
        }
        source-interface eth0
    }
}

Manual key rotation would need to be explored as well, so the tx-key and rx-key statements would need to allow for multiple entries, I think.
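As an added example (not code from this task or the VyOS repository): a POSIX shell script that builds the iproute2 command sequence for a static-key MACsec link on one host, with no MKA and therefore no EAPOL, and first checks that each key has the length its cipher requires, which is the validation the proposed tx-key and rx-key statements need. The port number 1, the SA index 0 and the key IDs 01/02 are assumptions; the MAC addresses and keys at the bottom are constructed placeholders. Without APPLY=1 the script only prints the commands for both ends of the link, so it runs anywhere; with APPLY=1 as root it executes host A's sequence.

```shell
#!/bin/sh
# Added example, not code from the VyOS task or repository. Prints (or, with
# APPLY=1 as root, executes) the iproute2 commands for a static-key MACsec
# link, i.e. no MKA/EAPOL. Port 1, SA index 0 and the key IDs are assumptions;
# MACs and keys at the bottom are constructed placeholders.

# Required key length in hex digits: GCM-AES-128 takes a 16-byte SAK,
# GCM-AES-256 a 32-byte SAK. An unknown cipher is a failure.
key_hex_len() {
    case "$1" in
        gcm-aes-128) echo 32 ;;
        gcm-aes-256) echo 64 ;;
        *) return 1 ;;
    esac
}

# check_key CIPHER KEY: succeeds only if KEY is hex of the length CIPHER needs.
check_key() {
    want=$(key_hex_len "$1") || return 1
    case "$2" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#2}" -eq "$want" ]
}

# macsec_cmds DEV PARENT CIPHER TX_KEY PEER_MAC RX_KEY
# Emits one host's command sequence. Key ID 01 tags our TX SAK, 02 the peer's.
# The RX secure channel must exist before its SA can be added.
macsec_cmds() {
    dev=$1 parent=$2 cipher=$3 txkey=$4 peer=$5 rxkey=$6
    check_key "$cipher" "$txkey" || { echo "tx-key: not a $cipher key" >&2; return 1; }
    check_key "$cipher" "$rxkey" || { echo "rx-key for $peer: not a $cipher key" >&2; return 1; }
    cat <<EOF
ip link add link $parent $dev type macsec port 1 encrypt on cipher $cipher
ip macsec add $dev tx sa 0 pn 1 on key 01 $txkey
ip macsec add $dev rx port 1 address $peer
ip macsec add $dev rx port 1 address $peer sa 0 pn 1 on key 02 $rxkey
ip link set $dev up
EOF
}

# Two hosts, A and B. A's TX key is B's RX key for A, and vice versa; if the
# pair is mismatched the link comes up but the peer's frames fail ICV
# validation and are dropped.
KEY_A=00112233445566778899aabbccddeeff   # constructed, 16 bytes for gcm-aes-128
KEY_B=ffeeddccbbaa99887766554433221100   # constructed
MAC_A=02:00:00:00:00:0a                  # constructed
MAC_B=02:00:00:00:00:0b                  # constructed

if [ "${APPLY:-0}" = 1 ]; then
    # Host A only; host B runs the mirrored call with its own keys swapped.
    macsec_cmds macsec0 eth0 gcm-aes-128 "$KEY_A" "$MAC_B" "$KEY_B" | sh -e
else
    echo "# host A"; macsec_cmds macsec0 eth0 gcm-aes-128 "$KEY_A" "$MAC_B" "$KEY_B"
    echo "# host B"; macsec_cmds macsec0 eth0 gcm-aes-128 "$KEY_B" "$MAC_A" "$KEY_A"
fi
```

The length check is the one that matters operationally: ip(8) rejects a wrong-size SAK with a terse error, but a config backend should refuse the commit before touching the interface, and the check is per cipher because switching gcm-aes-128 to gcm-aes-256 invalidates every existing key.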

Details

Version
1.3.3
Is it a breaking change?
Behavior change
Issue type
Feature (new functionality)

Mentioned In
rVYOSONEXa1c558b8762d: Merge pull request #3686 from vyos/mergify/bp/sagitta/pr-3685
rVYOSONEX1ee62b2c951a: Merge pull request #3687 from vyos/mergify/bp/sagitta-stream/pr-3685
rVYOSONEX59db78630176: Merge pull request #3688 from vyos/mergify/bp/circinus-stream/pr-3685
rVYOSONEX8d913f29f52b: macsec: T5447: fix error message syntax - there is no tx and rx key, only key
rVYOSONEX53e628e9b2c9: macsec: T5447: fix error message syntax - there is no tx and rx key, only key
rVYOSONEX0ef709dc082c: macsec: T5447: fix error message syntax - there is no tx and rx key, only key
rVYOSONEX608ee44be6c6: Merge pull request #3685 from c-po/macsec-error-message
rVYOSONEXf29caa824c02: macsec: T5447: fix error message syntax - there is no tx and rx key, only key
rVYOSONEX4ea1b1506940: smoketest: T5447: wpa_supplicant is only run if required
rVYOSONEX33b9bc55f9e3: T5447: Initial support for MACsec static keys
rVYOSONEXcb68cc29733e: T5447: MACsec static tx-key validation
rVYOSONEXd110af71cb1c: T5447: Add verification of peer rx-key length
rVYOSONEX94e8d4ad1fd4: T5447: Add smoketest for MACsec static keys
rVYOSONEX525beb3202bb: T5447: Implement maintainer feedback
rVYOSONEX69c60327ab44: T5447: Corrected comment for interface down
rVYOSONEX0910cc09c465: T5447: Corrected comment in _create header
rVYOSONEXb4bacbaa2b57: T5447: Remove redundant self.set_admin_state
rVYOSONEXae6b46b3eef3: T5447: Update copyright years
rVYOSONEX007942130b3e: T5447: Adjust to positive logic in generare()
rVYOSONEX8c7fbec24f8b: Merge pull request #2156 from giga1699/T5447

Event Timeline

Viacheslav changed the subtype of this task from "Task" to "Feature Request".Aug 8 2023, 7:48 AM
giga1699 changed the task status from Open to In progress.Aug 18 2023, 1:26 AM
giga1699 claimed this task.
Viacheslav changed the task status from In progress to Needs testing.Aug 23 2023, 9:02 AM
Viacheslav subscribed.

Already implemented

vyos@r4# set interfaces macsec macsec0 security static 
Possible completions:
   key                  MACsec static key
+> peer                 MACsec peer name