Page MenuHomeVyOS Platform

Add support for 802.1ae MACsec
Closed, ResolvedPublicFEATURE REQUEST



MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in 2006. It defines a way to establish a protocol independent connection between two hosts with data confidentiality, authenticity and/or integrity, using GCM-AES-128. MACsec operates on the Ethernet layer and as such is a layer 2 protocol, which means it’s designed to secure traffic within a layer 2 network, including DHCP or ARP requests. It does not compete with other security solutions such as IPsec (layer 3) or TLS (layer 4), as all those solutions are used for their own specific use cases.

Thank you Bootlin!

Intro Video:


VyOS Documentation


Difficulty level
Hard (possibly days)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects


Event Timeline

c-po triaged this task as Low priority.Feb 9 2020, 5:12 PM
c-po created this task.
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po changed Difficulty level from Normal (likely a few hours) to Hard (possibly days).
c-po changed the task status from Open to In progress.May 20 2020, 2:32 PM

This is a 1300 byte ping running through a MACsec connection with wpa_supplicant for key management.

12:06:04.072046 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5), length 1374:
        0x0000:  2c00 0000 0033 0050 56bf efaa 0001 3740  ,....3.PV.....7@
        0x0010:  5254 e3cf ff19 854f 1b3f b455 16b6 ff74  RT.....O.?.U...t
        0x0020:  c2ef 4288 0b5a 09cc cbe6 2033 cb81 be99  ..B..Z.....3....
        0x0030:  fd86 2ea0 58f7 7147 56fa 0c78 ba64 40d2  ....X.qGV..x.d@.
        0x0040:  6905 4a48 cdf4 2cdf 5e8b 266a 8918 5fdd  i.JH..,.^.&j.._.
        0x0050:  4596 ba72 cb10 d5f4 da24 3675 9625 30f6  E..r.....$6u.%0.
        0x0060:  d9f7 2d40 668a 2af7 17ee 631e e3dc 9a3a  ..-@f.*...c....:
        0x0070:  5c6e c440 0560 dea9 6d0a 2810 aec6 4b7a  \n.@.`..m.(...Kz
        0x0080:  6f4c dd99 dc5a a566 0827 4f32 07f4 fa03  oL...Z.f.'O2....

This is a regular ICMP ping

12:08:20.263609 00:50:56:b3:ad:d6 > 00:50:56:bf:ef:aa, ethertype Unknown (0x88e5), length 130:
        0x0000:  2c00 0000 003a 0050 56b3 add6 0001 5df2  ,....:.PV.....].
        0x0010:  f066 d65b aa66 f81a 82a1 5f93 56ca 3ae7  .f.[.f...._.V.:.
        0x0020:  e9da 9444 473a fa15 bac9 04f9 b0cc 271f  ...DG:........'.
        0x0030:  5ada 73e4 5b7a 26ca 7b7e 9aa0 3e50 0957  Z.s.[z&.{~..>P.W
        0x0040:  a2b1 bb65 ad15 fe70 e80f 1c8c 7e48 6c2b  ...e...p....~Hl+
        0x0050:  5b85 c774 3e0e de41 2c7f 136c cf0b b051  [..t>..A,..l...Q
        0x0060:  504b 9f31 ce7e bf96 c989 0627 7fe1 074b  PK.1.~.....'...K
        0x0070:  540b ae62                                T..b

And an IPv6 ping

12:09:05.127969 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5), length 150:
        0x0000:  2c00 0000 0041 0050 56bf efaa 0001 d8a2  ,....A.PV.......
        0x0010:  336d 4e3d 6477 7a48 23b0 9f1e 67c0 0e7a  3mN=dwzH#...g..z
        0x0020:  d96b 9228 4d3f c3cc 2797 0bd4 925f a759  .k.(M?..'...._.Y
        0x0030:  0756 28c2 0e31 8530 1269 f2ba b095 412b  .V(..1.0.i....A+
        0x0040:  5744 91e9 9068 2cf8 1d91 fbfb 795b c828  WD...h,.....y[.(
        0x0050:  101a 9101 a414 c4cd 3d94 2fe8 1605 5b38  ........=./...[8
        0x0060:  2ca6 3b6d 8522 0221 759e 1285 573b c31b  ,.;m.".!u...W;..
        0x0070:  d188 57b0 852e a8e8 dcd4 1d81 f1ad 67d2  ..W...........g.
        0x0080:  f422 dd8a a9a4 eacb                      ."......

wpa_supplicant is used for key management else the ey would need to be "auto renewed" by hand once the packet number wrapps (32-bit)

erkin set Issue type to Feature (new functionality).Aug 31 2021, 5:44 PM