
MACsec interfaces in down state after create
Closed, Invalid | Public | BUG

Description

Create a MACsec configuration; the macsec interface is in the "admin down" state by default.

set interfaces macsec macsec1 address '10.0.0.1/30'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak 'f42e15acecc0c1634582bdd32429efdf'
set interfaces macsec macsec1 security mka ckn '0ef5ebf77ba031e45ad270e9f80c804d500a2649789db1c87b751114f329e032'
set interfaces macsec macsec1 source-interface 'eth1'

Check interfaces

vyos@r1-roll:~$ show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.122.11/24                 u/u  
eth1             192.0.2.1/24                      u/u  
eth2             -                                 u/u  
lo               127.0.0.1/8                       u/u  
                 ::1/128                                
macsec1          10.0.0.1/30                       A/D 


vyos@r1-roll:~$ sudo ip link show | grep macs -A 2
11: macsec1@eth1: <BROADCAST,MULTICAST> mtu 1460 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:b2:38:2c brd ff:ff:ff:ff:ff:ff

Details

Difficulty level: Easy (less than an hour)
Version: 1.3-beta-202108300342, 1.4-rolling-202109020430
Why the issue appeared?: Other
Is it a breaking change?: Perfectly compatible
Issue type: Unspecified (please specify)

Event Timeline

Works as designed. Note that the MACSec interface will only change its state to u/u after a successful key-exchange.

Versions used:
LR1.wue3 -> 1.4-rolling-202109060217
LR2.wue3 -> 1.3-beta-202109050342

[email protected]:~$ show ver

Version:          VyOS 1.3-beta-202109050342
Release Train:    equuleus

Built by:         [email protected]
Built on:         Sun 05 Sep 2021 03:42 UTC
Build UUID:       69d54c77-6e2c-4f0a-88fc-147842511496
Build Commit ID:  14583fc2b4dde3

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-42 33 79 fe 73 64 2d 62-d5 62 ab 99 5a 3e d9 6d
Hardware UUID:    fe793342-6473-622d-d562-ab995a3ed96d

Copyright:        VyOS maintainers and contributors
[email protected]:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
dum0             172.18.254.202/32                 u/u
eth0             -                                 u/u
eth0.202         172.18.202.10/24                  u/u
eth1             -                                 u/u
eth2             -                                 u/D
lo               127.0.0.1/8                       u/u
                 ::1/128
macsec1          10.0.0.2/30                       u/u
[email protected]:~$ show configuration commands | grep macsec1
set interfaces macsec macsec1 address '10.0.0.2/30'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak 'f42e15acecc0c1634582bdd32429efdf'
set interfaces macsec macsec1 security mka ckn '0ef5ebf77ba031e45ad270e9f80c804d500a2649789db1c87b751114f329e032'
set interfaces macsec macsec1 source-interface 'eth1'
[email protected]:~$ show configuration commands | grep macsec1
set interfaces macsec macsec1 address '10.0.0.1/30'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak 'f42e15acecc0c1634582bdd32429efdf'
set interfaces macsec macsec1 security mka ckn '0ef5ebf77ba031e45ad270e9f80c804d500a2649789db1c87b751114f329e032'
set interfaces macsec macsec1 source-interface 'eth1'
[email protected]# sudo tcpdump -ni eth1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:31:09.306862 unknown (5) v3, len 144
21:31:09.307126 unknown (5) v3, len 144
21:31:09.772967 00:50:56:b3:38:c5 > 00:50:56:b3:cd:ba 802.1AE MACsec, an 0, pn 11, flags ECI, sci 005056b338c50001,
21:31:09.773444 00:50:56:b3:cd:ba > 00:50:56:b3:38:c5 802.1AE MACsec, an 0, pn 11, flags ECI, sci 005056b3cdba0001,
c-po triaged this task as High priority.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Other.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

It seems to be some bug in KVM.
I still see this bug.
VyOS 1.3.0-rc6 config:

[email protected]# run show conf com | match mac
set interfaces macsec macsec1 address '10.0.0.2/30'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak 'f42e15acecc0c1634582bdd32429efdf'
set interfaces macsec macsec1 security mka ckn '0ef5ebf77ba031e45ad270e9f80c804d500a2649789db1c87b751114f329e032'
set interfaces macsec macsec1 source-interface 'eth1'

1.4 config:

vyos@r1-roll# run show conf com | match mac
set interfaces macsec macsec1 address '10.0.0.1/30'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak 'f42e15acecc0c1634582bdd32429efdf'
set interfaces macsec macsec1 security mka ckn '0ef5ebf77ba031e45ad270e9f80c804d500a2649789db1c87b751114f329e032'
set interfaces macsec macsec1 source-interface 'eth1'

VyOS 1.3.0-rc6 interfaces:

[email protected]# run show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.122.14/24                 u/u  FOO-BAR
eth1             -                                 u/u  FOO
eth2             -                                 u/u  
lo               127.0.0.1/8                       u/u  
                 ::1/128                                
macsec1          10.0.0.2/30                       A/D

VyOS 1.4-rolling-202109061053 interfaces:

vyos@r1-roll# run show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.122.11/24                 u/u  
eth1             -                                 u/u  
eth2             -                                 u/u  
lo               127.0.0.1/8                       u/u  
                 ::1/128                                
macsec1          10.0.0.1/30                       A/D

But I can bring the link up with ip:

[email protected]# sudo ip link set dev macsec1 up 
[edit]
[email protected]# run show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.122.14/24                 u/u  FOO-BAR
eth1             -                                 u/u  FOO
eth2             -                                 u/u  
lo               127.0.0.1/8                       u/u  
                 ::1/128                                
macsec1          10.0.0.2/30                       u/u
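
The reply above ties the u/u state to a successful key exchange, which requires the same cipher, CAK and CKN on both peers. As an added example (not part of the original task and not VyOS code), this Python script compares two peers' `set interfaces macsec` commands before either side is debugged further; the function names, the CAK-length table and the sample keys are assumptions constructed for illustration.

```python
import hmac
import shlex

CAK_HEX_LEN = {"gcm-aes-128": 32, "gcm-aes-256": 64}  # hex digits per cipher (assumption)

def parse_macsec(commands, ifname):
    """Collect the security settings of one macsec interface from 'set' commands."""
    cfg = {"encrypt": False}
    for line in commands.splitlines():
        words = shlex.split(line)
        if words[:4] != ["set", "interfaces", "macsec", ifname]:
            continue
        rest = words[4:]
        if rest == ["security", "encrypt"]:
            cfg["encrypt"] = True
        elif rest[:2] == ["security", "cipher"] and len(rest) == 3:
            cfg["cipher"] = rest[2]
        elif rest[:2] == ["security", "mka"] and len(rest) == 4:
            cfg[rest[2]] = rest[3].lower()  # 'cak' or 'ckn'
    return cfg

def mka_problems(a, b):
    """Return reasons why MKA between peers a and b cannot complete."""
    problems = []
    for name, cfg in (("peer A", a), ("peer B", b)):
        for key in ("cipher", "cak", "ckn"):
            if key not in cfg:
                problems.append(f"{name}: {key} not set")
        want = CAK_HEX_LEN.get(cfg.get("cipher"))
        if want and "cak" in cfg and len(cfg["cak"]) != want:
            problems.append(f"{name}: CAK length does not fit {cfg['cipher']}")
    for key in ("cipher", "encrypt", "ckn"):
        if key in a and key in b and a[key] != b[key]:
            problems.append(f"{key} differs between peers")
    # Compare the secret in constant time and never echo it in the report.
    if "cak" in a and "cak" in b and not hmac.compare_digest(a["cak"], b["cak"]):
        problems.append("cak differs between peers")
    return problems

# Constructed sample input: placeholder keys, not the ones from the report.
CKN = "ab" * 32
PEER_A = f"""
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak '00112233445566778899aabbccddeeff'
set interfaces macsec macsec1 security mka ckn '{CKN}'
"""
PEER_B = PEER_A.replace("eeff'", "ee00'")  # peer B has a mistyped CAK
if __name__ == "__main__":
    print(mka_problems(parse_macsec(PEER_A, "macsec1"), parse_macsec(PEER_B, "macsec1")))
```

An empty result means the pre-shared parameters agree, so a remaining A/D state has to be investigated elsewhere, for example in the admin state of the interface as the `ip link set dev macsec1 up` test above does.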