
Macsec does not work correctly when the interface status changes.
Status: In progress | Priority: Normal | Visibility: Public | Type: Bug

Description

There are 2 bugs in the macsec module when the interface status changes.

Configuration:
VyOS1

set interfaces macsec macsec1 address '192.168.2.1/24'
set interfaces macsec macsec1 disable
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42'
set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d'
set interfaces macsec macsec1 source-interface 'eth0'

VyOS2

set interfaces macsec macsec1 address '192.168.2.2/24'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42'
set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d'
set interfaces macsec macsec1 source-interface 'eth0'

Normal macsec interface status

[email protected]:~$ show interfaces macsec
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2
        2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000
    RXSC: 0c66f88900000001, state on
        2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000

1. If we disable the macsec interface, traffic still flows.

[email protected]# set interfaces macsec macsec1 disable

The macsec interface status does not change, and we can still ping the other side.

[email protected]:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 u/u
eth1             192.168.17.142/24                 u/u
eth2             -                                 u/D
eth3             -                                 u/D
lo               127.0.0.1/8                       u/u
                 ::1/128
macsec1          192.168.2.2/24                    u/u

[email protected]:~$ sudo ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff
6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff

2. If we bring the physical interface down and then up via the VyOS CLI, the macsec interface status does not change, but we can no longer ping the other side.

[email protected]# set interfaces ethernet eth0 disable
[email protected]:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 A/D
eth1             192.168.17.142/24                 u/u
eth2             -                                 u/D
eth3             -                                 u/D
lo               127.0.0.1/8                       u/u
                 ::1/128
macsec1          192.168.2.2/24                    u/u

[email protected]:~$ sudo ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff
6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff

[email protected]:~$ show interfaces macsec
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2

[email protected]:~$ sudo ip macsec show
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2
[email protected]# delete interfaces ethernet eth0 disable

[email protected]:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 u/u
eth1             192.168.17.142/24                 u/u
eth2             -                                 u/D
eth3             -                                 u/D
lo               127.0.0.1/8                       u/u
                 ::1/128
macsec1          192.168.2.2/24                    u/u

[email protected]:~$ sudo ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff
6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff

[email protected]:~$ show interfaces macsec
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2

[email protected]:~$ sudo ip macsec show
6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2

If we do the same with Linux commands instead of the VyOS CLI, everything works fine:

sudo ip link set eth0 down
sudo ip link set eth0 up
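The two captures above show the state a practitioner should be able to detect automatically: a macsec device that still reports UP (with the M-DOWN flag) while its parent is admin-down, and a device that lists a TXSC but no RXSC, which means the peer's traffic is not being decrypted even though `show interfaces` says u/u. The script below is an added example, not part of this bug report or of VyOS; it parses `ip link` and `ip macsec show` output with plain `awk`/`grep` and returns a distinct exit code for each condition. The sample output is constructed from the captures in the report, and the function names (`link_state`, `link_has_flag`, `rxsc_count`, `macsec_check`) are this example's own.

```sh
#!/bin/sh
# Added example, not part of the bug report or of VyOS: consistency checks
# over `ip link` and `ip macsec show` output. All sample output below is
# constructed from the captures in the report; function names are this
# example's own.

# Constructed: parent eth0 admin-down, macsec1 still UP with M-DOWN, no RXSC.
SAMPLE_IP_LINK_BROKEN='2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff'
SAMPLE_MACSEC_BROKEN='6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2'

# Constructed: healthy state, both TX and RX secure channels present.
SAMPLE_IP_LINK_OK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff
6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff'
SAMPLE_MACSEC_OK='6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0cae540700000001 on SA 2
        2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000
    RXSC: 0c66f88900000001, state on
        2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000'

# link_state IFACE IP_LINK_OUTPUT: print the "state" field (UP/DOWN/UNKNOWN)
# of IFACE; matches both "eth0:" and "macsec1@eth0:" device names.
link_state() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $2 == (ifc ":") || $2 ~ ("^" ifc "@") {
            for (i = 1; i <= NF; i++) if ($i == "state") print $(i + 1)
        }'
}

# link_has_flag IFACE FLAG IP_LINK_OUTPUT: succeed if FLAG is inside IFACE's <...> list.
link_has_flag() {
    printf '%s\n' "$3" | awk -v ifc="$1" -v flag="$2" '
        ($2 == (ifc ":") || $2 ~ ("^" ifc "@")) && $3 ~ ("[<,]" flag "[,>]") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# rxsc_count IP_MACSEC_OUTPUT: number of receive secure channels listed.
rxsc_count() {
    printf '%s\n' "$1" | grep -c 'RXSC:' || true
}

# macsec_check IFACE PARENT IP_LINK_OUTPUT IP_MACSEC_OUTPUT
# Returns 0 when the state is consistent, 1 when the macsec device claims UP
# over a DOWN parent, 2 when no RXSC exists (peer frames cannot be decrypted,
# so the link is effectively dead even though it shows u/u).
macsec_check() {
    ifc=$1; parent=$2; links=$3; msec=$4
    if [ "$(link_state "$parent" "$links")" = DOWN ] && [ "$(link_state "$ifc" "$links")" = UP ]; then
        mdown=no; link_has_flag "$ifc" M-DOWN "$links" && mdown=yes
        echo "$ifc: parent $parent is DOWN but $ifc reports UP (M-DOWN flag: $mdown)"
        return 1
    fi
    if [ "$(rxsc_count "$msec")" -eq 0 ]; then
        echo "$ifc: TXSC only, no RXSC: MKA has not established the receive channel"
        return 2
    fi
    echo "$ifc: OK"
    return 0
}

# Demonstration on the constructed samples (exit codes ignored here).
macsec_check macsec1 eth0 "$SAMPLE_IP_LINK_BROKEN" "$SAMPLE_MACSEC_BROKEN" || :
macsec_check macsec1 eth0 "$SAMPLE_IP_LINK_OK" "$SAMPLE_MACSEC_OK" || :
```

On a live system the sample variables would be replaced by `"$(ip -o link)"`-style captures (note that `ip link` without `-o` is what the functions parse, as in the report); the RXSC check is the one that actually predicts whether the peer is reachable, since the report's second case shows `show interfaces` reporting u/u while the receive channel is gone.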

Details

Difficulty level
Normal (likely a few hours)
Version
vyos-1.4-rolling-202207180607; vyos-1.3.1-S1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

c-po changed the task status from Open to In progress.Tue, Aug 2, 10:30 AM
c-po claimed this task.
c-po triaged this task as Normal priority.

Works as expected in a recent rolling (e.g. 1.4-rolling-202208021045)

I have tested on 1.4-rolling-202208080217.
The first problem was fixed.
The second problem is not fixed.