
Allow static MACsec keys with peers
Closed, Resolved | Public | Feature Request

Description

Some virtual environments do not allow the forwarding of EAPOL packets. In order to provide for encryption in transit for high security compliance environments, it would be useful to be able to implement MACsec in those cloud environments where MKA is not functional.

While this is not easily scalable, unless possibly through API automation, it would fill a potential gap in capability.

The proposal would be to statically define a TX key, and then define RX peers with MAC address and key. This could maybe use a config syntax similar to that of WireGuard peers.

Linux command line syntax for TX key would be similar to the following:

ip macsec add macsec0 tx sa 0 pn 1 on key <KEY ID> <KEY>

Linux command line syntax for each RX key would be similar to the following:

ip macsec add macsec0 rx port 1 address <PEER MAC ADDRESS> sa 0 pn 1 on key <KEY ID> <KEY>

The configuration for static keys could potentially be as follows, where either "mka" or "static" must be defined:

interfaces {
    macsec macsec0 {
        address 192.168.1.1/24
        security {
            cipher gcm-aes-128
            encrypt
            static {
                tx-key <keyID> <KEY>
                peer <friendly name> {
                    mac-address <MAC ADDRESS>
                    rx-key <keyID> <KEY>
                }
            }
        }
        source-interface eth0
    }
}

Manual key rotation would need to be explored as well, so tx-key and rx-key statements would need to allow for multiple entries I think.
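As an added example (not VyOS or iproute2 code), the following Python renders the iproute2 command sequence for one node described above: one TX SA plus one RX SC/SA per peer, with key lengths checked against the cipher suite before anything is emitted. It assumes the command forms documented in ip-macsec(8) and ip-link(8), and the device names, peer name, MAC addresses and keys are constructed sample values. Two details the request's one-line commands leave implicit: on Linux the receive SC (`rx port ... address ...`) must be created before its SA, and the SA number (0..3) is the slot a manual rotation would use for the next key, so it is a parameter here.

```python
"""Render the iproute2 command sequence for one static-key MACsec node.

Added example, not VyOS or iproute2 code. It assumes the command forms
documented in ip-macsec(8) and ip-link(8) and uses constructed sample
keys and MAC addresses; the device, parent interface, peer name and key
values below are illustrative only.
"""
import re

# AES-GCM key length in bytes for each MACsec cipher suite (IEEE 802.1AE).
KEY_BYTES = {"gcm-aes-128": 16, "gcm-aes-256": 32}
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def check_hex(value, nbytes, what):
    """Require exactly `nbytes` bytes of hex; reject short or non-hex keys."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value) or len(value) != 2 * nbytes:
        raise ValueError(f"{what} must be {nbytes} bytes of hex, got {value!r}")
    return value.lower()


def check_key_id(value):
    """Key identifier: 1..16 bytes of hex (the SA key id is a 128-bit field)."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,16}", value):
        raise ValueError(f"key id must be 1..16 bytes of hex, got {value!r}")
    return value.lower()


def check_mac(mac):
    """Normalise aa-bb-cc-dd-ee-ff / AA:BB:... to lower-case colon form."""
    norm = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(norm):
        raise ValueError(f"bad MAC address {mac!r}")
    return norm


def render_static_macsec(dev, parent, cipher, tx_key, peers, sa=0, port=1):
    """Return the shell commands (as a list) that bring up `dev` with static keys.

    tx_key: (key_id, key) for this node's transmit SA.
    peers:  {name: {"mac": ..., "rx_key": (key_id, key)}} for each remote sender.
    sa:     SA number 0..3; a manual rotation installs the next key under a
            new SA number and switches to it, so the caller picks the slot.
    """
    if cipher not in KEY_BYTES:
        raise ValueError(f"unsupported cipher {cipher!r}")
    if not 0 <= sa <= 3:
        raise ValueError("SA number must be 0..3")
    nbytes = KEY_BYTES[cipher]
    kid, key = tx_key
    cmds = [
        f"ip link add link {parent} {dev} type macsec cipher {cipher} encrypt on",
        f"ip macsec add {dev} tx sa {sa} pn 1 on key "
        f"{check_key_id(kid)} {check_hex(key, nbytes, 'tx key')}",
    ]
    for name, peer in peers.items():
        mac = check_mac(peer["mac"])
        rid, rkey = peer["rx_key"]
        rx_sc = f"ip macsec add {dev} rx port {port} address {mac}"
        cmds.append(f"# peer {name}")
        cmds.append(rx_sc)  # the receive SC must exist before its SA is added
        cmds.append(
            f"{rx_sc} sa {sa} pn 1 on key "
            f"{check_key_id(rid)} {check_hex(rkey, nbytes, f'rx key for {name}')}"
        )
    cmds.append(f"ip link set {dev} up")
    return cmds


# Constructed sample input: one node (macsec0 over eth0) with a single peer.
SAMPLE_TX_KEY = ("01", "00112233445566778899aabbccddeeff")
SAMPLE_PEERS = {
    "r2": {"mac": "AA-BB-CC-DD-EE-FF",
           "rx_key": ("02", "ffeeddccbbaa99887766554433221100")},
}

if __name__ == "__main__":
    for line in render_static_macsec("macsec0", "eth0", "gcm-aes-128",
                                     SAMPLE_TX_KEY, SAMPLE_PEERS):
        print(line)
```

The script only renders the commands; applying them needs root on the host. Note that keys passed on the `ip` command line are visible in shell history and process listings, which is one reason a configuration-system integration (as the request proposes) is preferable to hand-typed commands for anything beyond a lab.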

Details

Difficulty level: Easy (less than an hour)
Version: 1.3.3
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Behavior change
Issue type: Feature (new functionality)

Event Timeline

Viacheslav changed the subtype of this task from "Task" to "Feature Request". Aug 8 2023, 7:48 AM
giga1699 changed Difficulty level from Unknown (require assessment) to Easy (less than an hour). Aug 16 2023, 12:46 AM
giga1699 changed the task status from Open to In progress. Aug 18 2023, 1:26 AM
giga1699 claimed this task.
Viacheslav changed the task status from In progress to Needs testing. Aug 23 2023, 9:02 AM
Viacheslav added a subscriber: Viacheslav.

Already implemented

vyos@r4# set interfaces macsec macsec0 security static 
Possible completions:
   key                  MACsec static key
+> peer                 MACsec peer name