Change Details

There are 2 bugs in the macsec module when the interface status changes. Configuration: VyOS1 ``` set interfaces macsec macsec1 address '192.168.2.1/24' set interfaces macsec macsec1 disable set interfaces macsec macsec1 security cipher 'gcm-aes-128' set interfaces macsec macsec1 security encrypt set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42' set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d' set interfaces macsec macsec1 source-interface 'eth0' ``` VyOS2 ``` set interfaces macsec macsec1 address '192.168.2.2/24' set interfaces macsec macsec1 security cipher 'gcm-aes-128' set interfaces macsec macsec1 security encrypt set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42' set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d' set interfaces macsec macsec1 source-interface 'eth0' ``` Normal macsec interface status ``` vyos@vyos:~$ show interfaces macsec 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000 RXSC: 0c66f88900000001, state on 2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000 ``` 1. If we change the status of the macsec interface, traffic can flow. ``` vyos@vyos# set interfaces macsec macsec1 disable ``` Interface macsec status does not change. We can ping other side. ``` vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 - u/u eth1 192.168.17.142/24 u/u eth2 - u/D eth3 - u/D lo 127.0.0.1/8 u/u ::1/128 macsec1 192.168.2.2/24 u/u vyos@vyos:~$ sudo ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff 4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff 5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff 6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff ``` 2. If we change physical interface down and then up by VyOS CLI, interface macsec status does not change but we can not ping other side. ``` yos@vyos# set interfaces ethernet eth0 disable vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 - A/D eth1 192.168.17.142/24 u/u eth2 - u/D eth3 - u/D lo 127.0.0.1/8 u/u ::1/128 macsec1 192.168.2.2/24 u/u vyos@vyos:~$ sudo ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff 4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff 5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff 6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff vyos@vyos:~$ show interfaces macsec 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 vyos@vyos:~$ sudo ip macsec show 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 vyos@vyos# delete interfaces ethernet eth0 disable vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 - u/u eth1 192.168.17.142/24 u/u eth2 - u/D eth3 - u/D lo 127.0.0.1/8 u/u ::1/128 macsec1 192.168.2.2/24 u/u vyos@vyos:~$ sudo ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff 4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff 5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff 6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff vyos@vyos:~$ show interfaces macsec 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 vyos@vyos:~$ sudo ip macsec show 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 ``` If we change it by Linux commands everything works fine. ``` sudo ip link set eth0 up sudo ip link set eth0 down ```

There are 2 bugs in the macsec module when the interface status changes. Configuration: VyOS1 ``` set interfaces macsec macsec1 address '192.168.2.1/24' set interfaces macsec macsec1 disable set interfaces macsec macsec1 security cipher 'gcm-aes-128' set interfaces macsec macsec1 security encrypt set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42' set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d' set interfaces macsec macsec1 source-interface 'eth0' ``` VyOS2 ``` set interfaces macsec macsec1 address '192.168.2.2/24' set interfaces macsec macsec1 security cipher 'gcm-aes-128' set interfaces macsec macsec1 security encrypt set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42' set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d' set interfaces macsec macsec1 source-interface 'eth0' ``` Normal macsec interface status ``` vyos@vyos:~$ show interfaces macsec 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000 RXSC: 0c66f88900000001, state on 2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000 ``` 1. If we change the status of the macsec interface, traffic can flow. ``` vyos@vyos# set interfaces macsec macsec1 disable ``` Interface macsec status does not change. We can ping other side. ``` vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 - u/u eth1 192.168.17.142/24 u/u eth2 - u/D eth3 - u/D lo 127.0.0.1/8 u/u ::1/128 macsec1 192.168.2.2/24 u/u vyos@vyos:~$ sudo ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff 4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff 5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff 6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff ``` 2. If we change physical interface down and then up by VyOS CLI, interface macsec status does not change but we can not ping other side. ``` yos@vyos# set interfaces ethernet eth0 disable vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 - A/D eth1 192.168.17.142/24 u/u eth2 - u/D eth3 - u/D lo 127.0.0.1/8 u/u ::1/128 macsec1 192.168.2.2/24 u/u vyos@vyos:~$ sudo ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff 4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff 5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff 6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff vyos@vyos:~$ show interfaces macsec 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 vyos@vyos:~$ sudo ip macsec show 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 vyos@vyos# delete interfaces ethernet eth0 disable vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 - u/u eth1 192.168.17.142/24 u/u eth2 - u/D eth3 - u/D lo 127.0.0.1/8 u/u ::1/128 macsec1 192.168.2.2/24 u/u vyos@vyos:~$ sudo ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff 4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff 5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff 6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff vyos@vyos:~$ show interfaces macsec 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 vyos@vyos:~$ sudo ip macsec show 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 ``` If we change it by Linux commands everything works fine. ``` sudo ip link set eth0 down sudo ip link set eth0 up ```

There are 2 bugs in the macsec module when the interface status changes. Configuration: VyOS1 ``` set interfaces macsec macsec1 address '192.168.2.1/24' set interfaces macsec macsec1 disable set interfaces macsec macsec1 security cipher 'gcm-aes-128' set interfaces macsec macsec1 security encrypt set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42' set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d' set interfaces macsec macsec1 source-interface 'eth0' ``` VyOS2 ``` set interfaces macsec macsec1 address '192.168.2.2/24' set interfaces macsec macsec1 security cipher 'gcm-aes-128' set interfaces macsec macsec1 security encrypt set interfaces macsec macsec1 security mka cak 'ff9b7c30ddbc37f4c6bc9dc26ce65b42' set interfaces macsec macsec1 security mka ckn '547ec2be513bfa4b1b14b6c1b45eae14eb73bc985aa93407895791e035d3b00d' set interfaces macsec macsec1 source-interface 'eth0' ``` Normal macsec interface status ``` vyos@vyos:~$ show interfaces macsec 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000 RXSC: 0c66f88900000001, state on 2: PN 7, state on, key c0bce5907d67938c5e6348ca0b000000 ``` 1. If we change the status of the macsec interface, traffic can flow. ``` vyos@vyos# set interfaces macsec macsec1 disable ``` Interface macsec status does not change. We can ping other side. ``` vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 - u/u eth1 192.168.17.142/24 u/u eth2 - u/D eth3 - u/D lo 127.0.0.1/8 u/u ::1/128 macsec1 192.168.2.2/24 u/u vyos@vyos:~$ sudo ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff 4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff 5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff 6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff ``` 2. If we change physical interface down and then up by VyOS CLI, interface macsec status does not change but we can not ping other side. ``` yos@vyos# set interfaces ethernet eth0 disable vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 - A/D eth1 192.168.17.142/24 u/u eth2 - u/D eth3 - u/D lo 127.0.0.1/8 u/u ::1/128 macsec1 192.168.2.2/24 u/u vyos@vyos:~$ sudo ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff 4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff 5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff 6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff vyos@vyos:~$ show interfaces macsec 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 vyos@vyos:~$ sudo ip macsec show 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 vyos@vyos# delete interfaces ethernet eth0 disable vyos@vyos:~$ show interfaces Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address S/L Description --------- ---------- --- ----------- eth0 - u/u eth1 192.168.17.142/24 u/u eth2 - u/D eth3 - u/D lo 127.0.0.1/8 u/u ::1/128 macsec1 192.168.2.2/24 u/u vyos@vyos:~$ sudo ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:01 brd ff:ff:ff:ff:ff:ff 4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:02 brd ff:ff:ff:ff:ff:ff 5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:03 brd ff:ff:ff:ff:ff:ff 6: macsec1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 0c:ae:54:07:00:00 brd ff:ff:ff:ff:ff:ff vyos@vyos:~$ show interfaces macsec 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 vyos@vyos:~$ sudo ip macsec show 6: macsec1: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off cipher suite: GCM-AES-128, using ICV length 16 TXSC: 0cae540700000001 on SA 2 ``` If we change it by Linux commands everything works fine. ``` sudo ip link set eth0 up sudo ip link set eth0 down sudo ip link set eth0 up ```