authorChristian Poessinger <christian@poessinger.com>2020-05-20 21:09:31 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-21 11:58:57 +0200
commit2e8bd0ced8967644b0ad361df9b375075276593a (patch)
tree72862143508cb0edf6abadcc4017a06ab378f496 /python/vyos/ifconfig/macsec.py
parent0f98642dfbc6fd4b5eb9059abbb6e9767e0e0a8f (diff)
ifconfig: T2023: add initial MACsec abstraction
Diffstat (limited to 'python/vyos/ifconfig/macsec.py')
-rw-r--r--python/vyos/ifconfig/macsec.py73
1 files changed, 73 insertions, 0 deletions
diff --git a/python/vyos/ifconfig/macsec.py b/python/vyos/ifconfig/macsec.py
new file mode 100644
index 000000000..cea3f8d13
--- /dev/null
+++ b/python/vyos/ifconfig/macsec.py
@@ -0,0 +1,73 @@
+# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.ifconfig.interface import Interface
+
+@Interface.register
+class MACsecIf(Interface):
+ """
+ MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in
+ 2006. It defines a way to establish a protocol independent connection
+ between two hosts with data confidentiality, authenticity and/or integrity,
+ using GCM-AES-128. MACsec operates on the Ethernet layer and as such is a
+ layer 2 protocol, which means it's designed to secure traffic within a
+ layer 2 network, including DHCP or ARP requests. It does not compete with
+ other security solutions such as IPsec (layer 3) or TLS (layer 4), as all
+ those solutions are used for their own specific use cases.
+ """
+
+ default = {
+ 'type': 'macsec',
+ 'cipher': '',
+ 'source_interface': ''
+ }
+ definition = {
+ **Interface.definition,
+ **{
+ 'section': 'macsec',
+ 'prefixes': ['macsec', ],
+ },
+ }
+ options = Interface.options + \
+ ['cipher', 'source_interface']
+
+ def _create(self):
+ """
+ Create MACsec interface in OS kernel. Interface is administrative
+ down by default.
+ """
+ # create tunnel interface
+ cmd = 'ip link add link {source_interface} {ifname} type {type}'
+ cmd += ' cipher {cipher} encrypt on'
+ self._cmd(cmd.format(**self.config))
+
+ # interface is always A/D down. It needs to be enabled explicitly
+ self.set_admin_state('down')
+
+ @staticmethod
+ def get_config():
+ """
+ MACsec interfaces require a configuration when they are added using
+ iproute2. This static method will provide the configuration dictionary
+ used by this class.
+
+ Example:
+ >> dict = MACsecIf().get_config()
+ """
+ config = {
+ 'cipher': '',
+ 'source_interface': '',
+ }
+ return config
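Review bot: `_create` interpolates `cipher` and `source_interface` straight into the `ip link add` command, and the class-level `default` and `get_config()` both seed `cipher` with `''`, so a caller that never sets it produces `... type macsec cipher  encrypt on`, which iproute2 rejects at runtime with an error that does not name the missing option. A guard before the format call would make the contract explicit: `if not self.config['cipher'] or not self.config['source_interface']:` / `raise ValueError('MACsec requires cipher and source_interface')`. Since the values end up in a command line, it would also be worth restricting `cipher` to the names iproute2 accepts (the docstring already names GCM-AES-128) rather than passing an arbitrary string through `_cmd`, whose quoting behaviour is not visible in this file. Separately, the `get_config` docstring example `>> dict = MACsecIf().get_config()` shadows the builtin `dict`, uses `>>` rather than the doctest prompt `>>>`, and instantiates the class for a static method; `>>> config = MACsecIf.get_config()` would be accurate.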