authorChristian Poessinger <christian@poessinger.com>2020-05-21 16:09:17 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-21 16:09:17 +0200
commitab29e70bdd5b5a70e8e8822d521130a63055ada8 (patch)
tree8f73508e231f9de949eeec6a4b7efa1a25759bda /python
parentad44a7301c038e0a300a20fc26952e86b3b92d83 (diff)
parent5df7e8f35234497c03d504ea838dbd7044c49bb3 (diff)
downloadvyos-1x-ab29e70bdd5b5a70e8e8822d521130a63055ada8.tar.gz
vyos-1x-ab29e70bdd5b5a70e8e8822d521130a63055ada8.zip
Merge branch 'macsec-t2023' of github.com:c-po/vyos-1x into current
* 'macsec-t2023' of github.com:c-po/vyos-1x: macsec: T2023: cleanup wpa_supplicant config file name macsec: T2023: improve verify() when encryption is enabled macsec: T2023: support MACsec Key Agreement protocol actor priority macsec: T2023: rename "security key" node to "security mka" macsec: T2023: use wpa_supplicant for key management macsec: T2023: cli: move "cipher" and "encryption" under new "secutiry" node macsec: T2023: extend key generator for CAK and CKN in operation mode macsec: T2023: remove gcm-aes-256 cipher type macsec: T2023: cipher suite is mandatory macsec: T2023: use list when working with Config() macsec: T2023: add 'show interfaces macsec' op-mode tree macsec: T2023: add optional encryption command macsec: T2023: generate secure channel keys in operation mode macsec: T2023: add initial XML and Python interfaces ifconfig: T2023: add initial MACsec abstraction interface: T2023: adopt _delete() to common style interface: T2023: remove superfluous at end of list macvlan: T2023: prepare common source interface include file
Diffstat (limited to 'python')
-rw-r--r--python/vyos/ifconfig/__init__.py1
-rw-r--r--python/vyos/ifconfig/interface.py4
-rw-r--r--python/vyos/ifconfig/macsec.py73
3 files changed, 76 insertions, 2 deletions
diff --git a/python/vyos/ifconfig/__init__.py b/python/vyos/ifconfig/__init__.py
index 4d98901b7..1757adf26 100644
--- a/python/vyos/ifconfig/__init__.py
+++ b/python/vyos/ifconfig/__init__.py
@@ -42,3 +42,4 @@ from vyos.ifconfig.tunnel import SitIf
from vyos.ifconfig.tunnel import Sit6RDIf
from vyos.ifconfig.wireless import WiFiIf
from vyos.ifconfig.l2tpv3 import L2TPv3If
+from vyos.ifconfig.macsec import MACsecIf
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index 61f2c6482..07efc6d97 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -51,7 +51,7 @@ class Interface(Control):
# WireGuard to modify their display behaviour
OperationalClass = Operational
- options = ['debug', 'create',]
+ options = ['debug', 'create']
required = []
default = {
'type': '',
@@ -265,7 +265,7 @@ class Interface(Control):
# NOTE (Improvement):
# after interface removal no other commands should be allowed
# to be called and instead should raise an Exception:
- cmd = 'ip link del dev {}'.format(self.config['ifname'])
+ cmd = 'ip link del dev {ifname}'.format(**self.config)
return self._cmd(cmd)
def get_mtu(self):
diff --git a/python/vyos/ifconfig/macsec.py b/python/vyos/ifconfig/macsec.py
new file mode 100644
index 000000000..ea8c9807e
--- /dev/null
+++ b/python/vyos/ifconfig/macsec.py
@@ -0,0 +1,73 @@
+# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.ifconfig.interface import Interface
+
+@Interface.register
+class MACsecIf(Interface):
+ """
+ MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in
+ 2006. It defines a way to establish a protocol independent connection
+ between two hosts with data confidentiality, authenticity and/or integrity,
+ using GCM-AES-128. MACsec operates on the Ethernet layer and as such is a
+ layer 2 protocol, which means it's designed to secure traffic within a
+ layer 2 network, including DHCP or ARP requests. It does not compete with
+ other security solutions such as IPsec (layer 3) or TLS (layer 4), as all
+ those solutions are used for their own specific use cases.
+ """
+
+ default = {
+ 'type': 'macsec',
+ 'security_cipher': '',
+ 'source_interface': ''
+ }
+ definition = {
+ **Interface.definition,
+ **{
+ 'section': 'macsec',
+ 'prefixes': ['macsec', ],
+ },
+ }
+ options = Interface.options + \
+ ['security_cipher', 'source_interface']
+
+ def _create(self):
+ """
+ Create MACsec interface in OS kernel. Interface is administrative
+ down by default.
+ """
+ # create tunnel interface
+ cmd = 'ip link add link {source_interface} {ifname} type {type}'
+ cmd += ' cipher {security_cipher}'
+ self._cmd(cmd.format(**self.config))
+
+ # interface is always A/D down. It needs to be enabled explicitly
+ self.set_admin_state('down')
+
+ @staticmethod
+ def get_config():
+ """
+ MACsec interfaces require a configuration when they are added using
+ iproute2. This static method will provide the configuration dictionary
+ used by this class.
+
+ Example:
+ >> dict = MACsecIf().get_config()
+ """
+ config = {
+ 'security_cipher': '',
+ 'source_interface': '',
+ }
+ return config
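Review bot: `_create` interpolates `security_cipher` (and `source_interface`) straight into the `ip link add` command although both default to `''` in `default` and `get_config`, so an unset cipher yields `... type macsec cipher ` with a dangling keyword that iproute2 rejects with an unhelpful error rather than a clear configuration failure. The merge description says the cipher suite is verified elsewhere, but the abstraction itself should not depend on that; a guard before building the command, `for key in ('source_interface', 'security_cipher'):` / `    if not self.config[key]:` / `        raise ValueError(f'MACsec interface requires {key}')`, makes the contract explicit. The class docstring promises confidentiality, but this command creates the link with only `cipher` and no `encrypt on`, which as far as I recall leaves the kernel's integrity-only default in place unless the separate encryption option mentioned in the merge description is applied later — worth a one-line note in `_create` such as `# NOTE: no 'encrypt on' here; confidentiality depends on the encryption option being applied elsewhere`. In `get_config` the example should use the `>>>` doctest prompt and avoid binding the result to the builtin name `dict`, e.g. `>>> config = MACsecIf.get_config()`.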