author | Christian Poessinger <christian@poessinger.com> | 2020-05-21 16:09:17 +0200 |
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-21 16:09:17 +0200 |
commit | ab29e70bdd5b5a70e8e8822d521130a63055ada8 (patch) | |
tree | 8f73508e231f9de949eeec6a4b7efa1a25759bda /python | |
parent | ad44a7301c038e0a300a20fc26952e86b3b92d83 (diff) | |
parent | 5df7e8f35234497c03d504ea838dbd7044c49bb3 (diff) | |
download | vyos-1x-ab29e70bdd5b5a70e8e8822d521130a63055ada8.tar.gz vyos-1x-ab29e70bdd5b5a70e8e8822d521130a63055ada8.zip |
Merge branch 'macsec-t2023' of github.com:c-po/vyos-1x into current
* 'macsec-t2023' of github.com:c-po/vyos-1x:
macsec: T2023: cleanup wpa_supplicant config file name
macsec: T2023: improve verify() when encryption is enabled
macsec: T2023: support MACsec Key Agreement protocol actor priority
macsec: T2023: rename "security key" node to "security mka"
macsec: T2023: use wpa_supplicant for key management
macsec: T2023: cli: move "cipher" and "encryption" under new "security" node
macsec: T2023: extend key generator for CAK and CKN in operation mode
macsec: T2023: remove gcm-aes-256 cipher type
macsec: T2023: cipher suite is mandatory
macsec: T2023: use list when working with Config()
macsec: T2023: add 'show interfaces macsec' op-mode tree
macsec: T2023: add optional encryption command
macsec: T2023: generate secure channel keys in operation mode
macsec: T2023: add initial XML and Python interfaces
ifconfig: T2023: add initial MACsec abstraction
interface: T2023: adopt _delete() to common style
interface: T2023: remove superfluous at end of list
macvlan: T2023: prepare common source interface include file
Diffstat (limited to 'python')
-rw-r--r-- | python/vyos/ifconfig/__init__.py | 1 | ||||
-rw-r--r-- | python/vyos/ifconfig/interface.py | 4 | ||||
-rw-r--r-- | python/vyos/ifconfig/macsec.py | 73 |
3 files changed, 76 insertions, 2 deletions
diff --git a/python/vyos/ifconfig/__init__.py b/python/vyos/ifconfig/__init__.py
index 4d98901b7..1757adf26 100644
--- a/python/vyos/ifconfig/__init__.py
+++ b/python/vyos/ifconfig/__init__.py
@@ -42,3 +42,4 @@ from vyos.ifconfig.tunnel import SitIf
 from vyos.ifconfig.tunnel import Sit6RDIf
 from vyos.ifconfig.wireless import WiFiIf
 from vyos.ifconfig.l2tpv3 import L2TPv3If
+from vyos.ifconfig.macsec import MACsecIf
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index 61f2c6482..07efc6d97 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -51,7 +51,7 @@ class Interface(Control):
 # WireGuard to modify their display behaviour
 OperationalClass = Operational
- options = ['debug', 'create',]
+ options = ['debug', 'create']
 required = []
 default = {
 'type': '',
@@ -265,7 +265,7 @@ class Interface(Control):
 # NOTE (Improvement):
 # after interface removal no other commands should be allowed
 # to be called and instead should raise an Exception:
- cmd = 'ip link del dev {}'.format(self.config['ifname'])
+ cmd = 'ip link del dev {ifname}'.format(**self.config)
 return self._cmd(cmd)
 def get_mtu(self):
diff --git a/python/vyos/ifconfig/macsec.py b/python/vyos/ifconfig/macsec.py
new file mode 100644
index 000000000..ea8c9807e
--- /dev/null
+++ b/python/vyos/ifconfig/macsec.py
@@ -0,0 +1,73 @@
+# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <http://www.gnu.org/licenses/>.
+
+from vyos.ifconfig.interface import Interface
+
+@Interface.register
+class MACsecIf(Interface):
+ """
+ MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in
+ 2006. It defines a way to establish a protocol independent connection
+ between two hosts with data confidentiality, authenticity and/or integrity,
+ using GCM-AES-128. MACsec operates on the Ethernet layer and as such is a
+ layer 2 protocol, which means it's designed to secure traffic within a
+ layer 2 network, including DHCP or ARP requests. It does not compete with
+ other security solutions such as IPsec (layer 3) or TLS (layer 4), as all
+ those solutions are used for their own specific use cases.
+ """
+
+ default = {
+ 'type': 'macsec',
+ 'security_cipher': '',
+ 'source_interface': ''
+ }
+ definition = {
+ **Interface.definition,
+ **{
+ 'section': 'macsec',
+ 'prefixes': ['macsec', ],
+ },
+ }
+ options = Interface.options + \
+ ['security_cipher', 'source_interface']
+
+ def _create(self):
+ """
+ Create MACsec interface in OS kernel. Interface is administrative
+ down by default. 
+ """
+ # create tunnel interface
+ cmd = 'ip link add link {source_interface} {ifname} type {type}'
+ cmd += ' cipher {security_cipher}'
+ self._cmd(cmd.format(**self.config))
+
+ # interface is always A/D down. It needs to be enabled explicitly
+ self.set_admin_state('down')
+
+ @staticmethod
+ def get_config():
+ """
+ MACsec interfaces require a configuration when they are added using
+ iproute2. This static method will provide the configuration dictionary
+ used by this class.
+
+ Example:
+ >> dict = MACsecIf().get_config()
+ """
+ config = {
+ 'security_cipher': '',
+ 'source_interface': '',
+ }
+ return config |
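Review bot: In `_create`, `security_cipher` and `source_interface` are interpolated directly into the `ip link add` command via `cmd.format(**self.config)`, yet `default` initialises both to `''`, so an instance created without a cipher would run `... type macsec cipher ` and presumably fail inside iproute2 with an unhelpful error rather than in this class; the commit log says the cipher suite is mandatory, but nothing here enforces it. A guard before the format call, e.g. `if not self.config['security_cipher']: raise ValueError('security_cipher is mandatory for MACsec interfaces')`, fails early with a clear message, and whether `_cmd` additionally needs shell-safe quoting of these values depends on `Control._cmd`, which is outside this diff. The comment `# create tunnel interface` on the line before should read `# create MACsec interface`, since no tunnel is involved. The `get_config` docstring example `>> dict = MACsecIf().get_config()` shadows the builtin `dict` and calls a static method through an instance; `>>> config = MACsecIf.get_config()` matches how the method is declared.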