Age | Commit message (Collapse) | Author |
|
|
|
* 'macsec-t2023' of github.com:c-po/vyos-1x:
macsec: T2023: cleanup wpa_supplicant config file name
macsec: T2023: improve verify() when encryption is enabled
macsec: T2023: support MACsec Key Agreement protocol actor priority
macsec: T2023: rename "security key" node to "security mka"
macsec: T2023: use wpa_supplicant for key management
macsec: T2023: cli: move "cipher" and "encryption" under new "secutiry" node
macsec: T2023: extend key generator for CAK and CKN in operation mode
macsec: T2023: remove gcm-aes-256 cipher type
macsec: T2023: cipher suite is mandatory
macsec: T2023: use list when working with Config()
macsec: T2023: add 'show interfaces macsec' op-mode tree
macsec: T2023: add optional encryption command
macsec: T2023: generate secure channel keys in operation mode
macsec: T2023: add initial XML and Python interfaces
ifconfig: T2023: add initial MACsec abstraction
interface: T2023: adopt _delete() to common style
interface: T2023: remove superfluous at end of list
macvlan: T2023: prepare common source interface include file
|
|
|
|
With enabled encryption keys must be configured.
|
|
|
|
MACsec always talks about MKA (MACsec Key Agreement protocol) thus the node
should reflect that.
|
|
|
|
This is best suited as a key is required, too.
|
|
CAK - Connectivity Association Key
CKN - Connectivity Association Name
|
|
Cipher type gcm-aes-256 is supported by Linux 4.19 but it is not available in
iproute2 4.19. We could backport it of course but the plan is to Upgrade to a
more recent 5.x series kernel anyway once all out-of-tree module issues are
resolved, mainly Intel QAT.
gcm-aes-256 support was added to iproute2 package with commit b16f5253233 ("Add
support for configuring MACsec gcm-aes-256 cipher type.") which made it into
the 5.2 release of iproute2.
|
|
|
|
|
|
vyos@vyos# run show interfaces macsec
13: macsec1: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bf19260001 on SA 0
14: macsec2: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bfefaa0001 on SA 0
vyos@vyos# run show interfaces macsec macsec2
14: macsec2: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bfefaa0001 on SA 0
|
|
By default MACsec only authenticates traffic but has support for optional
encryption. Encryption can now be enabled using:
set interfaces macsec <interface> encrypt
|
|
|
|
|
|
|
|
|
|
|
|
|
|
util: T2467: fix missing import
|
|
|
|
T2465: Permissions on vyos-hostsd socket incorrect
|
|
Revert "T2465: vyos-hostsd-client needs sudo"
|
|
The DHCP server is unable to apply entries to the hosts file because the permissions on the socket are getting created wrong.
```
$ ls -al /run/vyos-hostsd.sock
srwxrwxrwx 1 root vyattacfg 0 May 20 01:38 /run/vyos-hostsd.sock
```
This gives it the correct permissions so that the nobody/nobody user/group can change it.
|
|
|
|
It is not possible to simply remove the node.def file in a tag node. Rather
rename the tag node to take it out of order by default. Upcoming BGP developers
simply need to remove this line in the Makefile added by the commit.
|
|
util: T2467: automatically add sudo to known commands
|
|
bgp-xml: T2387:Commands in XML for [conf_mode] bgp
|
|
|
|
|
|
|
|
That warning made no sense as the destination address where we forward a port
to is by design not locally connected.
|
|
T2465: vyos-hostsd-client needs sudo
|
|
Add support for prefix delegation when receiving the prefix via ethernet,
bridge, bond, wireless.
|
|
This is to remove the amount of duplicated entries in dictionaries. It's one
more part to move to a unified interface management.
|
|
There have been a number of complaints about DHCP not getting inserted into the `/etc/hosts` file. This should correct that problem.
|
|
|
|
|
|
Dictionary is used to remove the amount of duplicated code by e.g. ethernet
or bridge interface.
|
|
|
|
flake8: T2475: fix a number of issue reported by flake8
|
|
|
|
|
|
|
|
* 'ipv6-pd' of github.com:c-po/vyos-1x:
pppoe: dhcpv6-pd: T421: change system type to forking
pppoe: dhcpv6-pd: T421: stop service when config is removed
pppoe: dhcpv6-pd: T421: start/stop delegation with interface status
pppoe: dhcpv6-pd: T421: initial support
dhcpv6-pd: T421: migrate from ISC dhclient to wide-dhcpv6-client
|
|
Wide dhcp client forks by itself
|
|
|
|
|
|
The following configuration will assign a /64 prefix out of a /56 delegation
to eth0. The IPv6 address assigned to eth0 will be <prefix>::ffff/64.
If you do not know the prefix size delegated to you, start with sla-len 0.
pppoe pppoe0 {
authentication {
password vyos
user vyos
}
description sadfas
dhcpv6-options {
delegate eth0 {
interface-id 65535
sla-id 0
sla-len 8
}
}
ipv6 {
address {
autoconf
}
enable
}
source-interface eth1
}
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 2001:db8:8003:400::ffff/64 u/u
|