From 3872f5995644a8a52358285d682a7103b54dde04 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 21 May 2020 13:55:32 +0200 Subject: macsec: T2023: use wpa_supplicant for key management --- data/templates/macsec/wpa_supplicant.conf.tmpl | 53 ++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 data/templates/macsec/wpa_supplicant.conf.tmpl (limited to 'data/templates/macsec') diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl new file mode 100644 index 000000000..b73d4b863 --- /dev/null +++ b/data/templates/macsec/wpa_supplicant.conf.tmpl @@ -0,0 +1,53 @@ +# autogenerated by interfaces-macsec.py + +# see full documentation: +# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf + +# For UNIX domain sockets (default on Linux and BSD): This is a directory that +# will be created for UNIX domain sockets for listening to requests from +# external programs (CLI/GUI, etc.) for status information and configuration. +# The socket file will be named based on the interface name, so multiple +# wpa_supplicant processes can be run at the same time if more than one +# interface is used. +# /var/run/wpa_supplicant is the recommended directory for sockets and by +# default, wpa_cli will use it when trying to connect with wpa_supplicant. +ctrl_interface=/run/wpa_supplicant + +# Note: When using MACsec, eapol_version shall be set to 3, which is +# defined in IEEE Std 802.1X-2010. +eapol_version=3 + +# No need to scan for access points in MACsec mode +ap_scan=0 + +# EAP fast re-authentication +fast_reauth=1 + +network={ + key_mgmt=NONE + + # Note: When using wired authentication (including MACsec drivers), + # eapol_flags must be set to 0 for the authentication to be completed + # successfully. + eapol_flags=0 + + # macsec_policy: IEEE 802.1X/MACsec options + # This determines how sessions are secured with MACsec (only for MACsec + # drivers). + # 0: MACsec not in use (default) + # 1: MACsec enabled - Should secure, accept key server's advice to + # determine whether to use a secure session or not. + macsec_policy=1 + + # macsec_integ_only: IEEE 802.1X/MACsec transmit mode + # This setting applies only when MACsec is in use, i.e., + # - macsec_policy is enabled + # - the key server has decided to enable MACsec + # 0: Encrypt traffic (default) + # 1: Integrity only + macsec_integ_only={{ '0' if security_encrypt else '1' }} + + mka_cak={{ security_key_cak }} + mka_ckn={{ security_key_ckn }} +} + -- cgit v1.2.3 From 68d54d8d79f257497c884b392a7e316e9a8e7d21 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 21 May 2020 15:04:24 +0200 Subject: macsec: T2023: rename "security key" node to "security mka" MACsec always talks about MKA (MACsec Key Agreement protocol) thus the node should reflect that. --- data/templates/macsec/wpa_supplicant.conf.tmpl | 12 ++++++++++-- interface-definitions/interfaces-macsec.xml.in | 4 ++-- op-mode-definitions/generate-macsec-key.xml | 8 ++++---- src/conf_mode/interfaces-macsec.py | 13 +++++++------ 4 files changed, 23 insertions(+), 14 deletions(-) (limited to 'data/templates/macsec') diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl index b73d4b863..df7b6f153 100644 --- a/data/templates/macsec/wpa_supplicant.conf.tmpl +++ b/data/templates/macsec/wpa_supplicant.conf.tmpl @@ -47,7 +47,15 @@ network={ # 1: Integrity only macsec_integ_only={{ '0' if security_encrypt else '1' }} - mka_cak={{ security_key_cak }} - mka_ckn={{ security_key_ckn }} + # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode + # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. + # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer + # with lower priority will become the key server and start distributing SAKs. + # mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit) + # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits) + # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string + # (2..64 hex-digits) + mka_cak={{ security_mka_cak }} + mka_ckn={{ security_mka_ckn }} } diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index f76fef298..02e6e7b3f 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -43,9 +43,9 @@ - + - Encryption keys + MACsec Key Agreement protocol (MKA) diff --git a/op-mode-definitions/generate-macsec-key.xml b/op-mode-definitions/generate-macsec-key.xml index 003669827..40d2b9061 100644 --- a/op-mode-definitions/generate-macsec-key.xml +++ b/op-mode-definitions/generate-macsec-key.xml @@ -2,18 +2,18 @@ - + - Generate MACsec secure channel key + Generate MACsec Key - + Generate MACsec connectivity association key (CAK) /usr/bin/hexdump -n 16 -e '4/4 "%08x" 1 "\n"' /dev/random - + Generate MACsec connectivity association name (CKN) diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index e59df6f90..79c57d978 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -36,8 +36,9 @@ default_config_data = { 'disable': False, 'security_cipher': '', 'security_encrypt': False, - 'security_key_cak': '', - 'security_key_ckn': '', + 'security_mka_cak': '', + 'security_mka_ckn': '', + 'security_mka_priority': '255', 'intf': '', 'source_interface': '', 'is_bridge_member': False, @@ -87,12 +88,12 @@ def get_config(): macsec['security_encrypt'] = True # Secure Connectivity Association Key - if conf.exists(['security', 'key', 'cak']): - macsec['security_key_cak'] = conf.return_value(['security', 'key', 'cak']) + if conf.exists(['security', 'mka', 'cak']): + macsec['security_mka_cak'] = conf.return_value(['security', 'mka', 'cak']) # Secure Connectivity Association Name - if conf.exists(['security', 'key', 'ckn']): - macsec['security_key_ckn'] = conf.return_value(['security', 'key', 'ckn']) + if conf.exists(['security', 'mka', 'ckn']): + macsec['security_mka_ckn'] = conf.return_value(['security', 'mka', 'ckn']) # Physical interface if conf.exists(['source-interface']): -- cgit v1.2.3 From 2417c2feedd62a59f0caa0c7a405c60e1f3be0e8 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 21 May 2020 15:06:16 +0200 Subject: macsec: T2023: support MACsec Key Agreement protocol actor priority --- data/templates/macsec/wpa_supplicant.conf.tmpl | 4 ++++ interface-definitions/interfaces-macsec.xml.in | 12 ++++++++++++ src/conf_mode/interfaces-macsec.py | 4 ++++ 3 files changed, 20 insertions(+) (limited to 'data/templates/macsec') diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl index df7b6f153..eee215418 100644 --- a/data/templates/macsec/wpa_supplicant.conf.tmpl +++ b/data/templates/macsec/wpa_supplicant.conf.tmpl @@ -57,5 +57,9 @@ network={ # (2..64 hex-digits) mka_cak={{ security_mka_cak }} mka_ckn={{ security_mka_ckn }} + + # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being + # default priority + mka_priority={{ security_mka_priority }} } diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index 02e6e7b3f..af3971595 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -64,6 +64,18 @@ + + + Priority of MACsec Key Agreement protocol (MKA) actor (default: 255) + + 0-255 + MACsec Key Agreement protocol (MKA) priority + + + + + + diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index 79c57d978..780ef9b5f 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -95,6 +95,10 @@ def get_config(): if conf.exists(['security', 'mka', 'ckn']): macsec['security_mka_ckn'] = conf.return_value(['security', 'mka', 'ckn']) + # MACsec Key Agreement protocol (MKA) actor priority + if conf.exists(['security', 'mka', 'priority']): + macsec['security_mka_priority'] = conf.return_value(['security', 'mka', 'priority']) + # Physical interface if conf.exists(['source-interface']): macsec['source_interface'] = conf.return_value(['source-interface']) -- cgit v1.2.3