# Copyright 2020-2021 VyOS maintainers and contributors <maintainers@vyos.io>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library.  If not, see <http://www.gnu.org/licenses/>.

from vyos.ifconfig.interface import Interface

@Interface.register
class MACsecIf(Interface):
    """
    Interface class for MACsec (IEEE 802.1AE, introduced in 2006) devices.

    MACsec protects Ethernet frames between hosts on the same layer 2
    network, offering data confidentiality, authenticity and/or integrity
    independently of the protocols carried on top - DHCP and ARP requests are
    covered as well. It does not compete with IPsec or TLS, which secure
    traffic at higher layers for their own specific use cases.

    GCM-AES-128 is the cipher suite the standard started out with; the suite
    applied to an interface is the one the configuration hands to _create().
    """
    iftype = 'macsec'
    definition = {
        **Interface.definition,
        'section': 'macsec',
        'prefixes': ['macsec'],
    }

    def _create(self):
        """
        Create the MACsec interface in the OS kernel and, when static keys
        are configured, install the TX key and one RX channel plus key per
        enabled peer. The interface is left administratively down on both
        the static-key and the non-static path.
        """

        # Stack the MACsec device on the configured source interface.
        # NOTE(review): config values are interpolated into the command text
        # unquoted; this relies on them being validated before they reach
        # this class - confirm against the caller.
        link_cmd = 'ip link add link {source_interface} {ifname} type {type}'.format(**self.config)
        security = self.config["security"]
        link_cmd += f' cipher {security["cipher"]}'
        self._cmd(link_cmd)

        if 'static' not in security:
            # No static keys: the interface stays A/D down and has to be
            # enabled explicitly.
            self.set_admin_state('down')
            return

        static = security["static"]

        # Install the static TX secure association.
        # NOTE(review): the key is part of the command string, so it ends up
        # in the argument vector of the spawned process and in anything that
        # records the command; how self._cmd executes/logs is not visible
        # here - confirm keys are not written to logs (feeding `ip -batch`
        # via stdin would keep them out of argv).
        # NOTE(review): the SA always starts at packet number 1. If the
        # interface is re-created with an unchanged static key the PN
        # restarts under the same key, and GCM needs a unique nonce per key -
        # confirm keys are rotated when the interface is rebuilt.
        tx_cmd = 'ip macsec add {ifname} tx sa 0 pn 1 on key 00'.format(**self.config)
        tx_cmd += f' {static["key"]}'
        self._cmd(tx_cmd)

        for _peer_name, peer in static["peer"].items():
            if 'disable' not in peer:
                # First register the peer's MAC address as an RX channel ...
                rx_cmd = 'ip macsec add {ifname} rx port 1 address'.format(**self.config)
                rx_cmd += f' {peer["mac"]}'
                self._cmd(rx_cmd)
                # ... then extend the very same command with the RX key.
                rx_cmd += f' sa 0 pn 1 on key 01 {peer["key"]}'
                self._cmd(rx_cmd)

        # NOTE(review): earlier documentation of this method suggested the
        # static-key path brings the link up, but the state requested here is
        # 'down', same as the non-static path - confirm which is intended.
        self.set_admin_state('down')