author Christian Poessinger <christian@poessinger.com> 2020-05-21 13:42:19 +0200
committer Christian Poessinger <christian@poessinger.com> 2020-05-21 13:42:19 +0200
commit 361391385ab6d37ce6b699eb6ed8368355fd345f (patch)
tree 1621660e4aa9d992cbb1fb97d1dd4ce25ec9c391 /docs/interfaces/macsec.rst
parent 6c65fbc5f919546dcf539d30e527e754c622a6ae (diff)
macsec: add key management
Diffstat (limited to 'docs/interfaces/macsec.rst')
-rw-r--r-- docs/interfaces/macsec.rst 56
1 files changed, 55 insertions, 1 deletions
diff --git a/docs/interfaces/macsec.rst b/docs/interfaces/macsec.rst
index 578a1633..8da7a4d3 100644
--- a/docs/interfaces/macsec.rst
+++ b/docs/interfaces/macsec.rst
@@ -13,11 +13,65 @@ including DHCP or ARP requests. It does not compete with other security
solutions such as IPsec (layer 3) or TLS (layer 4), as all those solutions are
used for their own specific use cases.
-
Configuration
#############
+.. cfgcmd:: set interfaces macsec <interface> security cipher [gcm-aes-128]
+
+ Select cipher suite used for cryptographic operations. This setting is
+ mandatory.
+
+ .. note:: gcm-aes-256 support planned once iproute2 package is updated to
+ version >=5.2.
+
+.. cfgcmd:: set interfaces macsec <interface> security encrypt
+
+ MACsec only provides authentication by default, encryption is optional. This
+ command will enable encryption for all outgoing packets.
+
+.. cfgcmd:: set interfaces macsec <interface> source-interface <physical-source>
+
+ A physical interface is required to connect this MACsec instance to. Traffic
+ leaving this interfac will now be authenticated/encrypted.
+
+
+Key Management
+--------------
+
+.. cfgcmd:: set interfaces macsec <interface> security key cak <key>
+
+ IEEE 802.1X/MACsec pre-shared key mode. This allows to configure MACsec with
+ a pre-shared key using a (CAK,CKN) pair.
+
+.. cfgcmd:: set interfaces macsec <interface> security key ckn <key>
+
+ CAK Name
+
Operation
=========
+.. opcmd:: show interfaces macsec
+
+ List all MACsec interfaces
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show interfaces macsec
+ 17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
+ cipher suite: GCM-AES-128, using ICV length 16
+ TXSC: 005056bfefaa0001 on SA 0
+ 20: macsec0: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
+ cipher suite: GCM-AES-128, using ICV length 16
+ TXSC: 005056bfefaa0001 on SA 0
+
+.. opcmd:: show interfaces macsec <interface>
+
+ Show specific MACsec interface information
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show interfaces macsec macsec1
+ 17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
+ cipher suite: GCM-AES-128, using ICV length 16
+ TXSC: 005056bfefaa0001 on SA 0
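
Review bot: The two Key Management entries do not tell the operator how to enter a usable key: `security key cak <key>` gives no format or length for `<key>`, and `security key ckn <key>` is described only as "CAK Name". Suggest stating the expected encoding and length for each value with the gcm-aes-128 cipher, that both must be set and must match on the peer, and whether they are mandatory in the same way `security cipher` is marked mandatory. In the `security encrypt` entry, authentication-only is the default, so it is worth saying explicitly that frame contents stay readable on the wire until this command is set; the sample output for macsec0 shows "encrypt off", which is a good place to point that out. In the `source-interface` entry, "interfac" should be "interface", and "Traffic leaving this interfac" should say whether it means the MACsec interface or the physical source interface.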