.. _macsec-interface:

######
MACsec
######

MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in 2006.
It defines a way to establish a protocol-independent connection between two
hosts with data confidentiality, authenticity and/or integrity, using
GCM-AES-128. MACsec operates on the Ethernet layer and as such is a layer 2
protocol, which means it is designed to secure traffic within a layer 2 network,
including DHCP or ARP requests. It does not compete with other security
solutions such as IPsec (layer 3) or TLS (layer 4); each of those solutions
serves its own specific use cases.
Configuration
#############

.. cfgcmd:: set interfaces macsec <interface> security cipher [gcm-aes-128]

   Select the cipher suite used for cryptographic operations. This setting is
   mandatory.

   .. note:: gcm-aes-256 support is planned once the iproute2 package is
      updated to version >=5.2.

.. cfgcmd:: set interfaces macsec <interface> security encrypt

   By default MACsec only provides authentication; encryption is optional. This
   command enables encryption for all outgoing packets.

.. cfgcmd:: set interfaces macsec <interface> source-interface <physical-source>

   A physical interface is required to connect this MACsec instance to. Traffic
   leaving this interface will now be authenticated/encrypted.
Key Management
--------------

.. cfgcmd:: set interfaces macsec <interface> security key cak <key>

   IEEE 802.1X/MACsec pre-shared key mode. This allows MACsec to be configured
   with a pre-shared key using a (CAK, CKN) pair.

.. cfgcmd:: set interfaces macsec <interface> security key ckn <key>

   CAK Name (CKN) for the pre-shared key.
Operation
=========

.. opcmd:: show interfaces macsec

   List all MACsec interfaces.

   .. code-block:: none

     vyos@vyos:~$ show interfaces macsec
     17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
         cipher suite: GCM-AES-128, using ICV length 16
         TXSC: 005056bfefaa0001 on SA 0
     20: macsec0: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
         cipher suite: GCM-AES-128, using ICV length 16
         TXSC: 005056bfefaa0001 on SA 0

.. opcmd:: show interfaces macsec <interface>

   Show specific MACsec interface information.

   .. code-block:: none

     vyos@vyos:~$ show interfaces macsec macsec1
     17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
         cipher suite: GCM-AES-128, using ICV length 16
         TXSC: 005056bfefaa0001 on SA 0
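The operational output above is the natural place to verify that the ``security encrypt`` setting actually took effect. The following is an added example, not part of the VyOS documentation or code base: it parses output in the format of ``show interfaces macsec`` and reports interfaces that run integrity-only (``encrypt off``), do not validate strictly, or have no replay protection. The sample text is constructed from the output shown above; the choice of which flags to audit is this example's own.

```python
import re

# Constructed sample, in the format printed by "show interfaces macsec" above.
SAMPLE_OUTPUT = """\
17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 005056bfefaa0001 on SA 0
20: macsec0: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 005056bfefaa0001 on SA 0
"""

HEADER_RE = re.compile(r"^(\d+): (\S+): (.*)$")
CIPHER_RE = re.compile(r"cipher suite: (\S+), using ICV length (\d+)")


def parse_macsec_show(text):
    """Return {ifname: {"flags": {...}, "cipher": str, "icv_len": int}}."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            tokens = m.group(3).split()
            # The header is a run of "name value" pairs: protect on validate strict ...
            ifaces[current] = {"flags": dict(zip(tokens[0::2], tokens[1::2]))}
            continue
        m = CIPHER_RE.search(line)
        if m and current:
            ifaces[current]["cipher"] = m.group(1)
            ifaces[current]["icv_len"] = int(m.group(2))
    return ifaces


def audit(ifaces):
    """Return {ifname: [issue, ...]} for interfaces with weak settings."""
    findings = {}
    for name, info in ifaces.items():
        flags = info["flags"]
        issues = []
        if flags.get("encrypt") != "on":
            issues.append("encrypt off: frames are authenticated but sent in clear")
        if flags.get("validate") != "strict":
            issues.append("validate not strict: unprotected frames may be accepted")
        if flags.get("replay") != "on":
            issues.append("replay off: no replay window is enforced")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(parse_macsec_show(SAMPLE_OUTPUT)).items():
        print(name, "->", "; ".join(issues))
```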