authorChristian Poessinger <christian@poessinger.com>2020-05-22 11:06:37 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-22 11:06:37 +0200
commit2005b6e98d66756eabd163d047e3ce4b365d4c30 (patch)
tree47000ac0508ace3975f7a1a98416334e167000a3
parent63f9e4c0ab996b44ef88a9df20d552c5fd7f748c (diff)
macsec: T2491: add replay window protection
-rw-r--r--data/templates/macsec/wpa_supplicant.conf.tmpl19
-rw-r--r--interface-definitions/interfaces-macsec.xml.in16
-rwxr-xr-xsrc/conf_mode/interfaces-macsec.py6
3 files changed, 41 insertions, 0 deletions
diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl
index c3a8d9686..a614d23f5 100644
--- a/data/templates/macsec/wpa_supplicant.conf.tmpl
+++ b/data/templates/macsec/wpa_supplicant.conf.tmpl
@@ -63,5 +63,24 @@ network={
# default priority
mka_priority={{ security_mka_priority }}
{% endif %}
+{% if security_replay_window %}
+ # macsec_replay_protect: IEEE 802.1X/MACsec replay protection
+ # This setting applies only when MACsec is in use, i.e.,
+ # - macsec_policy is enabled
+ # - the key server has decided to enable MACsec
+ # 0: Replay protection disabled (default)
+ # 1: Replay protection enabled
+ macsec_replay_protect={{ '1' if security_replay_window else '0' }}
+
+ # macsec_replay_window: IEEE 802.1X/MACsec replay protection window
+ # This determines a window in which replay is tolerated, to allow receipt
+ # of frames that have been misordered by the network.
+ # This setting applies only when MACsec replay protection active, i.e.,
+ # - macsec_replay_protect is enabled
+ # - the key server has decided to enable MACsec
+ # 0: No replay window, strict check (default)
+ # 1..2^32-1: number of packets that could be misordered
+ macsec_replay_window={{ security_replay_window }}
+{% endif %}
}
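Review bot: Inside the `{% if security_replay_window %}` block the expression `{{ '1' if security_replay_window else '0' }}` can only evaluate to `1`, so `macsec_replay_protect=1` states the same thing without implying that a `0` branch is reachable here. The guard also relies on string truthiness: the Python default is the empty string, while a configured value arrives as a non-empty string (presumably `'0'` for `replay-window 0`), so `replay-window 0` turns replay protection on in strict mode rather than leaving it off; that matches the `0: No replay window, strict check` line but is easy to misread, and a one-line template comment such as `# any configured replay-window value (including 0) enables replay protection` would make it explicit. The enclosing `network={` block starts outside the hunk.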
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index 3bd0a6fd5..36605ab59 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -86,6 +86,22 @@
</leafNode>
</children>
</node>
+ <leafNode name="replay-window">
+ <properties>
+ <help>IEEE 802.1X/MACsec replay protection window</help>
+ <valueHelp>
+ <format>0</format>
+ <description>No replay window, strict check</description>
+ </valueHelp>
+ <valueHelp>
+ <format>1-4294967295</format>
+ <description>Number of packets that could be misordered</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295" />
+ </constraint>
+ </properties>
+ </leafNode>
</children>
</node>
#include <include/interface-description.xml.i>
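Review bot: The help text on the new `replay-window` node describes the window size but not that configuring the node is what switches replay protection on at all; with the template change in this commit, `replay-window 0` enables strict replay checking, while leaving the node unset leaves replay protection disabled. Consider `<help>IEEE 802.1X/MACsec replay protection window (configuring this enables replay protection)</help>` and a matching valueHelp wording for `0`, e.g. `<description>Replay protection enabled with no window (strict check)</description>`, so the operator-visible documentation agrees with the generated wpa_supplicant settings.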
diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 690c9b745..7d6f238f3 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -39,6 +39,7 @@ default_config_data = {
'security_mka_cak': '',
'security_mka_ckn': '',
'security_mka_priority': '255',
+ 'security_replay_window': '',
'intf': '',
'source_interface': '',
'is_bridge_member': False,
@@ -112,6 +113,11 @@ def get_config():
macsec['security_mka_priority'] = conf.return_value(
['security', 'mka', 'priority'])
+ # IEEE 802.1X/MACsec replay protection
+ if conf.exists(['security', 'replay-window']):
+ macsec['security_replay_window'] = conf.return_value(
+ ['security', 'replay-window'])
+
# Physical interface
if conf.exists(['source-interface']):
macsec['source_interface'] = conf.return_value(['source-interface'])
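Review bot: The new `security_replay_window` entry is filled with whatever `conf.return_value` returns and is consumed by the template only through its truthiness, so the distinction between "not configured" (the `''` default added in the earlier hunk of this file) and "strict check" (`replay-window 0`) rests on the configured value being a non-empty string; a comment above the `if` makes that contract explicit, e.g. `# '' = not configured (replay protection off); any configured value, including '0' (strict check), enables replay protection in the template`. If the value could ever arrive as an int rather than a string, `0` would be treated as unset, so that assumption is worth stating. get_config continues outside the hunk.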