From 04d03f5bdd262bbf95f09e6ba3f211ab1d459573 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 21 May 2020 10:43:44 +0200 Subject: macsec: T2023: add optional encryption command By default MACsec only authenticates traffic but has support for optional encryption. Encryption can now be enabled using: set interfaces macsec encrypt --- interface-definitions/interfaces-macsec.xml.in | 6 ++++++ python/vyos/ifconfig/macsec.py | 7 ++++++- src/conf_mode/interfaces-macsec.py | 14 ++++++++++---- 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index 79837dfb5..13448e758 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -36,6 +36,12 @@ + + + Enable optional MACsec encryption + + + #include #include #include diff --git a/python/vyos/ifconfig/macsec.py b/python/vyos/ifconfig/macsec.py index cea3f8d13..1829df4ab 100644 --- a/python/vyos/ifconfig/macsec.py +++ b/python/vyos/ifconfig/macsec.py @@ -50,12 +50,17 @@ class MACsecIf(Interface): """ # create tunnel interface cmd = 'ip link add link {source_interface} {ifname} type {type}' - cmd += ' cipher {cipher} encrypt on' + cmd += ' cipher {cipher}' self._cmd(cmd.format(**self.config)) # interface is always A/D down. It needs to be enabled explicitly self.set_admin_state('down') + def set_encryption(self, on_off): + ifname = self.config['ifname'] + cmd = f'ip link set {ifname} type macsec encrypt {on_off}' + return self._cmd(cmd) + @staticmethod def get_config(): """ diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index db605295e..fcf23ed0f 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -33,6 +33,7 @@ default_config_data = { 'deleted': False, 'description': '', 'disable': False, + 'encrypt': 'off', 'intf': '', 'source_interface': '', 'is_bridge_member': False, 
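Review bot: `set_encryption` in python/vyos/ifconfig/macsec.py interpolates `on_off` straight into the `ip link set ... type macsec encrypt` command with no docstring and no check that it is one of the two values the kernel accepts, so a caller passing anything else only finds out from the `ip` failure at apply time. A guard before the f-string such as `if on_off not in ('on', 'off'): raise ValueError(f'encrypt must be on or off, got {on_off!r}')`, plus a one-line docstring naming the accepted values, makes the contract explicit at the class boundary instead of relying on conf_mode to always pass 'on'/'off'. Removing the hard-coded `encrypt on` from `_create` also means a freshly created interface starts in the kernel default, authentication-only state until `set_encryption` runs; because `_create` leaves it admin-down that is acceptable, provided every caller sets encryption before bringing the interface up. The body of `_create` starts outside the hunk.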
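Review bot: The new default `'encrypt': 'off'` in src/conf_mode/interfaces-macsec.py changes behaviour for every existing MACsec interface, because before this commit `_create` in python/vyos/ifconfig/macsec.py passed `encrypt on` unconditionally; a configuration saved without the new `encrypt` node comes back after upgrade with integrity protection only and no warning. Either keep the previous effective default, or ship a migration script that adds `encrypt` to existing macsec interfaces, and in any case state the downgrade explicitly in the commit message, which currently reads as if the prior behaviour were already authentication-only. The `default_config_data` dict continues past the hunk.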
@@ -76,6 +77,10 @@ def get_config():
 if conf.exists('disable'):
 macsec['disable'] = True
+ # Enable optional MACsec encryption
+ if conf.exists('encrypt'):
+ macsec['encrypt'] = 'on'
+
 # Physical interface
 if conf.exists(['source-interface']):
 macsec['source_interface'] = conf.return_value(['source-interface'])
@@ -143,6 +148,9 @@ def apply(macsec):
 # that the interface will only be create if its non existent
 i = MACsecIf(macsec['intf'], **conf)
+ # Configure optional encryption
+ i.set_encryption(macsec['encrypt'])
+
 # update interface description used e.g. within SNMP
 i.set_alias(macsec['description'])
@@ -159,10 +167,8 @@ def apply(macsec):
 if not macsec['is_bridge_member']:
 i.set_vrf(macsec['vrf'])
- # disable interface on demand
- if macsec['disable']:
- i.set_admin_state('down')
- else:
+ # Interface is administratively down by default, enable if desired
+ if not macsec['disable']:
 i.set_admin_state('up')
 return None
-- cgit v1.2.3
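Review bot: Dropping the `i.set_admin_state('down')` branch in the last hunk of `apply` leaves `disable` without effect on an interface that already exists: the comment above the `MACsecIf(...)` call in the preceding hunk says the constructor only creates the interface when it is not present, and "administratively down by default" in the new comment holds only on that creation path, so a running interface that later gets `disable` set stays up. Restoring the explicit down path, e.g. `i.set_admin_state('down' if macsec['disable'] else 'up')`, keeps the commit's intent for new interfaces while covering the reconfigure case. This is inferred from that comment rather than from the constructor itself, which is not visible here. `apply` begins before the hunk.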