mirror of
https://github.com/vyos/vyos-documentation.git
synced 2025-10-26 08:41:46 +01:00
78 lines
2.5 KiB
ReStructuredText
78 lines
2.5 KiB
ReStructuredText
.. _macsec-interface:
|
|
|
|
######
|
|
MACsec
|
|
######
|
|
|
|
MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in 2006.
|
|
It defines a way to establish a protocol independent connection between two
|
|
hosts with data confidentiality, authenticity and/or integrity, using
|
|
GCM-AES-128. MACsec operates on the Ethernet layer and as such is a layer 2
|
|
protocol, which means it's designed to secure traffic within a layer 2 network,
|
|
including DHCP or ARP requests. It does not compete with other security
|
|
solutions such as IPsec (layer 3) or TLS (layer 4), as all those solutions are
|
|
used for their own specific use cases.
|
|
|
|
Configuration
|
|
#############
|
|
|
|
.. cfgcmd:: set interfaces macsec <interface> security cipher [gcm-aes-128]
|
|
|
|
Select cipher suite used for cryptographic operations. This setting is
|
|
mandatory.
|
|
|
|
.. note:: gcm-aes-256 support planned once iproute2 package is updated to
|
|
version >=5.2.
|
|
|
|
.. cfgcmd:: set interfaces macsec <interface> security encrypt
|
|
|
|
MACsec only provides authentication by default, encryption is optional. This
|
|
command will enable encryption for all outgoing packets.
|
|
|
|
.. cfgcmd:: set interfaces macsec <interface> source-interface <physical-source>
|
|
|
|
A physical interface is required to connect this MACsec instance to. Traffic
|
|
leaving this interfac will now be authenticated/encrypted.
|
|
|
|
|
|
Key Management
|
|
--------------
|
|
|
|
.. cfgcmd:: set interfaces macsec <interface> security key cak <key>
|
|
|
|
IEEE 802.1X/MACsec pre-shared key mode. This allows to configure MACsec with
|
|
a pre-shared key using a (CAK,CKN) pair.
|
|
|
|
.. cfgcmd:: set interfaces macsec <interface> security key ckn <key>
|
|
|
|
CAK Name
|
|
|
|
Operation
|
|
=========
|
|
|
|
.. opcmd:: show interfaces macsec
|
|
|
|
List all MACsec interfaces
|
|
|
|
.. code-block:: none
|
|
|
|
vyos@vyos:~$ show interfaces macsec
|
|
17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
|
|
cipher suite: GCM-AES-128, using ICV length 16
|
|
TXSC: 005056bfefaa0001 on SA 0
|
|
20: macsec0: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
|
|
cipher suite: GCM-AES-128, using ICV length 16
|
|
TXSC: 005056bfefaa0001 on SA 0
|
|
|
|
.. opcmd:: show interfaces macsec <interface>
|
|
|
|
Show specific MACsec interface information
|
|
|
|
.. code-block:: none
|
|
|
|
vyos@vyos:~$ show interfaces macsec macsec1
|
|
17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
|
|
cipher suite: GCM-AES-128, using ICV length 16
|
|
TXSC: 005056bfefaa0001 on SA 0
|
|
|