networkd: Introduce MACsec #12184
Superficially good. But not tested. I've commented several minor points.
I will test this later.
Updated, thanks for the review @yuwata
Keys could be seen as secrets that should not be accessible to unprivileged users, so later it would be nice to add a way to use a key file (preferably in such a format that it can be shared with all hosts in the network). The administrator could chmod the netdev file to 0700, but the contents would still be visible to unprivileged users with
Please also wrap the long lines to make it easier to review in GitHub.
@poettering Please take a look.
yes taken.
@ssahani So, as usual, can I continue your work? Or are you still working on this? I'd like to implement Anyway, I will start to test this PR tomorrow, about 10h later :-)
If you are interested, please do it. I like this mixed contribution. Feels like a team.
This work introduces MACsec to networkd.

Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.

11-macsec.netdev
```
[NetDev]
Name=macsec-test
Kind=macsec

[MACsec]
Port=11

[MACsecReceiveAssociation]
Port=1234
MACAddress=c6:19:52:8f:e6:a0
PacketNumber=1
KeyId=00
Key=82828282828282828282828282828282

[MACsecReceiveChannel]
Port=1234
MACAddress=c6:19:52:8f:e6:a0

[MACsecTransmitAssociation]
PacketNumber=1024
KeyId=01
Key=81818181818181818181818181818181
```

closes systemd#5754

aaa
@yuwata I have addressed what was remaining. Please take it from here. Thanks. I am going to work on tc now.
OK, I will start to test this PR from this state.
I've opened #12222, which contains a revised version of this PR. Let's close this.
This work introduces MACsec to networkd.
Media Access Control Security (MACsec) is an 802.1AE IEEE
industry-standard security technology that provides secure
communication for all traffic on Ethernet links.
MACsec provides point-to-point security on Ethernet links between
directly connected nodes and is capable of identifying and preventing
most security threats, including denial of service, intrusion,
man-in-the-middle, masquerading, passive wiretapping, and playback attacks.
11-macsec.netdev
closes #5754
Please see https://developers.redhat.com/blog/2016/10/14/macsec-a-different-solution-to-encrypt-network-traffic/
https://www.linux.org/docs/man8/ip-macsec.html
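
The review thread raises the concern that `Key=` values in a `.netdev` file are secrets. As an added example (not code from this PR or from systemd), the following audit lists `.netdev` files that carry an inline MACsec key and are readable by group or other. It checks only the on-disk mode bits, not any other way the contents might be exposed; the function names and the all-zero sample key are constructed for illustration.

```python
import os
import stat
import tempfile

# Section names taken from the 11-macsec.netdev example in this PR.
KEY_SECTIONS = {"MACsecReceiveAssociation", "MACsecTransmitAssociation"}

def inline_key_sections(text):
    """Return the names of association sections that carry an inline Key=."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]  # sections may repeat, so track the current one
        elif section in KEY_SECTIONS and "=" in line:
            name, value = line.split("=", 1)
            if name.strip() == "Key" and value.strip():
                found.append(section)
    return found

def audit_netdev_dir(directory):
    """List (path, mode, sections) for .netdev files whose inline MACsec keys
    are readable by group or other according to the file mode bits."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if not entry.endswith(".netdev") or not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            sections = inline_key_sections(fh.read())
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if sections and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((path, oct(mode), sections))
    return findings

# Constructed sample: shortened form of the PR's example with a placeholder key.
SAMPLE = ("[NetDev]\nName=macsec-test\nKind=macsec\n\n"
          "[MACsecTransmitAssociation]\nKeyId=01\nKey=" + "0" * 32 + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "11-macsec.netdev")
        with open(p, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(p, 0o644)
        print(audit_netdev_dir(d))  # one finding: world-readable inline key
```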