networkd: Introduce MACsec #12184

ssahani · 2019-04-02T08:55:44Z

This work introduces MACsec to networkd.

Media Access Control Security (MACsec) is an 802.1AE IEEE
industry-standard security technology that provides secure
communication for all traffic on Ethernet links.
MACsec provides point-to-point security on Ethernet links between
directly connected nodes and is capable of identifying and preventing
most security threats, including denial of service, intrusion,
man-in-the-middle, masquerading, passive wiretapping, and playback attacks.

11-macsec.netdev

File Edit Options Buffers Tools Help                                                                                                                                                          
[NetDev]
Name=macsec-test
Kind=macsec

[MACsec]
Port=11


[MACsecReceiveChannel]
Port=1234
MACAddress=c6:19:52:8f:e6:a0

[MACsecReceiveChannel]
Port=21
MACAddress=8c:16:45:6c:83:a9

[MACsecTransmitAssociation]
PacketNumber=1024
KeyId=01
Key=81818181818181818181818181818181

[MACsecReceiveAssociation]
Port=1234
MACAddress=c6:19:52:8f:e6:a0
PacketNumber=1
KeyId=00
Key=82828282828282828282828282828282

closes #5754

Please see https://developers.redhat.com/blog/2016/10/14/macsec-a-different-solution-to-encrypt-network-traffic/

https://www.linux.org/docs/man8/ip-macsec.html

yuwata

Superficially good. But not tested. I've commented several minor points.

I will test this later.

src/network/netdev/macsec.c

src/network/netdev/netdev-gperf.gperf

ssahani · 2019-04-03T03:58:02Z

Updated thanks for the review @yuwata

man/systemd.netdev.xml

src/libsystemd/sd-netlink/netlink-types.c

src/network/netdev/netdev.c

src/basic/parse-util.c

man/systemd.netdev.xml

src/basic/parse-util.c

man/systemd.netdev.xml

topimiettinen · 2019-04-03T07:28:29Z

Keys could be seen as secrets that should not be accessible to unprivileged users, so later it would be nice to add a way to use a key file (preferably in such a format that it can be shared with all hosts in the network). The administrator could chmod the netdev file to 0700, but the contents would still be visible to unprivileged users with systemctl show.

topimiettinen · 2019-04-03T07:29:36Z

Please also wrap the long lines to make it easier to review in GitHub.

ssahani · 2019-04-03T08:58:44Z

@poettering Please take a look.

ssahani · 2019-04-03T08:59:32Z

Keys could be seen as secrets that should not be accessible to unprivileged users, so later it would be nice to add a way to use a key file (preferably in such a format that it can be shared with all hosts in the network). The administrator could chmod the netdev file to 0700, but the contents would still be visible to unprivileged users with systemctl show.

yes taken.

man/systemd.netdev.xml

src/network/netdev/macsec.c

src/network/netdev/macsec.h

src/network/netdev/macsec.c

yuwata · 2019-04-03T14:59:55Z

@ssahani So, as usual, can I continue your work? Or are you still working on this? I'd like to implement KeyFile= to hide key from .netdev files, as similar to WireGuard.PrivateKeyFile=. And I'd like to add testcases for this.

Anyway, I will start to test this PR tomorrow, about 10h later :-)

ssahani · 2019-04-03T15:23:46Z

If you interested please do it. I like this mixed contribution. Feels like a team.

This work introduces MACsec to networkd. Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. 11-macsec.netdev ``` [NetDev] Name=macsec-test Kind=macsec [MACsec] Port=11 [MACsecReceiveAssociation] Port=1234 MACAddress=c6:19:52:8f:e6:a0 PacketNumber=1 KeyId=00 Key=82828282828282828282828282828282 [MACsecReceiveChannel] Port=1234 MACAddress=c6:19:52:8f:e6:a0 [MACsecTransmitAssociation] PacketNumber=1024 KeyId=01 Key=81818181818181818181818181818181 ``` closes systemd#5754 aaa

ssahani · 2019-04-04T05:30:18Z

@yuwata I have addressed what were remaining. Please take it from here. thanks. I am going to work on tc now.

yuwata · 2019-04-04T05:34:17Z

OK, I will start to test this PR from this state.

yuwata · 2019-04-05T07:29:22Z

I've opened #12222, which contains a revised version of this PR. Let's close this.

ssahani force-pushed the macsec branch 3 times, most recently from 3da50ac to 91b27c3 Compare April 2, 2019 11:51

ssahani changed the title ~~networkd: Introduce MACsec (WIP)~~ networkd: Introduce MACsec Apr 2, 2019

ssahani force-pushed the macsec branch 2 times, most recently from 077a991 to 19196a5 Compare April 2, 2019 13:31

yuwata added network new-feature labels Apr 2, 2019

yuwata requested changes Apr 2, 2019

View reviewed changes

yuwata added the reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks label Apr 2, 2019

ssahani force-pushed the macsec branch from 19196a5 to ab6002e Compare April 3, 2019 03:57

ssahani force-pushed the macsec branch from ab6002e to 63e3965 Compare April 3, 2019 04:14