MACsec
MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in 2006. It defines a way to establish a protocol independent connection between two hosts with data confidentiality, authenticity and/or integrity, using GCM-AES-128. MACsec operates on the Ethernet layer and as such is a layer 2 protocol, which means it’s designed to secure traffic within a layer 2 network, including DHCP or ARP requests. It does not compete with other security solutions such as IPsec (layer 3) or TLS (layer 4), as all those solutions are used for their own specific use cases.
Configuration
Common interface configuration
Configure interface <interface> with one or more interface addresses.
address can be specified multiple times as IPv4 and/or IPv6 address, e.g. 192.0.2.1/24 and/or 2001:db8::1/64
dhcp interface address is received by DHCP from a DHCP server on this segment.
dhcpv6 interface address is received by DHCPv6 from a DHCPv6 server on this segment.
Note
When using DHCP to retrieve IPv4 address and if local customizations are needed, they should be possible using the enter and exit hooks provided. The hook dirs are:
/config/scripts/dhcp-client/pre-hooks.d//config/scripts/dhcp-client/post-hooks.d/
Example:
set interfaces macsec macsec0 address 192.0.2.1/24
set interfaces macsec macsec0 address 2001:db8::1/64
set interfaces macsec macsec0 address dhcp
set interfaces macsec macsec0 address dhcpv6
Set a human readable, descriptive alias for this connection. Alias is used by
e.g. the show interfaces command or SNMP based monitoring tools.
Example:
set interfaces macsec macsec0 description 'This is an awesome interface running on VyOS'
Disable given <interface>. It will be placed in administratively down
(A/D) state.
Example:
set interfaces macsec macsec0 disable
Ethernet flow control is a mechanism for temporarily stopping the transmission of data on Ethernet family computer networks. The goal of this mechanism is to ensure zero packet loss in the presence of network congestion.
The first flow control mechanism, the pause frame, was defined by the IEEE 802.3x standard.
A sending station (computer or network switch) may be transmitting data faster than the other end of the link can accept it. Using flow control, the receiving station can signal the sender requesting suspension of transmissions until the receiver catches up.
Use this command to disable the generation of Ethernet flow control (pause frames).
Example:
set interfaces macsec macsec0 disable-flow-control
Use this command to direct an interface to not detect any physical state changes on a link, for example, when the cable is unplugged.
Default is to detects physical link state changes.
Example:
set interfaces macsec macsec0 disable-link-detect
Configure user defined MAC address on given <interface>.
Example:
set interfaces macsec macsec0 mac '00:01:02:03:04:05'
Configure MTU on given <interface>. It is the size (in bytes) of the largest ethernet frame sent on this link.
Example:
set interfaces macsec macsec0 mtu 1600
As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.
Note
This command was introduced in VyOS 1.4 - it was previously called:
set firewall options interface <name> adjust-mss <value>
Hint
MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in 1452 bytes on a 1492 byte MTU.
Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.
Once a neighbor has been found, the entry is considered to be valid for at least for this specific time. An entry’s validity will be extended if it receives positive feedback from higher level protocols.
This defaults to 30 seconds.
Example:
set interfaces macsec macsec0 ip arp-cache-timeout 180
If set the kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems.
If not set (default) allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP’d IP out that interface (therefore you must use source based routing for this to work).
In other words it allows control of which cards (usually 1) will respond to an arp request.
Example:
set interfaces macsec macsec0 ip disable-arp-filter
Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.
set interfaces macsec macsec0 ip disable-forwarding
Define different modes for IP directed broadcast forwarding as described in RFC 1812 and RFC 2644.
If configured, incoming IP directed broadcast packets on this interface will be forwarded.
If this option is unset (default), incoming IP directed broadcast packets will not be forwarded.
set interfaces macsec macsec0 ip enable-directed-broadcast
Define behavior for gratuitous ARP frames who’s IP is not already present in the ARP table. If configured create new entries in the ARP table.
Both replies and requests type gratuitous arp will trigger the ARP table to be updated, if this setting is on.
If the ARP table already contains the IP address of the gratuitous arp frame, the arp table will be updated regardless if this setting is on or off.
set interfaces macsec macsec0 ip enable-arp-accept
Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface.
Use any local address, configured on any interface if this is not set.
If configured, try to avoid local addresses that are not in the target’s subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2.
set interfaces macsec macsec0 ip enable-arp-announce
Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:
If configured, reply only if the target IP address is local address configured on the incoming interface.
If this option is unset (default), reply for any local target IP address, configured on any interface.
set interfaces macsec macsec0 ip enable-arp-ignore
Use this command to enable proxy Address Resolution Protocol (ARP) on this interface. Proxy ARP allows an Ethernet interface to respond with its own MAC address to ARP requests for destination IP addresses on subnets attached to other interfaces on the system. Subsequent packets sent to those destination IP addresses are forwarded appropriately by the system.
Example:
set interfaces macsec macsec0 ip enable-proxy-arp
Private VLAN proxy arp. Basically allow proxy arp replies back to the same interface (from which the ARP request/solicitation was received).
This is done to support (ethernet) switch features, like RFC 3069, where the individual ports are NOT allowed to communicate with each other, but they are allowed to talk to the upstream router. As described in RFC 3069, it is possible to allow these hosts to communicate through the upstream router by proxy_arp’ing.
Note
Does not need to be used together with proxy_arp.
This technology is known by different names:
In RFC 3069 it is called VLAN Aggregation
Cisco and Allied Telesyn call it Private VLAN
Hewlett-Packard call it Source-Port filtering or port-isolation
Ericsson call it MAC-Forced Forwarding (RFC Draft)
Enable policy for source validation by reversed path, as specified in RFC 3704. Current recommended practice in RFC 3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.
strict: Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
loose: Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.
disable: No source validation
SLAAC RFC 4862. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.
Note
This method automatically disables IPv6 traffic forwarding on the interface in question.
Example:
set interfaces macsec macsec0 ipv6 address autoconf
EUI-64 as specified in RFC 4291 allows a host to assign iteslf a unique 64-Bit IPv6 address.
Example:
set interfaces macsec macsec0 ipv6 address eui64 2001:db8:beef::/64
Do not assign a link-local IPv6 address to this interface.
Example:
set interfaces macsec macsec0 ipv6 address no-default-link-local
Configure interface-specific Host/Router behaviour. If set, the interface will switch to host mode and IPv6 forwarding will be disabled on this interface.
Example:
set interfaces macsec macsec0 ipv6 disable-forwarding
As Internet wide PMTU discovery rarely works, we sometimes need to clamp our TCP MSS value to a specific value. This is a field in the TCP options part of a SYN packet. By setting the MSS value, you are telling the remote side unequivocally ‘do not try to send me packets bigger than this value’.
Note
This command was introduced in VyOS 1.4 - it was previously called:
set firewall options interface <name> adjust-mss6 <value>
Hint
MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in 1432 bytes on a 1492 byte MTU.
Instead of a numerical MSS value clamp-mss-to-pmtu can be used to automatically set the proper value.
Whether to accept DAD (Duplicate Address Detection).
0: Disable DAD
1: Enable DAD (default)
2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found.
Example:
set interfaces macsec macsec0 ipv6 accept-dad 2
The amount of Duplicate Address Detection probes to send.
Default: 1
Example:
set interfaces macsec macsec0 ipv6 dup-addr-detect-transmits 5
Place interface in given VRF instance.
See also
There is an entire chapter about how to configure a VRF, please check this for additional information.
Example:
set interfaces macsec macsec0 vrf red
DHCP(v6)
RFC 2131 states: The client MAY choose to explicitly provide the identifier through the ‘client identifier’ option. If the client supplies a ‘client identifier’, the client MUST use the same ‘client identifier’ in all subsequent messages, and the server MUST use that identifier to identify the client.
Example:
set interfaces macsec macsec0 dhcp-options client-id 'foo-bar'
Instead of sending the real system hostname to the DHCP server, overwrite the host-name with this given-value.
Example:
set interfaces macsec macsec0 dhcp-options host-name 'VyOS'
This option is used by some DHCP clients to identify the vendor type and possibly the configuration of a DHCP client. The information is a string of bytes whose contents are specific to the vendor and are not specified in a standard.
The vendor-class-id option can be used to request a specific class of vendor options from the server.
Example:
set interfaces macsec macsec0 dhcp-options vendor-class-id 'VyOS'
Only request an address from the DHCP server but do not request a default gateway.
Example:
set interfaces macsec macsec0 dhcp-options no-default-route
Set the distance for the default gateway sent by the DHCP server.
Example:
set interfaces macsec macsec0 dhcp-options default-route-distance 220
Reject DHCP leases from a given address or range. This is useful when a modem gives a local IP when first starting.
address can be specified multiple times, e.g. 192.168.100.1 and/or 192.168.100.0/24
Example:
set interfaces macsec macsec0 dhcp-options reject 192.168.100.0/24
This option is used by some DHCP clients as a way for users to specify identifying information to the client. This can be used in a similar way to the vendor-class-identifier option, but the value of the option is specified by the user, not the vendor.
Example:
set interfaces macsec macsec0 dhcp-options user-class VyOS
The DHCP unique identifier (DUID) is used by a client to get an IP address from a DHCPv6 server. It has a 2-byte DUID type field, and a variable-length identifier field up to 128 bytes. Its actual length depends on its type. The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client.
set interfaces macsec macsec0 duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'
When no-release is specified, dhcp6c will send a release message on client exit to prevent losing an assigned address or prefix.
set interfaces macsec macsec0 dhcpv6-options no-release
This statement specifies dhcp6c to only exchange informational configuration parameters with servers. A list of DNS server addresses is an example of such parameters. This statement is useful when the client does not need stateful configuration parameters such as IPv6 addresses or prefixes.
set interfaces macsec macsec0 dhcpv6-options parameters-only
When rapid-commit is specified, dhcp6c will include a rapid-commit option in solicit messages and wait for an immediate reply instead of advertisements.
set interfaces macsec macsec0 dhcpv6-options rapid-commit
Request only a temporary address and not form an IA_NA (Identity Association for Non-temporary Addresses) partnership.
set interfaces macsec macsec0 dhcpv6-options temporary
DHCPv6 Prefix Delegation (PD)
VyOS 1.3 (equuleus) supports DHCPv6-PD (RFC 3633). DHCPv6 Prefix Delegation is supported by most ISPs who provide native IPv6 for consumers on fixed networks.
Some ISPs by default only delegate a /64 prefix. To request for a specific prefix size use this option to request for a bigger delegation for this pd <id>. This value is in the range from 32 - 64 so you could request up to a /32 prefix (if your ISP allows this) down to a /64 delegation.
The default value corresponds to 64.
To request a /56 prefix from your ISP use:
set interfaces macsec macsec0 dhcpv6-options pd 0 length 56
Specify the interface address used locally on the interface where the prefix has been delegated to. ID must be a decimal integer.
It will be combined with the delegated prefix and the sla-id to form a complete interface address. The default is to use the EUI-64 address of the interface.
Example: Delegate a /64 prefix to interface eth8 which will use a local
address on this router of <prefix>::ffff, as the address 65534 will
correspond to ffff in hexadecimal notation.
set interfaces macsec macsec0 dhcpv6-options pd 0 interface eth8 address 65534
Specify the identifier value of the site-level aggregator (SLA) on the interface. ID must be a decimal number greater then 0 which fits in the length of SLA IDs (see below).
Example: If ID is 1 and the client is delegated an IPv6 prefix 2001:db8:ffff::/48, dhcp6c will combine the two values into a single IPv6 prefix, 2001:db8:ffff:1::/64, and will configure the prefix on the specified interface.
set interfaces macsec macsec0 dhcpv6-options pd 0 interface eth8 sla-id 1
MACsec options
Select cipher suite used for cryptographic operations. This setting is mandatory.
MACsec only provides authentication by default, encryption is optional. This command will enable encryption for all outgoing packets.
A physical interface is required to connect this MACsec instance to. Traffic leaving this interface will now be authenticated/encrypted.
Static Keys
Static SAK mode can be configured manually on each device wishing to use MACsec. Keys must be set statically on all devices for traffic to flow properly. Key rotation is dependent on the administrator updating all keys manually across connected devices. Static SAK mode can not be used with MKA.
Set the device’s transmit (TX) key. This key must be a hex string that is 16-bytes (GCM-AES-128) or 32-bytes (GCM-AES-256).
Set the peer’s MAC address
Set the peer’s key used to receive (RX) traffic
Key Management
MKA is used to synchronize keys between individual peers.
IEEE 802.1X/MACsec pre-shared key mode. This allows configuring MACsec with a pre-shared key using a CAK and CKN pair.
Replay protection
IEEE 802.1X/MACsec replay protection window. This determines a window in which replay is tolerated, to allow receipt of frames that have been misordered by the network.
0: No replay window, strict check1-4294967295: Number of packets that could be misordered
Operation
Generate MKA CAK key 128 or 256 bits.
vyos@vyos:~$ generate macsec mka cak gcm-aes-128
20693b6e08bfa482703a563898c9e3ad
Generate MKA CAK key.
vyos@vyos:~$ generate macsec mka ckn
88737efef314ee319b2cbf30210a5f164957d884672c143aefdc0f5f6bc49eb2
List all MACsec interfaces.
vyos@vyos:~$ show interfaces macsec
17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bfefaa0001 on SA 0
20: macsec0: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bfefaa0001 on SA 0
Show specific MACsec interface information
vyos@vyos:~$ show interfaces macsec macsec1
17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bfefaa0001 on SA 0
Examples
Two routers connected both via eth1 through an untrusted switch
R1 has 192.0.2.1/24 & 2001:db8::1/64
R2 has 192.0.2.2/24 & 2001:db8::2/64
R1
set interfaces macsec macsec1 address '192.0.2.1/24'
set interfaces macsec macsec1 address '2001:db8::1/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec1 security mka ckn '40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836'
set interfaces macsec macsec1 source-interface 'eth1'
R2
set interfaces macsec macsec1 address '192.0.2.2/24'
set interfaces macsec macsec1 address '2001:db8::2/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec1 security mka ckn '40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836'
set interfaces macsec macsec1 source-interface 'eth1'
Pinging (IPv6) the other host and intercepting the traffic in eth1 will
show you the content is encrypted.
17:35:44.586668 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5), length 150:
0x0000: 2c00 0000 000a 0050 56bf efaa 0001 d9fb ,......PV.......
0x0010: 920a 8b8d 68ed 9609 29dd e767 25a4 4466 ....h...)..g%.Df
0x0020: 5293 487b 9990 8517 3b15 22c7 ea5c ac83 R.H{....;."..\..
0x0030: 4c6e 13cf 0743 f917 2c4e 694e 87d1 0f09 Ln...C..,NiN....
0x0040: 0f77 5d53 ed75 cfe1 54df 0e5a c766 93cb .w]S.u..T..Z.f..
0x0050: c4f2 6e23 f200 6dfe 3216 c858 dcaa a73b ..n#..m.2..X...;
0x0060: 4dd1 9358 d9e4 ed0e 072f 1acc 31c4 f669 M..X...../..1..i
0x0070: e93a 9f38 8a62 17c6 2857 6ac5 ec11 8b0e .:.8.b..(Wj.....
0x0080: 6b30 92a5 7ccc 720b k0..|.r.
Disabling the encryption on the link by removing security encrypt will show
the unencrypted but authenticated content.
17:37:00.746155 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5), length 150:
0x0000: 2000 0000 0009 0050 56bf efaa 0001 86dd .......PV.......
0x0010: 6009 86f3 0040 3a40 2001 0db8 0000 0000 `....@:@........
0x0020: 0000 0000 0000 0001 2001 0db8 0000 0000 ................
0x0030: 0000 0000 0000 0002 8100 d977 0f30 0003 ...........w.0..
0x0040: 1ca0 c65e 0000 0000 8d93 0b00 0000 0000 ...^............
0x0050: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
0x0060: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f .!"#$%&'()*+,-./
0x0070: 3031 3233 3435 3637 87d5 eed3 3a39 d52b 01234567....:9.+
0x0080: a282 c842 5254 ef28 ...BRT.(
R1 Static Key
set interfaces macsec macsec1 address '192.0.2.1/24'
set interfaces macsec macsec1 address '2001:db8::1/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:02
set interfaces macsec macsec1 security static peer R2 key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
set interfaces macsec macsec1 source-interface 'eth1'
R2 Static Key
set interfaces macsec macsec1 address '192.0.2.2/24'
set interfaces macsec macsec1 address '2001:db8::2/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01
set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
set interfaces macsec macsec1 source-interface 'eth1'