Re: Question on wpa_supplicant setup for MKA

Hi Jaap,

2017-03-18, 23:54:03 +0100, Jaap Keuter wrote:
> Hi list,
> 
> To study MACsec and MKA I've been experimenting with a setup using the Linux
> kernel, the macsec kernel module and wpa_supplicant. So far I've managed to
> establish SA's between statically configured MACsec instances, so that works,
> and now I'm working on getting wpa_supplicant set up to handle MKA (with CAK/CKN).
> 
> The problem is that, working with the Linux macsec driver
> (CONFIG_DRIVER_MACSEC_LINUX=y), I'm not getting the result I expect.
> First I use a 'normal' wired interface (eth0). When I run wpa_supplicant on that
> interface the MKPDU's don't make it out to the network.

I guess that's where your problems come from. How do you check that
the MKPDU's don't make it out? The receiving interface doesn't get
them?


[bit of reordering]
> PPS: I'm using 'normal' wired interfaces, as in I use virtual Ethernet (veth)
> interfaces to connect into two network namespaces where all the macsec and
> wpa_supplicant instances live. These are connected to a (transparent) bridge.

You're using the Linux kernel "bridge" module then? It blocks these
frames by default, until you run this:

    echo 8 > /sys/devices/virtual/net/$BRIF/bridge/group_fwd_mask

Or that, which should be equivalent:

    ip link set $BRIF type bridge group_fwd_mask 0x8


This is, sadly, not documented much :(


> Then I stack a macsec
> instance on top of eth0 (macsec0@eth0) and run wpa_supplicant on that interface.
> Now I'm getting an additional macsec instance on top of mine (macsec1@macsec0).

Yeah, that's the expected behavior. MACsec uses another device on top
of your link (like for VLANs), so wpa_supplicant will create it for
you if it doesn't exist yet. If you tell wpa_supplicant to use macsec0
as device, it will try to do macsec over macsec, I'm pretty sure
that's not what you want ;)

> But without SA's on macsec0 that doesn't work either.
> 
> So the question is: how should wpa_supplicant be configured and started to make
> this work? If you need more details, please don't hesitate to ask.

I use this mka.conf file:

    eapol_version=3
    ap_scan=0
    fast_reauth=1
    
    network={
            key_mgmt=NONE
            mka_cak=<16B CAK>
            mka_ckn=<32B CKN>
            eapol_flags=0
            macsec_policy=1
    }


And run wpa_supplicant this way:

    ./wpa_supplicant -i eth0 -Dmacsec_linux -c mka.conf


-- 
Sabrina

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
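
An added example, not part of the original message: a POSIX shell helper that checks whether a bridge forwards the 01:80:C2:00:00:03 group address that EAPOL/MKA frames are sent to (bit 3, value 0x8, of `group_fwd_mask`), and computes a mask that adds that bit without clearing bits already set. The function names and the `SYSFS_ROOT` override are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Linux bridge's group_fwd_mask for EAPOL/MKA forwarding.
# Bit N of the mask controls frames sent to 01:80:C2:00:00:0N; EAPOL frames
# (MKPDUs included) go to the PAE group address 01:80:C2:00:00:03, i.e. bit 3.
EAPOL_BIT=8

# SYSFS_ROOT is an assumption of this example, so the functions can be pointed
# at a constructed directory tree; on a real host it is /sys.
SYSFS_ROOT=${SYSFS_ROOT:-/sys}

# Print the current mask of bridge $1 as a decimal number (sysfs shows hex).
read_mask() {
    f="$SYSFS_ROOT/devices/virtual/net/$1/bridge/group_fwd_mask"
    [ -r "$f" ] || { echo "not a bridge or not readable: $f" >&2; return 2; }
    raw=$(cat "$f")
    [ -n "$raw" ] || { echo "empty value in $f" >&2; return 2; }
    # printf parses 0x-prefixed input and fails on anything non-numeric.
    dec=$(printf '%d' "$raw" 2>/dev/null) || { echo "bad value: $raw" >&2; return 2; }
    echo "$dec"
}

# Exit 0 if bridge $1 forwards EAPOL frames, 1 if it blocks them, 2 on error.
eapol_forwarded() {
    m=$(read_mask "$1") || return 2
    [ $(( m & EAPOL_BIT )) -ne 0 ]
}

# Print a mask for bridge $1 that adds the EAPOL bit and keeps every bit
# already set; writing a bare 8 would clear other forwarded groups.
mask_with_eapol() {
    m=$(read_mask "$1") || return 2
    printf '0x%x\n' $(( m | EAPOL_BIT ))
}

# Usage: sh check_bridge.sh <bridge>
if [ $# -gt 0 ]; then
    eapol_forwarded "$1"; rc=$?
    case $rc in
        0) echo "$1: EAPOL/MKA frames are forwarded" ;;
        1) echo "$1: EAPOL blocked; fix with:"
           echo "  ip link set $1 type bridge group_fwd_mask $(mask_with_eapol "$1")" ;;
        *) exit 2 ;;
    esac
fi
```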


