Hi Jaap,

Our plan was to have about at least 32-64 machines on the same ethernet.

Thanks for the explanation and clarifying that I'm not imagining things though! :)

Best regards,
Moritz

On Thu, Feb 22, 2024 at 08:15:56PM +0100, Jaap Keuter wrote:
> Hi,
>
> Yes, I’ve seen that too. Recently it seemed to have gotten better, but the issue is still there.
> Although I’ve been searching for it, I’ve only come across a single observation which led to an idea for a change.
>
> --------------------------- src/pae/ieee802_1x_kay.c ---------------------------
> index b0a418ef0..442d487f7 100644
> @@ -1101,9 +1101,11 @@ ieee802_1x_mka_i_in_peerlist(struct ieee802_1x_mka_participant *participant,
>  			 * values (i.e., peer having copied my MI,MN
>  			 * from either of the last two MKPDUs that I
>  			 * have sent). */
> -			if (mn == participant->mn ||
> -			    (participant->mn > 1 &&
> -			     mn == participant->mn - 1))
> +			/* BUG: This is shown to be too tight.
> +			 * With packets being send/received out of
> +			 * sequence this assumption is not valid.
> +			 * Adjusted to three. */
> +			if (participant->mn + 3 >= mn)
>  				return true;
>  		}
>  	}
>
>
> I’ve created a test setup which allows you to experiment with this on a single Linux host.
> https://gitlab.com/JaapKeuter/MACsec-sim
> Now it works fairly well with three nodes, but increasing to eight, for instance, shows the failure.
>
> Hope it helps.
>
>
>
> > On 21 Feb 2024, at 17:34, Moritz Wilhelmy <mw-hostap@xxxxxxxxxxx> wrote:
> >
> > Hello,
> >
> > Before I will probably have to bury this macsec project at work I want to report what appears to be a bug to me in wpa_supplicant's macsec key agreement (MKA) implementation:
> >
> > I have 3 machines: ed0, ed1 and ed2; they all share the same wpa_supplicant.conf with the same values for MKA pre-shared keys and the systemd unit that starts wpa_supplicant.
> >
> > Sometimes when I reboot all machines it works fine on startup: when I ping the IPv6 link-local multicast address ff02::1%macsec0 I get response packets from all three machines:
> >
> > ed0# ping ff02::1%macsec0
> > PING ff02::1%macsec0(ff02::1%macsec0) 56 data bytes
> > 64 bytes from fe80::4801:e9ff:fe34:a268%macsec0: icmp_seq=1 ttl=64 time=0.117 ms
> > 64 bytes from fe80::747f:28ff:fedc:abaa%macsec0: icmp_seq=1 ttl=64 time=2.85 ms (DUP!)
> > 64 bytes from fe80::60a2:b8ff:fe98:ad8f%macsec0: icmp_seq=1 ttl=64 time=4.67 ms (DUP!)
> > ^C
> >
> > Other times one of the machines seems to have issues with key agreement despite having the same shared key as the other machines (i.e. only one DUP!
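Review bot: the replacement condition `if (participant->mn + 3 >= mn)` has no lower bound, so any reflected MN at or below participant->mn + 3, including one copied from an MKPDU sent long ago, now counts as a recent reflection, whereas the removed `mn == participant->mn || (participant->mn > 1 && mn == participant->mn - 1)` accepted only the current or the previous MN. A peer can only echo an MN this participant has already sent, so the slack belongs on the lower side: something like `mn <= participant->mn && participant->mn - mn <= 3`, plus a guard that mn is at least 1 (the role the original's `participant->mn > 1` played), widens the window to the last few MKPDUs without admitting stale values. The new comment should also say why three is enough for the reordering observed, read "sent/received" rather than "send/received", and drop the "BUG:" prefix, which describes the change rather than the code and belongs in the commit message.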
> > response on pinging the multicast address):
> >
> > $ ssh ed1
> > Warning: Permanently added 'fe80::4801:e9ff:fe34:a268%eno1' (ED25519) to the list of known hosts.
> > ed1# ping ff02::1%macsec0
> > PING ff02::1%macsec0(ff02::1%macsec0) 56 data bytes
> > 64 bytes from fe80::4801:e9ff:fe34:a268%macsec0: icmp_seq=1 ttl=64 time=0.112 ms
> > 64 bytes from fe80::60a2:b8ff:fe98:ad8f%macsec0: icmp_seq=1 ttl=64 time=4.89 ms (DUP!) <--- second DUP! from the 3rd machine is missing
> > 64 bytes from fe80::4801:e9ff:fe34:a268%macsec0: icmp_seq=2 ttl=64 time=0.098 ms
> > 64 bytes from fe80::60a2:b8ff:fe98:ad8f%macsec0: icmp_seq=2 ttl=64 time=2.69 ms (DUP!)
> > ^C
> > --- ff02::1%macsec0 ping statistics ---
> > 2 packets transmitted, 2 received, +2 duplicates, 0% packet loss, time 1001ms
> > rtt min/avg/max/mdev = 0.098/1.947/4.890/1.999 ms
> > ed1# systemctl status wpa_supplicant
> > ● wpa_supplicant.service - WPA supplicant
> >    Loaded: loaded (/lib/systemd/system/wpa_supplicant.service; enabled; vendor preset: disabled)
> >    Active: active (running) since Sat 2024-02-10 16:07:19 UTC; 20s ago
> >  Main PID: 496 (wpa_supplicant)
> >     Tasks: 1 (limit: 404)
> >    Memory: 4.9M
> >    CGroup: /system.slice/wpa_supplicant.service
> >            └─496 /usr/sbin/wpa_supplicant -u -i br0 -Dmacsec_linux -c /etc/wpa_supplicant.conf
> >
> > Feb 10 16:07:19 hostname systemd[1]: Starting WPA supplicant...
> > Feb 10 16:07:19 hostname wpa_supplicant[496]: Successfully initialized wpa_supplicant
> > Feb 10 16:07:19 hostname systemd[1]: Started WPA supplicant.
> > Feb 10 16:07:20 hostname wpa_supplicant[496]: br0: Associated with 01:80:c2:00:00:03
> > Feb 10 16:07:20 hostname wpa_supplicant[496]: br0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
> > Feb 10 16:07:20 hostname wpa_supplicant[496]: br0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> > Feb 10 16:07:26 hostname wpa_supplicant[496]: KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
> > Feb 10 16:07:28 hostname wpa_supplicant[496]: KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
> > Feb 10 16:07:30 hostname wpa_supplicant[496]: KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
> > Feb 10 16:07:33 hostname wpa_supplicant[496]: KaY: Life time has not elapsed since prior SAK distributed
> > ed1# logout
> > Connection to fe80::4801:e9ff:fe34:a268%eno1 closed.
> >
> > $ ssh ed2
> > Warning: Permanently added 'fe80::60a2:b8ff:fe98:ad8f%eno1' (ED25519) to the list of known hosts.
> > ed2# systemctl status wpa_supplicant
> > ● wpa_supplicant.service - WPA supplicant
> >    Loaded: loaded (/lib/systemd/system/wpa_supplicant.service; enabled; vendor preset: disabled)
> >    Active: active (running) since Sat 2024-02-10 16:01:48 UTC; 47s ago
> >  Main PID: 496 (wpa_supplicant)
> >     Tasks: 1 (limit: 404)
> >    Memory: 4.8M
> >    CGroup: /system.slice/wpa_supplicant.service
> >            └─496 /usr/sbin/wpa_supplicant -u -i br0 -Dmacsec_linux -c /etc/wpa_supplicant.conf
> >
> > Feb 10 16:01:47 hostname systemd[1]: Starting WPA supplicant...
> > Feb 10 16:01:48 hostname wpa_supplicant[496]: Successfully initialized wpa_supplicant
> > Feb 10 16:01:48 hostname systemd[1]: Started WPA supplicant.
> > Feb 10 16:01:48 hostname wpa_supplicant[496]: br0: Associated with 01:80:c2:00:00:03
> > Feb 10 16:01:48 hostname wpa_supplicant[496]: br0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
> > Feb 10 16:01:48 hostname wpa_supplicant[496]: br0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> > Feb 10 16:01:54 hostname wpa_supplicant[496]: KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
> > Feb 10 16:01:56 hostname wpa_supplicant[496]: KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
> > ed2# logout
> > Connection to fe80::60a2:b8ff:fe98:ad8f%eno1 closed.
> >
> > $ ssh ed0
> > Warning: Permanently added 'fe80::747f:28ff:fedc:abaa%eno1' (ED25519) to the list of known hosts.
> > ed0# systemctl status wpa_supplicant
> > ● wpa_supplicant.service - WPA supplicant
> >    Loaded: loaded (/lib/systemd/system/wpa_supplicant.service; enabled; vendor preset: disabled)
> >    Active: active (running) since Sat 2024-02-10 16:07:00 UTC; 54s ago
> >  Main PID: 495 (wpa_supplicant)
> >     Tasks: 1 (limit: 404)
> >    Memory: 4.8M
> >    CGroup: /system.slice/wpa_supplicant.service
> >            └─495 /usr/sbin/wpa_supplicant -u -i br0 -Dmacsec_linux -c /etc/wpa_supplicant.conf
> >
> > Feb 10 16:07:06 hostname wpa_supplicant[495]: KaY: The peer (73cec9c3a974289e25a335a4) is not my live peer - ignore MACsec SAK Use param>
> > Feb 10 16:07:06 hostname wpa_supplicant[495]: KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
> > Feb 10 16:07:06 hostname wpa_supplicant[495]: KaY: The peer (73cec9c3a974289e25a335a4) is not my live peer - ignore MACsec SAK Use param>
> > Feb 10 16:07:06 hostname wpa_supplicant[495]: KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
> > Feb 10 16:07:07 hostname wpa_supplicant[495]: KaY: The peer (73cec9c3a974289e25a335a4) is not my live peer - ignore MACsec SAK Use param>
> > Feb 10 16:07:07 hostname wpa_supplicant[495]: KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
> > Feb 10 16:07:09 hostname wpa_supplicant[495]: KaY: The peer (73cec9c3a974289e25a335a4) is not my live peer - ignore MACsec SAK Use param>
> > Feb 10 16:07:09 hostname wpa_supplicant[495]: KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
> > Feb 10 16:07:11 hostname wpa_supplicant[495]: KaY: The peer (73cec9c3a974289e25a335a4) is not my live peer - ignore MACsec SAK Use param>
> > Feb 10 16:07:11 hostname wpa_supplicant[495]: KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
> >
> > ^^^^ seems to me that the culprit in this case is ed0, which somehow fell out of sync with the others if I'm reading this right, but I didn't write this software so perhaps you tell me :)
> >
> > Are you aware of/have you encountered this issue before? Is there any known solution/software version where it's fixed?
> >
> > Here's some more context and diagnostic info:
> >
> > ed0# wpa_supplicant -v
> > wpa_supplicant v2.10
> > Copyright (c) 2003-2022, Jouni Malinen <j@xxxxx> and contributors
> >
> > ed0# uname -a
> > Linux hostname 5.4.24 #1 SMP PREEMPT Thu Oct 7 08:39:19 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux
> >
> > ed0# cat /sys/class/net/br0/bridge/group_fwd_mask
> > 0x8
> >
> > ed0# cat /etc/wpa_supplicant.conf
> > ctrl_interface=/var/run/wpa_supplicant
> > eapol_version=3
> > ap_scan=0
> > fast_reauth=1
> >
> > network={
> >         key_mgmt=NONE
> >         eapol_flags=0
> >         macsec_policy=1
> >
> >         mka_cak=35659df249c7c90fcaeb675ef59eb783
> >         mka_ckn=83f447da8078c18a7bae35851a0349384e9da84ab45a705f304731f3dc7fee
> > }
> >
> >
> >
> > The file is left as copied from the [RedHat introduction][1] with some keys filled in where they belong and then copied identically to all three machines.
> >
> > Sorry I had to edit the logs to remove the hostname; I've signed an NDA.
> >
> > Best regards,
> >
> > Moritz
> >
> > [1]: https://developers.redhat.com/blog/2017/06/28/whats-new-in-macsec-setting-up-macsec-using-wpa_supplicant-and-optionally-networkmanager#
>

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
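The check Jaap's diff touches decides whether a peer's MKPDU echoes one of "my" recent message numbers (MN), which is how the KaY keeps a peer on its live list. The added example below is not wpa_supplicant code and not Jaap's simulator; it is a stand-alone model of the three candidate conditions seen in the thread: the original two-value check, the `participant->mn + 3 >= mn` condition from the quoted patch, and a bounded window of the last few MNs (an assumption here, not the project's fix). It runs them over a constructed set of reflected MNs, including lagged reflections from out-of-order delivery, one stale reflection, and one MN this participant never sent, so a practitioner can see which peers each condition keeps live. The `u32` typedef, the function names and the sample values are all constructed for this example.

```c
/* Added example, not wpa_supplicant code: model of the MKA "does the peer
 * reflect one of my recent MNs" check from ieee802_1x_mka_i_in_peerlist. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Condition removed by the quoted patch: accept only my current MN or the
 * one before it, i.e. the peer copied MI/MN from one of my last two MKPDUs.
 * The my_mn > 1 guard keeps my_mn - 1 from being 0, a value never sent. */
static bool mn_ok_original(u32 my_mn, u32 mn)
{
	return mn == my_mn || (my_mn > 1 && mn == my_mn - 1);
}

/* Condition added by the quoted patch, as written: anything at or below
 * my_mn + 3 passes. There is no lower bound, so a reflection of an MN I
 * sent long ago passes as well, and so do values above my current MN. */
static bool mn_ok_patch(u32 my_mn, u32 mn)
{
	return my_mn + 3 >= mn;
}

/* Bounded window (assumption for this example, not the project's fix):
 * accept the last `window` MNs I actually sent. Nothing above my current
 * MN can be a legitimate echo, and MN 0 is never sent, so both are rejected.
 * window == 1 reproduces the original check exactly. */
static bool mn_ok_window(u32 my_mn, u32 mn, u32 window)
{
	if (mn == 0 || mn > my_mn)
		return false;
	return my_mn - mn <= window;
}

struct live_counts {
	int original;
	int patch;
	int window;
};

/* How many of n peers each condition would keep on the live list, given the
 * MN each peer echoed in its most recent MKPDU. */
static struct live_counts count_live(u32 my_mn, const u32 *reflected,
				     size_t n, u32 window)
{
	struct live_counts c = { 0, 0, 0 };
	size_t i;

	for (i = 0; i < n; i++) {
		c.original += mn_ok_original(my_mn, reflected[i]);
		c.patch += mn_ok_patch(my_mn, reflected[i]);
		c.window += mn_ok_window(my_mn, reflected[i], window);
	}
	return c;
}

int main(void)
{
	/* Constructed scenario: I have sent 10 MKPDUs (my_mn == 10). Seven
	 * peers echo back the MN they last saw from me. Lags of 1 to 3 come
	 * from late or reordered delivery; the peer echoing 2 has not seen
	 * anything from me for eight MKPDUs (stale); 11 was never sent. */
	const u32 my_mn = 10;
	const u32 reflected[] = { 10, 9, 8, 7, 10, 2, 11 };
	size_t n = sizeof(reflected) / sizeof(reflected[0]);
	struct live_counts c = count_live(my_mn, reflected, n, 3);
	size_t i;

	printf("reflected MN  original  patch  window(3)\n");
	for (i = 0; i < n; i++)
		printf("%11u  %8d  %5d  %9d\n", reflected[i],
		       mn_ok_original(my_mn, reflected[i]),
		       mn_ok_patch(my_mn, reflected[i]),
		       mn_ok_window(my_mn, reflected[i], 3));
	printf("live peers:   %8d  %5d  %9d of %zu\n",
	       c.original, c.patch, c.window, n);
	return 0;
}
```

With the constructed input the original condition keeps 3 of 7 peers (it drops the lag-2 and lag-3 reflections that reordering produces, which matches the thread's symptom of peers dropping off the live list), the patch condition keeps all 7 (including the stale echo of MN 2 and the never-sent 11), and the bounded window keeps 5, tolerating the reordering while still rejecting the stale and the impossible values.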