On Tue, Dec 03, 2024 at 05:10:52AM +0000, Martínek Petr wrote:
> CISCO C3560CX (SW version 15.2(7)E8, SW image C3560CX-UNIVERSALK9-M) requires ICV Indicator to be present even when ICV is 16 bytes.
> Therefore I would like to ask, if it is possible to add config option to always send ICV Indicator. (I've included my patch that adds macsec_icv_indicator config option)

That seems to be against the requirements of the IEEE 802.1X standard. Would you happen to have any references that would describe this special need for that device (or wider set of devices, if applicable)? A quick search seemed to find some comments on this from Cisco documentation of the include-icv-indicator configuration parameter ("is configuration is necessary for MACsec to interoperate with routers that run software prior to IOS XR version 6.1.3. This configuration is also important in a service provider WAN setup where MACsec interoperates with other vendor MACsec implementations that expect ICV indicator to be present in the MKPDU."). That seems to imply that is quite a bit wider issue than just what might be implied by this description.

> diff -Naur a/src/ap/ap_config.h b/src/ap/ap_config.h

For me to be able to consider applying the proposed changes, this needs to come with a commit message that includes a Signed-off-by: line as described in the top level CONTRIBUTIONS file.

> /**
> + * macsec_icv_indicator - Always include ICV Indicator
> + * (for compatibility with older MACSEC switches)
> + *
> + * Range: 0-1 (default: 0)
> + */
> + int macsec_icv_indicator;

This needs matching changes in hostapd/config_file.c and hostapd/hostapd.conf.

--
Jouni Malinen PGP id EFC895FA
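
Review bot: The comment added above macsec_icv_indicator in src/ap/ap_config.h gives the range as 0-1 (default: 0) but does not say what each value does. Spell out that 0 keeps the existing behaviour and 1 always includes the ICV Indicator, and, since the reply describes always sending it as going against the IEEE 802.1X requirements, state in the comment that 1 is an interoperability workaround rather than standard behaviour. The comment also writes "MACSEC" where the rest of the discussion uses "MACsec"; use one spelling consistently.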