connection using Macsec via wpa_supplicant failed

I am a novice in macsec, and appreciate any help in understanding why macsec via wpa_supplicant on Ubuntu does not work with the Ruckus ICX7850-48FS switch.

This switch does have the macsec option enabled and configured with pre-shared CAK and CKN. However, I cannot ping any device on my network when macsec is set in ICX and wpa_supplicant is running on Ubuntu. Am I missing something in the configuration?

Thank you

Here is what the ip command shows:

    $ ip -s macsec show
    17: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
        cipher suite: GCM-AES-128, using ICV length 16
        TXSC: 00e102005f280001 on SA 0
        stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
                             0              0              0         107            0                0        2832             0
        stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
                              0               11                  0               1218
            0: PN 12, state on, key af90ad063d4a31db48edac0d01000000
        stats: OutPktsProtected OutPktsEncrypted
                              0               11
        RXSC: 38453b3aa3730003, state on
        stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                               0                 0               0             0        0             0          0              0                0              0
            0: PN 1, state on, key af90ad063d4a31db48edac0d01000000
        stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                      0             0              0                0              0

wpa_supplicant.config:

    ctrl_interface=/var/run/wpa_supplicant
    eapol_version=3
    ap_scan=0
    #orig fast_reauth=1
    fast_reauth=0

    network={
        key_mgmt=NONE
        #key_mgmt=IEEE8021X
        eapol_flags=0
        macsec_policy=1
        mka_cak=135bd758b0ee5c11c55ff6ab19fdb199
        mka_ckn=96437a93ccf10d9dfe347846cce52c7d
        mka_priority=100
    }

I run wpa_supplicant in debug mode:

    wpa_supplicant -dd -K -i eth0 -Dmacsec_linux -c wpa_supplicant_ubuntu.conf

Wpa_cli status:

    > status
    bssid=01:80:c2:00:00:03
    freq=0
    ssid=
    id=0
    mode=station
    pairwise_cipher=NONE
    group_cipher=NONE
    key_mgmt=NONE
    wpa_state=COMPLETED
    ip_address=10.100.97.158
    address=00:e1:02:00:5f:28
    PAE KaY status=Active
    Authenticated=No
    Secured=Yes
    Failed=No
    Actor Priority=100
    Key Server Priority=16
    Is Key Server=No
    Number of Keys Distributed=0
    Number of Keys Received=1
    MKA Hello Time=2000
    actor_sci=00:e1:02:00:5f:28@1
    key_server_sci=38:45:3b:3a:a3:73@3
    participant_idx=0
    ckn=96437a93ccf10d9dfe347846cce52c7d
    mi=3dfae97ed11d9ba7013cef3d
    mn=6
    active=Yes
    participant=No
    retain=No
    live_peers=1
    potential_peers=0
    is_key_server=No
    is_elected=Yes
    uuid=84d0be70-7d9a-5dba-b0ed-139b3414cf7d

Log of wpa_supplicant:

# ./startWpaSupplicantUbuntu.sh 
wpa_supplicant v2.9
random: getrandom() support available
Successfully initialized wpa_supplicant
Initializing interface 'eth0' conf 'wpa_supplicant_ubuntu.conf' driver 'macsec_linux' ctrl_interface 'N/A' bridge 'N/A'
Configuration file 'wpa_supplicant_ubuntu.conf' -> '/home/dima/Desktop/macsec/wpa_supplicant_ubuntu.conf'
Reading configuration file '/home/dima/Desktop/macsec/wpa_supplicant_ubuntu.conf'
ctrl_interface='/var/run/wpa_supplicant'
eapol_version=3
ap_scan=0
fast_reauth=0
Line: 7 - start of a new network block
key_mgmt: 0x4
eapol_flags=0 (0x0)
macsec_policy=1 (0x1)
MKA-CAK - hexdump(len=16): [REMOVED]
MKA-CKN - hexdump(len=16): [REMOVED]
mka_priority=100 (0x64)
Priority group 0
   id=0 ssid=''
driver_wired_init_common: Added multicast membership with packet socket
Add interface eth0 to a new radio N/A
eth0: Own MAC address: 00:e1:02:00:5f:28
eth0: RSN: flushing PMKID list in the driver
eth0: Setting scan request: 0.100000 sec
TDLS: TDLS operation not supported by driver
TDLS: Driver uses internal link setup
TDLS: Driver does not support TDLS channel switching
eth0: WPS: UUID based on MAC address: 84d0be70-7d9a-5dba-b0ed-139b3414cf7d
ENGINE: Loading builtin engines
ENGINE: Loading builtin engines
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
eth0: Added interface eth0
eth0: State: DISCONNECTED -> DISCONNECTED
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
KaY: Initialize - ifname=eth0 addr=00:e1:02:00:5f:28 port=0 priority=100
KaY: Generated SCI: 00:e1:02:00:5f:28@1
macsec_drv_get_capability
KaY: state machine created
macsec_drv_macsec_init
macsec_linux: ifname=eth0 parent_ifi=2
KaY: secy init macsec done
CP: state machine created
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_enable_encrypt -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state INIT
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state CHANGE
macsec_drv_enable_controlled_port -> FALSE
eth0: Already associated with a configured network - generating associated event
eth0: Event ASSOC (0) received
eth0: Association info event
FT: Stored MDIE and FTIE from (Re)Association Response - hexdump(len=0):
eth0: State: DISCONNECTED -> ASSOCIATED
eth0: Associated to a new BSS: BSSID=01:80:c2:00:00:03
eth0: Select network based on association information
eth0: Network configuration found for the current AP
eth0: WPA: clearing AP WPA IE
eth0: WPA: clearing AP RSN IE
eth0: WPA: clearing own WPA/RSN IE
eth0: Failed to get scan results
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=ForceAuthorized
KaY: state machine removed
CP: state machine removed
macsec_drv_macsec_deinit
KaY: Initialize - ifname=eth0 addr=00:e1:02:00:5f:28 port=0 priority=100
KaY: Generated SCI: 00:e1:02:00:5f:28@1
macsec_drv_get_capability
KaY: state machine created
macsec_drv_macsec_init
macsec_linux: ifname=eth0 parent_ifi=2
KaY: secy init macsec done
CP: state machine created
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_enable_encrypt -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state INIT
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state CHANGE
macsec_drv_enable_controlled_port -> FALSE
KaY: Create MKA (ifname=eth0 mode=PSK authenticator=No)
KaY: CKN - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: CAK - hexdump(len=16): [REMOVED]
KaY: Selected random MI: 3dfae97ed11d9ba7013cef3d
KaY: Create transmit SC - SCI: 00:e1:02:00:5f:28@1
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_linux: eth0: create_transmit_sc -> 00:e1:02:00:5f:28::1 (conf_offset=0)
macsec_linux: eth0: create_transmit_sc: ifi=16 ifname=macsec0
macsec_linux: macsec0: try_commit controlled_port_enabled=0
macsec_linux: macsec0: try_commit protect_frames=1
macsec_linux: macsec0: try_commit encrypt=1
macsec_linux: macsec0: try_commit replay_protect=0 replay_window=0
KaY: Derived KEK - hexdump(len=16): [REMOVED]
KaY: Derived ICK - hexdump(len=16): [REMOVED]
eth0: Associated with 01:80:c2:00:00:03
eth0: WPA: Association event - clear replay counter
eth0: WPA: Clear old PTK
TDLS: Remove peers on association
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state S_FORCE_AUTH
EAPOL: Supplicant port status: Authorized
EAPOL: SUPP_BE entering state IDLE
eth0: Cancelling authentication timeout
eth0: State: ASSOCIATED -> COMPLETED
eth0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
eth0: Cancelling scan request
eth0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 1
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: ICV - hexdump(len=16): 48 1d a5 ad f5 59 23 02 a1 61 b7 84 af 5e 82 50
KaY: Outgoing MKPDU - hexdump(len=82): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 40 01 64 e0 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 48 1d a5 ad f5 59 23 02 a1 61 b7 84 af 5e 82 50
EAPOL: disable timer tick
l2_packet_receive: src=38:45:3b:3a:a3:73 len=92
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=92): 03 05 00 58 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=106
KaY: RX EAPOL-MKA - hexdump(len=106): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 58 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=88
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=88): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 16
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 38:45:3b:3a:a3:73@3
    Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
    Actor's Message Number: 1
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
KaY: Potential peer created
    MI: 6961e3c6b1dddcdbd81ce04f  MN: 1  SCI: 00:00:00:00:00:00@0
Potential Peer List parameter set
    Body Length: 16
    Member Id: 3dfae97ed11d9ba7013cef3d  Message Number: 1
KaY: My MI - received MN 1, most recently transmitted MN 1
KaY: i_in_peerlist=Yes is_in_live_peer=No
KaY: Create receive SC: SCI 38:45:3b:3a:a3:73@3
KaY: Move potential peer to live peer
    MI: 6961e3c6b1dddcdbd81ce04f  MN: 1  SCI: 38:45:3b:3a:a3:73@3
macsec_linux: macsec0: create_receive_sc -> 38:45:3b:3a:a3:73::3 (conf_offset=0 validation=2)
KaY: Peer 6961e3c6b1dddcdbd81ce04f was elected as the key server
CTRL_IFACE monitor attached /tmp/wpa_ctrl_133358-44\x00
CTRL-DEBUG: ctrl_sock-sendto: sock=6 sndbuf=212992 outq=0 send_len=3
CTRL-DEBUG: ctrl_sock-sendto: sock=6 sndbuf=212992 outq=0 send_len=5
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=84
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 2
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 1
KaY: ICV - hexdump(len=16): fb 8f 40 14 50 60 3c 1b 24 88 6f ce c1 d1 21 ca
KaY: Outgoing MKPDU - hexdump(len=102): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 54 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 fb 8f 40 14 50 60 3c 1b 24 88 6f ce c1 d1 21 ca
l2_packet_receive: src=38:45:3b:3a:a3:73 len=168
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=168): 03 05 00 a4 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=182
KaY: RX EAPOL-MKA - hexdump(len=182): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 a4 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=164
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=164): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 16
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 38:45:3b:3a:a3:73@3
    Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
    Actor's Message Number: 2
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
Live Peer List parameter set
    Body Length: 16
    Member Id: 3dfae97ed11d9ba7013cef3d  Message Number: 2
KaY: My MI - received MN 2, most recently transmitted MN 2
KaY: i_in_peerlist=Yes is_in_live_peer=Yes
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: No
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: Latest key is invalid
Distributed SAK parameter set
    Distributed AN........: 0
    Confidentiality Offset: 1
    Body Length...........: 28
    Key Number............: 1
    AES Key Wrap of SAK...: - hexdump(len=24): fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4
    AES Key Unwrap of SAK.: - hexdump(len=16): [REMOVED]
CP: CP entering state SECURED
macsec_drv_set_current_cipher_suite -> 0080020001000001
macsec_drv_enable_protect_frames -> TRUE
macsec_linux: macsec0: try_commit protect_frames=1
macsec_drv_enable_encrypt -> TRUE
macsec_linux: macsec0: try_commit encrypt=1
macsec_drv_set_replay_protect -> FALSE, 0
macsec_linux: macsec0: try_commit replay_protect=0 replay_window=0
CP: CP entering state RECEIVE
KaY: Create receive SA(an: 0 lowest_pn: 1) of SC
macsec_linux: macsec0: create_receive_sa -> 0 on 38:45:3b:3a:a3:73::3 (enable_receive=0 next_pn=1)
macsec_linux: SA keyid - hexdump(len=16): 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 01 00 00 00
macsec_linux: SA key - hexdump(len=16): [REMOVED]
KaY: Create transmit SA(an: 0, next_pn: 1) of SC
macsec_linux: macsec0: create_transmit_sa -> 0 on 00:e1:02:00:5f:28::1 (enable_transmit=0 next_pn=1)
macsec_linux: SA keyid - hexdump(len=16): 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 01 00 00 00
macsec_linux: SA key - hexdump(len=16): [REMOVED]
macsec_linux: macsec0: enable_receive_sa -> 0 on 38:45:3b:3a:a3:73::3
CP: CP entering state RECEIVING
CP: CP entering state READY
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 3
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 1
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: No
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 3f 58 1e c3 42 14 f6 20 50 53 a9 81 7b 75 6f b0
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 3f 58 1e c3 42 14 f6 20 50 53 a9 81 7b 75 6f b0
CP: CP entering state TRANSMIT
macsec_drv_enable_controlled_port -> TRUE
macsec_linux: macsec0: try_commit controlled_port_enabled=1
macsec_linux: macsec0: enable_transmit_sa -> 0 on 00:e1:02:00:5f:28::1
macsec_linux: macsec0: try_commit encoding_sa=0
CP: CP entering state TRANSMITTING
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 4
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 1
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 69 b6 ef f1 6b 29 44 26 d3 40 50 2e 0a b3 e2 89
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 04 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 69 b6 ef f1 6b 29 44 26 d3 40 50 2e 0a b3 e2 89
CP: CP entering state RETIRE
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 5
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 2
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 96 2e 06 f1 a4 80 5f 24 da 41 a2 fa 73 53 5a 75
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 96 2e 06 f1 a4 80 5f 24 da 41 a2 fa 73 53 5a 75
l2_packet_receive: src=38:45:3b:3a:a3:73 len=136
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=136): 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=150
KaY: RX EAPOL-MKA - hexdump(len=150): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=132
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=132): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 16
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 38:45:3b:3a:a3:73@3
    Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
    Actor's Message Number: 3
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
Live Peer List parameter set
    Body Length: 16
    Member Id: 3dfae97ed11d9ba7013cef3d  Message Number: 5
KaY: My MI - received MN 5, most recently transmitted MN 5
KaY: i_in_peerlist=Yes is_in_live_peer=Yes
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
l2_packet_receive: src=38:45:3b:3a:a3:73 len=136
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=136): 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 04 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 a5 fc ed db e1 b4 1a 61 d8 ec 73 3a ff 9e 54 e7
eth0: Ignored received EAPOL frame since no key management is configured



   

Here is macsec part of ICX configuration:

    dot1x-mka-enable
     mka-cfg-group test
      key-server-priority 20
      macsec cipher-suite gcm-aes-128
     enable-mka ethernet 1/1/4
      pre-shared-key 135bd758b0ee5c11c55ff6ab19fdb199 key-name 96437a93ccf10d9dfe347846cce52c7d
    !

Your wpa_supplicant.config formatting looks odd in your question, but I'm guessing it works on your system based on the log output. I think you should have a new macsec0 device which handles the encryption and decryption, and that should be the interface you use once MACsec is properly configured on eth0. eth0 traffic will not be usable unless the switch side MACsec configuration allows unencrypted traffic as well as encrypted.

Summary:

  • eth0 is unsecure traffic (if configured to allow unsecure traffic)
  • macsec0 is secure traffic
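
The counters in the question's `ip -s macsec show` output show which direction of the secure channel is actually carrying frames, which is worth reading before moving the IP configuration from eth0 to macsec0 as the answer suggests. The Python sketch below is an added example, not part of the original posts: the function names, scope labels and finding codes are this example's own, the sample text is the output posted in the question, and the counter meanings in the comments follow the Linux macsec driver.

```python
import re

# `ip -s macsec show` output as posted in the question (column padding dropped).
SAMPLE = """\
17: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 00e102005f280001 on SA 0
    stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
           0 0 0 107 0 0 2832 0
    stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
           0 11 0 1218
        0: PN 12, state on, key af90ad063d4a31db48edac0d01000000
    stats: OutPktsProtected OutPktsEncrypted
           0 11
    RXSC: 38453b3aa3730003, state on
    stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
           0 0 0 0 0 0 0 0 0 0
        0: PN 1, state on, key af90ad063d4a31db48edac0d01000000
    stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
           0 0 0 0 0
"""


def parse_macsec_stats(text):
    """Map each scope (secy, txsc, txsc.saN, rxsc[SCI], rxsc[SCI].saN) to its counters.

    Works on whitespace-separated tokens, so it also accepts output whose line
    breaks were lost in a paste. Assumes a single macsec device in the text.
    """
    tok = text.split()
    stats, scope, sc, i = {}, "secy", "txsc", 0
    while i < len(tok):
        t = tok[i]
        if t == "RXSC:" and i + 1 < len(tok):
            scope = sc = "rxsc[%s]" % tok[i + 1].rstrip(",")
        elif re.fullmatch(r"\d+:", t) and tok[i + 1:i + 2] == ["PN"]:
            scope = "%s.sa%s" % (sc, t[:-1])          # per-SA counters follow
        elif t == "stats:":
            j = i + 1
            while j < len(tok) and re.fullmatch(r"[A-Za-z]+", tok[j]):
                j += 1                                # counter names
            names, values = tok[i + 1:j], tok[j:j + (j - i - 1)]
            if names and len(values) == len(names) and all(v.isdigit() for v in values):
                stats.setdefault(scope, {}).update(zip(names, map(int, values)))
                i = j + len(names) - 1
            if scope == "secy":                       # first block is SecY-wide,
                scope = "txsc"                        # the next one is the TX SC
        i += 1
    return stats


def diagnose(stats):
    """Return finding codes for the symptoms visible in the counters."""
    secy, tx = stats.get("secy", {}), stats.get("txsc", {})
    rx_ok = sum(c.get("InPktsOK", 0) for s, c in stats.items()
                if s.startswith("rxsc[") and s.endswith("]"))
    findings = []
    # Frames leave macsec0 encrypted, yet nothing inbound has passed validation.
    if tx.get("OutPktsEncrypted", 0) > 0 and rx_ok == 0:
        findings.append("tx_only")
    # MACsec-tagged frames dropped because no receive SC matched their SCI.
    if secy.get("InPktsNoSCI", 0) > 0:
        findings.append("rx_tagged_no_matching_sc")
    # Untagged frames on the parent are not handed to macsec0 under validate strict.
    if secy.get("InPktsNoTag", 0) > 0:
        findings.append("rx_untagged_not_delivered")
    return findings


if __name__ == "__main__":
    parsed = parse_macsec_stats(SAMPLE)
    for scope, counters in parsed.items():
        nonzero = {k: v for k, v in counters.items() if v}
        print(scope, nonzero or "all zero")
    print("findings:", diagnose(parsed))
```
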
