connection using Macsec via wpa_supplicant failed

I am a novice in macsec, and appreciate any help in understanding why macsec via wpa_supplicant on Ubuntu does not work with the Ruckus ICX7850-48FS switch.

This switch does have the macsec option enabled and configured with a pre-shared CAK and CKN. However, I cannot ping any device on my network when macsec is set in ICX and wpa_supplicant is running on Ubuntu. Am I missing something in the configuration?

Thank you

Here is what ip command shows:

$ ip -s macsec show
17: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 00e102005f280001 on SA 0
    stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
                         0              0              0         107            0                0        2832             0
    stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
                          0               11                  0               1218
        0: PN 12, state on, key af90ad063d4a31db48edac0d01000000
    stats: OutPktsProtected OutPktsEncrypted
                          0               11
    RXSC: 38453b3aa3730003, state on
    stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                           0                 0               0             0        0             0          0              0                0              0
        0: PN 1, state on, key af90ad063d4a31db48edac0d01000000
    stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                  0             0              0                0              0

wpa_supplicant.config:

ctrl_interface=/var/run/wpa_supplicant
eapol_version=3
ap_scan=0
#orig fast_reauth=1
fast_reauth=0

network={
    key_mgmt=NONE
    #key_mgmt=IEEE8021X
    eapol_flags=0
    macsec_policy=1
    mka_cak=135bd758b0ee5c11c55ff6ab19fdb199
    mka_ckn=96437a93ccf10d9dfe347846cce52c7d
    mka_priority=100
}

I run wpa_supplicant in debug mode:

wpa_supplicant -dd -K -i eth0 -Dmacsec_linux -c wpa_supplicant_ubuntu.conf

Wpa_cli status:

> status
bssid=01:80:c2:00:00:03
freq=0
ssid=
id=0
mode=station
pairwise_cipher=NONE
group_cipher=NONE
key_mgmt=NONE
wpa_state=COMPLETED
ip_address=10.100.97.158
address=00:e1:02:00:5f:28
PAE KaY status=Active
Authenticated=No
Secured=Yes
Failed=No
Actor Priority=100
Key Server Priority=16
Is Key Server=No
Number of Keys Distributed=0
Number of Keys Received=1
MKA Hello Time=2000
actor_sci=00:e1:02:00:5f:28@1
key_server_sci=38:45:3b:3a:a3:73@3
participant_idx=0
ckn=96437a93ccf10d9dfe347846cce52c7d
mi=3dfae97ed11d9ba7013cef3d
mn=6
active=Yes
participant=No
retain=No
live_peers=1
potential_peers=0
is_key_server=No
is_elected=Yes
uuid=84d0be70-7d9a-5dba-b0ed-139b3414cf7d

Log of wpa_supplicant:

# ./startWpaSupplicantUbuntu.sh 
wpa_supplicant v2.9
random: getrandom() support available
Successfully initialized wpa_supplicant
Initializing interface 'eth0' conf 'wpa_supplicant_ubuntu.conf' driver 'macsec_linux' ctrl_interface 'N/A' bridge 'N/A'
Configuration file 'wpa_supplicant_ubuntu.conf' -> '/home/dima/Desktop/macsec/wpa_supplicant_ubuntu.conf'
Reading configuration file '/home/dima/Desktop/macsec/wpa_supplicant_ubuntu.conf'
ctrl_interface='/var/run/wpa_supplicant'
eapol_version=3
ap_scan=0
fast_reauth=0
Line: 7 - start of a new network block
key_mgmt: 0x4
eapol_flags=0 (0x0)
macsec_policy=1 (0x1)
MKA-CAK - hexdump(len=16): [REMOVED]
MKA-CKN - hexdump(len=16): [REMOVED]
mka_priority=100 (0x64)
Priority group 0
   id=0 ssid=''
driver_wired_init_common: Added multicast membership with packet socket
Add interface eth0 to a new radio N/A
eth0: Own MAC address: 00:e1:02:00:5f:28
eth0: RSN: flushing PMKID list in the driver
eth0: Setting scan request: 0.100000 sec
TDLS: TDLS operation not supported by driver
TDLS: Driver uses internal link setup
TDLS: Driver does not support TDLS channel switching
eth0: WPS: UUID based on MAC address: 84d0be70-7d9a-5dba-b0ed-139b3414cf7d
ENGINE: Loading builtin engines
ENGINE: Loading builtin engines
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: Supplicant port status: Unauthorized
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
eth0: Added interface eth0
eth0: State: DISCONNECTED -> DISCONNECTED
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
KaY: Initialize - ifname=eth0 addr=00:e1:02:00:5f:28 port=0 priority=100
KaY: Generated SCI: 00:e1:02:00:5f:28@1
macsec_drv_get_capability
KaY: state machine created
macsec_drv_macsec_init
macsec_linux: ifname=eth0 parent_ifi=2
KaY: secy init macsec done
CP: state machine created
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_enable_encrypt -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state INIT
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state CHANGE
macsec_drv_enable_controlled_port -> FALSE
eth0: Already associated with a configured network - generating associated event
eth0: Event ASSOC (0) received
eth0: Association info event
FT: Stored MDIE and FTIE from (Re)Association Response - hexdump(len=0):
eth0: State: DISCONNECTED -> ASSOCIATED
eth0: Associated to a new BSS: BSSID=01:80:c2:00:00:03
eth0: Select network based on association information
eth0: Network configuration found for the current AP
eth0: WPA: clearing AP WPA IE
eth0: WPA: clearing AP RSN IE
eth0: WPA: clearing own WPA/RSN IE
eth0: Failed to get scan results
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=ForceAuthorized
KaY: state machine removed
CP: state machine removed
macsec_drv_macsec_deinit
KaY: Initialize - ifname=eth0 addr=00:e1:02:00:5f:28 port=0 priority=100
KaY: Generated SCI: 00:e1:02:00:5f:28@1
macsec_drv_get_capability
KaY: state machine created
macsec_drv_macsec_init
macsec_linux: ifname=eth0 parent_ifi=2
KaY: secy init macsec done
CP: state machine created
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_enable_encrypt -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state INIT
macsec_drv_enable_controlled_port -> FALSE
CP: CP entering state CHANGE
macsec_drv_enable_controlled_port -> FALSE
KaY: Create MKA (ifname=eth0 mode=PSK authenticator=No)
KaY: CKN - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: CAK - hexdump(len=16): [REMOVED]
KaY: Selected random MI: 3dfae97ed11d9ba7013cef3d
KaY: Create transmit SC - SCI: 00:e1:02:00:5f:28@1
macsec_drv_enable_protect_frames -> TRUE
macsec_drv_set_replay_protect -> FALSE, 0
macsec_linux: eth0: create_transmit_sc -> 00:e1:02:00:5f:28::1 (conf_offset=0)
macsec_linux: eth0: create_transmit_sc: ifi=16 ifname=macsec0
macsec_linux: macsec0: try_commit controlled_port_enabled=0
macsec_linux: macsec0: try_commit protect_frames=1
macsec_linux: macsec0: try_commit encrypt=1
macsec_linux: macsec0: try_commit replay_protect=0 replay_window=0
KaY: Derived KEK - hexdump(len=16): [REMOVED]
KaY: Derived ICK - hexdump(len=16): [REMOVED]
eth0: Associated with 01:80:c2:00:00:03
eth0: WPA: Association event - clear replay counter
eth0: WPA: Clear old PTK
TDLS: Remove peers on association
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state S_FORCE_AUTH
EAPOL: Supplicant port status: Authorized
EAPOL: SUPP_BE entering state IDLE
eth0: Cancelling authentication timeout
eth0: State: ASSOCIATED -> COMPLETED
eth0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
eth0: Cancelling scan request
eth0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=64
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 1
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: ICV - hexdump(len=16): 48 1d a5 ad f5 59 23 02 a1 61 b7 84 af 5e 82 50
KaY: Outgoing MKPDU - hexdump(len=82): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 40 01 64 e0 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 48 1d a5 ad f5 59 23 02 a1 61 b7 84 af 5e 82 50
EAPOL: disable timer tick
l2_packet_receive: src=38:45:3b:3a:a3:73 len=92
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=92): 03 05 00 58 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=106
KaY: RX EAPOL-MKA - hexdump(len=106): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 58 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=88
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=88): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 02 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 01 ff 00 00 10 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 16
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 38:45:3b:3a:a3:73@3
    Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
    Actor's Message Number: 1
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): 37 e1 1d 33 e1 1e 79 96 71 2d bb 52 b0 c8 54 12
KaY: Potential peer created
    MI: 6961e3c6b1dddcdbd81ce04f  MN: 1  SCI: 00:00:00:00:00:00@0
Potential Peer List parameter set
    Body Length: 16
    Member Id: 3dfae97ed11d9ba7013cef3d  Message Number: 1
KaY: My MI - received MN 1, most recently transmitted MN 1
KaY: i_in_peerlist=Yes is_in_live_peer=No
KaY: Create receive SC: SCI 38:45:3b:3a:a3:73@3
KaY: Move potential peer to live peer
    MI: 6961e3c6b1dddcdbd81ce04f  MN: 1  SCI: 38:45:3b:3a:a3:73@3
macsec_linux: macsec0: create_receive_sc -> 38:45:3b:3a:a3:73::3 (conf_offset=0 validation=2)
KaY: Peer 6961e3c6b1dddcdbd81ce04f was elected as the key server
CTRL_IFACE monitor attached /tmp/wpa_ctrl_133358-44\x00
CTRL-DEBUG: ctrl_sock-sendto: sock=6 sndbuf=212992 outq=0 send_len=3
CTRL-DEBUG: ctrl_sock-sendto: sock=6 sndbuf=212992 outq=0 send_len=5
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=84
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 2
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 1
KaY: ICV - hexdump(len=16): fb 8f 40 14 50 60 3c 1b 24 88 6f ce c1 d1 21 ca
KaY: Outgoing MKPDU - hexdump(len=102): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 54 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 fb 8f 40 14 50 60 3c 1b 24 88 6f ce c1 d1 21 ca
l2_packet_receive: src=38:45:3b:3a:a3:73 len=168
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=168): 03 05 00 a4 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=182
KaY: RX EAPOL-MKA - hexdump(len=182): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 a4 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=164
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=164): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 04 10 00 1c 00 00 00 01 fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4 ff 00 00 10 c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 16
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 38:45:3b:3a:a3:73@3
    Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
    Actor's Message Number: 2
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): c7 f1 51 03 81 c4 19 36 3c bc bb 87 40 65 58 cf
Live Peer List parameter set
    Body Length: 16
    Member Id: 3dfae97ed11d9ba7013cef3d  Message Number: 2
KaY: My MI - received MN 2, most recently transmitted MN 2
KaY: i_in_peerlist=Yes is_in_live_peer=Yes
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: No
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: Latest key is invalid
Distributed SAK parameter set
    Distributed AN........: 0
    Confidentiality Offset: 1
    Body Length...........: 28
    Key Number............: 1
    AES Key Wrap of SAK...: - hexdump(len=24): fd f6 00 f4 87 75 41 73 0a 64 37 f2 4a 28 e4 92 0e cf 16 03 67 ee 19 f4
    AES Key Unwrap of SAK.: - hexdump(len=16): [REMOVED]
CP: CP entering state SECURED
macsec_drv_set_current_cipher_suite -> 0080020001000001
macsec_drv_enable_protect_frames -> TRUE
macsec_linux: macsec0: try_commit protect_frames=1
macsec_drv_enable_encrypt -> TRUE
macsec_linux: macsec0: try_commit encrypt=1
macsec_drv_set_replay_protect -> FALSE, 0
macsec_linux: macsec0: try_commit replay_protect=0 replay_window=0
CP: CP entering state RECEIVE
KaY: Create receive SA(an: 0 lowest_pn: 1) of SC
macsec_linux: macsec0: create_receive_sa -> 0 on 38:45:3b:3a:a3:73::3 (enable_receive=0 next_pn=1)
macsec_linux: SA keyid - hexdump(len=16): 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 01 00 00 00
macsec_linux: SA key - hexdump(len=16): [REMOVED]
KaY: Create transmit SA(an: 0, next_pn: 1) of SC
macsec_linux: macsec0: create_transmit_sa -> 0 on 00:e1:02:00:5f:28::1 (enable_transmit=0 next_pn=1)
macsec_linux: SA keyid - hexdump(len=16): 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 01 00 00 00
macsec_linux: SA key - hexdump(len=16): [REMOVED]
macsec_linux: macsec0: enable_receive_sa -> 0 on 38:45:3b:3a:a3:73::3
CP: CP entering state RECEIVING
CP: CP entering state READY
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 3
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 1
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: No
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 3f 58 1e c3 42 14 f6 20 50 53 a9 81 7b 75 6f b0
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 10 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 3f 58 1e c3 42 14 f6 20 50 53 a9 81 7b 75 6f b0
CP: CP entering state TRANSMIT
macsec_drv_enable_controlled_port -> TRUE
macsec_linux: macsec0: try_commit controlled_port_enabled=1
macsec_linux: macsec0: enable_transmit_sa -> 0 on 00:e1:02:00:5f:28::1
macsec_linux: macsec0: try_commit encoding_sa=0
CP: CP entering state TRANSMITTING
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 4
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 1
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 69 b6 ef f1 6b 29 44 26 d3 40 50 2e 0a b3 e2 89
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 04 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 69 b6 ef f1 6b 29 44 26 d3 40 50 2e 0a b3 e2 89
CP: CP entering state RETIRE
KaY: Participant timer (ifname=eth0)
KaY: Encode and send an MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=00:e1:02:00:5f:28 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=128
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 100
    Key Server: 0
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 00:e1:02:00:5f:28@1
    Actor's Member Identifier: 3dfae97ed11d9ba7013cef3d
    Actor's Message Number: 5
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
Live Peer List parameter set
    Body Length: 16
    Member Id: 6961e3c6b1dddcdbd81ce04f  Message Number: 2
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 2
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
KaY: ICV - hexdump(len=16): 96 2e 06 f1 a4 80 5f 24 da 41 a2 fa 73 53 5a 75
KaY: Outgoing MKPDU - hexdump(len=146): 01 80 c2 00 00 03 00 e1 02 00 5f 28 88 8e 03 05 00 80 01 64 60 2c 00 e1 02 00 5f 28 00 01 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 02 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 96 2e 06 f1 a4 80 5f 24 da 41 a2 fa 73 53 5a 75
l2_packet_receive: src=38:45:3b:3a:a3:73 len=136
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=136): 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
eth0: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=38:45:3b:3a:a3:73 len=150
KaY: RX EAPOL-MKA - hexdump(len=150): 01 80 c2 00 00 03 38 45 3b 3a a3 73 88 8e 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
KaY: Decode received MKPDU (ifname=eth0)
KaY: Ethernet header: DA=01:80:c2:00:00:03 SA=38:45:3b:3a:a3:73 Ethertype=0x888e
KaY: Common EAPOL PDU structure: Protocol Version=3 Packet Type=5 Packet Body Length=132
KaY: EAPOL-MKA Packet Body (MKPDU) - hexdump(len=132): 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 03 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
MKA Basic Parameter Set
    MKA Version Identifier: 1
    Key Server Priority: 16
    Key Server: 1
    MACsec Desired: 1
    MACsec Capability: 2
    Parameter set body length: 44
    SCI: 38:45:3b:3a:a3:73@3
    Actor's Member Identifier: 6961e3c6b1dddcdbd81ce04f
    Actor's Message Number: 3
    Algorithm Agility: 0080c201
    CAK Name - hexdump(len=16): 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d
KaY: Received ICV - hexdump(len=16): d7 5a 9c f8 26 7d 54 fc 7a 92 5f e3 36 ff 71 eb
Live Peer List parameter set
    Body Length: 16
    Member Id: 3dfae97ed11d9ba7013cef3d  Message Number: 5
KaY: My MI - received MN 5, most recently transmitted MN 5
KaY: i_in_peerlist=Yes is_in_live_peer=Yes
MACsec SAK Use parameter set
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN.......: 0
    Old Key Tx.......: No
    Old Key Rx.......: No
    Plain Tx.........: No
    Plain Rx.........: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: 6961e3c6b1dddcdbd81ce04f
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI: 000000000000000000000000
    Old Key Number...: 0
    Old Lowest PN....: 1
l2_packet_receive: src=38:45:3b:3a:a3:73 len=136
eth0: RX EAPOL from 38:45:3b:3a:a3:73
RX EAPOL - hexdump(len=136): 03 05 00 84 01 10 e0 2c 38 45 3b 3a a3 73 00 03 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 04 00 80 c2 01 96 43 7a 93 cc f1 0d 9d fe 34 78 46 cc e5 2c 7d 01 00 00 10 3d fa e9 7e d1 1d 9b a7 01 3c ef 3d 00 00 00 05 03 30 00 28 69 61 e3 c6 b1 dd dc db d8 1c e0 4f 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 a5 fc ed db e1 b4 1a 61 d8 ec 73 3a ff 9e 54 e7
eth0: Ignored received EAPOL frame since no key management is configured



   

Here is macsec part of ICX configuration:

dot1x-mka-enable
 mka-cfg-group test
  key-server-priority 20
  macsec cipher-suite gcm-aes-128
 enable-mka ethernet 1/1/4
  pre-shared-key 135bd758b0ee5c11c55ff6ab19fdb199 key-name 96437a93ccf10d9dfe347846cce52c7d
!

Your wpa_supplicant.config formatting looks odd in your question, but I'm guessing it works on your system based on the log output. I think you should have a new macsec0 device which handles the encryption and decryption, and that should be the interface you use once MACsec is properly configured on eth0. eth0 traffic will not be usable unless the switch side MACsec configuration allows unencrypted traffic as well as encrypted.

Summary:

  • eth0 is unsecure traffic (if configured to allow unsecure traffic)
  • macsec0 is secure traffic
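
Added example, not part of the original answer: a shell check for the situation the answer describes, where an IPv4 address is still assigned to the parent interface (eth0) instead of the MACsec device (macsec0), together with a reader for the counters printed by `ip -s macsec show`. The sample inputs are constructed from values in the question; the /24 prefix length, the link flags and all function names are assumptions.

```shell
#!/bin/sh
# Flag IPv4 addresses left on the parent of a MACsec device (their traffic
# leaves untagged) and read SC-level counters from `ip -s macsec show`.
# Live use (commented out so the example runs offline):
#   diagnose "$(ip -o link show type macsec)" "$(ip -o -4 addr show)" "$(ip -s macsec show)"

# Constructed samples: names, address and counters follow the question;
# the /24 prefix, mtu and flags are assumptions.
SAMPLE_LINKS='17: macsec0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1468 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 00:e1:02:00:5f:28 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.100.97.158/24 brd 10.100.97.255 scope global eth0\       valid_lft forever preferred_lft forever'
SAMPLE_STATS='17: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    TXSC: 00e102005f280001 on SA 0
    stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
                          0               11                  0               1218
    RXSC: 38453b3aa3730003, state on
    stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                           0                 0               0             0        0             0          0              0                0              0'

# stdin: `ip -o link show type macsec`; stdout: "<macsec-dev> <parent>" per line.
macsec_pairs() {
    awk '{ name = $2; sub(/:$/, "", name)
           if (split(name, part, "@") == 2) print part[1], part[2] }'
}

# $1: `ip -o link show type macsec` text, $2: `ip -o -4 addr show` text.
# Prints "<parent> <address> <macsec-dev>" for each address left on a parent.
addrs_on_parent() {
    { printf '%s\n' "$1" | macsec_pairs; echo '--'; printf '%s\n' "$2"; } | awk '
        $0 == "--"  { in_addrs = 1; next }
        !in_addrs   { macsec_of[$2] = $1; next }
        $3 == "inet" && ($2 in macsec_of) { print $2, $4, macsec_of[$2] }'
}

# $1: `ip -s macsec show` text, $2: counter name.
# Each "stats:" header line is followed by a line of values; print the first match.
macsec_counter() {
    printf '%s\n' "$1" | awk -v want="$2" '
        have_hdr { for (i = 1; i <= NF; i++) if (hdr[i] == want) { print $i; exit }
                   have_hdr = 0; next }
        $1 == "stats:" { for (i = 2; i <= NF; i++) hdr[i - 1] = $i; have_hdr = 1 }'
}

# $1 links, $2 addrs, $3 stats. Returns 1 when an address sits on a parent.
diagnose() {
    leaked=$(addrs_on_parent "$1" "$2")
    tx_enc=$(macsec_counter "$3" OutPktsEncrypted)
    rx_ok=$(macsec_counter "$3" InPktsOK)
    echo "tx_encrypted=${tx_enc:-?} rx_ok=${rx_ok:-?}"
    [ -z "$leaked" ] && return 0
    echo "$leaked" | while read -r parent addr dev; do
        echo "UNPROTECTED: $addr is on $parent; move it to $dev"
    done
    return 1
}

# Demo on the constructed samples.
diagnose "$SAMPLE_LINKS" "$SAMPLE_ADDRS" "$SAMPLE_STATS" || true
```
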
