Macsec support | Kernel 4.9

Hi,

After reading this article that shows how to set up wired macsec layer 2 auth / encryption, and explains how it actually works, I tried to configure it on an LEDE based router.

According to the article, macsec is natively supported as of Linux kernel 4.6.
I tried some of the commands on my linux desktop running 4.13: no issues.

But when I tried to perform the same commands on the router, they fail:

root@LEDE:~# ip link add link eth0 macsec0 type macsec encrypt on
RTNETLINK answers: Not supported

root@LEDE:~# ip macsec show
RTNETLINK answers: No such file or directory
Error talking to the kernel

Here's the snapshot version I'm using:

NAME="OpenWrt"
VERSION="SNAPSHOT"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt SNAPSHOT"
VERSION_ID="snapshot"
HOME_URL="http://lede-project.org/"
BUG_URL="http://bugs.lede-project.org/"
SUPPORT_URL="http://forum.openwrt.org/"
BUILD_ID="r7173-83483ba"
LEDE_BOARD="ar71xx/generic"
LEDE_ARCH="mips_24kc"
LEDE_TAINTS=""
LEDE_DEVICE_MANUFACTURER="OpenWrt"
LEDE_DEVICE_MANUFACTURER_URL="http://lede-project.org/"
LEDE_DEVICE_PRODUCT="Generic"
LEDE_DEVICE_REVISION="v0"
LEDE_RELEASE="OpenWrt SNAPSHOT r7173-83483ba"

Do you guys have any clues of why it fails?
Is there a way to manually enable / install missing modules to support it?

Thanks

From the link you gave and your post I'll speculate it's some kernel module missing. No idea which one. Might be more than one.

Yes it does seem like a missing kernel module.
I've seen somewhere "modprobe macsec", but nothing related to macsec under /lib/modules.

On my desktop though: "/lib/modules/4.13.0-21-generic/kernel/drivers/net/macsec.ko"
-> source code: https://github.com/torvalds/linux/blob/master/drivers/net/macsec.c

You may also need to install the "full" version of the ip tools, rather than the busybox re-implementation of the "core" functionality of the ip tool set.

Thanks for your reply.
You mean the "ip-full" package? (If so, I'm already using it)


you will need kmod-macsec

I wanted to experiment with macsec a bit, and made a simple shellscript to make it easier. NB: it is strongly recommended that the keys are changed (using 802.1x-2010) on a regular basis, so this is really just good for a proof of concept!

#!/bin/sh
# Static-key MACsec between two hosts. Set iface, mykey, theirkey, mymac,
# theirmac and myip in the environment before running.

die() {
  echo "$1" >&2
  exit 1
}

if [ -z "$iface" ] || [ -z "$mykey" ] || [ -z "$theirkey" ] || \
   [ -z "$mymac" ] || [ -z "$theirmac" ] || [ -z "$myip" ]; then
  die "Please set iface, mykey, theirkey, mymac, theirmac and myip before running this script"
fi

ip link set "${iface}" up
# Drop any stale macsec0 from a previous run, then create it with encryption on
ip link del macsec0 2> /dev/null
ip link add link "${iface}" macsec0 type macsec encrypt on
# Transmit SA 0 with our key (key id 00), starting at packet number 1
ip macsec add macsec0 tx sa 0 pn 1 on key 00 "${mykey}"
# Receive channel identified by the peer's MAC and port 1, then its SA 0 with their key (key id 01)
ip macsec add macsec0 rx port 1 address "${theirmac}"
ip macsec add macsec0 rx port 1 address "${theirmac}" sa 0 pn 1 on key 01 "${theirkey}"
ip link set macsec0 up
ip addr add "${myip}" dev macsec0

I ran it on each host (only two) as follows:
On HostA:

iface=eth0 mymac=d0:5f:b8:ef:44:6f mykey=1e63c81f60ee224d7d0ffa3447da955f theirmac=A0:CE:C8:17:A9:61 theirkey=7ecb7b90a10f15d2ef6fe0555b080a22 myip=10.1.0.2/24 ./macsec

On HostB:

iface=eth1 theirmac=d0:5f:b8:ef:44:6f theirkey=1e63c81f60ee224d7d0ffa3447da955f mymac=A0:CE:C8:17:A9:61 mykey=7ecb7b90a10f15d2ef6fe0555b080a22 myip=10.1.0.1/24 ./macsec

Having done so, I was able to ping the corresponding 10.1.0.x IP address from each host.

Having done so, I'm really keen to figure out how to implement an 802.1x-2010 authenticator using OpenWrt. If anyone has any tips, I'm all ears!
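Added example (not from the thread or from OpenWrt): a preflight and dry-run companion to the script above. It checks whether the macsec driver is loadable (the "Not supported" answer in the first post is what you get when it is not; on OpenWrt/LEDE that is the kmod-macsec package), validates the key and MAC inputs before they reach `ip macsec`, generates a fresh 128-bit key, and emits the same eight `ip` commands as a reviewable plan instead of running them as root. All function names (`macsec_kmod_check`, `valid_hex_key`, `valid_mac`, `gen_key`, `build_macsec_cmds`) are assumptions for this example.

```shell
#!/bin/sh
# Added example: preflight checks and a dry-run plan builder for the
# two-host static-key MACsec setup discussed in this thread.
# Function names and placeholder values are assumptions, not OpenWrt code.

# 1. Is the macsec driver available? Loading it is harmless if it is already
#    present or built in. On OpenWrt/LEDE the module ships as kmod-macsec.
macsec_kmod_check() {
  modprobe macsec 2>/dev/null
  if grep -q '^macsec ' /proc/modules 2>/dev/null || [ -d /sys/module/macsec ]; then
    return 0
  fi
  echo "macsec driver not available; on OpenWrt/LEDE install kmod-macsec" >&2
  return 1
}

# 2. Input validation. A GCM-AES-128 key is 16 bytes = 32 hex digits
#    (GCM-AES-256 would be 64); anything else is rejected before 'ip macsec' sees it.
valid_hex_key() {
  case "$1" in
    ""|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ ${#1} -eq 32 ] || [ ${#1} -eq 64 ]
}

# Six colon-separated hex pairs, upper or lower case (e.g. d0:5f:b8:ef:44:6f).
valid_mac() {
  echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# 3. Fresh 128-bit key from the kernel RNG, as 32 hex digits with no separators.
gen_key() {
  dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# 4. Emit the plan (same commands as the thread's script) rather than run it,
#    so it can be reviewed, or unit-tested, without root or MACsec support.
#    Arguments: iface mykey theirmac theirkey myip
build_macsec_cmds() {
  valid_hex_key "$2" || { echo "mykey must be 32 or 64 hex digits" >&2; return 1; }
  valid_mac "$3"     || { echo "theirmac is not a MAC address" >&2; return 1; }
  valid_hex_key "$4" || { echo "theirkey must be 32 or 64 hex digits" >&2; return 1; }
  cat <<EOF
ip link set $1 up
ip link del macsec0 2>/dev/null
ip link add link $1 macsec0 type macsec encrypt on
ip macsec add macsec0 tx sa 0 pn 1 on key 00 $2
ip macsec add macsec0 rx port 1 address $3
ip macsec add macsec0 rx port 1 address $3 sa 0 pn 1 on key 01 $4
ip link set macsec0 up
ip addr add $5 dev macsec0
EOF
}

# Usage: sh macsec-plan.sh eth0 <mykey> <theirmac> <theirkey> 10.1.0.2/24
# Review the printed plan, then pipe it to sh as root. Nothing runs when
# the file is sourced or invoked without the five arguments.
if [ $# -eq 5 ]; then
  macsec_kmod_check || exit 1
  build_macsec_cmds "$@"
fi
```

Generate one key per direction with `gen_key` and hand each host the other's key as `theirkey`, exactly as in the two invocations above. The `pn 1` start is a reminder that the packet number is a 32-bit counter with GCM-AES-128, so a static key set up this way has to be replaced before the counter wraps, which is the rotation job the post leaves to 802.1X-2010.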