After reading this article, which shows how to set up wired MACsec layer 2 authentication / encryption and explains how it actually works, I tried to configure it on a LEDE-based router.
According to the article, MACsec is natively supported as of Linux kernel 4.6.
I tried some of the commands on my Linux desktop running 4.13: no issues.
But when I tried to run the same commands on the router, they failed:
root@LEDE:~# ip link add link eth0 macsec0 type macsec encrypt on
RTNETLINK answers: Not supported
root@LEDE:~# ip macsec show
RTNETLINK answers: No such file or directory
Error talking to the kernel
The "Not supported" answer to ip link add is the kernel saying it has no macsec link type, so the kernel side has to be present first: MACsec built in, or the module loaded (on LEDE/OpenWrt that is the kmod-macsec package). You may also need to install the "full" version of the ip tools (the ip-full package on LEDE/OpenWrt), rather than the busybox re-implementation of the "core" functionality of the ip tool set: the ip macsec subcommand only exists in the full iproute2.
I wanted to experiment with MACsec a bit, and made a simple shell script to make it easier. NB: in a real deployment the keys are negotiated and rotated automatically by MACsec Key Agreement (MKA, IEEE 802.1X-2010; wpa_supplicant implements it on Linux), not typed in by hand. With static keys the 32-bit packet number is the only thing keeping GCM nonces unique under a key, so a key must be replaced before its packet number wraps, and must never be reused with the packet number reset. This script does none of that, so it is really just good for a proof of concept!
#!/bin/sh
# Static-key MACsec between two hosts: proof of concept only, the keys never rotate.
die() {
echo "$1" >&2
exit 1
}
# iface: physical interface; mykey/theirkey: 32 hex digits each (GCM-AES-128, the kernel default);
# theirmac: the peer's MAC, which identifies its secure channel; myip: address/prefix for macsec0.
# mymac is not used by the commands below, it is only required so both hosts set the same variables.
if [ -z "$iface" ] || [ -z "$mykey" ] || [ -z "$theirkey" ] || [ -z "$mymac" ] || [ -z "$theirmac" ] || [ -z "$myip" ] ; then
die "Please set iface, mykey, theirkey, mymac, theirmac and myip before running this script"
fi
ip link set "${iface}" up
# Start clean; the error is harmless if macsec0 does not exist yet
ip link del macsec0 2> /dev/null
ip link add link "${iface}" macsec0 type macsec encrypt on
# Our transmit secure association: SA 0, packet number starting at 1, active, key id 00
ip macsec add macsec0 tx sa 0 pn 1 on key 00 "${mykey}"
# The peer's receive secure channel (its MAC plus port 1 form the SCI), then the SA holding the peer's transmit key
ip macsec add macsec0 rx port 1 address "${theirmac}"
ip macsec add macsec0 rx port 1 address "${theirmac}" sa 0 pn 1 on key 01 "${theirkey}"
ip link set macsec0 up
ip addr add "${myip}" dev macsec0
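The commonest way to get this script wrong is a key that is not 16 bytes of hex, or the two hosts' keys not mirrored (A's theirkey must be B's mykey and vice versa), and you only find out when the SAs silently drop every frame. The following is an added example, not the original script or anything from the referenced article: it generates and sanity-checks static keys, builds the same ip(8) command sequence as the script above without executing it, and checks that two hosts' settings mirror each other. All function names (macsec_keygen, macsec_key_ok, mac_ok, macsec_plan, macsec_pair_ok) and the sample MACs, keys and addresses are this example's own inventions; it assumes the kernel default cipher GCM-AES-128 and the same SA and key ids (tx key 00, rx key 01) as the script.

```shell
#!/bin/sh
# Added example, not part of the original post. Generate and check static MACsec
# keys and build (but do not run) the ip(8) commands for one side of the link.
# Assumes GCM-AES-128: 16-byte keys written as 32 hex digits. Function and
# variable names are this example's own.

# Random 16-byte key as 32 lowercase hex digits.
macsec_keygen() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# 0 if $1 is exactly 32 hex digits, 1 otherwise.
macsec_key_ok() {
    case "$1" in
        '' | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# 0 if $1 is a colon-separated 48-bit MAC address, 1 otherwise.
mac_ok() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print the commands for macsec0 on top of interface $1 with our tx key $2,
# peer MAC $3, the peer's tx key $4 (our rx key) and our address $5.
# Nothing is executed: review the output, then pipe it into sh as root.
macsec_plan() {
    macsec_key_ok "$2" || { echo "bad local key: $2" >&2; return 1; }
    mac_ok "$3"        || { echo "bad peer MAC: $3" >&2; return 1; }
    macsec_key_ok "$4" || { echo "bad peer key: $4" >&2; return 1; }
    cat <<EOF
ip link set $1 up
ip link del macsec0 2> /dev/null
ip link add link $1 macsec0 type macsec encrypt on
ip macsec add macsec0 tx sa 0 pn 1 on key 00 $2
ip macsec add macsec0 rx port 1 address $3
ip macsec add macsec0 rx port 1 address $3 sa 0 pn 1 on key 01 $4
ip link set macsec0 up
ip addr add $5 dev macsec0
EOF
}

# Host A's rx key must be host B's tx key and vice versa.
# Arguments: A_mykey A_theirkey B_mykey B_theirkey. Returns 0 when mirrored.
macsec_pair_ok() {
    [ "$1" = "$4" ] && [ "$2" = "$3" ]
}

# Constructed sample values: locally administered MACs and fresh random keys.
KEY_A=$(macsec_keygen)
KEY_B=$(macsec_keygen)
MAC_A=02:00:00:00:00:0a
MAC_B=02:00:00:00:00:0b

# Each host's plan: its own tx key, the peer's MAC, the peer's tx key as its rx key.
plan_a() { macsec_plan eth0 "$KEY_A" "$MAC_B" "$KEY_B" 10.0.0.1/24; }
plan_b() { macsec_plan eth0 "$KEY_B" "$MAC_A" "$KEY_A" 10.0.0.2/24; }

# Refuse to print anything unless the two sides actually mirror each other.
macsec_pair_ok "$KEY_A" "$KEY_B" "$KEY_B" "$KEY_A" || { echo "keys not mirrored" >&2; exit 1; }
echo "# host A"; plan_a
echo "# host B"; plan_b
```

Run it on a workstation, check that the tx key under "# host A" is the rx key under "# host B" and vice versa, then paste each half into the corresponding router. Keeping the planning step separate from execution also means the keys can be generated once from a good random source instead of being typed twice.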
I ran it on each host (only two) as follows:
On HostA: