MACsec configuration using iproute2

MACsec Linux configuration using iproute2.

This is how to configure MACsec (IEEE 802.1AE) using the standard Linux toolkit iproute2. Unlike an RFC, IEEE 802.1AE is a technical standard; MACsec was standardised by the IEEE in 2006 as IEEE 802.1AE-2006. With MACsec, frames are switched over secure channels (SC), each supported by secure associations (SA). Each secure association uses a separate, randomly generated key.

The ip macsec command subset configures transmit secure associations, as well as receive secure channels and their secure associations, on a MACsec device created with the ip link add command using the macsec type. The ip macsec implementation arrived in Linux around 2016 and was written by Sabrina Dubroca.

Network topology

Network topology with IP addressing:

    +-------+                                   +-------+
    |       | eth0                         eth0 |       |
    |  C1   +-----------------------------------+  C2   |
    |       | .1                             .2 |       |
    +-------+ ::a                           ::b +-------+

Two Linux nodes in a point-to-point network, directly connected to each other over their eth0 NICs. Basic setup.

IP addressing:

IP addressing is attached to the macsec0 interface:

  • C1 - macsec0 - 192.0.2.1/30 - 2001:db8::a/127
  • C2 - macsec0 - 192.0.2.2/30 - 2001:db8::b/127
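
As an added example (not from the post), here is the ip link / ip macsec procedure for C1 and C2 from the topology above, wrapped in a shell function. Interface names and addresses come from the topology; the MAC addresses and hex keys are constructed placeholders, and setting DRY_RUN prints the commands instead of running them (otherwise root is required).

```shell
#!/bin/sh
# Added example: bring up MACsec on C1 or C2 with iproute2.
# Assumptions: MAC addresses and keys below are constructed placeholders.
# Real keys are 16 random bytes per SA (e.g. `openssl rand -hex 16`) and must
# be exchanged over a trusted path; each SA gets its own key.

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# macsec_setup PHY PEER_MAC TX_KEY RX_KEY IPV4 IPV6
# Creates macsec0 on top of PHY with encryption on, installs the local transmit
# SA (TX_KEY) and the receive secure channel for the peer's MAC with its SA
# (RX_KEY), then assigns the topology addresses to macsec0.
macsec_setup() {
    phy=$1 peer_mac=$2 tx_key=$3 rx_key=$4 ip4=$5 ip6=$6
    run ip link add link "$phy" macsec0 type macsec encrypt on
    # transmit SA 0, packet number starting at 1, key id 01
    run ip macsec add macsec0 tx sa 0 pn 1 on key 01 "$tx_key"
    # receive SC identified by the peer's MAC and port 1, then its SA 0 (key id 02)
    run ip macsec add macsec0 rx port 1 address "$peer_mac"
    run ip macsec add macsec0 rx port 1 address "$peer_mac" sa 0 pn 1 on key 02 "$rx_key"
    run ip link set macsec0 up
    run ip addr add "$ip4" dev macsec0
    run ip -6 addr add "$ip6" dev macsec0
    # verify SCs, SAs and packet numbers
    run ip macsec show macsec0
}

# Constructed demo values: C1's transmit key is C2's receive key and vice versa.
KEY_C1_TO_C2=00112233445566778899aabbccddeeff
KEY_C2_TO_C1=ffeeddccbbaa99887766554433221100
MAC_C1=02:00:00:00:00:01
MAC_C2=02:00:00:00:00:02

# On C1:  macsec_setup eth0 "$MAC_C2" "$KEY_C1_TO_C2" "$KEY_C2_TO_C1" 192.0.2.1/30 2001:db8::a/127
# On C2:  macsec_setup eth0 "$MAC_C1" "$KEY_C2_TO_C1" "$KEY_C1_TO_C2" 192.0.2.2/30 2001:db8::b/127
```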

PCAP

A packet dump of a plain ICMP ping test shows the following sequence of headers:

  • Frame
  • Ethernet II
  • Internet Protocol
  • ICMP [...]

The packet dump of the same ICMP ping test over MACsec shows the following sequence of headers:

  • Frame
  • Ethernet II
  • 802.1AE Security tag (SecTAG)
  • Data (payload) [...]

What the MACsec frame shows:

  • the physical source/destination MAC addresses of both endpoints
  • the payload, including the ETYPE, is encrypted using GCM-AES
  • the encrypted payload sits between the SecTAG and the ICV
  • MACsec sends frames using its own Ethernet type, ETYPE 0x88E5


VyOS TACACS+ configuration using TACACS+NG

In the previous VyOS post, Using freeRtr AAA daemon for VyOS, TACACS+ support had only just been added to VyOS, in the middle of 2023. That netlab explains the VyOS RADIUS authentication and authorisation method, with the RADIUS service running on a freeRtr appliance. A year later, the VyOS rolling releases include a working TACACS+ prototype.

Since VyOS TACACS+ support was added only a year ago, there is probably not much there yet. But for simple authentication and the most basic authorization, the building blocks should already be in place.

Terms

Using the term server in this context is problematic and leads to misunderstanding. These are the technical terms used here; the AAA TACACS+ server is referred to as the AAA daemon:

Term     Function
daemon   AAA TACACS+NG server (tac_plus-ng)
NAC      Client or NAC (SSH client)
NAS      Device or NAS or NAD (VyOS)

Since a NAS is sometimes referred to as a server, and a daemon is also often referred to as a server, the term server has been avoided here in favor of the less ambiguous terms NAS and daemon.

IP addressing

Basic setup: one broadcast domain, network topology with the following IP addressing:

Node     Function         Term     IP address
node-10  SSH client       NAC      10.100.100.10
AAA-1    TACACS+ daemon   daemon   192.0.2.1
R180     VyOS firewall    NAS      10.100.100.180/24

VyOS configuration

This is the image used in the configuration process, the latest release:

Welcome to VyOS - R180 ttyS0

R180 login: vyos
Password:
Welcome to VyOS!
VyOS 1.5-rolling-202406060020
current

vyos@R180:~$ show ver
Version:          VyOS 1.5-rolling-202406060020
Release train:    current
Release flavor:   generic
Built by:         autobuild@vyos.net
Built on:         Thu 06 Jun 2024 03:11 UTC
...

IP setup

Basic configuration to establish reachability and make VyOS manageable over SSH:

config
set system host-name R180
set interfaces ethernet eth1 address 10.100.100.180/24
set protocols static route 0.0.0.0/0 next-hop 10.100.100.1
set service ssh
commit
save

Reachability established.

TACACS+ configuration

The TACACS+ configuration is short and simple:

  • daemon IP and key
  • daemon TCP/IP port
  • NAS source interface

Configuration commands to get TACACS+ support working:

config
set system login tacacs server 192.0.2.1 key '123-my_tacacs_key'
set system login tacacs server 192.0.2.1 port '49'
set system login tacacs source-address '10.100.100.180'
commit
save
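
As an added illustration (not code from the post) of what the key configured above actually protects: a minimal RFC 8907 TACACS+ header builder and parser in Python, using the page's key. The body of every TACACS+ packet is only XOR-obfuscated with an MD5 pad derived from the shared key, so that key is the single secret guarding credentials between NAS and daemon and must be strong and tightly held; the sample START body and session id are constructed.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) 12-byte header: version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN = 0x01

# Shared secret as configured on the VyOS NAS above; the daemon holds the same value.
KEY = b"123-my_tacacs_key"

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body, session_id, key, version=0xC0, ptype=TAC_PLUS_AUTHEN,
                 seq_no=1, flags=0):
    header = HEADER.pack(version, ptype, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:  # body on the wire as-is; never use in production
        return header + body
    return header + obfuscate(body, session_id, key, version, seq_no)

def parse_packet(packet, key):
    """Return (header fields, body); the body is only readable with the right key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}, body

# Constructed sample: authentication START body (action LOGIN, priv_lvl 1, ASCII,
# service LOGIN) for user "vyos" on port ttyS0 from the NAC 10.100.100.10.
SAMPLE_BODY = struct.pack("!8B", 1, 1, 1, 1, 4, 5, 13, 0) + b"vyos" + b"ttyS0" + b"10.100.100.10"
SAMPLE_SESSION = 0x1234ABCD
```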


GNS3 QEMU vEOS appliance installation

A recent lostintransit.de blog post called Adding Arista switch to CML was the inspiration for running vEOS in GNS3. The vEOS appliance runs under QEMU/KVM in GNS3. Follow lostintransit's instructions to download the Aboot and vEOS images from Arista's download portal. Arista offers free vEOS downloads after an email registration.

This information might be useful to other GNS3 users tinkering with the vEOS appliance installation in GNS3. Having boot issues myself right at the start, I found the following GNS3 community discussion thread, called Arista vEOS Fails to boot. This thread gives a generic overview of which GNS3 appliance configuration settings are mandatory to get the vEOS installation routine running in GNS3/QEMU in the first place.

📗 Hint
The QEMU vEOS installation requires the Aboot image as CDROM and the target HDD to be available at boot time, in the correct sequence.

Local application versions running:

GNS3

user % gns3 --version
2.2.48.1

QEMU

user % qemu-system-x86_64 --version
QEMU emulator version 9.0.2
Copyright (c) 2003-2024 Fabrice Bellard and the QEMU Project developers
