MACsec Linux configuration using iproute2
This is how to configure MACsec (IEEE 802.1AE) using the standard Linux toolkit iproute2. MACsec is an IEEE standard rather than an IETF RFC; it was standardised by the IEEE in 2006 as IEEE 802.1AE-2006. With MACsec, frames are carried over secure channels (SC), each supported by one or more secure associations (SA). Each secure association uses its own secure association key (SAK), which must be randomly generated.
The ip macsec command subset is used to configure the transmit secure association and the receive secure channels with their secure associations on a MACsec device. The device itself is created with ip link add using the macsec link type. The ip macsec implementation landed in Linux around 2016 and was written by Sabrina Dubroca.
Network topology
Network topology with IP addressing:
+-------+                                   +-------+
|       | eth0                         eth0 |       |
|  C1   +-----------------------------------+  C2   |
|       | .1                             .2 |       |
+-------+ ::a                           ::b +-------+
Two Linux nodes on a point-to-point network, directly connected through their eth0 NICs. Basic setup.
IP addressing:
IP addressing is attached to the macsec0 interface:
- C1 - macsec0 - 192.0.2.1/30 - 2001:db8::a/127
- C2 - macsec0 - 192.0.2.2/30 - 2001:db8::b/127
PCAP
A packet capture of a plain ICMP ping shows the following sequence of headers:
- Frame
- Ethernet II
- Internet Protocol
- ICMP [...]
The same ICMP traffic captured on the MACsec link shows the following sequence of headers instead:
- Frame
- Ethernet II
- 802.1AE Security tag (SecTAG)
- Data (payload) [...]
What this means:
- the physical source and destination MAC addresses of both endpoints stay in clear text in the Ethernet II header
- the payload, including the original EtherType, is encrypted using GCM-AES
- the encrypted payload sits between the SecTAG and the ICV (integrity check value); the ICV also covers the MAC addresses and the SecTAG, so the unencrypted header is still authenticated
- MACsec frames are sent with their own EtherType, 0x88E5
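As an added example (not part of the original post), here is the complete iproute2 sequence for the C1/C2 topology above, wrapped in a shell function so both ends run the same steps. Assumptions not stated on the page: one 128-bit SAK per direction generated with `openssl rand -hex 16` and copied to the peer out of band, key id 01 for C1's transmit key and 02 for C2's, and the peer's MAC address taken from its eth0. The IP variable lets you preview the commands with IP=echo.

```shell
#!/bin/sh
# Added example, not from the original post: bring up the C1 <-> C2 MACsec link
# from the topology above using iproute2 only.
# Assumptions (not on the page): one 128-bit SAK per direction, generated with
# `openssl rand -hex 16` and copied to the peer out of band; key id 01 for C1's
# transmit key and 02 for C2's; the peer MAC is its eth0 address.
# IP=echo previews the commands without root (used by the self-check).

: "${IP:=ip}"

# sak_ok HEX -> 0 if HEX is exactly 32 hex digits (128-bit key for GCM-AES-128)
sak_ok() {
    [ ${#1} -eq 32 ] || return 1
    case $1 in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# macsec_up ROLE LOCAL_SAK PEER_SAK PEER_MAC IPV4/PLEN IPV6/PLEN
#   ROLE is c1 or c2 and only selects which key id belongs to which node.
macsec_up() {
    role=$1 local_sak=$2 peer_sak=$3 peer_mac=$4 ip4=$5 ip6=$6
    case $role in
        c1) local_id=01 peer_id=02 ;;
        c2) local_id=02 peer_id=01 ;;
        *)  echo "role must be c1 or c2" >&2; return 2 ;;
    esac
    sak_ok "$local_sak" && sak_ok "$peer_sak" || {
        echo "SAKs must be 32 hex digits" >&2; return 2; }

    # Ask for encryption explicitly: SecTAG and ICV alone only give integrity,
    # and an integrity-only link by accident is exactly what you want to avoid.
    $IP link add link eth0 macsec0 type macsec encrypt on
    # Our transmit SA 0, enabled, starting at packet number 1.
    $IP macsec add macsec0 tx sa 0 pn 1 on key "$local_id" "$local_sak"
    # The peer's secure channel (its MAC + port 1) and its SA 0 with its key.
    $IP macsec add macsec0 rx port 1 address "$peer_mac"
    $IP macsec add macsec0 rx port 1 address "$peer_mac" sa 0 pn 1 on key "$peer_id" "$peer_sak"
    $IP addr add "$ip4" dev macsec0
    $IP addr add "$ip6" dev macsec0
    $IP link set macsec0 up
}

# Check: key ids, packet numbers and SA state for both directions.
macsec_show() { $IP macsec show; }
```

On C1 run `macsec_up c1 "$K1" "$K2" <C2 eth0 MAC> 192.0.2.1/30 2001:db8::a/127`, on C2 `macsec_up c2 "$K2" "$K1" <C1 eth0 MAC> 192.0.2.2/30 2001:db8::b/127`, then `macsec_show` on both and ping across macsec0; a tcpdump on eth0 should now show only EtherType 0x88e5 frames. Caveat: statically configured SAs never rekey and the 32-bit packet number must not wrap, so outside a lab use MKA (for example via wpa_supplicant) to derive and rotate the SAKs instead of pasting them by hand.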
At the time of the previous VyOS post, Using freeRtr AAA daemon for VyOS (mid-2023), TACACS+ support was only just being added to VyOS. That netlab therefore covered the VyOS RADIUS authentication and authorisation method, with the RADIUS service running on a freeRtr appliance. A year later, the VyOS rolling releases include a working TACACS+ prototype.
Since TACACS+ support is only a year old, there is probably not much there yet, but the building blocks for simple authentication and basic authorisation should already be in place.
Terms
Using the term server in this context is problematic and leads to misunderstanding, so these are the terms used here. The AAA TACACS+ server is referred to as the AAA daemon:
Term | Function |
---|---|
daemon | AAA TACACS+ NG server (tac_plus-ng) |
NAC | Client or NAC (SSH client) |
NAS | Device or NAS or NAD (VyOS) |
Since a NAS is sometimes referred to as a server, and a daemon is also often referred to as a server, the term server is avoided here in favour of the less ambiguous terms NAS and daemon.
IP addressing
Basic setup. One broadcast domain, network topology with the following IP addressing:
Node | Function | Term | IP address |
---|---|---|---|
node-10 | SSH client | NAC | 10.100.100.10 |
AAA-1 | TACACS+ daemon | daemon | 192.0.2.1 |
R180 | VyOS firewall | NAS | 10.100.100.180/24 |
VyOS configuration
This is the image used in the configuration process, the latest rolling release at the time:
R180 login: vyos
Password:
Welcome to VyOS!
   ┌── ┐
   .   VyOS 1.5-rolling-202406060020
   └ ──┘  current
vyos@R180:~$ show ver
Version:          VyOS 1.5-rolling-202406060020
Release train:    current
Release flavor:   generic
Built by:         autobuild@vyos.net
Built on:         Thu 06 Jun 2024 03:11 UTC
...
IP setup
Basic configuration to have reachability and make VyOS manageable using SSH:
config
set system host-name R180
set interfaces ethernet eth1 address 10.100.100.180/24
set protocols static route 0.0.0.0/0 next-hop 10.100.100.1
set service ssh
commit
save
Reachability established.
TACACS+ configuration
The TACACS+ configuration is short and simple:
- daemon IP address and shared key
- daemon TCP port (49 is the default)
- NAS source address
The key is the shared secret between NAS and daemon and is stored in clear text in the configuration; TACACS+ only obfuscates the packet body with it rather than providing strong transport encryption, so the path from the NAS to the daemon should be a trusted management network. Configuration commands to get TACACS+ support working:
config
set system login tacacs server 192.0.2.1 key '123-my_tacacs_key'
set system login tacacs server 192.0.2.1 port '49'
set system login tacacs source-address '10.100.100.180'
commit
save
A recent lostintransit.de blog post, Adding Arista switch to CML, was the inspiration to run vEOS in GNS3. The vEOS appliance runs under QEMU/KVM in GNS3. Follow lostintransit's instructions to download the Aboot and vEOS images from Arista's download portal; Arista offers free vEOS downloads after an e-mail registration.
This information might be useful to other GNS3 users who are just starting with the vEOS appliance installation. Having boot issues myself right at the start, I found the following GNS3 community discussion thread, Arista vEOS Fails to boot. It gives a generic overview of which GNS3 appliance settings are mandatory to get the vEOS installation routine running under GNS3/QEMU in the first place.
The QEMU vEOS installation requires the Aboot image attached as CD-ROM and the target HDD available at boot time, in the correct sequence: Aboot is the bootloader, it has to be booted first and then loads EOS from the attached disk.
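As an added example (not from the original post, GNS3 or Arista), a preflight check plus the raw QEMU command line that reproduces the appliance layout just described: the Aboot ISO on the CD-ROM, the vEOS disk attached, and the CD-ROM first in the boot order. The file names, the 2 GiB of RAM, the e1000 management adapter and the qcow2 disk format are assumptions; take the real names from your Arista downloads (the vmdk can be converted with `qemu-img convert -O qcow2`).

```shell
#!/bin/sh
# Added example, not from the original post, GNS3 or Arista: check that both
# boot artefacts exist and print the QEMU invocation that mirrors the GNS3
# appliance layout (Aboot as CD-ROM, vEOS disk attached, CD-ROM booted first).
# Assumed names/sizes: an Aboot-veos-serial ISO, a qcow2 vEOS disk, 2 GiB RAM,
# e1000 for Management1; adjust to the images you downloaded.

# veos_preflight ABOOT_ISO VEOS_DISK -> 0 when both files are present
veos_preflight() {
    aboot=$1 disk=$2
    [ -f "$aboot" ] || { echo "missing Aboot ISO: $aboot" >&2; return 1; }
    [ -f "$disk" ]  || { echo "missing vEOS disk: $disk" >&2; return 1; }
    return 0
}

# veos_boot_cmd ABOOT_ISO VEOS_DISK -> prints the qemu-system-x86_64 command
veos_boot_cmd() {
    aboot=$1 disk=$2
    veos_preflight "$aboot" "$disk" || return 1
    # Aboot is the bootloader: it must be booted first (order=d is the CD-ROM)
    # and then loads EOS from the attached disk, so both must be present.
    printf '%s\n' "qemu-system-x86_64 -enable-kvm -m 2048 -smp 2 -nographic \
-cdrom $aboot -drive file=$disk,if=ide,format=qcow2 -boot order=d \
-netdev user,id=mgmt -device e1000,netdev=mgmt"
}
```

Run it as `eval "$(veos_boot_cmd Aboot-veos-serial-8.0.2.iso vEOS-lab.qcow2)"` (names assumed); if Aboot cannot find the disk you get dropped into the Aboot shell instead of an EOS login, which is the same symptom as a GNS3 appliance whose disk or CD-ROM slot is mis-assigned.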
Local application versions running:
- GNS3
- QEMU: QEMU emulator version 9.0.2 Copyright (c) 2003-2024 Fabrice Bellard and the QEMU Project developers