I am using wpa_supplicant to set up a MACSEC secured wired channel. On an Ubuntu x86 system this works. On an Arm64 Alpine system, however, MKA appears to succeed and the interface is set up, but no IP4 traffic passes over the MACSEC link. The counter InPktsNotValid goes up. Looking at the driver source code, this means either a memory allocation failure or a decryption failure while processing the frame. Unfortunately the driver swallows the actual error.
The wpa_supplicant configuration file is identical on all systems involved.
$ cat test.config
no_ctrl_interface=yes
eapol_version=3
ap_scan=0
fast_reauth=1
network={
key_mgmt=NONE
eapol_flags=0
macsec_policy=1
mka_cak=0123456789ABCDEF0123456789ABCDEF
mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
mka_priority=128
}
I run wpa_supplicant as follows:
sudo wpa_supplicant -ieth0 -Dmacsec_linux -ctest.config -d
Here is an example of the wpa_supplicant output:
KaY: to enpacket and send the MKPDU
*** MKA Basic Parameter set ***
Version.......: 1
Priority......: 128
KeySvr........: 1
MACSecDesired.: 1
MACSecCapable.: 2
Body Length...: 60
SCI MAC.......: d4:25:cc:b0:25:21
SCI Port .....: 1
Member Id.....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Message Number: 34069
Algo Agility..: - hexdump(len=4): 00 80 c2 01
CAK Name......: - hexdump_ascii(len=32):
61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 qrstuvwxyz012345
*** Live Peer List ***
Body Length...: 16
Member Id.....: - hexdump_ascii(len=12):
9a fa 89 4d b4 3a 6b ac 2f b9 61 52 ___M_:k_/_aR
Message Number: 34451
macsec_linux: macsec_drv_get_receive_lowest_pn
macsec_linux: macsec_drv_get_receive_lowest_pn: result 1
*** MACsec SAK Use ***
Latest Key AN....: 0
Latest Key Tx....: Yes
Latest Key Rx....: Yes
Old Key AN....: 0
Old Key Tx....: No
Old Key Rx....: No
Plain Key Tx....: No
Plain Key Rx....: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI....: - hexdump_ascii(len=12):
00 00 00 00 00 00 00 00 00 00 00 00 ____________
Old Key Number.......: 0
Old Lowest PN........: 1
l2_packet_receive: src=d4:25:cc:b0:79:81 len=152
eth0_bridge: RX EAPOL from d4:25:cc:b0:79:81
RX EAPOL - hexdump(len=152): 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 94 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 14 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f7 7c bc 50 24 8b bb af b0 c3 95 bc 29 ec 8c c5
eth0_bridge: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=d4:25:cc:b0:79:81 len=166
RX EAPOL-MKA: - hexdump(len=166): 01 68 76 68 76 68 d4 25 cc b0 79 81 5e ea 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 94 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 14 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f7 7c bc 50 24 8b bb af b0 c3 95 bc 29 ec 8c c5
*** MKA Basic Parameter set ***
Version.......: 1
Priority......: 128
KeySvr........: 0
MACSecDesired.: 1
MACSecCapable.: 2
Body Length...: 60
SCI MAC.......: d4:25:cc:b0:79:81
SCI Port .....: 1
Member Id.....: - hexdump(len=12): 9a fa 89 4d b4 3a 6b ac 2f b9 61 52
Message Number: 34452
Algo Agility..: - hexdump(len=4): 00 80 c2 01
CAK Name......: - hexdump_ascii(len=32):
61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 qrstuvwxyz012345
*** Live Peer List ***
Body Length...: 16
Member Id.....: - hexdump_ascii(len=12):
ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 __/_____8___
Message Number: 34068
*** MACsec SAK Use ***
Latest Key AN....: 0
Latest Key Tx....: Yes
Latest Key Rx....: Yes
Old Key AN....: 1
Old Key Tx....: No
Old Key Rx....: No
Plain Key Tx....: No
Plain Key Rx....: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI....: - hexdump_ascii(len=12):
00 00 00 00 00 00 00 00 00 00 00 00 ____________
Old Key Number.......: 0
Old Lowest PN........: 1
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 50789
KaY: to enpacket and send the MKPDU
*** MKA Basic Parameter set ***
Version.......: 1
Priority......: 128
KeySvr........: 1
MACSecDesired.: 1
MACSecCapable.: 2
Body Length...: 60
SCI MAC.......: d4:25:cc:b0:25:21
SCI Port .....: 1
Member Id.....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Message Number: 34070
Algo Agility..: - hexdump(len=4): 00 80 c2 01
CAK Name......: - hexdump_ascii(len=32):
61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 qrstuvwxyz012345
*** Live Peer List ***
Body Length...: 16
Member Id.....: - hexdump_ascii(len=12):
9a fa 89 4d b4 3a 6b ac 2f b9 61 52 ___M_:k_/_aR
Message Number: 34452
macsec_linux: macsec_drv_get_receive_lowest_pn
macsec_linux: macsec_drv_get_receive_lowest_pn: result 1
*** MACsec SAK Use ***
Latest Key AN....: 0
Latest Key Tx....: Yes
Latest Key Rx....: Yes
Old Key AN....: 0
Old Key Tx....: No
Old Key Rx....: No
Plain Key Tx....: No
Plain Key Rx....: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI....: - hexdump_ascii(len=12):
00 00 00 00 00 00 00 00 00 00 00 00 ____________
Old Key Number.......: 0
Old Lowest PN........: 1
l2_packet_receive: src=d4:25:cc:b0:79:81 len=152
eth0_bridge: RX EAPOL from d4:25:cc:b0:79:81
RX EAPOL - hexdump(len=152): 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 95 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 15 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f4 41 37 ff d5 59 6f 95 c6 3f 16 5a 9a 21 c6 b4
eth0_bridge: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=d4:25:cc:b0:79:81 len=166
RX EAPOL-MKA: - hexdump(len=166): 01 68 76 68 76 68 d4 25 cc b0 79 81 5e ea 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 95 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 15 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f4 41 37 ff d5 59 6f 95 c6 3f 16 5a 9a 21 c6 b4
*** MKA Basic Parameter set ***
Version.......: 1
Priority......: 128
KeySvr........: 0
MACSecDesired.: 1
MACSecCapable.: 2
Body Length...: 60
SCI MAC.......: d4:25:cc:b0:79:81
SCI Port .....: 1
Member Id.....: - hexdump(len=12): 9a fa 89 4d b4 3a 6b ac 2f b9 61 52
Message Number: 34453
Algo Agility..: - hexdump(len=4): 00 80 c2 01
CAK Name......: - hexdump_ascii(len=32):
61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 qrstuvwxyz012345
*** Live Peer List ***
Body Length...: 16
Member Id.....: - hexdump_ascii(len=12):
ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 __/_____8___
Message Number: 34069
*** MACsec SAK Use ***
Latest Key AN....: 0
Latest Key Tx....: Yes
Latest Key Rx....: Yes
Old Key AN....: 1
Old Key Tx....: No
Old Key Rx....: No
Plain Key Tx....: No
Plain Key Rx....: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI....: - hexdump_ascii(len=12):
00 00 00 00 00 00 00 00 00 00 00 00 ____________
Old Key Number.......: 0
Old Lowest PN........: 1
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 50790
Here is an example of ip -s macsec show:
$ ip -s macsec show macsec0
38: macsec0: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: d425ccb079810001 on SA 1
stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
0 0 0 1112 0 0 2 0
stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
0 7 0 962
1: PN 8, state on, key 4c9085d6632af3e66b5ea34602000000
stats: OutPktsProtected OutPktsEncrypted
0 7
RXSC: d425ccb025210001, state on
stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
0 18722 0 0 0 0 0 253 0 0
1: PN 1, state on, key 4c9085d6632af3e66b5ea34602000000
stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
0 0 0 0 0
The kernel includes CONFIG_MACSEC=y, CONFIG_CRYPTO_GCM=y and CONFIG_CRYPTO_AES=y.
What else could be going wrong?
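The EAPOL-MKA frames in the debug output above can be checked by hand against what wpa_supplicant prints. This decoder is an added example, not code from wpa_supplicant or from the question; it follows the IEEE 802.1X MKPDU layout (Basic Parameter Set, peer lists, SAK Use, ICV Indicator), uses the first 152-byte RX EAPOL hexdump from the log as a constructed sample, and does not verify the ICV, which would need the ICK derived from the CAK.

```python
import struct

# Constructed sample: the first 152-byte "RX EAPOL" hexdump from the log above.
SAMPLE_MKPDU = bytes.fromhex("""
03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 94
00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31
32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 14 03 34 00 28 ea fd 2f b9
9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 01 ff 00 00 10 f7 7c bc 50 24 8b bb af b0 c3 95 bc 29 ec 8c c5
""")

def _hdr(b, off):   # parameter-set header: byte 0, byte 1, byte 2, 12-bit body length
    return b[off], b[off + 1], b[off + 2], ((b[off + 2] & 0x0F) << 8) | b[off + 3]

def _peers(d):      # peer list body: 16-byte entries of Member Identifier + Message Number
    return [{"member_id": d[i:i + 12].hex(), "message_number": int.from_bytes(d[i + 12:i + 16], "big")}
            for i in range(0, len(d), 16)]

def parse_mkpdu(frame):
    """Decode one EAPOL-MKA frame into the fields wpa_supplicant prints (ICV not verified)."""
    _, ptype, eapol_len = struct.unpack_from("!BBH", frame, 0)   # EAPOL: version, type, length
    if ptype != 5 or eapol_len != len(frame) - 4:                 # type 5 = EAPOL-MKA
        raise ValueError("not a well-formed EAPOL-MKA frame")
    b = frame[4:4 + eapol_len]
    ver, prio, flags, length = _hdr(b, 0)   # Basic Parameter Set always comes first
    out = {"basic": {
        "mka_version": ver, "priority": prio, "key_server": bool(flags & 0x80),
        "macsec_desired": bool(flags & 0x40), "macsec_capability": (flags >> 4) & 3,
        "sci": b[4:12].hex(), "member_id": b[12:24].hex(),
        "message_number": int.from_bytes(b[24:28], "big"),
        "algorithm_agility": b[28:32].hex(), "ckn": b[32:4 + length]}}
    off = 4 + length
    while off + 4 <= len(b):
        ptype, f1, f2, length = _hdr(b, off)
        d = b[off + 4:off + 4 + length]
        if ptype in (1, 2):        # 1 = Live Peer List, 2 = Potential Peer List
            out["live_peers" if ptype == 1 else "potential_peers"] = _peers(d)
        elif ptype == 3:           # MACsec SAK Use: flag bits, then key-server MI / KN / lowest PN
            out["sak_use"] = {
                "latest_key_an": f1 >> 6, "latest_key_tx": bool(f1 & 0x20), "latest_key_rx": bool(f1 & 0x10),
                "old_key_an": (f1 >> 2) & 3, "old_key_tx": bool(f1 & 0x02), "old_key_rx": bool(f1 & 0x01),
                "plain_tx": bool(f2 & 0x80), "plain_rx": bool(f2 & 0x40), "delay_protect": bool(f2 & 0x10),
                "key_server_mi": d[:12].hex(), "key_number": int.from_bytes(d[12:16], "big"),
                "lowest_pn": int.from_bytes(d[16:20], "big"), "old_key_server_mi": d[20:32].hex(),
                "old_key_number": int.from_bytes(d[32:36], "big"), "old_lowest_pn": int.from_bytes(d[36:40], "big")}
        elif ptype == 255:         # ICV Indicator: AES-CMAC over the MKPDU under the ICK (derived from the CAK)
            out["icv"] = d.hex()
        off += 4 + ((length + 3) & ~3)   # parameter sets are padded to a multiple of 4 octets
    return out
```

Running it on the sample reproduces the values in the log: peer priority 128, KeySvr 0, MACSecCapable 2, Message Number 34452, the Live Peer entry with Message Number 34068 and the SAK Use set with Old Key AN 1.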
Answer 1
This is a bug in Linux 4.9, fixed in commit b3bdc3acbb44d74d0b7ba4d97169577a2b46dc88, which went into 4.10-rc9. When the MACSEC driver does not block while decrypting a frame but instead receives the decrypted frame asynchronously, the driver always marks that frame as invalid even when decryption succeeded.
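A monitoring check for the pattern described in this answer, as an added example (not from the question, wpa_supplicant or the kernel): it parses `ip -s macsec show` output and flags a receive SC whose InPktsNotValid grows while InPktsOK stays at zero, using the output from the question as a constructed sample. The function and key names are my own.

```python
import re

# Constructed sample: the `ip -s macsec show macsec0` output quoted in the question.
SAMPLE_IP_MACSEC = """\
38: macsec0: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: d425ccb079810001 on SA 1
        stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
               0 0 0 1112 0 0 2 0
        stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
               0 7 0 962
    1: PN 8, state on, key 4c9085d6632af3e66b5ea34602000000
        stats: OutPktsProtected OutPktsEncrypted
               0 7
    RXSC: d425ccb025210001, state on
        stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
               0 18722 0 0 0 0 0 253 0 0
    1: PN 1, state on, key 4c9085d6632af3e66b5ea34602000000
        stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
               0 0 0 0 0
"""

def parse_macsec_stats(text):
    """Map each SC / SA of `ip -s macsec show` to its counters, e.g. {"RXSC: d425...": {"InPktsOK": 0, ...}}."""
    stats, section, names = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("TXSC:", "RXSC:")):          # secure channel header
            section = line.split(",")[0].split(" on ")[0]
        elif re.match(r"\d+: PN ", line):                  # secure association under that SC
            section = f"{section} SA {line.split(':')[0]}"
        elif line.startswith("stats:"):                    # counter names; values follow on the next line
            names = line.split()[1:]
        elif names and section:
            stats.setdefault(section, {}).update(zip(names, map(int, line.split())))
            names = None
    return stats

def diagnose(stats):
    """Flag the symptom from the question: an RX SC decrypting octets yet marking every frame NotValid."""
    findings = []
    for name, c in stats.items():
        if name.startswith("RXSC") and c.get("InPktsNotValid", 0) > 0 and c.get("InPktsOK", 0) == 0:
            findings.append(f"{name}: {c['InPktsNotValid']} frames NotValid, 0 OK, "
                            f"{c.get('InOctetsDecrypted', 0)} octets decrypted: check SAK/AN agreement, "
                            "validate mode and the kernel MACsec driver version")
    return findings
```

On the sample the check reports only the receive SC (253 NotValid, 0 OK, 18722 octets decrypted) and stays silent for the transmit side and the per-SA counters.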