wpa_supplicantMACSEC 보안 유선 채널을 설정하는 데 사용하고 있습니다 . Ubuntu x86 시스템에서는 이것이 가능합니다. 하지만 Arm64 Alpine 시스템에서는 MKA가 성공한 것으로 보이며 인터페이스가 설정되었지만 MACSEC 링크를 통과하는 IP4 트래픽이 없습니다. 카운터 InPktsNotValid가 올라갑니다. 드라이버 소스 코드를 보면 이는 프레임을 처리하는 동안 메모리 할당 실패 또는 암호 해독 실패를 의미합니다. 불행하게도 드라이버는 실제 오류를 받아들입니다.
wpa_supplicant구성 파일은 관련된 모든 시스템에서 동일합니다.
$ cat test.config
no_ctrl_interface=yes
eapol_version=3
ap_scan=0
fast_reauth=1
network={
key_mgmt=NONE
eapol_flags=0
macsec_policy=1
mka_cak=0123456789ABCDEF0123456789ABCDEF
mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
mka_priority=128
}
나는 다음과 같이 wpa_supplicant를 실행합니다.
sudo wpa_supplicant -ieth0 -Dmacsec_linux -ctest.config -d
다음은 wpa_supplicant 출력의 예입니다.
KaY: to enpacket and send the MKPDU
*** MKA Basic Parameter set ***
Version.......: 1
Priority......: 128
KeySvr........: 1
MACSecDesired.: 1
MACSecCapable.: 2
Body Length...: 60
SCI MAC.......: d4:25:cc:b0:25:21
SCI Port .....: 1
Member Id.....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Message Number: 34069
Algo Agility..: - hexdump(len=4): 00 80 c2 01
CAK Name......: - hexdump_ascii(len=32):
61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 qrstuvwxyz012345
*** Live Peer List ***
Body Length...: 16
Member Id.....: - hexdump_ascii(len=12):
9a fa 89 4d b4 3a 6b ac 2f b9 61 52 ___M_:k_/_aR
Message Number: 34451
macsec_linux: macsec_drv_get_receive_lowest_pn
macsec_linux: macsec_drv_get_receive_lowest_pn: result 1
*** MACsec SAK Use ***
Latest Key AN....: 0
Latest Key Tx....: Yes
Latest Key Rx....: Yes
Old Key AN....: 0
Old Key Tx....: No
Old Key Rx....: No
Plain Key Tx....: No
Plain Key Rx....: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI....: - hexdump_ascii(len=12):
00 00 00 00 00 00 00 00 00 00 00 00 ____________
Old Key Number.......: 0
Old Lowest PN........: 1
l2_packet_receive: src=d4:25:cc:b0:79:81 len=152
eth0_bridge: RX EAPOL from d4:25:cc:b0:79:81
RX EAPOL - hexdump(len=152): 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 94 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 14 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f7 7c bc 50 24 8b bb af b0 c3 95 bc 29 ec 8c c5
eth0_bridge: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=d4:25:cc:b0:79:81 len=166
RX EAPOL-MKA: - hexdump(len=166): 01 68 76 68 76 68 d4 25 cc b0 79 81 5e ea 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 94 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 14 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f7 7c bc 50 24 8b bb af b0 c3 95 bc 29 ec 8c c5
*** MKA Basic Parameter set ***
Version.......: 1
Priority......: 128
KeySvr........: 0
MACSecDesired.: 1
MACSecCapable.: 2
Body Length...: 60
SCI MAC.......: d4:25:cc:b0:79:81
SCI Port .....: 1
Member Id.....: - hexdump(len=12): 9a fa 89 4d b4 3a 6b ac 2f b9 61 52
Message Number: 34452
Algo Agility..: - hexdump(len=4): 00 80 c2 01
CAK Name......: - hexdump_ascii(len=32):
61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 qrstuvwxyz012345
*** Live Peer List ***
Body Length...: 16
Member Id.....: - hexdump_ascii(len=12):
ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 __/_____8___
Message Number: 34068
*** MACsec SAK Use ***
Latest Key AN....: 0
Latest Key Tx....: Yes
Latest Key Rx....: Yes
Old Key AN....: 1
Old Key Tx....: No
Old Key Rx....: No
Plain Key Tx....: No
Plain Key Rx....: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI....: - hexdump_ascii(len=12):
00 00 00 00 00 00 00 00 00 00 00 00 ____________
Old Key Number.......: 0
Old Lowest PN........: 1
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 50789
KaY: to enpacket and send the MKPDU
*** MKA Basic Parameter set ***
Version.......: 1
Priority......: 128
KeySvr........: 1
MACSecDesired.: 1
MACSecCapable.: 2
Body Length...: 60
SCI MAC.......: d4:25:cc:b0:25:21
SCI Port .....: 1
Member Id.....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Message Number: 34070
Algo Agility..: - hexdump(len=4): 00 80 c2 01
CAK Name......: - hexdump_ascii(len=32):
61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 qrstuvwxyz012345
*** Live Peer List ***
Body Length...: 16
Member Id.....: - hexdump_ascii(len=12):
9a fa 89 4d b4 3a 6b ac 2f b9 61 52 ___M_:k_/_aR
Message Number: 34452
macsec_linux: macsec_drv_get_receive_lowest_pn
macsec_linux: macsec_drv_get_receive_lowest_pn: result 1
*** MACsec SAK Use ***
Latest Key AN....: 0
Latest Key Tx....: Yes
Latest Key Rx....: Yes
Old Key AN....: 0
Old Key Tx....: No
Old Key Rx....: No
Plain Key Tx....: No
Plain Key Rx....: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI....: - hexdump_ascii(len=12):
00 00 00 00 00 00 00 00 00 00 00 00 ____________
Old Key Number.......: 0
Old Lowest PN........: 1
l2_packet_receive: src=d4:25:cc:b0:79:81 len=152
eth0_bridge: RX EAPOL from d4:25:cc:b0:79:81
RX EAPOL - hexdump(len=152): 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 95 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 15 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f4 41 37 ff d5 59 6f 95 c6 3f 16 5a 9a 21 c6 b4
eth0_bridge: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=d4:25:cc:b0:79:81 len=166
RX EAPOL-MKA: - hexdump(len=166): 01 68 76 68 76 68 d4 25 cc b0 79 81 5e ea 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 95 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 15 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f4 41 37 ff d5 59 6f 95 c6 3f 16 5a 9a 21 c6 b4
*** MKA Basic Parameter set ***
Version.......: 1
Priority......: 128
KeySvr........: 0
MACSecDesired.: 1
MACSecCapable.: 2
Body Length...: 60
SCI MAC.......: d4:25:cc:b0:79:81
SCI Port .....: 1
Member Id.....: - hexdump(len=12): 9a fa 89 4d b4 3a 6b ac 2f b9 61 52
Message Number: 34453
Algo Agility..: - hexdump(len=4): 00 80 c2 01
CAK Name......: - hexdump_ascii(len=32):
61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 abcdefghijklmnop
71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 qrstuvwxyz012345
*** Live Peer List ***
Body Length...: 16
Member Id.....: - hexdump_ascii(len=12):
ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 __/_____8___
Message Number: 34069
*** MACsec SAK Use ***
Latest Key AN....: 0
Latest Key Tx....: Yes
Latest Key Rx....: Yes
Old Key AN....: 1
Old Key Tx....: No
Old Key Rx....: No
Plain Key Tx....: No
Plain Key Rx....: No
Delay Protect....: No
Body Length......: 40
Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
Key Number.......: 1
Lowest PN........: 1
Old Key Server MI....: - hexdump_ascii(len=12):
00 00 00 00 00 00 00 00 00 00 00 00 ____________
Old Key Number.......: 0
Old Lowest PN........: 1
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 50790
예는 다음과 같습니다 ip -s macsec show.
$ ip -s macsec show macsec0
38: macsec0: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: d425ccb079810001 on SA 1
stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
0 0 0 1112 0 0 2 0
stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
0 7 0 962
1: PN 8, state on, key 4c9085d6632af3e66b5ea34602000000
stats: OutPktsProtected OutPktsEncrypted
0 7
RXSC: d425ccb025210001, state on
stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
0 18722 0 0 0 0 0 253 0 0
1: PN 1, state on, key 4c9085d6632af3e66b5ea34602000000
stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
0 0 0 0 0
커널에는 CONFIG_MACSEC=y, CONFIG_CRYPTO_GCM=y및 가 포함됩니다 CONFIG_CRYPTO_AES=y.
또 무엇이 잘못될 수 있나요?
답변1
이는 Linux 4.9의 버그로, b3bdc3acbb44d74d0b7ba4d97169577a2b46dc88들어오는 4.10-rc9커밋에서 수정되었습니다. MACSEC 드라이버가 해독된 프레임을 차단하지 않고 대신 해독된 프레임을 비동기적으로 수신하는 경우 드라이버는 해독에 성공한 경우에도 항상 해당 프레임을 유효하지 않은 것으로 표시합니다.