MACSEC frames are invalid


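I am using wpa_supplicant to set up a MACSEC-secured wired channel. On an Ubuntu x86 system this works. On an Arm64 Alpine system, however, MKA appears to succeed and the interface comes up, but no IPv4 traffic passes over the MACSEC link. The InPktsNotValid counter goes up. Looking at the driver source code, this means either a memory allocation failure or a decryption failure while processing the frame. Unfortunately, the driver swallows the actual error.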

The wpa_supplicant configuration file is the same on all systems involved.

$ cat test.config 
no_ctrl_interface=yes
eapol_version=3
ap_scan=0
fast_reauth=1

network={
    key_mgmt=NONE
    eapol_flags=0
    macsec_policy=1
    mka_cak=0123456789ABCDEF0123456789ABCDEF
    mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
    mka_priority=128
}

I run wpa_supplicant as follows:

sudo wpa_supplicant -ieth0 -Dmacsec_linux -ctest.config -d

Here is an example of the wpa_supplicant output:

KaY: to enpacket and send the MKPDU
*** MKA Basic Parameter set ***
    Version.......: 1
    Priority......: 128
    KeySvr........: 1
    MACSecDesired.: 1
    MACSecCapable.: 2
    Body Length...: 60
    SCI MAC.......: d4:25:cc:b0:25:21
    SCI Port .....: 1
    Member Id.....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Message Number: 34069
    Algo Agility..: - hexdump(len=4): 00 80 c2 01
    CAK Name......: - hexdump_ascii(len=32):
     61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
     71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35   qrstuvwxyz012345
*** Live Peer List ***
    Body Length...: 16
    Member Id.....: - hexdump_ascii(len=12):
     9a fa 89 4d b4 3a 6b ac 2f b9 61 52               ___M_:k_/_aR    
    Message Number: 34451
macsec_linux: macsec_drv_get_receive_lowest_pn
macsec_linux: macsec_drv_get_receive_lowest_pn: result 1
*** MACsec SAK Use ***
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN....: 0
    Old Key Tx....: No
    Old Key Rx....: No
    Plain Key Tx....: No
    Plain Key Rx....: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI....: - hexdump_ascii(len=12):
     00 00 00 00 00 00 00 00 00 00 00 00               ____________    
    Old Key Number.......: 0
    Old Lowest PN........: 1
l2_packet_receive: src=d4:25:cc:b0:79:81 len=152
eth0_bridge: RX EAPOL from d4:25:cc:b0:79:81
RX EAPOL - hexdump(len=152): 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 94 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 14 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f7 7c bc 50 24 8b bb af b0 c3 95 bc 29 ec 8c c5
eth0_bridge: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=d4:25:cc:b0:79:81 len=166
RX EAPOL-MKA:  - hexdump(len=166): 01 68 76 68 76 68 d4 25 cc b0 79 81 5e ea 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 94 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 14 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f7 7c bc 50 24 8b bb af b0 c3 95 bc 29 ec 8c c5
*** MKA Basic Parameter set ***
    Version.......: 1
    Priority......: 128
    KeySvr........: 0
    MACSecDesired.: 1
    MACSecCapable.: 2
    Body Length...: 60
    SCI MAC.......: d4:25:cc:b0:79:81
    SCI Port .....: 1
    Member Id.....: - hexdump(len=12): 9a fa 89 4d b4 3a 6b ac 2f b9 61 52
    Message Number: 34452
    Algo Agility..: - hexdump(len=4): 00 80 c2 01
    CAK Name......: - hexdump_ascii(len=32):
     61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
     71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35   qrstuvwxyz012345
*** Live Peer List ***
    Body Length...: 16
    Member Id.....: - hexdump_ascii(len=12):
     ea fd 2f b9 9d f6 e2 17 38 0d d8 b1               __/_____8___    
    Message Number: 34068
*** MACsec SAK Use ***
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN....: 1
    Old Key Tx....: No
    Old Key Rx....: No
    Plain Key Tx....: No
    Plain Key Rx....: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI....: - hexdump_ascii(len=12):
     00 00 00 00 00 00 00 00 00 00 00 00               ____________    
    Old Key Number.......: 0
    Old Lowest PN........: 1
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 50789
KaY: to enpacket and send the MKPDU
*** MKA Basic Parameter set ***
    Version.......: 1
    Priority......: 128
    KeySvr........: 1
    MACSecDesired.: 1
    MACSecCapable.: 2
    Body Length...: 60
    SCI MAC.......: d4:25:cc:b0:25:21
    SCI Port .....: 1
    Member Id.....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Message Number: 34070
    Algo Agility..: - hexdump(len=4): 00 80 c2 01
    CAK Name......: - hexdump_ascii(len=32):
     61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
     71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35   qrstuvwxyz012345
*** Live Peer List ***
    Body Length...: 16
    Member Id.....: - hexdump_ascii(len=12):
     9a fa 89 4d b4 3a 6b ac 2f b9 61 52               ___M_:k_/_aR    
    Message Number: 34452
macsec_linux: macsec_drv_get_receive_lowest_pn
macsec_linux: macsec_drv_get_receive_lowest_pn: result 1
*** MACsec SAK Use ***
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN....: 0
    Old Key Tx....: No
    Old Key Rx....: No
    Plain Key Tx....: No
    Plain Key Rx....: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI....: - hexdump_ascii(len=12):
     00 00 00 00 00 00 00 00 00 00 00 00               ____________    
    Old Key Number.......: 0
    Old Lowest PN........: 1
l2_packet_receive: src=d4:25:cc:b0:79:81 len=152
eth0_bridge: RX EAPOL from d4:25:cc:b0:79:81
RX EAPOL - hexdump(len=152): 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 95 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 15 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f4 41 37 ff d5 59 6f 95 c6 3f 16 5a 9a 21 c6 b4
eth0_bridge: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=d4:25:cc:b0:79:81 len=166
RX EAPOL-MKA:  - hexdump(len=166): 01 68 76 68 76 68 d4 25 cc b0 79 81 5e ea 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 95 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 15 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f4 41 37 ff d5 59 6f 95 c6 3f 16 5a 9a 21 c6 b4
*** MKA Basic Parameter set ***
    Version.......: 1
    Priority......: 128
    KeySvr........: 0
    MACSecDesired.: 1
    MACSecCapable.: 2
    Body Length...: 60
    SCI MAC.......: d4:25:cc:b0:79:81
    SCI Port .....: 1
    Member Id.....: - hexdump(len=12): 9a fa 89 4d b4 3a 6b ac 2f b9 61 52
    Message Number: 34453
    Algo Agility..: - hexdump(len=4): 00 80 c2 01
    CAK Name......: - hexdump_ascii(len=32):
     61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
     71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35   qrstuvwxyz012345
*** Live Peer List ***
    Body Length...: 16
    Member Id.....: - hexdump_ascii(len=12):
     ea fd 2f b9 9d f6 e2 17 38 0d d8 b1               __/_____8___    
    Message Number: 34069
*** MACsec SAK Use ***
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN....: 1
    Old Key Tx....: No
    Old Key Rx....: No
    Plain Key Tx....: No
    Plain Key Rx....: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI....: - hexdump_ascii(len=12):
     00 00 00 00 00 00 00 00 00 00 00 00               ____________    
    Old Key Number.......: 0
    Old Lowest PN........: 1
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 50790

Here is an example of ip -s macsec show:

$ ip -s macsec show macsec0
38: macsec0: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off 
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: d425ccb079810001 on SA 1
    stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
                         0              0              0        1112            0                0           2             0
    stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
                          0                7                  0                962
        1: PN 8, state on, key 4c9085d6632af3e66b5ea34602000000
    stats: OutPktsProtected OutPktsEncrypted
                          0                7
    RXSC: d425ccb025210001, state on
    stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                           0             18722               0             0        0             0          0            253                0              0
        1: PN 1, state on, key 4c9085d6632af3e66b5ea34602000000
    stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                  0             0              0                0              0

The kernel includes CONFIG_MACSEC=y, CONFIG_CRYPTO_GCM=y and CONFIG_CRYPTO_AES=y.

What else could be wrong?

Answer 1

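This is a bug in Linux 4.9, fixed in commit b3bdc3acbb44d74d0b7ba4d97169577a2b46dc88, which went into 4.10-rc9. If the MACSEC driver does not block on decrypting a frame and instead receives the decrypted frame asynchronously, the driver always marks that frame as invalid, even when decryption succeeded.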
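
A triage check for the symptom in this thread, as an added example (not code from the question, the answer, or the kernel): it parses `ip -s macsec show` output and flags receive channels where frames are counted as InPktsNotValid while InPktsOK stays at zero. The function names are hypothetical; the sample text is the RXSC block copied from the question.

```python
import re

# RXSC block copied from the `ip -s macsec show` output posted in the question.
SAMPLE = """\
    RXSC: d425ccb025210001, state on
    stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                           0             18722               0             0        0             0          0            253                0              0
        1: PN 1, state on, key 4c9085d6632af3e66b5ea34602000000
    stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                  0             0              0                0              0
"""


def parse_rx_channels(text):
    """Return {sci: {counter: value}} from the channel-level table of each RXSC."""
    channels, sci, names = {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("RXSC:", "TXSC:") or re.fullmatch(r"\d+:", tok[0]):
            # A channel header, or an interface / per-SA line such as "38:" or "1:".
            # Only the table directly under an RXSC header is recorded.
            sci = tok[1].rstrip(",") if tok[0] == "RXSC:" else None
            names = None
        elif tok[0] == "stats:":
            names = tok[1:]          # counter names; values follow on the next line
        elif names and all(t.isdigit() for t in tok):
            if sci:
                channels[sci] = dict(zip(names, map(int, tok)))
            names = None
    return channels


def not_valid_only(channels):
    """SCIs that count InPktsNotValid frames but have never counted an InPktsOK."""
    return [sci for sci, c in channels.items()
            if c.get("InPktsNotValid", 0) > 0 and c.get("InPktsOK", 0) == 0]


if __name__ == "__main__":
    rx = parse_rx_channels(SAMPLE)
    for sci in not_valid_only(rx):
        c = rx[sci]
        print(f"RXSC {sci}: InPktsNotValid={c['InPktsNotValid']} InPktsOK=0 "
              f"InOctetsDecrypted={c['InOctetsDecrypted']}")
```

A channel flagged here on a 4.9 kernel, with both peers agreeing on the key in the MKA log, matches the situation described in the answer; the same counters can also come from a real key or cipher mismatch, so compare against a peer known to work.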
