
MACSEC frames invalid

Unix & Linux user
Asked on 2021-02-25 10:32:50
Answers: 1, Views: 243, Followers: 0, Votes: 0

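I'm using wpa_supplicant to set up a MACSEC-secured wired channel. On Ubuntu x86 systems this works. But on an Arm64 Alpine system, MKA appears to succeed and the interface gets set up, but no IP4 traffic makes it across the MACSEC link. The InPktsNotValid counter goes up. AFAICT from the driver source code, this means that either there was a memory allocation failure while processing the frame, or decryption failed; unfortunately, the driver swallows the actual error.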

The wpa_supplicant config file is the same on all systems involved:

$ cat test.config 
no_ctrl_interface=yes
eapol_version=3
ap_scan=0
fast_reauth=1

network={
    key_mgmt=NONE
    eapol_flags=0
    macsec_policy=1
    mka_cak=0123456789ABCDEF0123456789ABCDEF
    mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
    mka_priority=128
}

I run wpa_supplicant like this:

sudo wpa_supplicant -ieth0 -Dmacsec_linux -ctest.config -d

Here is a sample of the wpa_supplicant output:

KaY: to enpacket and send the MKPDU
*** MKA Basic Parameter set ***
    Version.......: 1
    Priority......: 128
    KeySvr........: 1
    MACSecDesired.: 1
    MACSecCapable.: 2
    Body Length...: 60
    SCI MAC.......: d4:25:cc:b0:25:21
    SCI Port .....: 1
    Member Id.....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Message Number: 34069
    Algo Agility..: - hexdump(len=4): 00 80 c2 01
    CAK Name......: - hexdump_ascii(len=32):
     61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
     71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35   qrstuvwxyz012345
*** Live Peer List ***
    Body Length...: 16
    Member Id.....: - hexdump_ascii(len=12):
     9a fa 89 4d b4 3a 6b ac 2f b9 61 52               ___M_:k_/_aR    
    Message Number: 34451
macsec_linux: macsec_drv_get_receive_lowest_pn
macsec_linux: macsec_drv_get_receive_lowest_pn: result 1
*** MACsec SAK Use ***
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN....: 0
    Old Key Tx....: No
    Old Key Rx....: No
    Plain Key Tx....: No
    Plain Key Rx....: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI....: - hexdump_ascii(len=12):
     00 00 00 00 00 00 00 00 00 00 00 00               ____________    
    Old Key Number.......: 0
    Old Lowest PN........: 1
l2_packet_receive: src=d4:25:cc:b0:79:81 len=152
eth0_bridge: RX EAPOL from d4:25:cc:b0:79:81
RX EAPOL - hexdump(len=152): 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 94 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 14 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f7 7c bc 50 24 8b bb af b0 c3 95 bc 29 ec 8c c5
eth0_bridge: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=d4:25:cc:b0:79:81 len=166
RX EAPOL-MKA:  - hexdump(len=166): 01 68 76 68 76 68 d4 25 cc b0 79 81 5e ea 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 94 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 14 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f7 7c bc 50 24 8b bb af b0 c3 95 bc 29 ec 8c c5
*** MKA Basic Parameter set ***
    Version.......: 1
    Priority......: 128
    KeySvr........: 0
    MACSecDesired.: 1
    MACSecCapable.: 2
    Body Length...: 60
    SCI MAC.......: d4:25:cc:b0:79:81
    SCI Port .....: 1
    Member Id.....: - hexdump(len=12): 9a fa 89 4d b4 3a 6b ac 2f b9 61 52
    Message Number: 34452
    Algo Agility..: - hexdump(len=4): 00 80 c2 01
    CAK Name......: - hexdump_ascii(len=32):
     61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
     71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35   qrstuvwxyz012345
*** Live Peer List ***
    Body Length...: 16
    Member Id.....: - hexdump_ascii(len=12):
     ea fd 2f b9 9d f6 e2 17 38 0d d8 b1               __/_____8___    
    Message Number: 34068
*** MACsec SAK Use ***
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN....: 1
    Old Key Tx....: No
    Old Key Rx....: No
    Plain Key Tx....: No
    Plain Key Rx....: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI....: - hexdump_ascii(len=12):
     00 00 00 00 00 00 00 00 00 00 00 00               ____________    
    Old Key Number.......: 0
    Old Lowest PN........: 1
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 50789
KaY: to enpacket and send the MKPDU
*** MKA Basic Parameter set ***
    Version.......: 1
    Priority......: 128
    KeySvr........: 1
    MACSecDesired.: 1
    MACSecCapable.: 2
    Body Length...: 60
    SCI MAC.......: d4:25:cc:b0:25:21
    SCI Port .....: 1
    Member Id.....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Message Number: 34070
    Algo Agility..: - hexdump(len=4): 00 80 c2 01
    CAK Name......: - hexdump_ascii(len=32):
     61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
     71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35   qrstuvwxyz012345
*** Live Peer List ***
    Body Length...: 16
    Member Id.....: - hexdump_ascii(len=12):
     9a fa 89 4d b4 3a 6b ac 2f b9 61 52               ___M_:k_/_aR    
    Message Number: 34452
macsec_linux: macsec_drv_get_receive_lowest_pn
macsec_linux: macsec_drv_get_receive_lowest_pn: result 1
*** MACsec SAK Use ***
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN....: 0
    Old Key Tx....: No
    Old Key Rx....: No
    Plain Key Tx....: No
    Plain Key Rx....: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI....: - hexdump_ascii(len=12):
     00 00 00 00 00 00 00 00 00 00 00 00               ____________    
    Old Key Number.......: 0
    Old Lowest PN........: 1
l2_packet_receive: src=d4:25:cc:b0:79:81 len=152
eth0_bridge: RX EAPOL from d4:25:cc:b0:79:81
RX EAPOL - hexdump(len=152): 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 95 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 15 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f4 41 37 ff d5 59 6f 95 c6 3f 16 5a 9a 21 c6 b4
eth0_bridge: Ignored received EAPOL frame since no key management is configured
l2_packet_receive: src=d4:25:cc:b0:79:81 len=166
RX EAPOL-MKA:  - hexdump(len=166): 01 68 76 68 76 68 d4 25 cc b0 79 81 5e ea 03 05 00 94 01 80 60 3c d4 25 cc b0 79 81 00 01 9a fa 89 4d b4 3a 6b ac 2f b9 61 52 00 00 86 95 00 80 c2 01 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 01 00 00 10 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 85 15 03 34 00 28 ea fd 2f b9 9d f6 e2 17 38 0d d8 b1 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ff 00 00 10 f4 41 37 ff d5 59 6f 95 c6 3f 16 5a 9a 21 c6 b4
*** MKA Basic Parameter set ***
    Version.......: 1
    Priority......: 128
    KeySvr........: 0
    MACSecDesired.: 1
    MACSecCapable.: 2
    Body Length...: 60
    SCI MAC.......: d4:25:cc:b0:79:81
    SCI Port .....: 1
    Member Id.....: - hexdump(len=12): 9a fa 89 4d b4 3a 6b ac 2f b9 61 52
    Message Number: 34453
    Algo Agility..: - hexdump(len=4): 00 80 c2 01
    CAK Name......: - hexdump_ascii(len=32):
     61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70   abcdefghijklmnop
     71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35   qrstuvwxyz012345
*** Live Peer List ***
    Body Length...: 16
    Member Id.....: - hexdump_ascii(len=12):
     ea fd 2f b9 9d f6 e2 17 38 0d d8 b1               __/_____8___    
    Message Number: 34069
*** MACsec SAK Use ***
    Latest Key AN....: 0
    Latest Key Tx....: Yes
    Latest Key Rx....: Yes
    Old Key AN....: 1
    Old Key Tx....: No
    Old Key Rx....: No
    Plain Key Tx....: No
    Plain Key Rx....: No
    Delay Protect....: No
    Body Length......: 40
    Key Server MI....: - hexdump(len=12): ea fd 2f b9 9d f6 e2 17 38 0d d8 b1
    Key Number.......: 1
    Lowest PN........: 1
    Old Key Server MI....: - hexdump_ascii(len=12):
     00 00 00 00 00 00 00 00 00 00 00 00               ____________    
    Old Key Number.......: 0
    Old Lowest PN........: 1
macsec_drv_get_transmit_next_pn
macsec_linux: macsec_drv_get_transmit_next_pn: err 0 result 50790

Here is a sample of ip -s macsec show:

$ ip -s macsec show macsec0
38: macsec0: protect on validate strict sc on sa on encrypt on send_sci on end_station off scb off replay off 
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: d425ccb079810001 on SA 1
    stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
                         0              0              0        1112            0                0           2             0
    stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
                          0                7                  0                962
        1: PN 8, state on, key 4c9085d6632af3e66b5ea34602000000
    stats: OutPktsProtected OutPktsEncrypted
                          0                7
    RXSC: d425ccb025210001, state on
    stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                           0             18722               0             0        0             0          0            253                0              0
        1: PN 1, state on, key 4c9085d6632af3e66b5ea34602000000
    stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                  0             0              0                0              0

The kernel has CONFIG_MACSEC=y, CONFIG_CRYPTO_GCM=y and CONFIG_CRYPTO_AES=y.

What else could be wrong?

1 Answer

Unix & Linux user

Accepted answer

Posted on 2021-03-03 10:51:05

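This is a bug in Linux 4.9, fixed in commit b3bdc3acbb44d74d0b7ba4d97169577a2b46dc88, which went into 4.10-rc9 or thereabouts. If the MACSEC driver does not block on decrypting the frame, but instead receives the decrypted frame asynchronously, the driver always marks the frame as invalid, even if decryption succeeded.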

Votes: 1
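
The counter pattern from the question can be checked mechanically. The following Python sketch is an added example, not part of the original question or answer: it parses the paired header/value `stats:` lines that `ip -s macsec show` prints for each RXSC and reports receive channels where InPktsNotValid is non-zero while InPktsOK is still zero. The function names are hypothetical; the sample input is the RXSC portion of the output quoted in the question.

```python
import re

# Sample input: the RXSC part of the `ip -s macsec show macsec0` output from
# the question (SC-level stats first, then one SA with its own stats).
SAMPLE = """\
    RXSC: d425ccb025210001, state on
    stats: InOctetsValidated InOctetsDecrypted InPktsUnchecked InPktsDelayed InPktsOK InPktsInvalid InPktsLate InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                           0             18722               0             0        0             0          0            253                0              0
        1: PN 1, state on, key 4c9085d6632af3e66b5ea34602000000
    stats: InPktsOK InPktsInvalid InPktsNotValid InPktsNotUsingSA InPktsUnusedSA
                  0             0              0                0              0
"""

def parse_rx_channels(text):
    """Return {sci: {counter: value}} from the SC-level stats of each RXSC.

    iproute2 prints a 'stats:' header line followed by a line of values; only
    the pair directly after an 'RXSC:' line is SC-level, so per-SA and TXSC
    stats are skipped.
    """
    channels, sci, names = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"RXSC:\s*([0-9a-fA-F]{16}),", line)
        if m:
            sci, names = m.group(1), None
        elif sci and line.startswith("stats:"):
            names = line.split()[1:]
        else:
            values = line.split()
            if (sci and names and len(values) == len(names)
                    and all(v.isdigit() for v in values)):
                channels[sci] = dict(zip(names, map(int, values)))
            sci, names = None, None  # anything else ends the SC-level section
    return channels

def all_frames_rejected(stats):
    """Pattern from the question: frames arrive, none is accepted."""
    return stats.get("InPktsNotValid", 0) > 0 and stats.get("InPktsOK", 0) == 0

def suspect_channels(text):
    """SCIs of receive channels showing the pattern above."""
    return sorted(sci for sci, stats in parse_rx_channels(text).items()
                  if all_frames_rejected(stats))

if __name__ == "__main__":
    for sci in suspect_channels(SAMPLE):
        print(f"RXSC {sci}: InPktsNotValid > 0 while InPktsOK == 0")
```

A match only shows that every received frame is being rejected; the kernel version still has to be checked against the fix named in the answer.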
Original page content provided by Unix & Linux. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://unix.stackexchange.com/questions/636336
