oasis-root

Compiled tree of Oasis Linux based on own branch at <https://hacktivis.me/git/oasis/> git clone https://anongit.hacktivis.me/git/oasis-root.git

ip-macsec.8 (4751B)


.TH IP\-MACSEC 8 "07 Mar 2016" "iproute" "Linux"
.SH NAME
ip-macsec \- MACsec device configuration
.SH "SYNOPSIS"
.BI "ip link add link " DEVICE " name " NAME " type macsec "
[ [
.BI address " <lladdr>"
]
.BI port " PORT"
|
.BI sci " <u64>"
] [
.BR cipher " { " default " | " gcm-aes-128 " | " gcm-aes-256 " | " gcm-aes-xpn-128 " | " gcm-aes-xpn-256 " } ] ["
.BI icvlen " ICVLEN"
] [
.BR encrypt " { " on " | " off " } ] ["
.BR send_sci " { " on " | " off " } ] ["
.BR end_station " { " on " | " off " } ] ["
.BR scb " { " on " | " off " } ] ["
.BR protect " { " on " | " off " } ] ["
.BR replay " { " on " | " off " } ] ["
.BI window " WINDOW"
] [
.BR validate " { " strict " | " check " | " disabled " } ] ["
.BI encodingsa " SA"
] [
.BR offload " { " off " | " phy " | " mac " }"
]
.BI "ip macsec add " DEV " tx sa"
.RI "{ " 0..3 " } [ " OPTS " ]"
.BI key " ID KEY"
.br
.BI "ip macsec set " DEV " tx sa"
.RI "{ " 0..3 " } [ " OPTS " ]"
.br
.BI "ip macsec del " DEV " tx sa"
.RI "{ " 0..3 " }"
.BI "ip macsec add " DEV " rx " SCI
.RB [ " on " | " off " ]
.br
.BI "ip macsec set " DEV " rx " SCI
.RB [ " on " | " off " ]
.br
.BI "ip macsec del " DEV " rx " SCI
.BI "ip macsec add " DEV " rx " SCI " sa"
.RI "{ " 0..3 " } [ " OPTS " ]"
.BI key " ID KEY"
.br
.BI "ip macsec set " DEV " rx " SCI " sa"
.RI "{ " 0..3 " } [ " OPTS " ]"
.br
.BI "ip macsec del " DEV " rx " SCI " sa"
.RI "{ " 0..3 " }"
.BI "ip macsec offload " DEV
.RB "{ " off " | " phy " | " mac " }"
.B ip macsec show
.RI [ " DEV " ]
.IR OPTS " := [ "
.BR pn " { "
.IR 1..2^32-1 " } |"
.BR xpn " { "
.IR 1..2^64-1 " } ] ["
.B salt
.IR SALT " ] ["
.B ssci
.IR <u32> " ] ["
.BR on " | " off " ]"
.br
.IR SCI " := { "
.B sci
.IR <u64> " | "
.BI port
.IR PORT
.BI address " <lladdr> "
}
.br
.IR PORT " := { " 1..2^16-1 " } "
.br
.IR SALT " := 96-bit hex string "
.SH DESCRIPTION
The
.B ip macsec
commands are used to configure transmit secure associations and receive secure channels and their secure associations on a MACsec device created with the
.B ip link add
command using the
.I macsec
type.
.SH EXAMPLES
.PP
.SS Create a MACsec device on link eth0 (offload is disabled by default)
.nf
# ip link add link eth0 macsec0 type macsec port 11 encrypt on
.PP
.SS Configure a secure association on that device
.nf
# ip macsec add macsec0 tx sa 0 pn 1024 on key 01 81818181818181818181818181818181
.PP
.SS Configure a receive channel
.nf
# ip macsec add macsec0 rx port 1234 address c6:19:52:8f:e6:a0
.PP
.SS Configure a receive association
.nf
# ip macsec add macsec0 rx port 1234 address c6:19:52:8f:e6:a0 sa 0 pn 1 on key 00 82828282828282828282828282828282
.PP
.SS Display MACsec configuration
.nf
# ip macsec show
.PP
.SS Configure offloading on an interface
.nf
# ip macsec offload macsec0 phy
.PP
.SS Configure offloading upon MACsec device creation
.nf
# ip link add link eth0 macsec0 type macsec port 11 encrypt on offload mac
.SH EXTENDED PACKET NUMBER EXAMPLES
.PP
.SS Create a MACsec device on link eth0 with enabled extended packet number (offload is disabled by default)
.nf
# ip link add link eth0 macsec0 type macsec port 11 encrypt on cipher gcm-aes-xpn-128
.PP
.SS Configure a secure association on that device
.nf
# ip macsec add macsec0 tx sa 0 xpn 1024 on salt 838383838383838383838383 ssci 123 key 01 81818181818181818181818181818181
.PP
.SS Configure a receive channel
.nf
# ip macsec add macsec0 rx port 11 address c6:19:52:8f:e6:a0
.PP
.SS Configure a receive association
.nf
# ip macsec add macsec0 rx port 11 address c6:19:52:8f:e6:a0 sa 0 xpn 1 on salt 838383838383838383838383 ssci 123 key 00 82828282828282828282828282828282
.PP
.SS Display MACsec configuration
.nf
# ip macsec show
.PP
.SH NOTES
This tool can be used to configure the 802.1AE keys of the interface. Note that 802.1AE uses GCM-AES
with an initialization vector (IV) derived from the packet number. The same key must not be used
with the same IV more than once. Instead, keys must be frequently regenerated and distributed.
This tool is thus mostly for debugging and testing, or in combination with a user-space application
that reconfigures the keys. It is wrong to just configure the keys statically and assume them to work
indefinitely. The suggested and standardized way for key management is 802.1X-2010, which is implemented
by wpa_supplicant.
.SH EXTENDED PACKET NUMBER NOTES
Passing cipher
.B gcm-aes-xpn-128
or
.B gcm-aes-xpn-256
to
.B ip link add
command using the
.I macsec
type requires using the keyword
.B 'xpn'
instead of
.B 'pn'
in addition to providing a salt using the
.B 'salt'
keyword and ssci using the
.B 'ssci'
keyword when using the
.B ip macsec
command.
.SH SEE ALSO
.br
.BR ip-link (8)
.BR wpa_supplicant (8)
.SH AUTHOR
Sabrina Dubroca <sd@queasysnail.net>
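
Added example, not part of the man page, iproute2 or the oasis-root tree: the NOTES and EXTENDED PACKET NUMBER NOTES sections above say the GCM-AES IV is derived from the packet number and must never repeat under one key. The sketch below builds both IV forms from the page's example values and counts the IVs that repeat when the same static `tx sa` command is re-applied after a restart. The function and class names are hypothetical, and the IV layouts are assumed from IEEE 802.1AE (SCI followed by the 32-bit PN) and its XPN amendment (SSCI and 64-bit PN XORed with the salt).

```python
# Added example (names are illustrative): MACsec GCM-AES IVs and static-key reuse.
from dataclasses import dataclass

PN_MAX = 2**32 - 1  # upper bound of 'pn' in the man page

def make_sci(lladdr: str, port: int) -> bytes:
    """SCI = 48-bit MAC address followed by the 16-bit port (8 bytes)."""
    mac = bytes.fromhex(lladdr.replace(":", ""))
    if len(mac) != 6 or not 1 <= port <= 0xFFFF:
        raise ValueError("need a 6-byte lladdr and a port in 1..2^16-1")
    return mac + port.to_bytes(2, "big")

def iv_pn(sci: bytes, pn: int) -> bytes:
    """gcm-aes-128/256: 96-bit IV = SCI || 32-bit PN."""
    if not 1 <= pn <= PN_MAX:
        raise ValueError("pn must be in 1..2^32-1")
    return sci + pn.to_bytes(4, "big")

def iv_xpn(ssci: int, salt_hex: str, xpn: int) -> bytes:
    """gcm-aes-xpn-128/256: 96-bit IV = (SSCI || 64-bit PN) XOR salt."""
    salt = bytes.fromhex(salt_hex)
    if len(salt) != 12 or not 1 <= xpn <= 2**64 - 1:
        raise ValueError("need a 96-bit salt and xpn in 1..2^64-1")
    raw = ssci.to_bytes(4, "big") + xpn.to_bytes(8, "big")
    return bytes(a ^ b for a, b in zip(raw, salt))

@dataclass(frozen=True)
class TxSession:
    """One lifetime of a transmit SA: key, SCI, first PN, packets sent."""
    key_hex: str
    sci: bytes
    start_pn: int
    packets: int

def count_iv_collisions(sessions) -> int:
    """Count (key, IV) pairs shared between sessions (non-XPN suites)."""
    seen, collisions = {}, 0
    for s in sessions:
        lo, hi = s.start_pn, s.start_pn + s.packets - 1
        if hi > PN_MAX:
            raise ValueError("PN space exhausted: re-key before this point")
        ranges = seen.setdefault((s.key_hex, s.sci), [])
        # Same key and SCI: every overlapping PN is a repeated IV.
        collisions += sum(max(0, min(hi, b) - max(lo, a) + 1) for a, b in ranges)
        ranges.append((lo, hi))
    return collisions

def seconds_to_pn_exhaustion(start_pn: int, packets_per_second: float) -> float:
    """Time until a 32-bit PN runs out, i.e. the latest possible re-key."""
    return (PN_MAX - start_pn + 1) / packets_per_second
```

Two sessions that start at `pn 1024` with the key from the EXAMPLES section collide on every packet the shorter session sent; giving the second session a fresh key brings the count to zero.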