1IP-MACSEC(8) Linux IP-MACSEC(8)
2
6 ip-macsec - MACsec device configuration
7
9 ip link add link DEVICE name NAME type macsec [ [ address <lladdr> ]
10 port PORT | sci <u64> ] [ cipher { default | gcm-aes-128 | gcm-aes-256
11 | gcm-aes-xpn-128 | gcm-aes-xpn-256 } ] [ icvlen ICVLEN ] [ encrypt {
12 on | off } ] [ send_sci { on | off } ] [ end_station { on | off } ] [
13 scb { on | off } ] [ protect { on | off } ] [ replay { on | off } ] [
14 window WINDOW ] [ validate { strict | check | disabled } ] [ encodingsa
15 SA ] [ offload { off | phy | mac } ]
16 ip macsec add DEV tx sa { 0..3 } [ OPTS ] key ID KEY
18 ip macsec set DEV tx sa { 0..3 } [ OPTS ]
19 ip macsec del DEV tx sa { 0..3 }
20 ip macsec add DEV rx SCI [ on | off ]
22 ip macsec set DEV rx SCI [ on | off ]
23 ip macsec del DEV rx SCI
24 ip macsec add DEV rx SCI sa { 0..3 } [ OPTS ] key ID KEY
26 ip macsec set DEV rx SCI sa { 0..3 } [ OPTS ]
27 ip macsec del DEV rx SCI sa { 0..3 }
28 ip macsec offload DEV { off | phy | mac }
30 ip macsec show [ DEV ]
32 OPTS := [ pn { 1..2^32-1 } | xpn { 1..2^64-1 } ] [ salt SALT ] [ ssci
34 <u32> ] [ on | off ]
35 SCI := { sci <u64> | port PORT address <lladdr> }
36 PORT := { 1..2^16-1 }
37 SALT := 96-bit hex string
38
42 The ip macsec commands are used to configure transmit secure associa‐
43 tions and receive secure channels and their secure associations on a
44 MACsec device created with the ip link add command using the macsec
45 type.
46
49 Create a MACsec device on link eth0 (offload is disabled by default)
50 # ip link add link eth0 macsec0 type macsec port 11 encrypt on
51 Configure a secure association on that device
53 # ip macsec add macsec0 tx sa 0 pn 1024 on key 01 81818181818181818181818181818181
54 Configure a receive channel
56 # ip macsec add macsec0 rx port 1234 address c6:19:52:8f:e6:a0
57 Configure a receive association
59 # ip macsec add macsec0 rx port 1234 address c6:19:52:8f:e6:a0 sa 0 pn 1 on key 00 82828282828282828282828282828282
60 Display MACsec configuration
62 # ip macsec show
63 Configure offloading on an interface
65 # ip macsec offload macsec0 phy
66 Configure offloading upon MACsec device creation
68 # ip link add link eth0 macsec0 type macsec port 11 encrypt on offload mac
69
72 Create a MACsec device on link eth0 with enabled extended packet number
73 (offload is disabled by default)
74 # ip link add link eth0 macsec0 type macsec port 11 encrypt on cipher gcm-aes-xpn-128
75 Configure a secure association on that device
77 # ip macsec add macsec0 tx sa 0 xpn 1024 on salt 838383838383838383838383 ssci 123 key 01 81818181818181818181818181818181
78 Configure a receive channel
80 # ip macsec add macsec0 rx port 11 address c6:19:52:8f:e6:a0
81 Configure a receive association
83 # ip macsec add macsec0 rx port 11 address c6:19:52:8f:e6:a0 sa 0 xpn 1 on salt 838383838383838383838383 ssci 123 key 00 82828282828282828282828282828282
84 Display MACsec configuration
86 # ip macsec show
87
89 This tool can be used to configure the 802.1AE keys of the interface.
90 Note that 802.1AE uses GCM-AES with a initialization vector (IV) de‐
91 rived from the packet number. The same key must not be used with the
92 same IV more than once. Instead, keys must be frequently regenerated
93 and distributed. This tool is thus mostly for debugging and testing,
94 or in combination with a user-space application that reconfigures the
95 keys. It is wrong to just configure the keys statically and assume them
96 to work indefinitely. The suggested and standardized way for key man‐
97 agement is 802.1X-2010, which is implemented by wpa_supplicant.
98
101 Passing cipher gcm-aes-xpn-128 or gcm-aes-xpn-256 to ip link add com‐
102 mand using the macsec type requires using the keyword 'xpn' instead of
103 'pn' in addition to providing a salt using the 'salt' keyword and ssci
104 using the 'ssci' keyword when using the ip macsec command.
105
109 ip-link(8) wpa_supplicant(8)
110
112 Sabrina Dubroca <sd@queasysnail.net>
113iproute 07 Mar 2016 IP-MACSEC(8)