Question on wpa_supplicant setup for MKA

Sabrina Dubroca sd at queasysnail.net
Tue Mar 28 09:03:34 PDT 2017


Hi Jaap,

2017-03-18, 23:54:03 +0100, Jaap Keuter wrote:
> Hi list,
> 
> To study MACsec and MKA I've been experimenting with a setup using the Linux
> kernel, the macsec kernel module and wpa_supplicant. So far I've managed to
> establish SA's between statically configured MACsec instances, so that works,
> and now I'm working on getting wpa_supplicant setup to handle MKA (with CAK/CKN).
> 
> The problem is that working with the Linux macsec driver
> (CONFIG_DRIVER_MACSEC_LINUX=y). I'm not getting the result I expect.
> First I use a 'normal' wired interface (eth0). When I run wpa_supplicant on that
> interface the MKPDU's don't make it out to the network.

I guess that's where your problems come from. How do you check that
the MKPDU's don't make it out? The receiving interface doesn't get
them?


[bit of reordering]
> PPS: I'm using 'normal' wired interfaces, as in I use virtual Ethernet (veth)
> interfaces to connect into two network namespaces where all the macsec and
> wpa_supplicant instances live. These are connected to a (transparent) bridge.

You're using the Linux kernel "bridge" module then? It blocks these
frames by default, until you run this:

    echo 8 > /sys/devices/virtual/net/$BRIF/bridge/group_fwd_mask

Or that, which should be equivalent:

    ip link set $BRIF type bridge group_fwd_mask 0x8


This is, sadly, not documented much :(


> Then I stack a macsec
> instance on top of eth0 (macsec0 at eth0) and run wpa_supplicant on that interface.
> Now I'm getting an additional macsec instance on top of mine (macsec1 at macsec0).

Yeah, that's the expected behavior. MACsec uses another device on top
of your link (like for VLANs), so wpa_supplicant will create it for
you if it doesn't exist yet. If you tell wpa_supplicant to use macsec0
as device, it will try to do macsec over macsec, I'm pretty sure
that's not what you want ;)

> But without SA's on macsec 0 that doesn't work either.
> 
> So the question is: how should wpa_supplicant be configured and started to make
> this work? If you need more details, please don't hesitate to ask.

I use this mka.conf file:

    eapol_version=3
    ap_scan=0
    fast_reauth=1
    
    network={
            key_mgmt=NONE
            mka_cak=<16B CAK>
            mka_ckn=<32B CKN>
            eapol_flags=0
            macsec_policy=1
    }


And run wpa_supplicant this way:

./wpa_supplicant -i eth0 -Dmacsec_linux -c mka.conf


-- 
Sabrina



More information about the Hostap mailing list