MACSec MKA with 3 devices

Mickael Chazaux mickael.chazaux at etictelecom.com
Thu Jul 16 07:33:33 EDT 2020


Hello,

I am testing MACSec and MKA on a small lab network.

Three devices are linked by a switch that lets the 01:80:C2:00:00:03 DA pass.

What I observe is that with only two devices on, MKA and MACSec work flawlessly. 
Key distribution happens and protected traffic is able to flow.

When I add the third, by starting wpa_supplicant, problems arise. The 3rd device 
is never able to join the rest, and disrupts the others, and no traffic flows
between any of the devices. The macsec virtual interfaces are put up/down/up/down... 
This is capture.pcap. Devices :e and :f are happy, until :10 comes online and tries 
to become key_server.

An interesting observation I made is that when I start the device with the lowest MAC address
first and then add the others quickly (within a few hundred ms), it works. This is
capture-works.pcap

I think that the MKPDUs from the :e (key server) device are ignored by the :10 for 
some reason, and it starts acting as a key server as if it was alone on the network.
Here are traces from the 3 processes in non-working mode:

:e

/home/root/wpa_supplicant  -P /run/wpa_supplicant.pid -Dmacsec_linux -i sh1 -c /tmp/wpa_supplicant_sh2.conf
Successfully initialized wpa_supplicant
macsec_linux: link already exists, using it
sh1: Associated with 01:80:c2:00:00:03
sh1: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
sh1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: Life time has not elapsed since prior SAK distributed
KaY: Latest key is invalid
KaY: Reject distributed SAK since I'm a key server
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: Life time has not elapsed since prior SAK distributed
KaY: Reject distributed SAK since I'm a key server
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed
KaY: Latest key is invalid
KaY: Reject distributed SAK since I'm a key server
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed
^Csh1: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
sh1: CTRL-EVENT-TERMINATING 


:f

/home/root/wpa_supplicant  -P /run/wpa_supplicant.pid -Dmacsec_linux -i sh1 -c /tmp/wpa_supplicant_sh2.conf 
Successfully initialized wpa_supplicant
macsec_linux: link already exists, using it
sh1: Associated with 01:80:c2:00:00:03
sh1: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
sh1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
KaY: The key server is not elected
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed
KaY: Latest key is invalid
KaY: The key server is not elected
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: The key server is not elected
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed
KaY: Latest key is invalid
KaY: The key server is not elected
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed
^Csh1: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
sh1: CTRL-EVENT-TERMINATING



:10


/home/root/wpa_supplicant  -P /run/wpa_supplicant.pid -Dmacsec_linux -i sh1 -c /tmp/wpa_supplicant_sh2.conf  
Successfully initialized wpa_supplicant
macsec_linux: link already exists, using it
sh1: Associated with 01:80:c2:00:00:03
sh1: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
sh1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
KaY: The peer (0411459b2b5da814c26480d4) is not my live peer - ignore MACsec SAK Use parameter set
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: Latest key is invalid
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: The peer (0411459b2b5da814c26480d4) is not my live peer - ignore MACsec SAK Use parameter set
KaY: Reject distributed SAK since I'm a key server
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed
KaY: Latest key is invalid
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: Latest key is invalid
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: The peer (0411459b2b5da814c26480d4) is not my live peer - ignore MACsec SAK Use parameter set
KaY: Reject distributed SAK since I'm a key server
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed
KaY: Latest key is invalid
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: The peer (0411459b2b5da814c26480d4) is not my live peer - ignore MACsec SAK Use parameter set
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: Latest key is invalid
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: The peer (0411459b2b5da814c26480d4) is not my live peer - ignore MACsec SAK Use parameter set
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: The peer (0411459b2b5da814c26480d4) is not my live peer - ignore MACsec SAK Use parameter set
KaY: Reject distributed SAK since I'm a key server
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed
KaY: Latest key is invalid
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: Latest key is invalid
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: The peer (0411459b2b5da814c26480d4) is not my live peer - ignore MACsec SAK Use parameter set
KaY: Reject distributed SAK since I'm a key server
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed
KaY: Latest key is invalid
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: Latest key is invalid
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: The peer (0411459b2b5da814c26480d4) is not my live peer - ignore MACsec SAK Use parameter set
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
^Csh1: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
sh1: CTRL-EVENT-TERMINATING

I have captures of traffic if needed.

If anyone with expertise on the subject could have a look, it would be of great help.

Thank you,
-- 
Mickael Chazaux
Software Engineer
Tel : (33) 476 042 006
Fax : (33) 476 042 001

ETIC TELECOM
13, Chemin du Vieux Chêne
38240 MEYLAN
Tel: 33 4 76 04 20 00
fax : 33 4 76 04 20 01
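As an added illustration (not code from the post or from hostap), a small Python triage that runs over constructed excerpts of the three KaY traces above and reports which devices each believe they are the key server, which peer MI fails the liveness check, and which MKA parameter set types are being dropped; the message-to-symptom mapping and the parameter set type names are my own reading of these logs.

```python
import re
from collections import Counter, defaultdict

# IEEE 802.1X MKA parameter set types named in the "decode ... failed" lines
PARAM_SET = {1: "Live Peer List", 2: "Potential Peer List", 3: "MACsec SAK Use", 4: "Distributed SAK"}
# KaY message -> symptom key; a capture group records the peer MI or set type
SYMPTOMS = [
    (re.compile(r"SAK since I'm a key server"), "claims_key_server"),
    (re.compile(r"duplicated SCI detected"), "duplicate_sci"),
    (re.compile(r"peer \(([0-9a-f]+)\) is not my live peer"), "not_live_peer"),
    (re.compile(r"parameter set type \((\d+)\) failed"), "decode_failed"),
]
# Constructed excerpts of the three wpa_supplicant traces quoted in the post
TRACES = {
    ":e": """KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: Reject distributed SAK since I'm a key server""",
    ":f": """KaY: The key server is not elected
KaY: Discarding Rx MKPDU: decode of parameter set type (4) failed""",
    ":10": """KaY: The peer (0411459b2b5da814c26480d4) is not my live peer - ignore MACsec SAK Use parameter set
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: Reject distributed SAK since I'm a key server""",
}

def triage(traces):
    """Per device: Counter of symptom keys plus the set of captured details."""
    summary = {}
    for dev, text in traces.items():
        counts, details = Counter(), defaultdict(set)
        for line in text.splitlines():
            for pattern, key in SYMPTOMS:
                if m := pattern.search(line):
                    counts[key] += 1
                    if m.groups(): details[key].add(m.group(1))
        summary[dev] = {"counts": counts, "details": details}
    return summary

def diagnose(summary):
    """Findings about the session; two key-server claimants is the red flag."""
    findings = []
    claimants = [d for d, s in summary.items() if s["counts"]["claims_key_server"]]
    if len(claimants) > 1:
        findings.append("key server conflict: %s each act as key server" % ", ".join(claimants))
    for dev, s in summary.items():
        for mi in sorted(s["details"]["not_live_peer"]):
            findings.append("%s has no liveness with peer MI %s" % (dev, mi))
        for t in sorted(s["details"]["decode_failed"]):
            findings.append("%s drops %s parameter sets" % (dev, PARAM_SET.get(int(t), "type " + t)))
        if s["counts"]["duplicate_sci"]:
            findings.append("%s sees a duplicated SCI (same SCI twice, or a peer changed its MI)" % dev)
    return findings
```

Run `diagnose(triage(TRACES))` to get the findings list; the first entry names :e and :10 as simultaneous key servers, which is the situation the post suspects.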