[PATCH] MACsec: Add option to always include ICV Indicator
Jouni Malinen
j at w1.fi
Sun Mar 2 09:35:53 PST 2025
On Tue, Feb 25, 2025 at 08:18:06AM +0000, Martínek Petr wrote:
> [PATCH] MACsec: Add option to always include ICV Indicator
>
> Some older MACsec switches incorrectly require ICV Indicator to be present even
> when ICV has default length (CISCO C3560CX). To allow communication with such
> devices option include-icv-indicator was added to always include ICV Indicator.
>
> Similar option is found in configuration of some other switches:
> Cisco:
> include-icv-indicator - this parameter configures inclusion of the optional ICV
> Indicator as part of the transmitted MACsec Key Agreement PDU (MKPDU). This
> configuration is necessary for MACsec to interoperate with routers that run
> software prior to IOS XR version 6.1.3. This configuration is also important
> in a service provider WAN setup where MACsec interoperates with other vendor
> MACsec implementations that expect ICV indicator to be present in the MKPDU.
>
> fortiswitch:
> include-mka-icv-ind: The MACsec Key Agreement (MKA) integrity check value (ICV)
> indicator is always included. (enabled by default)
Thanks, applied.
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list