MACSec MKA with 3 devices

Mickael Chazaux mickael.chazaux at etictelecom.com
Mon Jul 20 10:54:01 EDT 2020


On 16/07/2020 13:33, Mickael Chazaux wrote:
> Hello,
> 
> I am testing MACSec and MKA on a small lab network.
> 
> Three devices are linked by a switch that lets the 01:80:C2:00:00:03 DA pass.
> 
> What I observe is that with only two devices on, MKA and MACSec work flawlessly.
> Key distribution happens and protected traffic is able to flow.
> 

Here are my findings after a day.

There are a few points I think are worth investigating:

 - MKPDU should not be discarded as a whole when a parameter group encounters an error.
	This seems to break the election process.
 - A fresh SAK should be generated when a new member joins, i.e. when the key server adds
	a new live peer. The call is made to ieee802_1x_kay_generate_sak, but it seems to exit
	at "KaY: Life time has not elapsed since prior SAK distributed". This causes the
	key server to not install keys in the SA, breaking connectivity.


With the changes below I have more reliable operation with 3 devices, but not perfect. For
some reason killing and restarting a wpa_supplicant quickly on one of the devices causes
no installation of the RXSA.

I don't know about the security properties of the below patch:

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index a330d0cf4..fd8093cb5 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -2108,7 +2108,7 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
        if ((time(NULL) - kay->dist_time) < MKA_LIFE_TIME / 1000) {
                wpa_printf(MSG_ERROR,
                           "KaY: Life time has not elapsed since prior SAK distributed");
-               return -1;
+               /*return -1;*/
        }
 
        cs = &cipher_suite_tbl[kay->macsec_csindex];
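Review bot: commenting out `return -1;` in ieee802_1x_kay_generate_new_sak() disables the MKA_LIFE_TIME rate limit for every caller, not just for the "new live peer" case this mail is trying to fix, and it leaves an MSG_ERROR line that says the life time has not elapsed while the function now carries on and distributes a new SAK anyway. If the intent is to allow an early SAK when the key server adds a live peer, the narrower change is to bypass the check only for that caller (for example via an argument that the peer-add path sets), keep the early return for everyone else, and downgrade or reword the log so it does not claim a discard that no longer happens. A rapid sequence of peer joins would otherwise trigger back-to-back SAK generation and distribution with no minimum spacing.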
@@ -3269,7 +3269,7 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
                                        wpa_printf(MSG_INFO,
                                                   "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed",
                                                   body_type);
-                                       return -1;
+                                       /*return -1;*/
                                }
 
                                /* Ideally DIST-SAK should be processed before
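Review bot: removing `return -1;` after a parameter-set decode failure makes ieee802_1x_kay_decode_mkpdu() keep processing the remaining parameter sets of an MKPDU that has already failed to decode, while the log line still says "Discarding Rx MKPDU". The surrounding bookkeeping (the `handled[]` array and `bad_sak_use` flag visible in the next hunk) assumes a failed set ends processing of the whole PDU, so this changes the meaning of that state. If the goal is to tolerate a parameter set the local side cannot parse so that the election still completes, it would be better to distinguish an unrecognised parameter set type (which can be skipped with a `continue` and an MSG_DEBUG) from a malformed body of a known type (which should still discard the PDU), rather than ignoring all decode errors.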
@@ -3289,7 +3289,7 @@ static int ieee802_1x_kay_decode_mkpdu(struct ieee802_1x_kay *kay,
                }
        }
 
-       if (bad_sak_use && !handled[MKA_DISTRIBUTED_SAK]) {
+       if (0 && bad_sak_use && !handled[MKA_DISTRIBUTED_SAK]) {
                wpa_printf(MSG_INFO,
                           "KaY: Discarding Rx MKPDU: decode of parameter set type (%d) failed",
                           MKA_SAK_USE);
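Review bot: `if (0 && bad_sak_use && ...)` is dead code rather than a fix; the compiler will drop the whole block, so the discard of an MKPDU whose SAK-use parameter set failed to decode is silently gone with no trace of why. Either delete the block outright and explain in the commit message why a bad SAK-use set is acceptable, or keep the discard and track down why the SAK-use set fails to decode in the three-device case (the first bullet of this mail suggests the real defect is in the decode path, which hunk 2 also touches). As written, a peer whose SAK-use set cannot be parsed is still accepted into the key agreement, which is exactly the state this check was guarding against.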



-- 
Mickael Chazaux
Software Engineer
Tel : (33) 476 042 006
Fax : (33) 476 042 001

ETIC TELECOM
13, Chemin du Vieux Chêne
38240 MEYLAN
Tel: 33 4 76 04 20 00
fax : 33 4 76 04 20 01
