Key server election on peer-to-peer MACsec with MKA

Emond Papegaaij emond.papegaaij at gmail.com
Tue Sep 8 05:39:53 EDT 2020


Hi all,

For the past week, I've been trying to set up a peer-to-peer MACsec
with MKA with a pre-shared CAK/CKN but I'm having trouble with (I
think) the key server election. My setup consists of multiple VMs in
the same LAN. Everything is working fine with 2 VMs: they detect each
other, one is elected as key server, the SAK is exchanged and the SAs
are added to the link. When I assign an IP address to macsec0, they
are able to communicate with each other.

The trouble starts when I add a third VM to the setup. The logging
suggests they start fighting for the role as key server, but I'm not
enough at home in this matter to fully make sense of the logging. All
three VMs start logging messages like these:

KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: Life time has not elapsed since prior SAK distributed
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: duplicated SCI detected - maybe active attacker or peer selected new MI - ignore MKPDU
KaY: Latest key is invalid
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: The peer (e8bbaafbcecadf4e3c51931b) is not my live peer - ignore MACsec SAK Use parameter set
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: Latest key is invalid
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed
KaY: The peer (e8bbaafbcecadf4e3c51931b) is not my live peer - ignore MACsec SAK Use parameter set
KaY: Discarding Rx MKPDU: decode of parameter set type (3) failed

I'm running wpa_supplicant (v2.9 on Ubuntu) like this:
wpa_supplicant -i enp0s3 -D macsec_linux -c wpa.conf

With the following configuration file:
ctrl_interface=/var/run/wpa_supplicant
eapol_version=3
ap_scan=0
fast_reauth=1
network={
       key_mgmt=NONE
       eapol_flags=0
       macsec_policy=1
       mka_cak=00112233445566778899001122334455
       mka_ckn=5544332211009988776655443322110055443322110099887766554433221100
       mka_priority=1 # 1 for vm1, 2 for vm2, 3 for vm3, etc
}

I've got the feeling I'm missing some crucial part here, but
documentation on this is very scarce. Online guides either use 'ip
macsec' directly or only describe MKA with a switch with MACsec
support. I hope someone here can shed some light on this.

Best regards,
Emond Papegaaij
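
A small model of the two MKA mechanisms this post touches, key server election by mka_priority and the receive-side check that the "duplicated SCI detected" line reports. It is an added example, not part of the original post and not wpa_supplicant's code. It assumes the IEEE 802.1X rule that the numerically lowest priority wins with the lowest SCI as tie-breaker; the SCIs, MIs and all names (Mkpdu, receive, elect_key_server, demo) are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mkpdu:
    sci: str       # 8 bytes, hex: MAC address (6) + port identifier (2)
    mi: str        # 12-byte member identifier, hex
    priority: int  # key server priority (mka_priority) advertised by the sender

def elect_key_server(participants):
    """Assumed 802.1X rule: lowest priority value wins, lowest SCI breaks a tie."""
    return min(participants, key=lambda p: (p.priority, bytes.fromhex(p.sci)))

def receive(peers, pdu):
    """Track peers by SCI. Return False when a known SCI shows up with a
    different MI, which is the condition the 'duplicated SCI detected' log
    line describes (the MKPDU is ignored)."""
    known = peers.get(pdu.sci)
    if known is not None and known.mi != pdu.mi:
        return False
    peers[pdu.sci] = pdu
    return True

# Constructed sample data: three VMs with priorities 1, 2, 3 as in the post.
VM1 = Mkpdu("0800270000010001", "a1" * 12, 1)
VM2 = Mkpdu("0800270000020001", "b2" * 12, 2)
VM3 = Mkpdu("0800270000030001", "c3" * 12, 3)
# Same SCI as VM3 but a different MI (constructed), e.g. a second sender
# using that SCI or the same sender after picking a new MI.
VM3_NEW_MI = Mkpdu("0800270000030001", "d4" * 12, 3)

def demo():
    """Feed the sample MKPDUs to one observer and elect among accepted peers."""
    peers = {}
    accepted = [receive(peers, p) for p in (VM1, VM2, VM3, VM3_NEW_MI)]
    return accepted, elect_key_server(list(peers.values()))

if __name__ == "__main__":
    accepted, server = demo()
    print("accepted:", accepted)
    print("key server SCI:", server.sci, "priority:", server.priority)
```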


