Key server election on peer-to-peer MACsec with MKA
emond.papegaaij at gmail.com
Wed Sep 9 14:57:36 EDT 2020
> By adding a third peer you are switching from a peer-to-peer CA to a Group CA (see IEEE802.1X-2010, Clause 5.11.2 Key Server support for Group CAs). You might be the first person trying to enable Group CAs, in which case the hostap code might be incomplete and/or untested for this feature.
Actually, I was afraid I would get this answer. The lack of
documentation on this setup already gave this indication.
> The first thing that you might want to check is that each peer in your system is using a different MAC address. Next, walk through the source code, src/pae/ieee802_1x_kay.c, to see if it conforms to the Group CA rules set forth in IEEE802.1X-2010 (i.e., Clause 9.17.2 Another participant joins).
The MAC addresses were the first thing I checked, they are all
different. I also cloned the Git repo and inspected the code, but it's
a bit over my head unfortunately. My knowledge of C is limited,
especially in combination with these low level network protocol
aspects. I will try to re-read chapter 9 on MKA in IEEE802.1X-2010 and
see if I can make sense of the corresponding code in wpa_supplicant.
> BTW, I'm just a user of hostap, not an owner/developer. I think in most real world situations MACsec/MKA is deployed on point-to-point LANs so peer-to-peer CAs are sufficient.
To elaborate a bit on our use case, we want to use it to setup a
secure overlay network between nodes in an otherwise untrusted
network. We are building an IAM-solution that is delivered as a
virtual appliance. Multiple appliances can be started to provide high
availability. These appliances need to communicate among each other
(for database replication and the formation of a cluster). To keep the
requirements on the underlying network to a minimum, we cannot trust
the confidentiality of traffic on this network. With MACsec, we should
be able to create a secure network between the appliances in a very
clean way. I do understand that this is not a typical use case, but
seems to be a supported use case, at least as far as the spec is
concerned. Tooling might be a different story.
More information about the Hostap