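# /etc/conf.d/net_macsec: config file for /etc/init.d/net_macsec
#
# This file holds MACsec key material (IFRSC / IFTSC below). Keep it owned by
# root and not readable by other users (for example, mode 0600).

# Source Interface (host)
IFSRC=interface_host

# Network init service dependency from Source Interface
#IFDEP=net.interface_host

# Destination Interface (macsec/guest)
IFDST=interface_macsec

# Set custom parameters on MACsec Interface
IFCTD=

# Extra parameters:
#  * Port (with/without hardware address - first TXSC) or SCI (SCI on first TXSC)
#    (Address - system identifier component of secure channel for this MACsec)
#    (Port - port number component of secure channel for this MACsec)
#      address <00:00:00:00:00:00 to ff:ff:ff:ff:ff:ff (hexadecimal)> port <1 to 65535 (decimal)>
#      port <1 to 65535 (decimal)>
#    (SCI - Secure Channel Identifier for this MACsec)
#      sci <0 to ffffffffffffffff (hexadecimal)>
#  * Cipher suite: gcm-aes-128, gcm-aes-256, gcm-aes-xpn-128, gcm-aes-xpn-256
#    (Linux-libre 4.9 support: gcm-aes-128 only)
#      cipher gcm-aes-128
#  * Length of the Integrity Check Value (ICV): 8 to 16 (decimal)
#      icvlen 16
#  * Authenticated encryption or authenticity mode only: on, off
#      encrypt on
#  * SCI is included in every packet or only when it is necessary: on, off
#      send_sci on
#  * End Station bit: on, off
#      end_station off
#  * Single Copy Broadcast bit (SCB): on, off
#      scb off
#  * MACsec protection: on, off
#      protect on
#  * Replay protection: on, off
#      replay on
#  * Size of the replay window (if the replay protection is enabled): 0 to 4294967295 (decimal)
#      replay on window 130
#  * Validation mode: strict, check, disabled
#      validate strict
#  * Active secure association for transmission (SA on first TXSC): 0 to 3 (decimal)
#      encodingsa 0
#
# NOTE(review): the value shipped below sets "protect off" and "replay off",
# while the examples above show "protect on" and "replay on". With these
# values MACsec protection and replay protection are both switched off, even
# though "encrypt on" and "validate strict" are set. Confirm this is intended
# before relying on the link for confidentiality or integrity; otherwise set
# "protect on" and "replay on" (optionally with a window).
IFPAR="cipher gcm-aes-128 icvlen 16 encrypt on protect off replay off send_sci on validate strict"

# Generate key (GCM-AES-128):
#   dd if=/dev/urandom count=16 bs=1 2> /dev/null | hexdump -e '1/1 "%02x"'
#
# The hexdump format works on one byte at a time ('1/1') so that every byte
# is printed as exactly two hex digits and the result is always 32 digits;
# a two-byte unit with "%02x" drops leading zeros and can yield a short key.
# The keys in the examples below are illustrative patterns; do not deploy them.
# Do not reuse a key with a packet number (pn) already used with that key.

# Add receive channels and/or receive association keys (RXSC), examples:
#
#   [sci_<0..ffffffffffffffff(hex)>|port_<1..65535(dec)>_address_<00:00:00:00:00:00..ff:ff:ff:ff:ff:ff(hex)>][_]
#
#     sci_0
#     sci_ffffffffffffffff_on
#     port_1_address_00:00:00:00:00:00
#     port_2_address_ff:ff:ff:ff:ff:ff_off
#
#   [sci_<0..ffffffffffffffff(hex)>_|port_<1..65535(dec)>_address_<00:00:00:00:00:00..ff:ff:ff:ff:ff:ff(hex)>_]sa_<0..3(dec)>_[pn_<1..4294967295(dec)>_][_]key_<00..ff(hex)>_<00000000000000000000000000000000..ffffffffffffffffffffffffffffffff(hex)>
#
#     sa_0_key_00_00000000000000000000000000000000
#     sa_1_key_pn_1_01_f00f00f00f00f00f00f00f00f00f00f0
#     sa_2_key_on_32_de_de00de00de00de00de00de00de00de00
#     sa_3_key_pn_16345_off_a1_fca1fca1fca1fca1fca1fca1fca1fca1
#     sci_0_sa_0_key_00_00000000000000000000000000000000
#     sci_32_sa_1_key_pn_1_01_f00f00f00f00f00f00f00f00f00f00f0
#     sci_451_sa_2_key_on_32_de_de00de00de00de00de00de00de00de00
#     sci_7438f_sa_3_key_pn_16345_off_a1_fca1fca1fca1fca1fca1fca1fca1fca1
#     port_1_address_00:00:00:00:00:00_sa_0_key_00_00000000000000000000000000000000
#     port_2_address_ff:ff:ff:ff:ff:ff_sa_1_key_pn_1_01_f00f00f00f00f00f00f00f00f00f00f0
#     port_3_address_00:00:00:ff:ff:ff_sa_2_key_on_32_de_de00de00de00de00de00de00de00de00
#     port_4_address_ff:ff:ff:00:00:00_sa_3_key_pn_16345_off_a1_fca1fca1fca1fca1fca1fca1fca1fca1
#
# NOTE(review): the "[_]" placeholder in the patterns looks like it lost its
# content (the examples use "_on" / "_off" in that position), and the examples
# place "key_" before "pn_" while the pattern places it after. Verify the exact
# token order against /etc/init.d/net_macsec before adding entries.
IFRSC=()

# Add transmission association keys (TXSC), examples:
#   sa_<0..3(dec)>_[pn_<1..4294967295(dec)>_][_]key_<00..ff(hex)>_<00000000000000000000000000000000..ffffffffffffffffffffffffffffffff(hex)>
#
#     sa_0_key_00_00000000000000000000000000000000
#     sa_1_key_pn_1_01_f00f00f00f00f00f00f00f00f00f00f0
#     sa_2_key_on_32_de_de00de00de00de00de00de00de00de00
#     sa_3_key_pn_16345_off_a1_fca1fca1fca1fca1fca1fca1fca1fca1
IFTSC=()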