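# /etc/conf.d/net_macsec: config file for /etc/init.d/net_macsec
#
# This file is sourced by the init script as shell, so shell quoting rules apply.
# It stores the MACsec Secure Association Keys (SAKs) for the link in plain text:
# keep it owned by root with mode 0600 (chmod 0600 /etc/conf.d/net_macsec), and do
# not commit it to version control or bake it into images.

# Source interface (host side), e.g. IFSRC=eth0
IFSRC=eth0

# Network init service that must be up before this one, e.g. IFDEP=net.eth0
# Leave empty when there is no such dependency.
IFDEP=

# Destination interface (the MACsec/guest side), e.g. IFDST=macsec0
IFDST=macsec0

# Custom parameters applied to the MACsec interface after it is created.
IFCTD=

# MACsec interface parameters (IFPAR), a space-separated list of "name value" pairs:
# * Port (with or without hardware address - first TXSC) or SCI (SCI on first TXSC)
#   (Address - system identifier component of the secure channel for this MACsec)
#   (Port - port number component of the secure channel for this MACsec)
#   address <00:00:00:00:00:00 to ff:ff:ff:ff:ff:ff (hexadecimal)> port <1 to 65535 (decimal)>
#   port <1 to 65535 (decimal)>
#   (SCI - Secure Channel Identifier for this MACsec)
#   sci <0 to ffffffffffffffff (hexadecimal)>
# * Cipher suite: gcm-aes-128, gcm-aes-256, gcm-aes-xpn-128, gcm-aes-xpn-256
#   (Linux-libre 4.9 support: gcm-aes-128 only)
#   The -128 suites take a 16-byte key, the -256 suites a 32-byte key. The -xpn
#   suites use 64-bit packet numbers; prefer them on links that would otherwise
#   exhaust the 32-bit packet number (see the key rotation note below).
#   cipher gcm-aes-128
# * Length of the Integrity Check Value (ICV): 8 to 16 (decimal)
#   Keep 16 (the full 128-bit tag) unless a peer requires a shorter one; a
#   shorter ICV weakens forgery resistance.
#   icvlen 16
# * Authenticated encryption or integrity-only mode: on, off
#   encrypt on
# * SCI is included in every packet or only when necessary: on, off
#   send_sci on
# * End Station bit: on, off
#   end_station off
# * Single Copy Broadcast bit (SCB): on, off
#   scb off
# * MACsec protection of transmitted frames: on, off
#   protect on
# * Replay protection: on, off (when on, a window must be given as well)
#   replay on window 130
# * Size of the replay window (only meaningful with replay protection enabled):
#   0 to 4294967295 (decimal); 0 tolerates no reordering at all
#   replay on window 130
# * Validation mode for received frames: strict, check, disabled
#   validate strict
# * Active secure association for transmission (SA on first TXSC): 0 to 3 (decimal)
#   encodingsa 0
#
# SECURITY: "protect off" transmits frames without MACsec protection, and
# "validate disabled" accepts frames that are unprotected or fail validation.
# Combining them turns the interface into a plaintext pass-through even though
# "encrypt on" is set. The default below fails closed instead: until both ends
# are keyed via IFRSC/IFTSC the link should carry no traffic rather than
# unprotected traffic. Tune "window" to the reordering behaviour of the link.
# The former permissive setting is kept here for reference only; use it for
# interoperability testing, never in production:
# IFPAR="cipher gcm-aes-128 icvlen 16 encrypt on protect off replay off send_sci on validate disabled"
IFPAR="cipher gcm-aes-128 icvlen 16 encrypt on protect on replay on window 32 send_sci on validate strict"

# Generate a key. The SAK must be exactly 16 bytes (32 hex digits) for the
# gcm-aes-128 / gcm-aes-xpn-128 suites and 32 bytes (64 hex digits) for the -256
# suites (use -N32 / "rand -hex 32" for those):
#   od -An -tx1 -N16 /dev/urandom | tr -d ' \n'; echo
#   openssl rand -hex 16
# Do not use `hexdump -e '1/2 "%02x"'` for this: it formats 16-bit words in host
# byte order without zero-padding them to four digits, so the result is not a
# fixed 32-digit string, and without -v hexdump collapses repeated words to "*".
#
# Keys configured here are static (no MKA / 802.1X key agreement): they never
# rotate on their own, and a 32-bit packet number runs out after 2^32 frames per
# SA. Stage a fresh key in another SA (0..3) on both ends and switch "encodingsa"
# before that happens, or use a gcm-aes-xpn-* suite. The key values in the
# examples below are placeholders; never use them on a real link.

# Add receive channels and/or receive association keys (RXSC), examples:
#
# "[sci <0..ffffffffffffffff(hex)>|port <1..65535(dec)> address <00:00:00:00:00:00..ff:ff:ff:ff:ff:ff(hex)>] [on|off]"
#
# "sci 0"
# "sci ffffffffffffffff on"
# "port 1 address 00:00:00:00:00:00"
# "port 2 address ff:ff:ff:ff:ff:ff off"
#
# "[sci <0..ffffffffffffffff(hex)> |port <1..65535(dec)> address <00:00:00:00:00:00..ff:ff:ff:ff:ff:ff(hex)> ]sa <0..3(dec)> [pn <1..4294967295(dec)> ] [on|off] key <00..ff(hex)> <00000000000000000000000000000000..ffffffffffffffffffffffffffffffff(hex)>"
#
# "sci 0 sa 0 key 00 00000000000000000000000000000000"
# "sci 32 sa 1 pn 1 key 01 f00f00f00f00f00f00f00f00f00f00f0"
# "sci 451 sa 2 on key de de00de00de00de00de00de00de00de00"
# "sci 7438f sa 3 pn 16345 off key a1 fca1fca1fca1fca1fca1fca1fca1fca1"
# "port 1 address 00:00:00:00:00:00 sa 0 key 00 00000000000000000000000000000000"
# "port 2 address ff:ff:ff:ff:ff:ff sa 1 pn 1 key 01 f00f00f00f00f00f00f00f00f00f00f0"
# "port 3 address 00:00:00:ff:ff:ff sa 2 on key de de00de00de00de00de00de00de00de00"
# "port 4 address ff:ff:ff:00:00:00 sa 3 pn 16345 off key a1 fca1fca1fca1fca1fca1fca1fca1fca1"
#
# IFRSC=("port 1 address 00:00:00:00:00:00 on"
#        "port 1 address 00:00:00:00:00:00 sa 0 pn 1 on key 00 00000000000000000000000000000000"
#        "sci ffffffffffff0001 on"
#        "sci ffffffffffff0001 sa 0 pn 1 on key 00 ffffffffffffffffffffffffffffffff")
IFRSC=()

# Add transmit association keys (TXSC), examples:
# "sa <0..3(dec)> [pn <1..4294967295(dec)> ] [on|off] key <00..ff(hex)> <00000000000000000000000000000000..ffffffffffffffffffffffffffffffff(hex)>"
#
# "sa 0 key 00 00000000000000000000000000000000"
# "sa 1 pn 1 key 01 f00f00f00f00f00f00f00f00f00f00f0"
# "sa 2 on key de de00de00de00de00de00de00de00de00"
# "sa 3 pn 16345 off key a1 fca1fca1fca1fca1fca1fca1fca1fca1"
#
# IFTSC=("sa 0 pn 1 on key 00 00000000000000000000000000000000")
IFTSC=()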