| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20181014202510.GA19253@bistromath.localdomain> Date: Sun, 14 Oct 2018 22:25:10 +0200 From: Sabrina Dubroca <sd@...asysnail.net> To: Josh Coombs <jcoombs@...ff.gwi.net> Cc: netdev@...r.kernel.org Subject: Re: Bug in MACSec - stops passing traffic after approx 5TB 2018-10-14, 10:59:31 -0400, Josh Coombs wrote: > I initially mistook this for a traffic control issue, but after > stripping the test beds down to just the MACSec component, I can still > replicate the issue. After approximately 5TB of transfer / 4 billion > packets over a MACSec link it stops passing traffic. I think you're just hitting packet number exhaustion. After 2^32 packets, the packet number would wrap to 0 and start being reused, which breaks the crypto used by macsec. Before this point, you have to add a new SA, and tell the macsec device to switch to it. That's why you should be using wpa_supplicant. It will monitor the growth of the packet number, and handle the rekey for you. If you start with a PN already close to exhaustion (say, 4294967000), you should hit the "bug" very quickly. > # Bring up macsec: > echo "* Enable MACSec" > modprobe macsec > ip link add link "$dif" "$eif" type macsec > ip macsec add "$eif" tx sa 0 pn 1 on key 02 "$txkey" Keep the rest of the configuration, and replace that one with: ip macsec add "$eif" tx sa 0 pn 4294967000 on key 02 "$txkey" to trigger the issue faster. -- Sabrina
Powered by blists - more mailing lists