lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250605131835.3883275-1-carlos.fernandez@technica-engineering.de>
Date: Thu,  5 Jun 2025 15:17:15 +0200
From: Carlos Fernandez <carlos.fernandez@...hnica-engineering.de>
To:
Cc: carlos.fernandez@...hnica-engineering.de,
	sbhatta@...vell.com,
	Sabrina Dubroca <sd@...asysnail.net>,
	Andrew Lunn <andrew+netdev@...n.ch>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>,
	Paolo Abeni <pabeni@...hat.com>,
	Hannes Frederic Sowa <hannes@...essinduktion.org>,
	netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] macsec: MACsec SCI assignment for ES = 0

Hi Sundeep, 

In order to test this scenario, ES and SC flags must be 0 and 
port identifier should be different than 1.

In order to test it, I runned the following commands that configure
two network interfaces on qemu over different namespaces.

After applying this configuration, MACsec ping works in the patched version 
but fails with the original code.

I'll paste the script commands here. Hope it helps your testing.

PORT=11
SEND_SCI="off"
ETH1_MAC="52:54:00:12:34:57"
ETH0_MAC="52:54:00:12:34:56"
ENCRYPT="on"

ip netns add macsec1
ip netns add macsec0
ip link set eth0 netns macsec0
ip link set eth1 netns macsec1
  
ip netns exec macsec0 ip link add link eth0 macsec0 type macsec port $PORT send_sci $SEND_SCI end_station off encrypt $ENCRYPT
ip netns exec macsec0 ip macsec add macsec0 tx sa 0 pn 2 on key 01 12345678901234567890123456789012
ip netns exec macsec0 ip macsec add macsec0 rx port $PORT address $ETH1_MAC 
ip netns exec macsec0 ip macsec add macsec0 rx port $PORT address $ETH1_MAC sa 0 pn 2 on key 02 09876543210987654321098765432109
ip netns exec macsec0 ip link set dev macsec0 up
ip netns exec macsec0 ip addr add 10.10.12.1/24 dev macsec0

ip netns exec macsec1 ip link add link eth1 macsec1 type macsec port $PORT send_sci $SEND_SCI end_station off encrypt $ENCRYPT
ip netns exec macsec1 ip macsec add macsec1 tx sa 0 pn 2 on key 02 09876543210987654321098765432109
ip netns exec macsec1 ip macsec add macsec1 rx port $PORT address $ETH0_MAC 
ip netns exec macsec1 ip macsec add macsec1 rx port $PORT address $ETH0_MAC sa 0 pn 2 on key 01 12345678901234567890123456789012
ip netns exec macsec1 ip link set dev macsec1 up
ip netns exec macsec1 ip addr add 10.10.12.2/24 dev macsec1

ip netns exec macsec1 ping 10.10.12.1 #Ping works on patched version.

Thanks, 
Carlos

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ