Message-ID: <20250606131437.GH120308@horms.kernel.org>
Date: Fri, 6 Jun 2025 14:14:37 +0100
From: Simon Horman <horms@...nel.org>
To: Carlos Fernandez <carlos.fernandez@...hnica-engineering.de>
Cc: sbhatta@...vell.com, Sabrina Dubroca <sd@...asysnail.net>,
	Andrew Lunn <andrew+netdev@...n.ch>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Hannes Frederic Sowa <hannes@...essinduktion.org>,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net v3] macsec: MACsec SCI assignment for ES = 0

On Thu, Jun 05, 2025 at 03:21:04PM +0200, Carlos Fernandez wrote:
> Hi Sundeep, 
> 
> In order to test this scenario, ES and SC flags must be 0 and 
> port identifier should be different than 1.
> 
> In order to test it, I ran the following commands that configure
> two network interfaces on qemu over different namespaces.
> 
> After applying this configuration, MACsec ping works in the patched version 
> but fails with the original code.
> 
> I'll paste the script commands here. Hope it helps your testing.
> 
> PORT=11
> SEND_SCI="off"
> ETH1_MAC="52:54:00:12:34:57"
> ETH0_MAC="52:54:00:12:34:56"
> ENCRYPT="on"
> 
> ip netns add macsec1
> ip netns add macsec0
> ip link set eth0 netns macsec0
> ip link set eth1 netns macsec1
>   
> ip netns exec macsec0 ip link add link eth0 macsec0 type macsec port $PORT send_sci $SEND_SCI end_station off encrypt $ENCRYPT
> ip netns exec macsec0 ip macsec add macsec0 tx sa 0 pn 2 on key 01 12345678901234567890123456789012
> ip netns exec macsec0 ip macsec add macsec0 rx port $PORT address $ETH1_MAC 
> ip netns exec macsec0 ip macsec add macsec0 rx port $PORT address $ETH1_MAC sa 0 pn 2 on key 02 09876543210987654321098765432109
> ip netns exec macsec0 ip link set dev macsec0 up
> ip netns exec macsec0 ip addr add 10.10.12.1/24 dev macsec0
> 
> ip netns exec macsec1 ip link add link eth1 macsec1 type macsec port $PORT send_sci $SEND_SCI end_station off encrypt $ENCRYPT
> ip netns exec macsec1 ip macsec add macsec1 tx sa 0 pn 2 on key 02 09876543210987654321098765432109
> ip netns exec macsec1 ip macsec add macsec1 rx port $PORT address $ETH0_MAC 
> ip netns exec macsec1 ip macsec add macsec1 rx port $PORT address $ETH0_MAC sa 0 pn 2 on key 01 12345678901234567890123456789012
> ip netns exec macsec1 ip link set dev macsec1 up
> ip netns exec macsec1 ip addr add 10.10.12.2/24 dev macsec1
> 
> ip netns exec macsec1 ping 10.10.12.1 #Ping works on patched version.

It seems to me that it would be useful to include these instructions in
the commit message. Or better still, add a selftest.
