Macsec High level design #652
Conversation
Pterosaur commented Jul 22, 2020 (edited)
PR title | state | context
---|---|---
Add MACsec schema | |
Add wpa supplicant build tool | |
MACsec container and wpa_supplicant component | |
Add debian rule for wpa_supplicant | |
[SONiC plugin]: Add SONiC WPA_Supplicant Plugin | |
Move SSCI from SC to SA and change packet number field name to adapt sai 1.7.1 | |
Add utility for string and redis | |
[MACsecMgr]: Add MACsec Manager | |
[orchagent]: Add MACsec Orchagent | |
[vslib]Add MACsec Filters | |
[vslib]Add MACsec Forwarder | |
[vslib]Add MACsec Manager | |
[vslib]Add helper functions, findObjects and dumpObject | |
[vslib] Add StateBase function for MACsec | |
[vslib]Add MACsec forward and filters to HostInterfaceInfo | |
Add MACsec meta methods | |
Add FlexCounter for MACsec SA | |
[vslib]: Add MACsec state to state base | |
[vslib]: adapt macsec sai 1.7.1 | |
Signed-off-by: Ze Gan <ganze718@gmail.com>
Signed-off-by: zegan <ganze718@gmail.com>
doc/macsec/MACsec_hld.md
Outdated
| ------------ | ---------------------------------------- | | ||
| CA | Secure Connectivity Association | | ||
| CAK | Secure Connectivity Association Key | | ||
| CAN | Secure Connectivity Association Key Name | |
CKN -> Connectivity Association Key Name
Done, please review it.
doc/macsec/MACsec_hld.md
Outdated
|
||
Virtual switch use the Linux MACsec driver to support the functionality of MACsec and the MACsec interface is imposed on Ethernet interface. | ||
|
||
Real switch use the ASIC chip as the MACsec Security Entity(SecY) which will be imposed on physic interface. And the ethernet port will be above the SecY. |
physical - typo
Done, please review it.
doc/macsec/MACsec_hld.md
Outdated
|
||
- Delete SA | ||
1. Monitor the DEL message from the MACsec SA Table | ||
2. Collect SA Stats |
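Review bot: the Delete SA steps list monitoring the DEL message and collecting SA stats, but never list removing the SA from the SecY, so the ordering between the final stats read and the SAI remove call is left implicit. State explicitly that the last FlexCounter values for the SA are collected into COUNTERS_DB before the SA object is removed (they cannot be read once the object is gone), and which component removes the FlexCounter entry for that SA.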
Is this intended in Delete SA?
Yes, we need to finally collect SA stats from counter DB when we delete it.
doc/macsec/MACsec_hld.md
Outdated
|
||
Wpa_supplicant need to monitor the packet number for SAK refreshing. But if a copy of packet number delayed more than the preparation time of SAK, the requirement of SAK refreshing may not be realized by wpa_supplicant, which will cause the packet number to be exhausted. | ||
|
||
- MPN=maximal packet number, which indicates the maximal packet number, it should be 4,294,967,295 if packet number is 32bit |
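Review bot: the paragraph names the failure ("cause the packet number to be exhausted") but not the resulting behaviour. It should say which component (wpa_supplicant, MACsecMgr, MACsecOrch or the SecY itself) stops transmission on an SA whose packet number reaches MPN before the refreshed SAK is installed, and that the packet number must never wrap and continue under the same SAK. It should also state how often the packet number copy is synchronized from the SecY, so that the delay the sentence warns about is bounded rather than open-ended.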
maximum?
Done, please review it.
doc/macsec/MACsec_hld.md
Outdated
- MPN=maximal packet number, which indicates the maximal packet number, it should be 4,294,967,295 if packet number is 32bit | ||
- RT=refresh threshold, which indicates that the SAK should be refreshed if the packet number increases to a threshold. This number is about 75% of MPN. | ||
- MPB=maximal port bandwidth, which indicates the maximal bandwidth at the port | ||
- MMPS=minimal MACsec packet size, which indicates the minimal packet size of MACsec, it should be 44 bytes |
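Review bot: MPN is defined only for a 32-bit packet number (4,294,967,295), while the XPN cipher suites raised later in this thread (GCM-AES-XPN-128/256) use a 64-bit packet number, so MPN and RT should be stated per cipher suite rather than as one value. The four parameters are presumably meant to bound the SAK preparation time as (MPN - RT) * MMPS * 8 / MPB seconds, i.e. the time to send the remaining packets at full port bandwidth with minimum-size frames; write that formula out and give a worked value for the target port speed, since 25% of a 32-bit packet number can be a matter of seconds at high port bandwidths. Treating MMPS as the on-wire size ignores preamble and inter-frame gap, which only makes the bound more conservative, and that is worth saying.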
minimum?
Done, please review it.
doc/macsec/MACsec_hld.md
Outdated
|
||
#### Phase I | ||
|
||
- MACsec should be supported on physical port |
Maybe we should also provide a reference to PortChannels
Done, please review it.
doc/macsec/MACsec_hld.md
Outdated
|
||
## 2 Architecture Design | ||
|
||
This chapter shows the MACsec interface stack of virtual switch and real switch. |
Some of the container parts are missing in design. We should provide some details on the following:
- When will the container be running
- Is the FEATURE disabled/enabled by default
When will the container be running
Added the information at: https://github.com/Azure/SONiC/pull/652/files#diff-600ad1f148d06a6c05f027cd045d6c4fR122
Is the FEATURE disabled/enabled by default
Added the information at: https://github.com/Azure/SONiC/pull/652/files#diff-600ad1f148d06a6c05f027cd045d6c4fR198-R199
Signed-off-by: zegan <ganze718@gmail.com>
Signed-off-by: Ze Gan <ganze718@gmail.com>
doc/macsec/MACsec_hld.md
Outdated
- The green means these components are in SWSS container. This container uses the SAI APIs to control the MACsec security entities(SecY) according to databases entries and to synchronize the statistics from SecY to COUNTERS_DB. | ||
- **MACsecOrch** is a module of orchagent, that uses SAI APIs to manage the SecY according to messages from databases and synchronized the statistics of SecY to COUNTERS_DB. | ||
|
||
- The blue one is MACsecSAI in SYNCD container. MACsecSAI is a set of APIs that are defined to communicate with the SecY. In the virtual switch, the SecY is Linux MACsec driver and MACsecSAI will use the ip commands to manage them. But in the real switch, the SecY is the MACsec cipher chip and the implementation of MACsecSAI will be provided by the vendor of the cipher chip. |
The blue one is MACsecSAI in SYNCD container
The MACsecSAI box in the diagram is confusing. All other boxes represent processes, and the audience keeps asking how many syncd processes are in your design. You may draw the syncd1/syncd2 processes as boxes, and MACsecSAI/SAI as internal boxes (like the plugin).
The blue one is MACsecSAI in SYNCD container
The MACsecSAI box in the diagram is confusing. All other boxes represent processes, and the audience keeps asking how many syncd processes are in your design. You may draw the syncd1/syncd2 processes as boxes, and MACsecSAI/SAI as internal boxes (like the plugin).
Fixed, please review it.
doc/macsec/MACsec_hld.md
Outdated
|
||
This chapter shows the MACsec interface stack of virtual switch and real switch. | ||
|
||
Virtual switch use the Linux MACsec driver as the MACsec Security Entity(SecY) to support the functionality of MACsec and the SecY is imposed on the physical port. |
Virtual switch
I know you are talking about SONiC, but it is easily mistaken for the virtual switch between VMs on a physical server. And in SONiC terminology we already have a 'Virtual Switch SAI'; I think your term means a totally different thing.
Virtual switch
I know you are talking about SONiC, but it is easily mistaken for the virtual switch between VMs on a physical server. And in SONiC terminology we already have a 'Virtual Switch SAI'; I think your term means a totally different thing.
I discussed with Guohan and changed it to "SAI virtual switch"; please review whether it makes sense.
Signed-off-by: Ze Gan <ganze718@gmail.com>
Juniper Networks has already implemented very similar MACsec support using wpa_supplicant, and wants to contribute to the community on this feature. We believe that from our work we can accelerate development on the following items:
- Enable wpa_supplicant to support different cipher suites: GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128 and GCM-AES-XPN-256
We can discuss in detail during HLD review.
@caizhenghui, how to contact you? Let's have some discussion first.
Hi, Guohan
Please use my company address zcai@juniper.net.
We can have offline discussion.
Thanks
Zhenghui
Add MACsec schema according to SONiC MACsec HLD: sonic-net/SONiC#652 Signed-off-by: Ze Gan <ganze718@gmail.com>
As part of this MACsec effort, has there been any consideration for including a modified version of tcpdump that is capable of parsing the EAPOL exchange?
Hi Ann, I believe Wireshark can parse the EAPOL traffic, so right now we don't have a plan to modify tcpdump.
88c7ada to cef64db