Closed
54 commits
d01de32
macsec clarification for readme
steve-goog Nov 20, 2025
b456116
rename subtitles, update text, and keep OC config in-line with text
steve-goog Nov 21, 2025
d3e88e2
updated to clarify the macsec test cases
steve-goog Dec 8, 2025
8d125e6
update timestamps
steve-goog Dec 9, 2025
1037e35
replace json with regenerated version
steve-goog Dec 9, 2025
e2425e4
Add gemini code assist config and styleguide (#4824)
dplore Nov 21, 2025
d59536e
Fix issues in CNTR-2 tests (#4810)
goabhinav Nov 21, 2025
3660a0e
Add single topology deviation handling for ISIS. (#4751)
ElodinLaarz Nov 21, 2025
fd04fa0
Implement AFT Atomic Test (#4703)
ElodinLaarz Nov 22, 2025
b25acfd
Update bgp_2byte_4byte_asn_policy_test.go (#4831)
AmrNJ Nov 24, 2025
0db1a57
Update ondatra version (#4846)
singhavnish2516 Nov 24, 2025
c9e08f1
Add README: Feature: <Telemetry: Firewall High Availability> (#4845)
nsadhasivam Nov 24, 2025
2a4c482
Fix sshfs volume source path and default image name of cntrsrv (#4811)
goabhinav Nov 24, 2025
8348c02
Fix sampling_and_subscription_check_test import (#4848)
singhavnish2516 Nov 24, 2025
f8edd22
Plt 1.1 breakout (#4843)
AmrNJ Nov 24, 2025
317cd23
Implement carrier-transitions FNT (#4803)
ElodinLaarz Nov 25, 2025
e1d2d88
Geokamel/isis scale multi adj test (#4834)
geokamel-eg Nov 25, 2025
5e51569
Create README for AFT-1.3: AFTs collector Flap (#4816)
paramasivamn1 Nov 25, 2025
2a26ee7
add aft reboot test (#4849)
ElodinLaarz Nov 25, 2025
d391ea9
Add disk space cleanup step in workflow (#4862)
dplore Nov 27, 2025
2325589
internal/cfgplugin/qos.go - issue with Arista configs using runCliCo…
ram-mac Nov 27, 2025
204701a
RT-2.12 code changes (#4764)
karthikeya-remilla Nov 27, 2025
5091f50
Update base_vrf_selection_test.go (#4857)
AmrNJ Nov 27, 2025
adc39d0
adding deviation to bgp_multipath_wecmp_test as multipath under afi_s…
ram-mac Nov 27, 2025
c664ed1
Cisco DP-1.14: Add deviation for sampling QoS counters (#4847)
karthikeya-remilla Nov 27, 2025
9b52eb5
Fixing the configureQoSGlobalParams function (#4856)
ram-mac Nov 27, 2025
9b7920e
updated the featureprofile path as per oc path format (#4863)
nsadhasivam Nov 28, 2025
b9e1538
Update PF-1.7.1 - MPLS in GRE decapsulation README (#4538)
balaji6 Nov 28, 2025
b8b4c97
Add test to validate ciscoxr-lagmac-ft (#4867)
singhavnish2516 Dec 2, 2025
995386d
Slow collector (#4851)
paramasivamn1 Dec 2, 2025
31111e2
Update and rename isisscalehelpers.go to isisscale.go (#4869)
singhavnish2516 Dec 2, 2025
bc6d132
Enrollz TPM 1.2 RotateAIK() enrollment flow README (#4836)
muntazirsal Dec 2, 2025
4c6c7c1
add enrollz tpm 2.0 hmac flow readme (#4827)
gh4683 Dec 2, 2025
853366e
Add Test : PF-2.3: Multiple VRFs and GUE DECAP in Default VRF (#4552)
desaimg1 Dec 3, 2025
25bd798
Update defaults_test.go (#4871)
AmrNJ Dec 3, 2025
ca0fcd7
Adding new test RT-7.9 (#4868)
ram-mac Dec 3, 2025
c7fbb9f
Update parent_component_validation_test.go (#4875)
AmrNJ Dec 4, 2025
1a2b25c
Adding gnmi-1.6 Test files to fix conflict on PR #4842 (#4876)
danielbarney Dec 4, 2025
f734c86
Add Collector Flap Test (#4866)
ashishpawar-google Dec 9, 2025
3e572a5
Automation for RT-10.1: Default Route Generation based on 192.0.0.0/8…
crc-kt Dec 9, 2025
2461311
Update gribi_scaling_test.go (#4855)
AmrNJ Dec 9, 2025
f444446
Update to Ondatra v0.14.0 (#4886)
bstoll Dec 9, 2025
1827dec
remove security-policy as it's not yet in OC
steve-goog Dec 9, 2025
31f9908
Merge branch 'main' into steve-goog/mpls_gre_udp_macsec
steve-goog Dec 9, 2025
fc09c71
syntax update
steve-goog Dec 9, 2025
8b721f6
change key-id to a hexstring
steve-goog Dec 9, 2025
7b17d96
update keychain names
steve-goog Dec 10, 2025
6f3c562
add state name
steve-goog Dec 10, 2025
628e0ee
Merge branch 'main' into steve-goog/mpls_gre_udp_macsec
steve-goog Dec 10, 2025
026c2e6
Merge branch 'main' into steve-goog/mpls_gre_udp_macsec
dplore Dec 12, 2025
fc5678f
revise canonical OC for macsec and keychain
dplore Dec 12, 2025
6970b41
add interfaces so leafref will resolve in validator
dplore Dec 12, 2025
13e3a91
fix curly brace in JSON
dplore Dec 12, 2025
678e1f2
add test case for longer SAK key expiration time
steve-goog Dec 13, 2025
218 changes: 112 additions & 106 deletions feature/policy_forwarding/otg_tests/mpls_gre_udp_macsec/README.md
@@ -22,27 +22,26 @@ Test uses aggregate 802.3ad bundled interfaces (Aggregate).
* Send bidirectional traffic:
* IP to Encap Traffic: The IP to Encap traffic is from ATE Ports [1,2] to ATE Ports [3,4,5,6].

* Encap to IP Traffic: The Encap traffic to IP traffic is from ATE Ports [3,4,5,6] to ATE Ports [1,2].
* Encap to IP Traffic: The Encap traffic to IP traffic is from ATE Ports [3,4,5,6] to ATE Ports [1,2].

Please refer to the MPLSoGRE [encapsulation PF-1.14](feature/policy_forwarding/otg_tests/mpls_gre_ipv4_encap_test/README.md) and [decapsulation PF-1.12](feature/policy_forwarding/otg_tests/mpls_gre_ipv4_decap_test/README.md) READMEs for additional information on the test traffic environment setup.

## PF-1.17.1: Generate DUT Configuration
### MACsec
* Configure MACsec Static Connectivity Association Key (CAK) Mode on both ends of the aggregate bundle links connecting ATE ports 1,2 and DUT:
* Define first Policy(1) to cover must-secure scenario
* Define second Policy(2) to cover should-secure scenario
* Define first Policy(1) to cover must-secure scenario, as defined below
* Define second Policy(2) to cover should-secure scenario, as defined below
Comment on lines +32 to +33:
The leaf for traffic policy isn't present in public openconfig model for Macsec. Can we please get them added.

* Define 5 pre-shared keys (with overlapping time of 1 minute and lifetime of 2 minutes) for both Policy(1) and Policy(2)
* Each pre-shared key mush have a unique Connectivity Association Key Name(CKN) and Connectivity Association Key(CAK)
* Set CKN as encrypted/hidden in the running configuration
* Set CAK as encrypted/hidden in the running configuration
* Use 256 bit cipher GCM-AES-256-XPN and an associated 64 char CAK-CKN pair
* Set Key server priority: 15
* Set Security association key rekey interval: 28800 seconds
* Set Security association key rekey interval: 30 seconds (test only)
* Set MACsec confidentiality offset: 0
* Set Replay Protection Window size: 64
* Set ICV enabled:True
* Set Replay Protection Window (out-of-sequence protection) size: 64
We are still keeping this as 64?

Contributor Author:
Do we need to change it?

In the offline discussion, it was mentioned that the macsec peers are directly connected and there is no possibility of reordering.

Contributor Author:
In the normal case, yes - we don't actually expect reordering. But we don't control the link (the far end does) and we are recommending to the far-end that they use 64, so if we don't also use 64 that may be unexpected by that end. (64 allows a tiny bit of reordering, but also works when there is no reordering at all...)

* Include ICV indicator:True
* Set SCI enabled:True
* Set Out of sequence protection window size:64
* Set maximum value of Association Number: 3 (NOTE: This is currently not configurable)
* Set maximum value of Association Number: 3 (NOTE: This is currently not configurable and is not included in the test cases)

## PF-1.17.2: Verify PF MPLSoGRE and MPLSoGUE traffic forwarding with MACSec must-secure policy
* Generate bidirectional traffic as highlighted in the test environment setup section:
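Review bot: The replay window is now listed twice in the new text, once as "Set Replay Protection Window (out-of-sequence protection) size: 64" and again as "Set Out of sequence protection window size:64"; keep one bullet so a vendor cannot read them as two different knobs. Two more things in the same list: "Set CKN as encrypted/hidden in the running configuration" is not a security requirement, since the CKN is carried in cleartext in every MKPDU and only the CAK is secret, so either drop that bullet or mark it as cosmetic; and the bullet "Set Security association key rekey interval: 30 seconds (test only)" now sits next to the 5-key, 1-minute overlap, 2-minute lifetime schedule while PF-1.17.5 below goes back to 28800, so say explicitly that 30 s is the override used by PF-1.17.2 through PF-1.17.4 and 28800 is the production value verified in PF-1.17.5. Minor: "mush have" should be "must have".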
@@ -57,7 +56,7 @@ Verify:
* No packet loss while forwarding at line rate
* Traffic equally load-balanced across bundle interfaces in both directions
* Header fields are as expected in both directions
* Traffic is dropped (100 percent) when the must-secure MACSec sessions are down by disabling MACsec on ATE ports
* Traffic is dropped (100 percent) when the must-secure MACSec sessions are down by changing a key on one side to a mismatch & forcing renegotiation on ATE ports
This comment doesn't take care of a scenario where due to connection issues - MKA session goes down. I think the comment should be generic to say that if there are no successful MKA session on the port, then all the traffic will be dropped.


## PF-1.17.3: Verify PF MPLSoGRE and MPLSoGUE traffic forwarding with MACSec should-secure policy
* Generate bidirectional traffic as highlighted in the test environment setup section:
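Review bot: The replacement line narrows the must-secure drop check to a deliberate CAK mismatch, while the must-secure definition added later in this README says tx is dropped whenever encryption is not used or keys have expired, not only on mismatch. State the expectation generically ("100 percent loss whenever no live MKA session exists on the port") and keep the MACsec-disabled-on-ATE case the removed line covered as one of the ways to get there, with the key mismatch as a second. Style: the line mixes "MACSec" and "MACsec"; the rest of the README uses "MACsec".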
@@ -72,7 +71,7 @@ Verify:
* No packet loss while forwarding at line rate
* Traffic equally load-balanced across bundle interfaces in both directions
* Header fields are as expected in both directions
* Traffic is not dropped when the should-secure MACSec sessions are down by disabling MACsec on ATE ports
* Traffic is not dropped when the should-secure MACSec sessions are down by changing a key on one side to a mismatch & forcing renegotiation on ATE ports
Unencrypted traffic is allowed when all the MKA sessions are down.


## PF-1.17.4: Verify MACSec key rotation
* Generate bidirectional traffic as highlighted in the test environment setup section:
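Review bot: "Traffic is not dropped" says what must not happen but not what the DUT should be doing; after the mismatch the traffic should be forwarded unprotected, so add the observable checks (cleartext on the wire, MACsec protected/encrypted frame counters not incrementing, MKA session state down) and a final step that traffic is protected again once the keys match. The should-secure definition further down says dropping cleartext on rx while a session is active is "recommended but not required", so also say whether this test covers only the all-sessions-down state or that mixed state too; as written a vendor that drops in the mixed state and one that forwards would both pass. Same "MACSec"/"MACsec" mix as in PF-1.17.2.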
@@ -90,113 +89,120 @@ Verify:
* No packet loss when keys one through five expires as configured
* 100 percent packet loss after all the keys configured expires

## PF-1.17.5: Verify standard Security-Association timer
* Generate bidirectional traffic as highlighted in the test environment setup section:
* MPLSoGRE traffic with IPV4 and IPV6 payloads from ATE ports 3,4,5,6
* MPLSoGUE traffic with IPV4 and IPV6 payloads from ATE ports 3,4,5,6
* IPV4 and IPV6 traffic from ATE ports 1,2
* Use 64, 128, 256, 512, 1024.. MTU bytes frame size.
* Enable must secure policy (Policy(1)) on both interfaces ATE ports 1,2 and DUT
* Set the security association key rekey interval to 28800 seconds

## Canonical OpenConfig for MACsec configuration
Verify:
* Verify the SAK key value is accepted by the DUT
* Verify that MACsec sessions are up
* No packet loss while forwarding at line rate

## Definitions
* *must-secure:* All non-macsec-control packets must be encrypted. On transmit (tx), packets are dropped if encryption is not used or if keys have expired. On receive (rx), unencrypted packets that should be secure or encrypted with expired keys are dropped.
* *should-secure:* Unencrypted packets are permitted. On receive (rx), it's recommended but not required to drop unencrypted packets if a macsec session is active. On transmit (tx), it's recommended but not required to send unencrypted packets if macsec session negotiation has failed.

## Canonical OC

```json
{
"macsec": {
"interfaces": {
"interface": [
{
"config": {
"enable": true,
"name": "Ethernet12/1",
"replay-protection": 64
},
"mka": {
"config": {
"key-chain": "my_macsec_keychain",
"mka-policy": "must_secure_policy"
}
},
"name": "Ethernet12/1"
},
{
"config": {
"enable": true,
"name": "Ethernet11/1",
"replay-protection": 64
},
"mka": {
"config": {
"key-chain": "my_macsec_keychain",
"mka-policy": "must_secure_policy"
}
},
"name": "Ethernet11/1"
}
]
"interfaces": {
"interface": [
{
"config": {
"name": "Ethernet1/1"
},
"name": "Ethernet1/1"
},
{
"config": {
"name": "Ethernet1/2"
},
"mka": {
"policies": {
"policy": [
{
"config": {
"confidentiality-offset": "0_BYTES",
"include-icv-indicator": true,
"include-sci": true,
"key-server-priority": 15,
"macsec-cipher-suite": [
"GCM_AES_XPN_256"
],
"name": "must_secure_policy",
"sak-rekey-interval": 28800,
"security-policy": "MUST_SECURE"
},
"name": "must_secure_policy"
},
{
"config": {
"confidentiality-offset": "0_BYTES",
"include-icv-indicator": true,
"include-sci": true,
"key-server-priority": 15,
"macsec-cipher-suite": [
"GCM_AES_XPN_256"
],
"name": "should_secure_policy",
"sak-rekey-interval": 28800,
"security-policy": "SHOULD_SECURE"
},
"name": "should_secure_policy"
}
]
"name": "Ethernet1/2"
}
]
},
"keychains": {
"keychain": [
{
"config": {
"name": "keychain1"
},
"keys": {
"key": [
{
"config": {
"crypto-algorithm": "AES_256_CMAC",
"key-id": "0xabcd111122223333444455556666777788889999000011112222333344445555",
"secret-key": "ad4rf10kn85fc0adk5dfcsnr1or4cm08q"
},
"key-id": "0xabcd111122223333444455556666777788889999000011112222333344445555"
}
]
},
"name": "keychain1"
}
]
},
"macsec": {
"interfaces": {
"interface": [
{
"config": {
"enable": true,
"name": "Ethernet1/1"
},
"mka": {
"config": {
"key-chain": "keychain1",
"mka-policy": "must_secure"
}
},
"name": "Ethernet1/1"
},
{
"config": {
"enable": true,
"name": "Ethernet1/2"
},
"mka": {
"config": {
"key-chain": "keychain1",
"mka-policy": "must_secure"
It will be good if we can include mka policy definition as well here.

Member:
This policy name references the policy later in the JSON:

"mka": {
"policies": {
"policy": [
{
"config": {
"confidentiality-offset": "0_BYTES",
"include-icv-indicator": true,
"include-sci": true,
"key-server-priority": 15,
"macsec-cipher-suite": [
"GCM_AES_XPN_256"
],
"name": "must_secure",
"sak-rekey-interval": 30
},
"name": "must_secure"
}
]
}
}

}
},
"name": "Ethernet1/2"
}
]
},
"keychains": {
"keychain": {
"mka": {
"policies": {
"policy": [
{
"config": {
"name": "my_macsec_keychain"
"confidentiality-offset": "0_BYTES",
"include-icv-indicator": true,
"include-sci": true,
"key-server-priority": 15,
"macsec-cipher-suite": [
"GCM_AES_XPN_256"
],
"name": "must_secure",
"sak-rekey-interval": 30
},
"keys": {
"key": [
{
"config": {
"secret-key": "sercret password/CAK",
"key-id": "key-id/CKN",
"crypto-algorithm": "AES_256_CMAC",
"send-lifetime": {
"config": {
"start-time": "my_start_time",
"end-time": "my_end_time"
}
},
"receive-lifetime": {
"config": {
"start-time": "my_start_time",
"end-time": "my_end_time"
}
}
}
}
]
}
}
"name": "must_secure"
}
]
}
}
}
}
```
```

## OpenConfig Path and RPC Coverage
TODO: Finalize and update the below paths after the review and testing on any vendor device.
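Review bot: The new canonical OC no longer expresses what PF-1.17.1 and PF-1.17.4 require. keychain1 carries a single key with no send-lifetime/receive-lifetime containers (the replaced version had both), so the five overlapping keys of the rotation test cannot be generated from this JSON; add five key entries with lifetimes. The sample "secret-key": "ad4rf10kn85fc0adk5dfcsnr1or4cm08q" is 33 characters and not hex, while the README asks for a 64-character CAK with GCM_AES_XPN_256 (a 256-bit CAK is 64 hex characters); use a placeholder of the right shape and label it as a placeholder. The interface config dropped "replay-protection": 64 that the old JSON had, although the bullet list still requires a window of 64. Only must_secure is defined and bound to both interfaces; with security-policy removed (not in OC yet, per the commit) the should_secure variant needed for PF-1.17.3 can no longer be written, so say that in the README or point at the OC change, and note that "sak-rekey-interval": 30 is the test override while PF-1.17.5 expects 28800. The leftover "TODO: Finalize and update the below paths" should be resolved before merge.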