
I'm trying to do a simple task with no luck so far. I have two Linux hosts communicating using macsec interfaces:

Host 1:

[Expert@jaguar_macsec-s01-01:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0050569ed33d0001 on SA 0
    0: PN 123787, state on, key 00000000000000000000000000000000
RXSC: 0050569e00d00001, state on
    0: PN 19308, state on, key 00000000000000000000000000000000

Host 2:

[Expert@jaguar_macsec-s01-02:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0050569e00d00001 on SA 0
    0: PN 35356, state on, key 00000000000000000000000000000000
RXSC: 0050569ed33d0001, state on
    0: PN 148262, state on, key 00000000000000000000000000000000

In order to change the key, I create a new tx channel and a new rx channel on both ends, then turn off the old ones:

Host 1:

ip macsec add Sync tx sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec add Sync rx sci 0050569e00d00001 sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec set Sync tx sa 1 on
ip macsec set Sync rx sci 0050569e00d00001 sa 1 on
ip macsec set Sync tx sa 0 off
ip macsec set Sync rx sci 0050569e00d00001 sa 0 off

[Expert@jaguar_macsec-s01-01:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0050569ed33d0001 on SA 0
    0: PN 155609, state off, key 00000000000000000000000000000000
    1: PN 1, state on, key 01000000000000000000000000000000
RXSC: 0050569e00d00001, state on
    0: PN 39777, state off, key 00000000000000000000000000000000
    1: PN 1, state on, key 01000000000000000000000000000000

Host 2:

ip macsec add Sync tx sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec add Sync rx sci 0050569ed33d0001 sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec set Sync tx sa 1 on
ip macsec set Sync rx sci 0050569ed33d0001 sa 1 on
ip macsec set Sync tx sa 0 off
ip macsec set Sync rx sci 0050569ed33d0001 sa 0 off

[Expert@jaguar_macsec-s01-02:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 0050569e00d00001 on SA 0
    0: PN 36370, state off, key 00000000000000000000000000000000
    1: PN 1, state on, key 01000000000000000000000000000000
RXSC: 0050569ed33d0001, state on
    0: PN 149509, state off, key 00000000000000000000000000000000
    1: PN 1, state on, key 01000000000000000000000000000000

As can be seen, even though I turned off the old channels, I still can't get the new ones to work - the PN (packet number) stays at 1, meaning that no packets have been sent or received using these channels. Deleting the old channels completely didn't help either. I couldn't find any documentation that explains how this procedure can be done correctly. Any advice would be greatly appreciated.
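The rotation the question describes, as an added example that is not the poster's script: it orders the commands so the new RX SA is accepted before transmission moves, and it adds the `ip link ... type macsec encodingsa N` step, because `ip macsec show` reports the transmitting SA as "TXSC: ... on SA N" and `set tx sa N on` alone does not move it. Interface, SCI and key values are the ones from the question; `ip` is only invoked when DRY_RUN=0, and the parsing helpers check an `ip macsec show` dump for whether the new SA actually carried frames.

```shell
#!/bin/sh
# Added example, not the poster's script. Generates and checks a MACsec SA
# rotation with iproute2; interface, SCI and key values come from the question.

# GCM-AES-128 needs a 16-byte key, i.e. exactly 32 hex characters.
valid_key128() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# Print the commands for one host, in order. Install and enable the new RX SA
# first so this host accepts the peer's frames once the peer switches, then the
# new TX SA; "set tx sa N on" only activates it, while the SA actually used for
# encoding (shown as "TXSC: ... on SA N") is selected with "encodingsa N".
# Only after that are the old SAs switched off.
rekey_cmds() {
    ifc=$1 peer_sci=$2 sa=$3 kid=$4 key=$5 old=$6
    valid_key128 "$key" || { echo "key must be 32 hex chars" >&2; return 1; }
    cat <<EOF
ip macsec add $ifc rx sci $peer_sci sa $sa pn 1 key $kid $key
ip macsec set $ifc rx sci $peer_sci sa $sa on
ip macsec add $ifc tx sa $sa pn 1 key $kid $key
ip macsec set $ifc tx sa $sa on
ip link set $ifc type macsec encodingsa $sa
ip macsec set $ifc tx sa $old off
ip macsec set $ifc rx sci $peer_sci sa $old off
EOF
}

# Run the commands, or only print them unless DRY_RUN=0 (needs root to run).
apply_rekey() {
    rekey_cmds "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
}

# Read "ip macsec show" output on stdin and print the SA the TXSC encodes with.
encoding_sa() {
    sed -n 's/^TXSC: [0-9a-f]* on SA \([0-9]\).*/\1/p'
}

# Read "ip macsec show" output on stdin; succeed only if TX SA $1 has a PN
# above 1, which is the sign that frames were actually sent on it.
tx_sa_has_traffic() {
    awk -v sa="$1" '/^TXSC:/ { in_tx = 1 } /^RXSC:/ { in_tx = 0 }
        in_tx && $1 == sa ":" { pn = $3; sub(/,/, "", pn); if (pn + 0 > 1) ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

DRY_RUN=1 apply_rekey Sync 0050569e00d00001 1 01 81818181818181818181818181818181 0
```

Run the printed sequence on host 1 with host 2's SCI, and the mirror on host 2; afterwards `ip macsec show | tx_sa_has_traffic 1` should succeed on both ends.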
