From b26fc590ce6272835da35c016f6a99f5f43d6a88 Mon Sep 17 00:00:00 2001
From: Sabrina Dubroca
Date: Wed, 8 Jun 2016 09:34:21 -0700
Subject: ip: add MACsec support Extend ip-link to create MACsec devices ip link add link type macsec [options] Add `ip macsec` command to configure receive-side secure channels and secure associations within a macsec netdevice.
Signed-off-by: Sabrina Dubroca
Acked-by: Phil Sutter
---
 man/man8/ip-macsec.8 | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 man/man8/ip-macsec.8

(limited to 'man/man8/ip-macsec.8')

diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
new file mode 100644
index 00000000..e8455d77
--- /dev/null
+++ b/man/man8/ip-macsec.8
@@ -0,0 +1,98 @@
+.TH IP\-MACSEC 8 "07 Mar 2016" "iproute" "Linux"
+.SH NAME
+ip-macsec \- MACsec device configuration
+.SH "SYNOPSIS"
+.BI "ip link add link " DEVICE " name " NAME " type macsec "
+[ [
+.BR cipher " { " default " | " gcm-aes-128 " } ] "
+.BI icvlen " ICVLEN"
+] [ [
+.BR encrypt " { " on " | " off " } ] ["
+.BR send_sci " { " on " | " off " } ] ["
+.BR end_station " { " on " | " off " } ] ["
+.BR scb " { " on " | " off " } ] ["
+.BR protect " { " on " | " off " } ] ["
+.BR replay " { " on " | " off " } ] ["
+.BI window " WINDOW"
+] [
+.BI encodingsa " SA"
+]
+
+.BI "ip macsec add " DEV " tx sa"
+.RI "{ " 0..3 " } [ " OPTS " ]"
+.BI key " ID KEY"
+.br
+.BI "ip macsec set " DEV " tx sa"
+.RI "{ " 0..3 " } [ " OPTS " ]"
+.br
+.BI "ip macsec del " DEV " tx sa"
+.RI "{ " 0..3 " }"
+
+.BI "ip macsec add " DEV " rx " SCI
+.RB [ " on " | " off " ]
+.br
+.BI "ip macsec set " DEV " rx " SCI
+.RB [ " on " | " off " ]
+.br
+.BI "ip macsec del " DEV " rx " SCI
+
+.BI "ip macsec add " DEV " rx " SCI " sa"
+.RI "{ " 0..3 " } [ " OPTS " ]"
+.BI key " ID KEY"
+.br
+.BI "ip macsec set " DEV " rx " SCI " sa"
+.RI "{ " 0..3 " } [ " OPTS " ]"
+.br
+.BI "ip macsec del " DEV " rx " SCI " sa"
+.RI "{ " 0..3 " }"
+
+.B ip macsec show
+.RI [ " DEV " ]
+
+.IR OPTS " := [ "
+.BR pn " { "
+.IR 1..2^32-1 " } ] ["
+.BR on " | " off " ]"
+.br
+.IR SCI " := { "
+.B sci
+.IR " | "
+.BI port " " address " "
+}
+
+
+.SH DESCRIPTION
+The
+.B ip macsec
+commands are used to configure transmit secure associations and receive secure channels and their secure associations on a MACsec device created with the
+.B ip link add
+command using the
+.I macsec
+type.
+
+.SH EXAMPLES
+.PP
+.SS Create a MACsec device on link eth0
+.nf
+# ip link add device eth0 macsec0 type macsec port 11 encrypt on
+.PP
+.SS Configure a secure association on that device
+.nf
+# ip macsec add macsec0 tx sa 0 pn 1024 on key 01 81818181818181818181818181818181
+.PP
+.SS Configure a receive channel
+.nf
+# ip macsec add macsec0 rx port 1234 address c6:19:52:8f:e6:a0
+.PP
+.SS Configure a receive association
+.nf
+# ip macsec add macsec0 rx port 1234 address c6:19:52:8f:e6:a0 sa 0 pn 1 on key 00 82828282828282828282828282828282
+.PP
+.SS Display MACsec configuration
+.nf
+# ip macsec show
+.SH SEE ALSO
+.br
+.BR ip-link (8)
+.SH AUTHOR
+Sabrina Dubroca
-- 
cgit v1.2.3

From c0ab80a4907a102e48b3a8f4150e77671e5af81d Mon Sep 17 00:00:00 2001
From: Davide Caratti
Date: Tue, 26 Jul 2016 11:03:18 +0200
Subject: man: macsec: fix macsec related typos - ip-macsec.8: fix wrong 'device' keyword in 'ip link add device eth0'; add missing description of 'validate' keyword; remove spurious bracket near 'encrypt' keyword; add missing reference to configuration of 'port' and 'sci' - ip-link.8 fix wrong 'es' and 'encoding' keywords in MACsec section
Signed-off-by: Davide Caratti
---
 man/man8/ip-macsec.8 | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'man/man8/ip-macsec.8')

diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
index e8455d77..f928c43f 100644
--- a/man/man8/ip-macsec.8
+++ b/man/man8/ip-macsec.8
@@ -3,10 +3,14 @@
 ip-macsec \- MACsec device configuration
 .SH "SYNOPSIS"
 .BI "ip link add link " DEVICE " name " NAME " type macsec "
-[ [
+[
+.BI port " PORT"
+|
+.BI sci " SCI"
+] [ [
 .BR cipher " { " default " | " gcm-aes-128 " } ] "
 .BI icvlen " ICVLEN"
-] [ [
+] [
 .BR encrypt " { " on " | " off " } ] ["
 .BR send_sci " { " on " | " off " } ] ["
 .BR end_station " { " on " | " off " } ] ["
@@ -15,6 +19,7 @@ ip-macsec \- MACsec device configuration
 .BR replay " { " on " | " off " } ] ["
 .BI window " WINDOW"
 ] [
+.BR validate " { " strict " | " check " | " disabled " } ] ["
 .BI encodingsa " SA"
 ]
 
@@ -74,7 +79,7 @@ type.
 .PP
 .SS Create a MACsec device on link eth0
 .nf
-# ip link add device eth0 macsec0 type macsec port 11 encrypt on
+# ip link add link eth0 macsec0 type macsec port 11 encrypt on
 .PP
 .SS Configure a secure association on that device
 .nf
-- 
cgit v1.2.3

From 89bb6e673a6ae9dd9b6845ed95358dd6653c167e Mon Sep 17 00:00:00 2001
From: Davide Caratti
Date: Tue, 26 Jul 2016 11:03:20 +0200
Subject: macsec: cipher and icvlen can be set separately since kernel driver has valid default values for 'cipher' and 'icvlen', there is no need for requiring users to specify both of them when a new link is added. Also, prompt an error message and exit with appropriate exit status in case of unsupported cipher suite.
Signed-off-by: Davide Caratti
---
 man/man8/ip-macsec.8 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'man/man8/ip-macsec.8')

diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
index f928c43f..105aeecd 100644
--- a/man/man8/ip-macsec.8
+++ b/man/man8/ip-macsec.8
@@ -7,8 +7,8 @@ ip-macsec \- MACsec device configuration
 .BI port " PORT"
 |
 .BI sci " SCI"
-] [ [
-.BR cipher " { " default " | " gcm-aes-128 " } ] "
+] [
+.BR cipher " { " default " | " gcm-aes-128 " } ] ["
 .BI icvlen " ICVLEN"
 ] [
 .BR encrypt " { " on " | " off " } ] ["
-- 
cgit v1.2.3

From 5898bd667a483c12ba0ca53aa0ef39f9b98d2fc9 Mon Sep 17 00:00:00 2001
From: Davide Caratti
Date: Tue, 30 Aug 2016 13:23:12 +0200
Subject: macsec: fix input of 'port', improve documentation of 'address' remove hardcoded base 10 parsing of 'port' parameter, update man page and fix usage() functions as well. Fix misleading line in man page that theoretically allowed specifying 'port' keyword right after 'sci' keyword. Provide documentation of 'address' parameter in man pages and in usage() functions as well.
Signed-off-by: Davide Caratti
---
 man/man8/ip-macsec.8 | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'man/man8/ip-macsec.8')

diff --git a/man/man8/ip-macsec.8 b/man/man8/ip-macsec.8
index 105aeecd..1aca3bdc 100644
--- a/man/man8/ip-macsec.8
+++ b/man/man8/ip-macsec.8
@@ -3,10 +3,12 @@
 ip-macsec \- MACsec device configuration
 .SH "SYNOPSIS"
 .BI "ip link add link " DEVICE " name " NAME " type macsec "
-[
+[ [
+.BI address " "
+]
 .BI port " PORT"
 |
-.BI sci " SCI"
+.BI sci " "
 ] [
 .BR cipher " { " default " | " gcm-aes-128 " } ] ["
 .BI icvlen " ICVLEN"
@@ -62,8 +64,12 @@ ip-macsec \- MACsec device configuration
 .IR SCI " := { "
 .B sci
 .IR " | "
-.BI port " " address " "
+.BI port
+.IR PORT
+.BI address " "
 }
+.br
+.IR PORT " := { " 1..2^16-1 " } "
 
 
 .SH DESCRIPTION
-- 
cgit v1.2.3