Regarding MACSEC test


Mari Muthu

Jun 17, 2024, 7:34:42 AM
to sonicp...@googlegroups.com
Team,
Has anyone tested MACsec in SONiC with Ixia? How do we provide the SAK in SONiC? Any ideas / suggestions?

Judy Joseph

Jun 19, 2024, 2:33:40 AM
to sonicproject
Hello Muthu,

In SONiC today we have to specify a matching CAK/CKN in the MACsec profile in the local and peer end configuration. It uses the MKA protocol to generate a SAK, which is exchanged between peers and programmed in h/w.

Can you share more details of which mode you selected for MACsec in IXIA: is it static-macsec/mka/macsec?
  I am including reference to sample macsec profiles used in sonic-mgmt tests here: sonic-mgmt/tests/macsec/profile.json at master · sonic-net/sonic-mgmt (github.com)

regards,
Judy.

Mari Muthu

Jun 19, 2024, 4:10:53 AM
to Judy Joseph, sonicproject
Thanks Judy for your response.

Using MKA in Ixia.
CAK values have to be given with a minimum length of 66 in SONiC.
But in the standard (Ixia/any other vendor), they can be provided with a length of 32 or 64 only.
For example, here primary_cak has to be provided with a minimum length of 66.

    "128": {
        "priority": 64,
        "cipher_suite": "GCM-AES-128",
        "primary_cak": "35045f514b420c0e000b0b7476287f23210806564052510d5c5e56006e6d2d3c23",
        "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
        "policy": "security",
        "send_sci": "false"
    },

Whereas in Ixia, it can be provided with a length of 32 only, if the cipher_suite is 128:
35045f514b420c0e000b0b7476287f23

It can be provided with a length of 64 if the cipher_suite is 256:
35045f514b420c0e000b0b7476287f23210806564052510d5c5e56006e6d2d3

Hence, I am not able to test the interop with Ixia. I have checked with a few other vendors about these PSK concepts; it's always 32 / 64 length.
How do we test with Ixia and SONiC?


Judy Joseph

Jun 27, 2024, 10:30:43 PM
to Mari Muthu, sonicproject
Hello Mari,

Yes, currently SONiC supports these cipher suites "GCM-AES-128|GCM-AES-256|GCM-AES-XPN-128|GCM-AES-XPN-256" and a type 7 encoded CAK string of length 66 bytes for 128 bit cipher suites and 130 bytes for 256 bit cipher suites.

With IXIA we usually use the GCM-AES-XPN-256 cipher suite. From the definition below, the 'primary_ckn' is used as is; the 'primary_cak', which is type 7 encoded, can be decoded to a 64 byte hex string (there are algorithms if you google for "type 7 decode") and given as input in IXIA.

    "MACSEC_PROFILE": {
        "priority": 64,
        "cipher_suite": "GCM-AES-XPN-256",
        "primary_cak": "207b757a60617745504e5a20747a7c76725e524a450d0d01040a0c75297822227e07554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c033124322627",
        "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
        "policy": "security",
        "send_sci": "true",
        "rekey_period": 240
    }

  We could take the same approach for 128 bit cipher suites as well. Let me know if you face any issues.

regards,
Judy
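
The decode step described in the reply above, as an added example that is not part of the original post and is not SONiC's own code. It assumes the widely published type 7 XOR table (the thread does not give it); the function names are hypothetical, and the two profile entries are copied from the thread.

```python
import re

# Widely published type 7 XOR table (53 chars). Assumption: the thread does not give it.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
# Encoded primary_cak lengths per cipher suite, as stated in the thread.
ENCODED_LEN = {"GCM-AES-128": 66, "GCM-AES-XPN-128": 66,
               "GCM-AES-256": 130, "GCM-AES-XPN-256": 130}

# Profile entries copied from the thread (only the fields the decoder needs).
PROFILE_128 = {
    "cipher_suite": "GCM-AES-128",
    "primary_cak": "35045f514b420c0e000b0b7476287f23210806564052510d5c5e56006e6d2d3c23",
}
PROFILE_256 = {
    "cipher_suite": "GCM-AES-XPN-256",
    "primary_cak": "207b757a60617745504e5a20747a7c76725e524a450d0d01040a0c75297822227e"
                   "07554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c033124322627",
}


def decode_type7(encoded: str) -> str:
    """Two decimal digits give the starting offset into XLAT; the rest is XORed hex pairs."""
    if not re.fullmatch(r"[0-9]{2}(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError("expected 2 decimal digits followed by hex pairs")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")  # non-ASCII output raises UnicodeDecodeError (a ValueError)


def cak_for_peer(profile: dict) -> str:
    """Return the plain hex CAK to enter on the peer (for example the traffic generator)."""
    suite, encoded = profile["cipher_suite"], profile["primary_cak"]
    want = ENCODED_LEN.get(suite)
    if want is None:
        raise ValueError(f"unsupported cipher suite: {suite}")
    if len(encoded) != want:
        raise ValueError(f"{suite} needs a {want}-character encoded CAK, got {len(encoded)}")
    cak = decode_type7(encoded)
    # The decoded text must itself be hex: 32 digits (128-bit) or 64 digits (256-bit).
    if not re.fullmatch(r"[0-9A-Fa-f]+", cak):
        raise ValueError("decoded CAK is not a hex string")
    return cak


if __name__ == "__main__":
    for p in (PROFILE_128, PROFILE_256):
        cak = cak_for_peer(p)
        print(p["cipher_suite"], len(cak), "hex digits:", cak)
```

Because the encoding is reversible without any secret, a configuration file that holds `primary_cak` needs the same protection as the key itself.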

Mari Muthu

Jun 27, 2024, 10:36:31 PM
to Judy Joseph, sonicproject
Thanks for the info Judy Joseph!  Let me check.