
Add MACSec interface status and MKA security-policy leaf#1430

Open
dplore wants to merge 6 commits into master from dplore/macsec-policy

Conversation

@dplore
Member

@dplore dplore commented Jan 26, 2026

Change Scope

  • Add a MACSec interface status leaf
  • Add a MACSec interface MKA session status leaf
  • Add a MACSec MKA policy security-policy leaf with SHOULD_SECURE and MUST_SECURE options.
  • As this change only adds leaves, it is backwards compatible.

Platform Implementations

MACSec MKA security-policy SHOULD_SECURE and MUST_SECURE options.

Cisco IOSXR

! Define the Key Chain
key chain MACSEC_KEYS
key 01
key-string password123
cryptographic-algorithm aes-128-cmac
! Create the MACsec Policy
macsec-policy MUST_ENCRYPT_POLICY
confidentiality-offset 0
security-policy must-secure (or should-secure)
! Apply to the Interface
interface TenGigE0/0/0/1
macsec
service-policy MUST_ENCRYPT_POLICY keychain MACSEC_KEYS
!

Arista EOS

Arista EOS is "must-secure" by default. Traffic unprotected allow enables the "should-secure" behavior.

mac security
   profile FALLBACK_PROFILE
      key 0abcd... 0 password123
      traffic unprotected allow
!
interface Ethernet1
   mac security profile FALLBACK_PROFILE

Juniper JunOS

set security macsec connectivity-association CA_NAME mka should-secure
# To enforce "must-secure", simply omit or delete that line: (Junos is "must-secure" by default)
delete security macsec connectivity-association CA_NAME mka should-secure
| Policy Type                       | Cisco IOS-XR                  | Arista EOS                | Juniper Junos        |
|-----------------------------------|-------------------------------|---------------------------|----------------------|
| must-secure (drop unencrypted)    | security-policy must-secure   | (Default behavior)        | (Default behavior)   |
| should-secure (allow unencrypted) | security-policy should-secure | traffic unprotected allow | should-secure        |
| Default State                     | Must be explicitly defined    | Strict (Fail-closed)      | Strict (Fail-closed) |

MACSec interface status and interface MKA session status

Cisco (IOS-XE)

show macsec interface <interface-id>
sh mka sessions

Arista (EOS)

show mac security interface <interface-id>
show mac security mka sessions interface <interface-id>

Juniper (Junos)

show security macsec connections [interface <name>]
show security macsec mka sessions [interface <name>]

Tree View

 module: openconfig-macsec
   +--rw macsec
      +--rw mka
      |  +--rw policies
      |  |  +--rw policy* [name]
      |  |     +--rw name      -> ../config/name
      |  |     +--rw config
      |  |     |  +--rw name?                          string
      |  |     |  +--rw key-server-priority?           uint8
      |  |     |  +--rw macsec-cipher-suite*           macsec-types:macsec-cipher-suite
      |  |     |  +--rw confidentiality-offset?        macsec-types:confidentiality-offset
      |  |     |  +--rw delay-protection?              boolean
      |  |     |  +--rw include-icv-indicator?         boolean
      |  |     |  +--rw include-sci?                   boolean
      |  |     |  +--rw sak-rekey-interval?            uint32
      |  |     |  +--rw sak-rekey-on-live-peer-loss?   boolean
+     |  |     |  +--rw security-policy?               enumeration
      |  |     |  +--rw use-updated-eth-header?        boolean
      |  |     +--ro state
      |  |        +--ro name?                          string
      |  |        +--ro key-server-priority?           uint8
      |  |        +--ro macsec-cipher-suite*           macsec-types:macsec-cipher-suite
      |  |        +--ro confidentiality-offset?        macsec-types:confidentiality-offset
      |  |        +--ro delay-protection?              boolean
      |  |        +--ro include-icv-indicator?         boolean
      |  |        +--ro include-sci?                   boolean
      |  |        +--ro sak-rekey-interval?            uint32
      |  |        +--ro sak-rekey-on-live-peer-loss?   boolean
+     |  |        +--ro security-policy?               enumeration
      |  |        +--ro use-updated-eth-header?        boolean
      |  +--ro state
      |     +--ro counters
      |        +--ro out-mkpdu-errors?                   oc-yang:counter64
      |        +--ro in-mkpdu-icv-verification-errors?   oc-yang:counter64
      |        +--ro in-mkpdu-validation-errors?         oc-yang:counter64
      |        +--ro in-mkpdu-bad-peer-errors?           oc-yang:counter64
      |        +--ro in-mkpdu-peer-list-errors?          oc-yang:counter64
      |        +--ro sak-generation-errors?              oc-yang:counter64
      |        +--ro sak-hash-errors?                    oc-yang:counter64
      |        +--ro sak-encryption-errors?              oc-yang:counter64
      |        +--ro sak-decryption-errors?              oc-yang:counter64
      |        +--ro sak-cipher-mismatch-errors?         oc-yang:counter64
      +--rw interfaces
         +--rw interface* [name]
            +--rw name       -> ../config/name
            +--rw config
            |  +--rw name?                oc-if:base-interface-ref
            |  +--rw enable?              boolean
            |  +--rw replay-protection?   uint16
            +--ro state
            |  +--ro name?                oc-if:base-interface-ref
            |  +--ro enable?              boolean
            |  +--ro replay-protection?   uint16
+           |  +--ro status?              enumeration
            |  +--ro counters
            |     +--ro tx-untagged-pkts?     oc-yang:counter64
            |     +--ro rx-untagged-pkts?     oc-yang:counter64
            |     +--ro rx-badtag-pkts?       oc-yang:counter64
            |     +--ro rx-unknownsci-pkts?   oc-yang:counter64
            |     +--ro rx-nosci-pkts?        oc-yang:counter64
            |     +--ro rx-late-pkts?         oc-yang:counter64
            +--ro scsa-tx
            |  +--ro scsa-tx* [sci-tx]
            |     +--ro sci-tx    -> ../state/sci-tx
            |     +--ro state
            |        +--ro sci-tx?     oc-yang:hex-string
            |        +--ro counters
            |           +--ro sc-auth-only?   oc-yang:counter64
            |           +--ro sc-encrypted?   oc-yang:counter64
            |           +--ro sa-auth-only?   oc-yang:counter64
            |           +--ro sa-encrypted?   oc-yang:counter64
            +--ro scsa-rx
            |  +--ro scsa-rx* [sci-rx]
            |     +--ro sci-rx    -> ../state/sci-rx
            |     +--ro state
            |        +--ro sci-rx?     oc-yang:hex-string
            |        +--ro counters
            |           +--ro sc-invalid?   oc-yang:counter64
            |           +--ro sc-valid?     oc-yang:counter64
            |           +--ro sa-invalid?   oc-yang:counter64
            |           +--ro sa-valid?     oc-yang:counter64
            +--rw mka
               +--rw config
               |  +--rw mka-policy?   -> /macsec/mka/policies/policy/name
               |  +--rw key-chain?    -> /oc-keychain:keychains/keychain/name
               +--ro state
                  +--ro mka-policy?   -> /macsec/mka/policies/policy/name
                  +--ro key-chain?    -> /oc-keychain:keychains/keychain/name
+                 +--ro status?       enumeration
                  +--ro counters
                     +--ro in-mkpdu?        oc-yang:counter64
                     +--ro in-sak-mkpdu?    oc-yang:counter64
                     +--ro in-cak-mkpdu?    oc-yang:counter64
                     +--ro out-mkpdu?       oc-yang:counter64
                     +--ro out-sak-mkpdu?   oc-yang:counter64
                     +--ro out-cak-mkpdu?   oc-yang:counter64
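
Review bot: the two added `status?` leaves (one under `interface*/state`, one under `interface*/mka/state`) share a name and a bare `enumeration` type, and the tree does not show their values; if interface status and MKA session status have different value sets, give each its own typedef or distinct leaf names so they stay distinguishable in generated bindings, and say in each description whether an interface with MACsec not enabled reports a value at all. The added `security-policy?` leaves are mirrored correctly between the policy `config` and `state`, but since no default is visible and the IOS-XR, EOS and Junos defaults listed in the table above differ, the leaf description should state which behaviour applies when the leaf is absent.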

@OpenConfigBot

OpenConfigBot commented Jan 26, 2026

No major YANG version changes in commit 3a47576

@dplore dplore marked this pull request as ready for review January 26, 2026 23:33
@dplore dplore requested a review from a team as a code owner January 26, 2026 23:33
@dplore dplore moved this to Ready to discuss in OC Operator Review Jan 26, 2026
description
"Media Access Control Security (MACsec) status grouping";

leaf status {
Contributor


Lint: Needs a description.

@ElodinLaarz
Contributor

Reviewed at OC Operators Meeting on January 27th:

Could you add some more information about the vendor support of the status enums listed? Do we know whether, e.g., INACTIVE is reported explicitly? (Or is MACSec just not enabled, etc.)

Otherwise, looks good once the lint check is fixed.

@ElodinLaarz ElodinLaarz moved this from Ready to discuss to Waiting for author in OC Operator Review Jan 27, 2026
"Rekey on peer loss";
}

leaf security-policy {


We will not have a default value?

leaf security-policy {
type enumeration {
enum SHOULD_SECURE {
description "Encrypted and un-encrypted frames will be
Contributor


Traffic unprotected allow in Arista allows encrypted traffic only when there is no successful MKA session on the port. It will be good to be clear in the description about it.

processed.";
}
enum MUST_SECURE {
description "Only encrypted frames will be processed.
Contributor


In Arista, our default traffic policy is traffic unprotected allow active-sak, which means that if there is any negotiated SAK, then it will continue to use that; otherwise it will block the port. This means that as soon as the mac security profile is configured on the port, since there is no SAK, unencrypted traffic won't be allowed; however, once we have a SAK negotiated, even if the MKA session goes down subsequently, it will continue to get used.

I propose to add another enum, maybe OPERATIONAL_SECURE, to convey the same.

Contributor

@m26singhvi m26singhvi left a comment


Traffic policy implementation in Arista has three configurations:

  1. traffic unprotected allow active-sak - traffic is encrypted/decrypted using the last negotiated SAK, if any, otherwise unencrypted traffic is dropped.
  2. traffic unprotected allow - unencrypted traffic is allowed if there are no successful MKA sessions between the Macsec peers.
  3. traffic unprotected drop - unencrypted traffic is dropped as soon as mac security is applied on the interface.

Can we align the proposed enum for all three possible cases, as a lot of our customers use option 1.
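
The checks below are an added example, not code from the openconfig project or from any commenter: an audit of a MACsec state snapshot (as a gNMI/JSON-style dict) that flags links where cleartext can pass, covering the SHOULD_SECURE/MUST_SECURE semantics from the PR description and the three Arista traffic-policy behaviours described in the comment above (the `active-sak` case modelled as the proposed OPERATIONAL_SECURE value). Assumptions are labelled in the code: the dict layout follows the PR's tree view; the PR does not list the values of the two `status` enumerations, so `MKA_SECURED`, `MKA_FAILED`, `UP` and `INACTIVE` are placeholders; a populated `scsa-tx` list is taken to mean a SAK is installed; and `SAMPLE_SNAPSHOT` is constructed data.

```python
"""Audit an OpenConfig MACsec state snapshot for links that may pass unprotected
traffic.  Added example; not from the openconfig PR or from any vendor.

Assumed input layout (mirrors the PR tree view):
  macsec/mka/policies/policy[]/state/security-policy
  macsec/interfaces/interface[]/state/{enable,status,counters/rx-untagged-pkts}
  macsec/interfaces/interface[]/mka/state/{mka-policy,status}
  macsec/interfaces/interface[]/scsa-tx/scsa-tx[]   (non-empty => a SAK is installed)
The PR does not list the `status` enum values: MKA_SECURED/MKA_FAILED/UP/INACTIVE
are placeholders.  OPERATIONAL_SECURE is the value proposed in review, not in the model.
"""
from dataclasses import dataclass

SHOULD_SECURE = "SHOULD_SECURE"            # cleartext accepted while no MKA session
MUST_SECURE = "MUST_SECURE"                # only MACsec-protected frames accepted
OPERATIONAL_SECURE = "OPERATIONAL_SECURE"  # proposed: keep last SAK if MKA later fails
MKA_SECURED = "MKA_SECURED"                # placeholder: live, secured MKA session
INACTIVE = "INACTIVE"                      # placeholder: MACsec not running on the port


@dataclass(frozen=True)
class Finding:
    interface: str
    severity: str  # HIGH: cleartext can pass; MEDIUM: fail-closed or stale SAK; INFO
    reason: str


def policy_map(snapshot):
    """Return {policy name: security-policy value or None if the leaf is absent}."""
    policies = snapshot.get("macsec", {}).get("mka", {}).get("policies", {})
    return {p["name"]: p.get("state", {}).get("security-policy")
            for p in policies.get("policy", [])}


def audit(snapshot):
    """Return one Finding per risky condition seen on each MACsec-enabled interface."""
    findings, policies = [], policy_map(snapshot)
    for intf in snapshot.get("macsec", {}).get("interfaces", {}).get("interface", []):
        name, st = intf["name"], intf.get("state", {})
        if not st.get("enable") or st.get("status") == INACTIVE:
            continue  # MACsec not active here: plain Ethernet by design, not a finding
        mka_state = intf.get("mka", {}).get("state", {})
        sec_policy = policies.get(mka_state.get("mka-policy"))
        mka_up = mka_state.get("status") == MKA_SECURED
        has_sak = bool(intf.get("scsa-tx", {}).get("scsa-tx"))  # assumption, see docstring
        untagged = st.get("counters", {}).get("rx-untagged-pkts", 0)

        if sec_policy is None:
            findings.append(Finding(name, "HIGH",
                "policy sets no security-policy; behaviour falls back to the vendor default"))
        elif sec_policy == SHOULD_SECURE and not mka_up:
            findings.append(Finding(name, "HIGH",
                "SHOULD_SECURE with no secured MKA session: cleartext frames are forwarded"))
        elif sec_policy == OPERATIONAL_SECURE and not mka_up and has_sak:
            findings.append(Finding(name, "MEDIUM",
                "OPERATIONAL_SECURE: MKA down, still using last negotiated SAK (no rekey)"))
        elif sec_policy in (MUST_SECURE, OPERATIONAL_SECURE) and not mka_up:
            findings.append(Finding(name, "MEDIUM",
                f"{sec_policy} with no secured MKA session: link is fail-closed"))

        if untagged:  # untagged frames only reach the host under should-secure w/o session
            forwarded = sec_policy == SHOULD_SECURE and not mka_up
            verb = "forwarded" if forwarded else "dropped"
            findings.append(Finding(name, "HIGH" if forwarded else "INFO",
                f"{untagged} untagged frames received ({verb})"))
    return findings


# Constructed sample telemetry; values are illustrative, not from a device.
def _intf(name, policy, mka_status, untagged=0, sak=False, enable=True, status="UP"):
    d = {"name": name,
         "state": {"enable": enable, "status": status,
                   "counters": {"rx-untagged-pkts": untagged}},
         "mka": {"state": {"mka-policy": policy, "status": mka_status}}}
    if sak:
        d["scsa-tx"] = {"scsa-tx": [{"sci-tx": "001c730000010001"}]}  # constructed SCI
    return d


SAMPLE_SNAPSHOT = {"macsec": {
    "mka": {"policies": {"policy": [
        {"name": "FALLBACK", "state": {"name": "FALLBACK", "security-policy": SHOULD_SECURE}},
        {"name": "STRICT", "state": {"name": "STRICT", "security-policy": MUST_SECURE}},
        {"name": "ACTIVE_SAK", "state": {"name": "ACTIVE_SAK", "security-policy": OPERATIONAL_SECURE}},
        {"name": "LEGACY", "state": {"name": "LEGACY"}},  # security-policy leaf absent
    ]}},
    "interfaces": {"interface": [
        _intf("Ethernet1", "FALLBACK", "MKA_FAILED", untagged=17),        # cleartext forwarded
        _intf("Ethernet2", "STRICT", MKA_SECURED, sak=True),              # healthy
        _intf("Ethernet3", "LEGACY", MKA_SECURED),                        # policy undefined
        _intf("Ethernet4", "ACTIVE_SAK", "MKA_FAILED", sak=True),         # stale SAK in use
        _intf("Ethernet5", "STRICT", "MKA_FAILED", enable=False, status=INACTIVE),
    ]}}}

if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        print(f"{f.severity:6} {f.interface:10} {f.reason}")
```

Run against a real gNMI subscription dump, the `policy_map`/`audit` split lets the policy table be fetched once while per-interface state is polled; the placeholder status strings are the only thing to replace once the enum values land in the model.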

