Andreas Kirsch 2025-02-13 10:43:40 +01:00
commit 1b9f39910b
31 changed files with 34113 additions and 0 deletions

Binary file not shown.

View File

@ -0,0 +1,32 @@
Installing Dependencies
The following dependencies are required:
- python_ics
- pyyaml
# Running MACSec utility
Provide arguments for:
- RADGigastar serial number
- sfp
- config_netid
- `NETID_I2C2` for RADGigastar SFP1 port
- `NETID_I2C3` for RADGigastar SFP2 port
- 'NETID_MDIO_02' for RAD-Comet2 Ethernet1
- yaml
- MACsec configuration yaml file name
- *Assumes .yml is located in "/yaml/" directory
See `-h` for help text.
Example:
```
python test_sfp_macsec_util.py GS0694 --sfp --config_netid NETID_I2C2 --yaml test_sfp_macsec_Rule_wildcard_SecY_256_strip_noEncrypt_onlyCheck_sci_SA_sak0.yml
```
# Reset/Clear the MACsec configuration
Add `--reset` argument. Any MACsec configuration will be cleared and MACsec will be disabled on the device/port.
*Make sure to remove `--reset` argument before configuring MACsec on the module again.
# New MACsec configuration
"/yaml/" folder contains 8 existing MACsec yaml configurations to showcase specific use cases of MACsec.
To add a new/custom MACsec configuration, add a new .yml file to the "/yaml/" folder in the same format as any of the existing files and edit the MACsec parameters.
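Review bot: `--counters` is missing from this README even though `get_parser()` in test_sfp_macsec_util.py accepts it; add it to the argument list (it reads the PHY MACsec rx/tx SecY and SC counters and exits). Also, "/yaml/" reads as an absolute path, but `load_macsec_from_yaml` opens `"yaml/" + yml`, i.e. a `yaml` directory relative to the current working directory, so the example command only works when run from the directory that contains `yaml/`; say so explicitly. Minor: `'NETID_MDIO_02'` is quoted with single quotes while the other two netids use backticks.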

View File

@ -0,0 +1 @@
python test_sfp_macsec_util.py GS0728 --sfp --config_netid NETID_I2C2 --reset
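Review bot: The device serial `GS0728` and the netid are hard-coded, and the other three reset wrappers in this commit differ only in the serial (`GS0733`) and netid (`NETID_I2C3`). One wrapper that takes serial and netid as positional arguments would be easier to keep correct, and since `--reset` clears and disables MACsec on whatever module sits in that port, the wrapper name should make the target device and port obvious.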

View File

@ -0,0 +1 @@
python test_sfp_macsec_util.py GS0733 --sfp --config_netid NETID_I2C2 --reset

View File

@ -0,0 +1 @@
python test_sfp_macsec_util.py GS0728 --sfp --config_netid NETID_I2C3 --reset

View File

@ -0,0 +1 @@
python test_sfp_macsec_util.py GS0733 --sfp --config_netid NETID_I2C3 --reset

View File

@ -0,0 +1 @@
python test_sfp_macsec_util.py GS0733 --sfp --config_netid NETID_I2C2 --yaml test_sfp_macsec_Rule_macda_SecY_128_strip_strict_sci_SA_sak0.yml

View File

@ -0,0 +1 @@
python test_sfp_macsec_util.py GS0733 --sfp --config_netid NETID_I2C3 --yaml test_sfp_macsec_Rule_macda_SecY_128_strip_strict_sci_SA_sak0.yml

View File

@ -0,0 +1,133 @@
from util import (
MyArgParseHelpFormatter,
open_device,
get_hwnetid,
dict_align_str,
)
from util_eth import (
load_macsec_from_yaml,
)
from util_sfp import (
read_macsec_rx_secy_stats,
read_macsec_tx_secy_stats,
read_macsec_rx_sc_stats,
read_macsec_tx_sc_stats,
sfp_query_verify_macsec_support,
)
import ics
import argparse
###############################################################################
# This loads a single macsec configuration from selected yaml into supported
# devices and exits
###############################################################################
DESCRIPTION = "MACSec utility"
def main():
parser = get_parser()
args = parser.parse_args()
run_test(args, None)
def run_test(args, power_supply):
print(f"Attempting to load {args.yaml}...")
fail = 0
# connect to test device1 and set network settings for the macsec test
with open_device(args.serial_number) as device:
# Just load default every time in case we get some crazy stuff
ics.load_default_settings(device)
# if sfp module, query for mdio i2c address
if args.sfp:
sfp_i2c_mdio_address = sfp_query_verify_macsec_support(
device, args.config_netid, args.reset
)
# if we only want reset, exit here
if args.reset:
exit(0)
# if we only want the phy macsec counters, read then exit
if args.counters:
# Read secy, sc stats
print("\nReading PHY MACsec rx/tx stats...\n")
rx_secy_stats = read_macsec_rx_secy_stats(
device, get_hwnetid(args.config_netid), sfp_i2c_mdio_address
)
tx_secy_stats = read_macsec_tx_secy_stats(
device, get_hwnetid(args.config_netid), sfp_i2c_mdio_address
)
rx_sc_stats = read_macsec_rx_sc_stats(
device, get_hwnetid(args.config_netid), sfp_i2c_mdio_address
)
tx_sc_stats = read_macsec_tx_sc_stats(
device, get_hwnetid(args.config_netid), sfp_i2c_mdio_address
)
# print non-zero macsec counts
print("rx_secy_stats:\n")
print(dict_align_str(rx_secy_stats, False, True))
print("tx_secy_stats:\n")
print(dict_align_str(tx_secy_stats, False, True))
print("rx_sc_stats:\n")
print(dict_align_str(rx_sc_stats, False, True))
print("tx_sc_stats:\n")
print(dict_align_str(tx_sc_stats, False, True))
exit(0)
# load yaml macsec config
load_macsec_from_yaml(device, args.config_netid, args.yaml, args.sfp)
if fail: # bail out if something fails
print(f"{fail} tests failed.")
exit(1)
def get_parser():
parser = argparse.ArgumentParser(
description="MACsec utility script",
formatter_class=MyArgParseHelpFormatter,
)
parser.add_argument(
"serial_number",
help="The serial number of the device to connect to",
)
parser.add_argument(
"--yaml",
help="yaml file name to be loaded/configured.",
default="test_sfp_macsec_Rule_wildcard_SecY_128_strip_strict_sci_SA_sak0.yml",
)
parser.add_argument(
"--sfp",
help="sfp module.",
default=False,
action="store_true",
)
parser.add_argument(
"--config_netid",
help="netid to config the sfp module.",
default="NETID_I2C2",
)
parser.add_argument(
"--reset",
help="Only reset and clear and disable macsec on the device, then exit.",
default=False,
action="store_true",
)
parser.add_argument(
"--counters",
help="Only read the phy macsec counters, then exit.",
default=False,
action="store_true",
)
return parser
if __name__ == "__main__":
main()
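Review bot: `sfp_i2c_mdio_address` is only assigned inside `if args.sfp:`, but the `--counters` branch reads it unconditionally (`read_macsec_rx_secy_stats(device, get_hwnetid(args.config_netid), sfp_i2c_mdio_address)`), so `--counters` without `--sfp` raises `NameError` after the device is already open. Likewise `--reset` without `--sfp` never reaches `sfp_query_verify_macsec_support` and exits 0 having done nothing, which reads as a successful reset. Either reject `--reset`/`--counters` without `--sfp` in `get_parser()` via `parser.error(...)`, or initialise `sfp_i2c_mdio_address = None` and check it before use. Smaller points: `fail = 0` is never updated, so the `if fail:` block is dead code; `power_supply` is unused; and `sys.exit()` is preferable to the site-provided `exit()` in a script.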

View File

@ -0,0 +1,289 @@
from contextlib import contextmanager
import ics
import time
import argparse
def serial_base36enc(ser_no):
"""
Encode serial as base36 if needed and return the string representation of the serial number
Args:
ser_no: Serial number integer
"""
if int("AA0000", 36) < ser_no < int("ZZZZZZ", 36):
return ics.base36enc(ser_no)
else:
return str(ser_no) # Old devices don't do base36
def serial_base36dec(ser_no):
"""
Decode serial as base36 if needed and return the integer representation of the serial number
Args:
ser_no: Serial number string
"""
serial36 = int(ser_no, 36)
if int("AA0000", 36) < serial36 < int("ZZZZZZ", 36):
return serial36
else:
return int(ser_no, 10) # Old devices don't do base36
def filter_by_netid(msgs, netid):
"""
Filters the list of messages by netid
Args:
msgs: A list of spy messages, likely from ics.get_messages
netid: The desired netid
Returns:
The filtered message list
"""
netids = [netid]
return filter_by_netids(msgs, netids)
def filter_by_netids(msgs, netids):
"""
Filters the provided messages by those that match the provided netids
Args:
msgs: The messages to filter
netids: The valid netids to keep
Returns:
All messages with the provided netids
"""
ret = [msg for msg in msgs if get_netid(msg) in netids]
return ret
def get_netid(msg):
"""
Gets the netid for the message
Args:
msg: The message to check
Returns:
The netid (the number) for the message
"""
netid = (msg.NetworkID2 << 8) | (msg.NetworkID & 0xFF)
return netid
@contextmanager
def open_device(ser_no, tries=10, delay=1.0):
"""
Context manager for a neovi device. Opens the device, then auto-closes
once the context manager falls out of scope
Args:
ser_no: Serial number string of a connected device, will be validated
Yields:
an open device
Examples:
with open("GS0137") as device:
ics_do_stuff(device)
"""
device = None
serial = serial_base36dec(ser_no)
for i in range(tries):
try:
found = False
# work around for supporting neovi server connections
# ics.open_device will not work if already open in Vspy with server
devices = ics.find_devices()
for d in devices:
if d.SerialNumber == serial:
device = ics.open_device(d)
found = True
break
if found:
# successfully opened
break
else:
raise Exception(f"Could not find device to open {ser_no}")
except Exception:
device = None
print(f"Failed to Open {ser_no}, Trying again... ({i+1}/{tries})")
time.sleep(delay)
if device is None:
# could not find device and multiple retries
devices = ics.find_devices()
print("ERROR: Device not found. Known devices are:")
print([serial_base36enc(dev.SerialNumber) for dev in devices])
exit(1)
try:
yield device
except Exception as e:
print("ERROR: Open device succeeded, but yielding failed?")
raise e
finally:
if device is not None:
ics.close_device(device)
def get_hwnetid(name):
"""
Get hardware network ID from string name in one of the following forms:
COREMINI_NETWORK_ETHERNET, NETID_ETHERNET, or ETHERNET
Args:
name: Network name
Returns:
Hardware network ID
"""
# NETID_XXX, use as is
if name.startswith("NETID_"):
if hasattr(ics, name):
return getattr(ics, name)
# COREMINI_NETWORK_XXX, convert
if name.startswith("COREMINI_NETWORK_"):
newname = "NETID_" + name[len("COREMINI_NETWORK_") :]
if hasattr(ics, newname):
return getattr(ics, newname)
# assume no prefix, so try adding it
newname = "NETID_" + name
if hasattr(ics, newname):
return getattr(ics, newname)
raise AttributeError(f"Could not match network for {name}")
class MyArgParseHelpFormatter(argparse.ArgumentDefaultsHelpFormatter):
def _split_lines(self, text, width):
if text.startswith("R|"):
lines = text.splitlines()[1:]
return lines
return super()._split_lines(text, width)
def set_process_priority(pid=None, priority=2):
"""
Set The Priority of a Process. Priority is a value between 0-5 where
2 is normal priority, 5 is highest priority. Default sets the priority of the current
python process but can take any valid process ID.
"""
import sys
try:
sys.getwindowsversion()
except AttributeError:
isWindows = False
else:
isWindows = True
if isWindows:
# Based on:
# "Recipe 496767: Set Process Priority In Windows" on ActiveState
# http://code.activestate.com/recipes/496767/
import win32api
import win32process
import win32con
priorityclasses = [
win32process.IDLE_PRIORITY_CLASS,
win32process.BELOW_NORMAL_PRIORITY_CLASS,
win32process.NORMAL_PRIORITY_CLASS,
win32process.ABOVE_NORMAL_PRIORITY_CLASS,
win32process.HIGH_PRIORITY_CLASS,
win32process.REALTIME_PRIORITY_CLASS,
]
if pid is None:
pid = win32api.GetCurrentProcessId()
handle = win32api.OpenProcess(win32con.PROCESS_ALL_ACCESS, True, pid)
win32process.SetPriorityClass(handle, priorityclasses[priority])
else:
# untested!
import os
nice_levels = [19, 9, 0, -7, -14, -20]
os.nice(nice_levels[priority])
def dict_align_str(d, sort=False, nz=False):
"""
Prints a dict nicely and key value pairs in aligned rows
Primarily limited to simple "a": "b" dicts, might not look nice for complex value types
Args:
d: Some dictionary
sort: Sort dictionary items
nz: Excludes key value pairs with int value = 0
Returns:
A string that looks like this:
aardvark: banana
monkey: apple
ant: pear
"""
strings = []
longest_key_len = len(max(d.keys(), key=len))
if sort:
d = dict(sorted(d.items()))
for k, v in d.items():
key_len = len(k)
diff = longest_key_len - key_len
spaces = " " * diff
string = f"{k}:{spaces} {v}"
if nz:
if not isinstance(v, int) or v > 0:
strings.append(string)
else:
strings.append(string)
ret = "\n".join(strings) + "\n"
return ret
# Print iterations progress
# https://stackoverflow.com/questions/3173320/text-progress-bar-in-terminal-with-block-characters
def print_progress_bar(
iteration,
total,
prefix="",
suffix="",
decimals=1,
length=100,
fill="",
printEnd="\r",
start=None,
):
"""
Call in a loop to create terminal progress bar
@params:
iteration - Required : current iteration (Int)
total - Required : total iterations (Int)
prefix - Optional : prefix string (Str)
suffix - Optional : suffix string (Str)
decimals - Optional : positive number of decimals in percent complete (Int)
length - Optional : character length of bar (Int)
fill - Optional : bar fill character (Str)
printEnd - Optional : end character (e.g. "\r", "\r\n") (Str)
"""
percent = ("{0:." + str(decimals) + "f}").format(100 * (iteration / float(total)))
filledLength = int(length * iteration // total)
bar = fill * filledLength + "-" * (length - filledLength)
if iteration == total:
if start is not None:
timestr = str(timedelta(seconds=time.time() - start))
suffix = f"{suffix} -- {timestr}"
print(f"\r{prefix} |{bar}| {percent}% {suffix}", end=printEnd)
# Print New Line on Complete
if iteration == total:
print()
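Review bot: `print_progress_bar` calls `timedelta(...)` but this module only imports `time`, so passing `start=` raises `NameError` on the final iteration; add `from datetime import timedelta`. In `set_process_priority`, `win32con.PROCESS_ALL_ACCESS` is far more than `SetPriorityClass` needs; `PROCESS_SET_INFORMATION` is sufficient and keeps the handle least-privilege. On the non-Windows branch, `os.nice()` is a relative increment, not an absolute level, so `os.nice(nice_levels[priority])` does not set the priority the docstring describes (and negative increments need root). Also, `open_device` calls `exit(1)` when the device is not found; raising an exception would let callers handle it, and the docstring example should read `with open_device("GS0137") as device:`. `dict_align_str` raises `ValueError` on an empty dict because of `max(d.keys(), key=len)`, and with `nz=True` it also drops negative ints, not just zeros.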

View File

@ -0,0 +1,180 @@
from util import (
get_hwnetid,
)
from util_sfp import (
sfp_ics_send_macsec_rule,
sfp_ics_send_macsec_map,
sfp_ics_send_macsec_secy,
sfp_ics_send_macsec_sc,
sfp_ics_send_macsec_sa,
sfp_ics_update_macsec,
)
import time
import yaml
ETH_SPEED_STRINGS = [
"ETH_SPEED_10",
"ETH_SPEED_100",
"ETH_SPEED_1000",
"ETH_SPEED_2500",
"ETH_SPEED_5000",
"ETH_SPEED_10000",
"ETH_SPEED_AUTO",
]
ETH_DUPLEX_STRINGS = [
"ETH_DUPLEX_FULL",
"ETH_DUPLEX_HALF",
]
ETH_MODE_STRINGS = [
"ETH_MODE_MASTER",
"ETH_MODE_SLAVE",
"ETH_MODE_AUTO",
]
ETH_REPORT_LINK_UP_IDX = 0
ETH_REPORT_SPEED_IDX = 1
ETH_REPORT_DUPLEX_IDX = 2
ETH_REPORT_NETID_LSB_IDX = 3
ETH_REPORT_NETID_MSB_IDX = 4
ETH_REPORT_MODE_IDX = 5
def load_macsec_from_yaml(device, netid_name, yml, sfp):
netid = get_hwnetid(netid_name)
with open("yaml/" + yml, "r") as file:
macsec_cfg = yaml.safe_load(file) # read macsec configuration from yaml
if sfp: # ics sfp module - load over i2c with ics config subcommands
en = 1
rx = 0
rule = 0
map = 0
secy = 0
sc = 0
sa = 0
nvm = 1
clr = 0
rst = 1
# clear/reset any current macsec configuration
sfp_ics_update_macsec(
device, netid, rx, rule, map, secy, sc, sa, nvm, en, clr, rst
)
time.sleep(
1
) # allow time for sfp to write macsec configuration to phy over mdio
# tx config
if macsec_cfg["tx"]:
rx = 0
rst = 0
if macsec_cfg["tx"]["rule"]:
rule = 1
sfp_ics_send_macsec_rule(
device, netid, macsec_cfg["tx"]["rule"]
) # write macsec rule to sfp
if macsec_cfg["tx"]["map"]:
map = 1
sfp_ics_send_macsec_map(
device, netid, macsec_cfg["tx"]["map"]
) # write macsec map to sfp
if macsec_cfg["tx"]["secy"]:
secy = 1
sfp_ics_send_macsec_secy(
device, netid, macsec_cfg["tx"]["secy"]
) # write macsec secy to sfp
if macsec_cfg["tx"]["sc"]:
sc = 1
sfp_ics_send_macsec_sc(
device, netid, macsec_cfg["tx"]["sc"]
) # write macsec sc to sfp
if macsec_cfg["tx"]["sa0"] and macsec_cfg["tx"]["sa1"]:
sa = 1
sfp_ics_send_macsec_sa(
device, netid, macsec_cfg["tx"]["sa0"]
) # write macsec sa0 to sfp
sfp_ics_update_macsec(
device, netid, rx, 0, 0, 0, 0, sa, 0, en, clr, rst
) # push macsec sa config to phy
time.sleep(
0.5
) # allow time for sfp to write macsec configuration to phy over mdio
sfp_ics_send_macsec_sa(
device, netid, macsec_cfg["tx"]["sa1"]
) # write macsec sa1 to sfp
sfp_ics_update_macsec(
device,
netid,
rx,
rule,
map,
secy,
sc,
sa,
nvm,
en,
clr,
rst,
) # push entire macsec config to phy
time.sleep(
1
) # allow time for sfp to write entire macsec configuration to phy over mdio
# rx config
if macsec_cfg["rx"]:
rx = 1
rst = 0
if macsec_cfg["rx"]["rule"]:
rule = 1
sfp_ics_send_macsec_rule(
device, netid, macsec_cfg["rx"]["rule"]
) # write macsec rule to sfp
if macsec_cfg["rx"]["map"]:
map = 1
sfp_ics_send_macsec_map(
device, netid, macsec_cfg["rx"]["map"]
) # write macsec map to sfp
if macsec_cfg["rx"]["secy"]:
secy = 1
sfp_ics_send_macsec_secy(
device, netid, macsec_cfg["rx"]["secy"]
) # write macsec secy to sfp
if macsec_cfg["rx"]["sc"]:
sc = 1
sfp_ics_send_macsec_sc(
device, netid, macsec_cfg["rx"]["sc"]
) # write macsec sc to sfp
if macsec_cfg["rx"]["sa0"] and macsec_cfg["rx"]["sa1"]:
sa = 1
sfp_ics_send_macsec_sa(
device, netid, macsec_cfg["rx"]["sa0"]
) # write macsec sa0 to sfp
sfp_ics_update_macsec(
device, netid, rx, 0, 0, 0, 0, sa, 0, en, clr, rst
) # push macsec sa config to phy
time.sleep(
0.5
) # allow time for sfp to write macsec configuration to phy over mdio
sfp_ics_send_macsec_sa(
device, netid, macsec_cfg["rx"]["sa1"]
) # write macsec sa1 to sfp
sfp_ics_update_macsec(
device,
netid,
rx,
rule,
map,
secy,
sc,
sa,
nvm,
en,
clr,
rst,
) # push entire macsec config to phy
time.sleep(
1
) # allow time for sfp to write entire macsec configuration to phy over mdio
else: # non-sfp module
pass # TODO write device settings with the macsec config
# print macsec confirmation
print(f"\nSuccessfully configured MACsec on {netid_name}.")
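Review bot: `load_macsec_from_yaml` prints `Successfully configured MACsec on ...` unconditionally. `sfp_ics_send_macsec_*` and `sfp_ics_update_macsec` return whatever `i2c_write` returns, which is `None` on NACK, timeout or any error flag (see `wait_for_i2c_msg`/`are_errors_present`), but every return value here is discarded, so a failed SA/key write still reports success while the port may be running without the intended protection. Check each result and abort on `None`, and consider reading the configuration or counters back after the final update instead of relying only on fixed `time.sleep()` delays. Second, `rule`, `map`, `secy`, `sc` and `sa` are set to 1 in the tx block and never reset before the rx block, so an rx section that omits e.g. `map` still pushes `map=1` in the rx `sfp_ics_update_macsec` call; if that is intentional, say so in a comment, otherwise reset the flags at the top of the rx block. Also `if macsec_cfg["tx"]["sa0"] and macsec_cfg["tx"]["sa1"]:` silently skips SA configuration when only one SA is present, leaving `en=1` pushed with no SA; an explicit error is better. `map` shadows the builtin, and the `ETH_*` constants are unused in this file.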

View File

@ -0,0 +1,108 @@
import ics
import time
def transmit_i2c(
device, netid, read, slave_addr, control_len, controldata, data_len, data
):
msg = ics.SpyMessage()
msg.NetworkID = netid & 0xFF
msg.NetworkID2 = (netid >> 8) & 0xFF
msg.Protocol = ics.SPY_PROTOCOL_I2C
msg.StatusBitField = 0
msg.StatusBitField2 = 0
msg.StatusBitField |= ics.SPY_STATUS_NETWORK_MESSAGE_TYPE
msg.StatusBitField |= ics.SPY_STATUS_TX_MSG
if slave_addr & 0x380: # if 10-bit address
msg.StatusBitField |= ics.SPY_STATUS_XTD_FRAME
if read:
msg.StatusBitField2 |= ics.SPY_STATUS2_I2C_DIR_READ
msg.ArbIDOrHeader = 0x10000000
msg.DescriptionID = 0x6869 # arbitrary tx msg "key"
msg.NodeID = 0
msg.ArbIDOrHeader |= slave_addr
msg.NumberBytesHeader = control_len
msg.MiscData = (data_len >> 8) & 0xFF
msg.NumberBytesData = data_len & 0xFF
if data_len:
for x in data[:data_len]:
controldata.append(x)
msg.ExtraDataPtr = tuple(controldata)
msg.ExtraDataPtrEnabled = 1
ics.transmit_messages(device, msg)
return msg
def are_errors_present(msg):
error_flags = 0
error_flags |= ics.SPY_STATUS_GLOBAL_ERR
error_flags |= ics.SPY_STATUS_CRC_ERROR
error_flags |= ics.SPY_STATUS_CAN_ERROR_PASSIVE
error_flags |= ics.SPY_STATUS_HEADERCRC_ERROR
error_flags |= ics.SPY_STATUS_INCOMPLETE_FRAME
error_flags |= ics.SPY_STATUS_LOST_ARBITRATION
error_flags |= ics.SPY_STATUS_UNDEFINED_ERROR
error_flags |= ics.SPY_STATUS_CAN_BUS_OFF
error_flags |= ics.SPY_STATUS_BUS_RECOVERED
error_flags |= ics.SPY_STATUS_BUS_SHORTED_PLUS
error_flags |= ics.SPY_STATUS_BUS_SHORTED_GND
error_flags |= ics.SPY_STATUS_CHECKSUM_ERROR
error_flags |= ics.SPY_STATUS_BAD_MESSAGE_BIT_TIME_ERROR
error_flags |= ics.SPY_STATUS_TX_NOMATCH
error_flags |= ics.SPY_STATUS_COMM_IN_OVERFLOW
error_flags |= ics.SPY_STATUS_EXPECTED_LEN_MISMATCH
error_flags |= ics.SPY_STATUS_MSG_NO_MATCH
error_flags |= ics.SPY_STATUS_BREAK
error_flags |= ics.SPY_STATUS_AVSI_REC_OVERFLOW
if (msg.StatusBitField & error_flags) != 0:
return True
error_flags = 0
error_flags |= ics.SPY_STATUS2_I2C_ERR_TIMEOUT
error_flags |= ics.SPY_STATUS2_I2C_ERR_NACK
if (msg.StatusBitField2 & error_flags) != 0:
return True
return False
def find_i2c_message(msg, msgs):
for msg_rx in msgs:
if msg.NetworkID == msg_rx.NetworkID and msg.NetworkID2 == msg_rx.NetworkID2:
# check for any possible errors
if are_errors_present(msg_rx):
return None
data = msg_rx.ExtraDataPtr
return data
return None
def wait_for_i2c_msg(device, msg, timeout=2):
start = time.time()
while time.time() - start <= timeout:
time.sleep(0.01)
msgs, errors = ics.get_messages(device)
data = find_i2c_message(msg, msgs)
if data is not None:
return data
return None
def i2c_read(
device, netid, slave_addr, control_len, controldata, data_len, data, timeout=2
):
msg = transmit_i2c(
device, netid, 1, slave_addr, control_len, controldata, data_len, data
)
return wait_for_i2c_msg(device, msg, timeout)
def i2c_write(
device, netid, slave_addr, control_len, controldata, data_len, data, timeout=2
):
msg = transmit_i2c(
device, netid, 0, slave_addr, control_len, controldata, data_len, data
)
return wait_for_i2c_msg(device, msg, timeout)
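Review bot: `find_i2c_message` treats the first message with a matching `NetworkID`/`NetworkID2` as the reply, without checking the read bit, `ArbIDOrHeader` (slave address) or the `DescriptionID` that `transmit_i2c` sets, so a stale or unrelated I2C message on that netid can be returned as the read result. Match on at least the slave address and direction, and drain `ics.get_messages()` before transmitting. Also `transmit_i2c` appends `data` onto the caller's `controldata` list in place (`controldata.append(x)`); a caller that reuses a control-byte list across calls will send a growing payload. Build the combined list locally, e.g. `payload = list(controldata) + list(data[:data_len])`, and set `msg.ExtraDataPtr = tuple(payload)`.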

View File

@ -0,0 +1,888 @@
from util import (
get_hwnetid,
dict_align_str,
)
from util_i2c import (
i2c_read,
i2c_write,
)
import time
import datetime
import struct
from collections import namedtuple
from enum import Enum
# ICS SFP MODULE SLAVE ADDRESSES
ICS_SFP_SLAVE_ADDR_MSA = 0x50
ICS_SFP_SLAVE_ADDR_DMI = 0x51
ICS_SFP_SLAVE_ADDR_MDIO_BRIDGE = 0x56
ICS_SFP_SLAVE_ADDR_MDIO_BRIDGE_TECHNICA = 0x40
ICS_SFP_SLAVE_ADDR_ICS_CONTROL = 0x1C
ICS_SFP_SLAVE_ADDR_ICS_BOOTLOADER = 0x57
# ICS SFP MODULE BOOTLOADER COMMANDS
ICS_SFP_BL_GET_STATUS = 0x00
ICS_SFP_BL_GET_VERSION = 0x12
ICS_SFP_BL_SEND_FW = 0x14
ICS_SFP_BL_RESET_TO_BL = 0x15
ICS_SFP_BL_FLASH_VALIDATE = 0x16
ICS_SFP_BL_FLASH_INIT = 0x17
ICS_SFP_BL_FLASH_START = 0x18
ICS_SFP_BL_FLASH_ERASE = 0x20
ICS_SFP_BL_RESET_TO_APP = 0x21
ICS_SFP_BL_VALIDATE_SW_VERS = 0x27
ICS_SFP_BL_GET_ERROR = 0x28
# ICS SFP MODULE ICS CONTROL BYTE OFFSETS
ICS_SFP_CONFIG_REG_SLEEP_OFFSET = 0
ICS_SFP_CONFIG_REG_BL_OFFSET = 1
ICS_SFP_CONFIG_REG_MDIO_SPEED_OFFSET = 2
ICS_SFP_CONFIG_REG_MDIO_LINKMODE_OFFSET = 3
ICS_SFP_CONFIG_REG_MDIO_PHYMODE_OFFSET = 4
ICS_SFP_CONFIG_REG_MDIO_AUTONEG_OFFSET = 5
ICS_SFP_CONFIG_REG_MDIO_ENABLE_OFFSET = 6
ICS_SFP_CONFIG_REG_PHY_TEMPERATURE_OFFSET = 7
ICS_SFP_CONFIG_REG_FW_MINOR_VERS_OFFSET = 8
ICS_SFP_CONFIG_REG_FW_MAJOR_VERS_OFFSET = 9
ICS_SFP_CONFIG_REG_WRITE_MACSEC_CFG_OFFSET = 10
ICS_SFP_CONFIG_REG_CONFIGURE_MACSEC_RULE_OFFSET = 11
ICS_SFP_CONFIG_REG_CONFIGURE_MACSEC_MAP_OFFSET = 12
ICS_SFP_CONFIG_REG_CONFIGURE_MACSEC_SECY_OFFSET = 13
ICS_SFP_CONFIG_REG_CONFIGURE_MACSEC_SC_OFFSET = 14
ICS_SFP_CONFIG_REG_CONFIGURE_MACSEC_SA_OFFSET = 15
# vendor fields in MSA table
ICS_SFP_VENDOR_BRIDGE_ADDR_OVERRIDE_N_MASK = 0x01
ICS_SFP_VENDOR_SOFT_OPTIONS_OVERRIDE_N_MASK = 0x02
ICS_SFP_VENDOR_ROTARY_SWITCH_OVERRIDE_N_MASK = 0x04
# MACsec definitions
MRVL_Q222X_MAC_DEV = 0x1F
MRVL_Q222X_MMAC_READ_LOW = 0x97FE
MRVL_Q222X_MMAC_READ_HIGH = 0x97FF
MRVL_Q222X_MSEC_CSE_CLR_ON_RD = 0x588
MRVL_Q222X_MSEC_CSE_CLR_ON_RD_Tx = 0x5A0
MRVL_Q222X_MSEC_IN_OCETS_SECY_DECRYPTED = 0x3400
MRVL_Q222X_MSEC_IN_OCETS_SECY_VALIDATE = 0x33F0
MRVL_Q222X_MSEC_IN_PKTS_SECY_NO_SA = 0x33D0
MRVL_Q222X_MSEC_IN_PKTS_SECY_NO_SA_ERROR = 0x33E0
MRVL_Q222X_MSEC_IN_PKTS_SECY_BAD_TAG = 0x33C0
MRVL_Q222X_MSEC_IN_PKTS_SECY_NO_TAG = 0x33B0
MRVL_Q222X_MSEC_IN_PKTS_SECY_UNTAGGED = 0x33A0
MRVL_Q222X_MSEC_IN_PKTS_CTRL_PORT_DISABLE = 0x3390
MRVL_Q222X_MSEC_IN_CTRL_PORT_OCETS = 0x3300
MRVL_Q222X_MSEC_IN_CTRL_PORT_UC_PKTS = 0x3310
MRVL_Q222X_MSEC_IN_CTRL_PORT_MC_PKTS = 0x3320
MRVL_Q222X_MSEC_IN_CTRL_PORT_BC_PKTS = 0x3330
MRVL_Q222X_MSEC_IN_UNCTRL_PORT_OCETS = 0x3340
MRVL_Q222X_MSEC_IN_UNCTRL_PORT_UC_PKTS = 0x3350
MRVL_Q222X_MSEC_IN_UNCTRL_PORT_MC_PKTS = 0x3360
MRVL_Q222X_MSEC_IN_UNCTRL_PORT_BC_PKTS = 0x3370
MRVL_Q222X_MSEC_OUT_PKTS_CTRL_PORT_DISABLE = 0x3520
MRVL_Q222X_MSEC_OUT_PKTS_SECY_UNTAGGED = 0x3530
MRVL_Q222X_MSEC_OUT_PKTS_SECY_NO_ACTIVE_SA = 0x3540
MRVL_Q222X_MSEC_OUT_PKTS_SECY_TOO_LONG = 0x3550
MRVL_Q222X_MSEC_OUT_OCETS_SECY_PROTECTED = 0x3560
MRVL_Q222X_MSEC_OUT_OCETS_SECY_ENCRYPTED = 0x3570
MRVL_Q222X_MSEC_OUT_CTRL_PORT_OCETS = 0x34A0
MRVL_Q222X_MSEC_OUT_CTRL_PORT_UC_PKTS = 0x34B0
MRVL_Q222X_MSEC_OUT_CTRL_PORT_MC_PKTS = 0x34C0
MRVL_Q222X_MSEC_OUT_CTRL_PORT_BC_PKTS = 0x34D0
MRVL_Q222X_MSEC_OUT_UNCTRL_PORT_OCETS = 0x34E0
MRVL_Q222X_MSEC_OUT_UNCTRL_PORT_UC_PKTS = 0x34F0
MRVL_Q222X_MSEC_OUT_UNCTRL_PORT_MC_PKTS = 0x3500
MRVL_Q222X_MSEC_OUT_UNCTRL_PORT_BC_PKTS = 0x3510
MRVL_Q222X_MSEC_IN_PKTS_SC_CAM_HIT = 0x3620
MRVL_Q222X_MSEC_IN_PKTS_SC_LATE = 0x3420
MRVL_Q222X_MSEC_IN_PKTS_SC_NOT_VALID = 0x3430
MRVL_Q222X_MSEC_IN_PKTS_SC_INVALID = 0x3440
MRVL_Q222X_MSEC_IN_PKTS_SC_DELAYED = 0x3450
MRVL_Q222X_MSEC_IN_PKTS_SC_UNCHECKED = 0x3460
MRVL_Q222X_MSEC_IN_PKTS_SC_OK = 0x3470
MRVL_Q222X_MSEC_OUT_PKTS_SC_PROTECTED = 0x3580
MRVL_Q222X_MSEC_OUT_PKTS_SC_ENCRYPTED = 0x3590
class MRVL_Q222X_MSEC_PACKET_TYPE(Enum):
MRVL_Q222X_MSEC_PACKET_NO_VLAN_OR_MPLS = 0
MRVL_Q222X_MSEC_PACKET_SINGLE_VLAN = 1
MRVL_Q222X_MSEC_PACKET_DUAL_VLAN = 2
MRVL_Q222X_MSEC_PACKET_MPLS = 3
MRVL_Q222X_MSEC_PACKET_SINGLE_VLAN_FOLLOW_BY_MPLS = 4
MRVL_Q222X_MSEC_PACKET_DUAL_VLAN_FOLLOW_BY_MPLS = 5
MRVL_Q222X_MSEC_PACKET_UNSUPPORTED_TYPE = 6
class MRVL_Q222X_MSEC_VALIDATEFRAME(Enum):
MRVL_Q222X_MSEC_VF_DISABLED = 0
MRVL_Q222X_MSEC_VF_CHECK = 1
MRVL_Q222X_MSEC_VF_STRICT = 2
MRVL_Q222X_MSEC_VF_NA = 3
class MRVL_Q222X_MSEC_STRIP_SECTAG_ICV(Enum):
MRVL_Q222X_MSEC_SECTAG_ICV_BOTH_STRIP = 0
MRVL_Q222X_MSEC_SECTAG_ICV_RESERVED = 1
MRVL_Q222X_MSEC_SECTAG_ICV_STRIP_ICV_ONLY = 2
MRVL_Q222X_MSEC_SECTAG_ICV_NO_STRIP = 3
class MRVL_Q222X_MSEC_CIPHER_SUITE(Enum):
MRVL_Q222X_MSEC_CIPHER_GCM_AES_128 = 0
MRVL_Q222X_MSEC_CIPHER_GCM_AES_256 = 1
MRVL_Q222X_MSEC_CIPHER_GCM_AES_128_XPN = 2
MRVL_Q222X_MSEC_CIPHER_GCM_AES_256_XPN = 3
class SFP_ICS_CONFIG_SUBCOMMANDS(Enum):
CMD_WRITE_SLEEP = 0
CMD_WRITE_BOOTLOADER = 1
CMD_WRITE_MDIO_PHY_UPDATE = 2
CMD_WRITE_TC10_WAKEUP = 3
CMD_RESERVED_4 = 4
CMD_RESERVED_5 = 5
CMD_RESERVED_6 = 6
CMD_READ_PHY_TEMPERATURE = 7
CMD_READ_FW_MINOR = 8
CMD_READ_FW_MAJOR = 9
CMD_WRITE_MACSEC_UPDATE = 10
CMD_WRITE_MACSEC_CFG_RULE = 11
CMD_WRITE_MACSEC_CFG_MAP = 12
CMD_WRITE_MACSEC_CFG_SECY = 13
CMD_WRITE_MACSEC_CFG_SC = 14
CMD_WRITE_MACSEC_CFG_SA = 15
def transmit_i2c_ICSSFP_UPDATE_MACSEC(device, netid, data):
return i2c_write(
device,
netid,
ICS_SFP_SLAVE_ADDR_ICS_CONTROL,
1,
[SFP_ICS_CONFIG_SUBCOMMANDS.CMD_WRITE_MACSEC_UPDATE.value],
2,
data,
)
def transmit_i2c_ICSSFP_CONFIG_MACSEC_RULE(device, netid, len, data):
return i2c_write(
device,
netid,
ICS_SFP_SLAVE_ADDR_ICS_CONTROL,
1,
[SFP_ICS_CONFIG_SUBCOMMANDS.CMD_WRITE_MACSEC_CFG_RULE.value],
len,
data,
)
def transmit_i2c_ICSSFP_CONFIG_MACSEC_MAP(device, netid, len, data):
return i2c_write(
device,
netid,
ICS_SFP_SLAVE_ADDR_ICS_CONTROL,
1,
[SFP_ICS_CONFIG_SUBCOMMANDS.CMD_WRITE_MACSEC_CFG_MAP.value],
len,
data,
)
def transmit_i2c_ICSSFP_CONFIG_MACSEC_SECY(device, netid, len, data):
return i2c_write(
device,
netid,
ICS_SFP_SLAVE_ADDR_ICS_CONTROL,
1,
[SFP_ICS_CONFIG_SUBCOMMANDS.CMD_WRITE_MACSEC_CFG_SECY.value],
len,
data,
)
def transmit_i2c_ICSSFP_CONFIG_MACSEC_SC(device, netid, len, data):
return i2c_write(
device,
netid,
ICS_SFP_SLAVE_ADDR_ICS_CONTROL,
1,
[SFP_ICS_CONFIG_SUBCOMMANDS.CMD_WRITE_MACSEC_CFG_SC.value],
len,
data,
)
def transmit_i2c_ICSSFP_CONFIG_MACSEC_SA(device, netid, len, data):
return i2c_write(
device,
netid,
ICS_SFP_SLAVE_ADDR_ICS_CONTROL,
1,
[SFP_ICS_CONFIG_SUBCOMMANDS.CMD_WRITE_MACSEC_CFG_SA.value],
len,
data,
)
def transmit_i2c_ICSSFP_READ_MACSEC_32B_REG(
device, netid, data, i2c_mdio_addr, regaddr
):
data_lower16b = None
data_upper16b = None
while data_lower16b is None or data_upper16b is None:
# load macsec read reg addr
i2c_read(
device,
netid,
i2c_mdio_addr,
3,
[
((0x1 << 5) | MRVL_Q222X_MAC_DEV),
((regaddr & 0xFF00) >> 8),
(regaddr & 0xFF),
],
2,
[0, 0],
)
# read out lower 16b
data_lower16b = i2c_read(
device,
netid,
i2c_mdio_addr,
3,
[
((0x1 << 5) | MRVL_Q222X_MAC_DEV),
((MRVL_Q222X_MMAC_READ_LOW & 0xFF00) >> 8),
(MRVL_Q222X_MMAC_READ_LOW & 0xFF),
],
2,
[0, 0],
)
# read out upper 16b
data_upper16b = i2c_read(
device,
netid,
i2c_mdio_addr,
3,
[
((0x1 << 5) | MRVL_Q222X_MAC_DEV),
((MRVL_Q222X_MMAC_READ_HIGH & 0xFF00) >> 8),
(MRVL_Q222X_MMAC_READ_HIGH & 0xFF),
],
2,
[0, 0],
)
# return 32b reg data
data.append(data_upper16b[3])
data.append(data_upper16b[4])
data.append(data_lower16b[3])
data.append(data_lower16b[4])
return data
def transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_addr, regaddr
):
# read out upper 32b
transmit_i2c_ICSSFP_READ_MACSEC_32B_REG(
device, netid, data, i2c_mdio_addr, regaddr + 2
)
# read out lower 32b
transmit_i2c_ICSSFP_READ_MACSEC_32B_REG(device, netid, data, i2c_mdio_addr, regaddr)
def transmit_i2c_ICSSFP_WRITE_MACSEC_32B_REG(
device, netid, data, i2c_mdio_addr, regaddr
):
# write lower 16b
i2c_write(
device,
netid,
i2c_mdio_addr,
3,
[MRVL_Q222X_MAC_DEV, ((regaddr & 0xFF00) >> 8), (regaddr & 0xFF)],
2,
[(data & 0xFF00) >> 8, data & 0xFF],
)
regaddr += 1
# write upper 16b
i2c_write(
device,
netid,
i2c_mdio_addr,
3,
[MRVL_Q222X_MAC_DEV, ((regaddr & 0xFF00) >> 8), (regaddr & 0xFF)],
2,
[(data & 0xFF000000) >> 24, (data & 0xFF0000) >> 16],
)
def sfp_msa_decode(data):
table = namedtuple(
"msa",
"identifier ext_identifier connector transceiver encoding br_nominal l1 l2 l3 l4 l5 vendor_name vendor_oui vendor_pn vendor_rev cc_base options br_max br_min vendor_sn date_year date_month date_day date_lot diag_mon_type enh_options sff8472_compl cc_ext ics_mdio_bridge_addr vendor_data ics_pcb_serial ics_app_id ics_overrides",
)
data = bytes(data)
x = struct.unpack(
">BBBQBB1xBBBBB1x16s1x3s16s4s3xBHBB16s2s2s2s2sBBBBB13s16sBB", data
)
n = 16 * 2
hex_str = data.hex()
hex_str = "\n".join(hex_str[i : i + n] for i in range(0, len(hex_str), n))
print("MSA table raw:\n" + hex_str)
table = table._asdict(table._make(x))
try:
# verify CC_BASE, 8-bit sum of bytes 64-94
cc_base = 0
for i in range(0, 63):
cc_base += data[i]
table["cc_base_valid"] = 1 if (cc_base & 0xFF) == table["cc_base"] else 0
# verify CC_EXT, 8-bit sum of bytes 64-94
cc_ext = 0
for i in range(64, 95):
cc_ext += data[i]
table["cc_ext_valid"] = 1 if (cc_ext & 0xFF) == table["cc_ext"] else 0
# convert types of some items
table["vendor_name"] = (
table["vendor_name"].decode("utf-8", errors="ignore").strip()
)
table["vendor_pn"] = table["vendor_pn"].decode("utf-8", errors="ignore").strip()
table["vendor_rev"] = (
table["vendor_rev"].decode("utf-8", errors="ignore").strip()
)
table["vendor_sn"] = table["vendor_sn"].decode("utf-8", errors="ignore").strip()
table["ics_pcb_serial"] = (
table["ics_pcb_serial"].decode("utf-8", errors="ignore").strip()
)
year = table["date_year"].decode("utf-8", errors="ignore").strip()
if year.isdigit():
table["date_year"] = int(year) + 2000
month = table["date_month"].decode("utf-8", errors="ignore").strip()
if month.isdigit():
table["date_month"] = int(month)
day = table["date_day"].decode("utf-8", errors="ignore").strip()
if day.isdigit():
table["date_day"] = int(day)
except Exception:
pass
return table
def i2c_read_macsec_rx_secy_stats(device, netid, i2c_mdio_address):
data = []
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_OCETS_SECY_DECRYPTED
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_OCETS_SECY_VALIDATE
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SECY_NO_SA
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SECY_NO_SA_ERROR
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SECY_BAD_TAG
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SECY_NO_TAG
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SECY_UNTAGGED
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_CTRL_PORT_DISABLE
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_CTRL_PORT_OCETS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_CTRL_PORT_UC_PKTS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_CTRL_PORT_MC_PKTS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_CTRL_PORT_BC_PKTS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_UNCTRL_PORT_OCETS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_UNCTRL_PORT_UC_PKTS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_UNCTRL_PORT_MC_PKTS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_UNCTRL_PORT_BC_PKTS
)
table = namedtuple(
"rx_secy_stats",
"inOctetsSecYDecrypted inOctetsSecYValidate inPktsSecYNoSAError inPktsSecYNoSA inPktsSecYBadTag inPktsSecYNoTag inPktsSecYUntagged inPktsCtrlPortDisable inCtrlPortOctets inCtrlPortUCPkts inCtrlPortMCPkts inCtrlPortBCPkts inUnCtrlPortOctets inUnCtrlPortUCPkts inUnCtrlPortMCPkts inUnCtrlPortBCPkts",
)
data = bytes(data)
x = struct.unpack(">QQQQQQQQQQQQQQQQ", data)
table = table._asdict(table._make(x))
return table
def read_macsec_rx_secy_stats(device, netid, i2c_mdio_address):
data = i2c_read_macsec_rx_secy_stats(device, netid, i2c_mdio_address)
if data is None:
return None
return data
def i2c_read_macsec_tx_secy_stats(device, netid, i2c_mdio_address):
data = []
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device,
netid,
data,
i2c_mdio_address,
MRVL_Q222X_MSEC_OUT_PKTS_CTRL_PORT_DISABLE,
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_PKTS_SECY_UNTAGGED
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device,
netid,
data,
i2c_mdio_address,
MRVL_Q222X_MSEC_OUT_PKTS_SECY_NO_ACTIVE_SA,
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_PKTS_SECY_TOO_LONG
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_OCETS_SECY_PROTECTED
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_OCETS_SECY_ENCRYPTED
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_CTRL_PORT_OCETS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_CTRL_PORT_UC_PKTS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_CTRL_PORT_MC_PKTS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_CTRL_PORT_BC_PKTS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_UNCTRL_PORT_OCETS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_UNCTRL_PORT_UC_PKTS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_UNCTRL_PORT_MC_PKTS
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_UNCTRL_PORT_BC_PKTS
)
table = namedtuple(
"tx_secy_stats",
"outPktsCtrlPortDisable outPktsSecYUntagged outPktsSecYNoActiveSA outPktSecYTooLong outOCTETSSecYProtected outOCTETSSecYEncrypted outCtrlPortOctets outCtrlPortUCPkts outCtrlPortMCPkts outCtrlPortBCPkts outUnCtrlPortOctets outUnCtrlPortUCPkts outUnCtrlPortMCPkts outUnCtrlPortBCPkts",
)
data = bytes(data)
x = struct.unpack(">QQQQQQQQQQQQQQ", data)
table = table._asdict(table._make(x))
return table
def read_macsec_tx_secy_stats(device, netid, i2c_mdio_address):
data = i2c_read_macsec_tx_secy_stats(device, netid, i2c_mdio_address)
if data is None:
return None
return data
def i2c_read_macsec_rx_sc_stats(device, netid, i2c_mdio_address):
data = []
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SC_CAM_HIT
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SC_LATE
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SC_NOT_VALID
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SC_INVALID
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SC_DELAYED
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SC_UNCHECKED
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_IN_PKTS_SC_OK
)
table = namedtuple(
"rx_sc_stats",
"inPktsSCCamHit inPktsSCLate inPktsSCNotValid inPktsSCInvalid inPktsSCDelayed inPktsSCUnchecked inPktsSCOK",
)
data = bytes(data)
x = struct.unpack(">QQQQQQQ", data)
table = table._asdict(table._make(x))
return table
def read_macsec_rx_sc_stats(device, netid, i2c_mdio_address):
data = i2c_read_macsec_rx_sc_stats(device, netid, i2c_mdio_address)
if data is None:
return None
return data
def i2c_read_macsec_tx_sc_stats(device, netid, i2c_mdio_address):
data = []
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_PKTS_SC_PROTECTED
)
transmit_i2c_ICSSFP_READ_MACSEC_64B_REG(
device, netid, data, i2c_mdio_address, MRVL_Q222X_MSEC_OUT_PKTS_SC_ENCRYPTED
)
table = namedtuple(
"tx_sc_stats",
"outPktsProtected outPktsEncrypted",
)
data = bytes(data)
x = struct.unpack(">QQ", data)
table = table._asdict(table._make(x))
return table
def read_macsec_tx_sc_stats(device, netid, i2c_mdio_address):
data = i2c_read_macsec_tx_sc_stats(device, netid, i2c_mdio_address)
if data is None:
return None
return data
def write_macsec_stats_clear_on_read(device, netid, i2c_mdio_address):
transmit_i2c_ICSSFP_WRITE_MACSEC_32B_REG(
device, netid, 1, i2c_mdio_address, MRVL_Q222X_MSEC_CSE_CLR_ON_RD
)
transmit_i2c_ICSSFP_WRITE_MACSEC_32B_REG(
device, netid, 1, i2c_mdio_address, MRVL_Q222X_MSEC_CSE_CLR_ON_RD_Tx
)
def write_macsec_stats_reinit(device, netid, i2c_mdio_address):
transmit_i2c_ICSSFP_WRITE_MACSEC_32B_REG(
device, netid, 0, i2c_mdio_address, MRVL_Q222X_MSEC_CSE_CLR_ON_RD
)
transmit_i2c_ICSSFP_WRITE_MACSEC_32B_REG(
device, netid, 0, i2c_mdio_address, MRVL_Q222X_MSEC_CSE_CLR_ON_RD_Tx
)
def macsec_clear_phy_counters(device, netid, i2c_mdio_address):
# Set counters to clear on read
write_macsec_stats_clear_on_read(device, netid, i2c_mdio_address)
write_macsec_stats_clear_on_read(device, netid, i2c_mdio_address)
time.sleep(0.1)
# Read secy, sc stats
read_macsec_rx_secy_stats(device, netid, i2c_mdio_address)
read_macsec_tx_secy_stats(device, netid, i2c_mdio_address)
read_macsec_rx_sc_stats(device, netid, i2c_mdio_address)
read_macsec_tx_sc_stats(device, netid, i2c_mdio_address)
read_macsec_rx_secy_stats(device, netid, i2c_mdio_address)
read_macsec_tx_secy_stats(device, netid, i2c_mdio_address)
read_macsec_rx_sc_stats(device, netid, i2c_mdio_address)
read_macsec_tx_sc_stats(device, netid, i2c_mdio_address)
time.sleep(0.1)
# Re-init counters
write_macsec_stats_reinit(device, netid, i2c_mdio_address)
write_macsec_stats_reinit(device, netid, i2c_mdio_address)
def sfp_query_module(device, netid):
"""
Look for an SFP module on an I2C network.
"""
data = i2c_read(device, netid, ICS_SFP_SLAVE_ADDR_MSA, 1, [0x00], 128, [0] * 128)
if data is None:
return None
msa = sfp_msa_decode(data[1:])
return msa
BL_FLAGS_FW_VALID_OFFSET = 0
BL_FLAGS_APP_ERROR_OFFSET = 1
BL_FLAGS_ERASE_IN_PROGRESS_OFFSET = 2
BL_FLAGS_FLASH_IN_PROGRESS_OFFSET = 3
BL_FLAGS_RESET_IN_PROGRESS_OFFSET = 4
BL_FLAGS_BL_READY_OFFSET = 5
BL_FLAGS_FLASH_READY_OFFSET = 6
BL_FLAGS_ENABLE_XTEA_OFFSET = 7
def sfp_ics_send_macsec_rule(device, netid, rule):
data = []
data.append(rule["index"])
for x in range(6):
data.append(rule["key_MAC_DA"][x])
for x in range(6):
data.append(rule["mask_MAC_DA"][x])
for x in range(6):
data.append(rule["key_MAC_SA"][x])
for x in range(6):
data.append(rule["mask_MAC_SA"][x])
for x in bytearray(rule["key_Ethertype"].to_bytes(2, "little")):
data.append(x)
for x in bytearray(rule["mask_Ethertype"].to_bytes(2, "little")):
data.append(x)
for x in bytearray(rule["key_outer1"]["vlanTag"]["VID"].to_bytes(2, "little")):
data.append(x)
data.append(rule["key_outer1"]["vlanTag"]["PRI_CFI"])
for x in bytearray(rule["key_outer1"]["mpls"]["MPLS_label"].to_bytes(4, "little")):
data.append(x)
data.append(rule["key_outer1"]["mpls"]["exp"])
for x in bytearray(rule["mask_outer1"]["vlanTag"]["VID"].to_bytes(2, "little")):
data.append(x)
data.append(rule["mask_outer1"]["vlanTag"]["PRI_CFI"])
for x in bytearray(rule["mask_outer1"]["mpls"]["MPLS_label"].to_bytes(4, "little")):
data.append(x)
data.append(rule["mask_outer1"]["mpls"]["exp"])
for x in bytearray(rule["key_outer2"]["vlanTag"]["VID"].to_bytes(2, "little")):
data.append(x)
data.append(rule["key_outer2"]["vlanTag"]["PRI_CFI"])
for x in bytearray(rule["key_outer2"]["mpls"]["MPLS_label"].to_bytes(4, "little")):
data.append(x)
data.append(rule["key_outer2"]["mpls"]["exp"])
for x in bytearray(rule["mask_outer2"]["vlanTag"]["VID"].to_bytes(2, "little")):
data.append(x)
data.append(rule["mask_outer2"]["vlanTag"]["PRI_CFI"])
for x in bytearray(rule["mask_outer2"]["mpls"]["MPLS_label"].to_bytes(4, "little")):
data.append(x)
data.append(rule["mask_outer2"]["mpls"]["exp"])
for x in bytearray(rule["key_bonus_data"].to_bytes(2, "little")):
data.append(x)
for x in bytearray(rule["mask_bonus_data"].to_bytes(2, "little")):
data.append(x)
data.append(rule["key_tag_match_bitmap"])
data.append(rule["mask_tag_match_bitmap"])
data.append(rule["key_packet_type"])
data.append(rule["mask_packet_type"])
for x in bytearray(rule["key_inner_vlan_type"].to_bytes(2, "little")):
data.append(x)
for x in bytearray(rule["mask_inner_vlan_type"].to_bytes(2, "little")):
data.append(x)
for x in bytearray(rule["key_outer_vlan_type"].to_bytes(2, "little")):
data.append(x)
for x in bytearray(rule["mask_outer_vlan_type"].to_bytes(2, "little")):
data.append(x)
data.append(rule["key_num_tags"])
data.append(rule["mask_num_tags"])
data.append(rule["key_express"])
data.append(rule["mask_express"])
for x in bytearray(rule["isMPLS"].to_bytes(1, "little")):
data.append(x)
for x in range(5):
data.append(rule["reserved"][x])
for x in bytearray(rule["enable"].to_bytes(1, "little")):
data.append(x)
transmit_i2c_ICSSFP_CONFIG_MACSEC_RULE(device, netid, len(data), data)
def sfp_ics_send_macsec_map(device, netid, map):
data = []
data.append(map["index"])
for x in bytearray(map["sectag_sci"].to_bytes(8, "little")):
data.append(x)
data.append(map["secYIndex"])
for x in bytearray(map["isControlPacket"].to_bytes(1, "little")):
data.append(x)
data.append(map["scIndex"])
for x in bytearray(map["auxiliary_plcy"].to_bytes(1, "little")):
data.append(x)
data.append(map["ruleId"])
for x in range(5):
data.append(map["reserved"][x])
for x in bytearray(map["enable"].to_bytes(1, "little")):
data.append(x)
transmit_i2c_ICSSFP_CONFIG_MACSEC_MAP(device, netid, len(data), data)
def sfp_ics_send_macsec_secy(device, netid, secy):
data = []
data.append(secy["index"])
for x in bytearray(secy["controlled_port_enabled"].to_bytes(1, "little")):
data.append(x)
data.append(secy["validate_frames"])
data.append(secy["strip_sectag_icv"])
data.append(secy["cipher"])
data.append(secy["confidential_offset"])
for x in bytearray(secy["icv_includes_da_sa"].to_bytes(1, "little")):
data.append(x)
for x in bytearray(secy["replay_protect"].to_bytes(1, "little")):
data.append(x)
for x in bytearray(secy["replay_window"].to_bytes(4, "little")):
data.append(x)
for x in bytearray(secy["protect_frames"].to_bytes(1, "little")):
data.append(x)
data.append(secy["sectag_offset"])
data.append(secy["sectag_tci"])
for x in bytearray(secy["mtu"].to_bytes(2, "little")):
data.append(x)
for x in range(6):
data.append(secy["reserved"][x])
for x in bytearray(secy["enable"].to_bytes(1, "little")):
data.append(x)
transmit_i2c_ICSSFP_CONFIG_MACSEC_SECY(device, netid, len(data), data)
def sfp_ics_send_macsec_sc(device, netid, sc):
data = []
data.append(sc["index"])
data.append(sc["secYIndex"])
for x in bytearray(sc["sci"].to_bytes(8, "little")):
data.append(x)
data.append(sc["sa_index0"])
data.append(sc["sa_index1"])
for x in bytearray(sc["sa_index0_in_use"].to_bytes(1, "little")):
data.append(x)
for x in bytearray(sc["sa_index1_in_use"].to_bytes(1, "little")):
data.append(x)
for x in bytearray(sc["enable_auto_rekey"].to_bytes(1, "little")):
data.append(x)
for x in bytearray(sc["isActiveSA1"].to_bytes(1, "little")):
data.append(x)
for x in range(7):
data.append(sc["reserved"][x])
for x in bytearray(sc["enable"].to_bytes(1, "little")):
data.append(x)
transmit_i2c_ICSSFP_CONFIG_MACSEC_SC(device, netid, len(data), data)
def sfp_ics_send_macsec_sa(device, netid, sa):
data = []
data.append(sa["index"])
for x in range(32):
data.append(sa["sak"][x])
for x in range(16):
data.append(sa["hashKey"][x])
for x in range(12):
data.append(sa["salt"][x])
for x in bytearray(sa["ssci"].to_bytes(4, "little")):
data.append(x)
data.append(sa["AN"])
for x in bytearray(sa["nextPN"].to_bytes(8, "little")):
data.append(x)
for x in range(5):
data.append(sa["reserved"][x])
for x in bytearray(sa["enable"].to_bytes(1, "little")):
data.append(x)
transmit_i2c_ICSSFP_CONFIG_MACSEC_SA(device, netid, len(data), data)
def sfp_ics_update_macsec(
device, netid, rx, rule, map, secy, sc, sa, nvm, en, clr, rst
):
data = []
byte0 = rule << 0
byte0 |= map << 1
byte0 |= secy << 2
byte0 |= sc << 3
byte0 |= sa << 4
byte0 |= rx << 5
byte0 |= nvm << 6
byte0 |= en << 7
data.append(byte0)
byte1 = clr << 0
byte1 |= rst << 1
data.append(byte1)
transmit_i2c_ICSSFP_UPDATE_MACSEC(device, netid, data)
def sfp_query_verify_macsec_support(device, netid_config, reset):
netid = get_hwnetid(netid_config)
# query for MACSec supproted SFP module
print("Checking for SFP modules...")
msa = sfp_query_module(device, netid)
if msa is None:
print(f"\nNo SFP module found on port {netid_config}... exiting.")
if not reset: # dont exit if we only want to reset
exit(1)
# add information to dictionary
d = {}
d["Vendor PN"] = msa["vendor_pn"]
d["Vendor"] = msa["vendor_name"]
d["Vendor Revision"] = msa["vendor_rev"]
d["Vendor SN"] = msa["vendor_sn"]
try:
man_date = datetime.date(msa["date_year"], msa["date_month"], msa["date_day"])
x = man_date.strftime("%Y/%m/%d")
except Exception:
x = f"{msa['date_year']}/{msa['date_month']}/{msa['date_day']} -- invalid"
d["Manufacture date"] = f"{x}"
d["Supports LOS Pin"] = 1 if msa["options"] & 0x02 else 0
d["Supports LOS Pin (inverted)"] = 1 if (msa["options"] & 0x04) else 0
d["Supports TX Fault Pin"] = 1 if msa["options"] & 0x08 else 0
d["Supports TX Disable Pin"] = 1 if msa["options"] & 0x10 else 0
d["Supports Rate Select Pin"] = 1 if msa["options"] & 0x20 else 0
d["Supports Soft LOS"] = 1 if msa["enh_options"] & 0x10 else 0
d["Supports Soft TX Fault"] = 1 if msa["enh_options"] & 0x20 else 0
d["Supports Soft TX Disable"] = 1 if msa["enh_options"] & 0x40 else 0
d["Supports Soft Rate Select"] = 1 if msa["enh_options"] & 0x08 else 0
d["Supports Soft Alarm/Warning Flags"] = 1 if msa["enh_options"] & 0x80 else 0
d["Supports Diagnostic Monitoring Interface"] = (
1 if msa["diag_mon_type"] & 0x40 else 0
)
if not msa["cc_base_valid"]:
d["Check Code"] = hex(msa["cc_base"]) + " -- invalid"
if not msa["cc_ext_valid"]:
d["Check Code"] = hex(msa["cc_ext"]) + " -- invalid"
i2c_mdio_address = 0x40
if not (msa["ics_overrides"] & 0x1): # MDIO address override
i2c_mdio_address = msa["ics_mdio_bridge_addr"]
# print all information
print(dict_align_str(d))
# verify macsec supported part
if d["Vendor PN"] != "SFP-MV2221M-B1":
print(f"\nNo SFP-MV2221M-B1 module found on port {netid_config}... exiting.")
exit(1)
if reset: # clear macsec config for this module
print(
f"\nClearing and Disabling MACSec on SFP module found on port {netid_config}..."
)
# clear/reset any current macsec configuration
sfp_ics_update_macsec(device, netid, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1)
time.sleep(1)
print(
f"\nCleared and Disabled MACSec on SFP module found on port {netid_config}..."
)
return i2c_mdio_address
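Review bot: in sfp_query_verify_macsec_support the `if msa is None` branch only exits when `reset` is false, and execution then falls through to `d["Vendor PN"] = msa["vendor_pn"]`, which raises a TypeError on None (and `i2c_mdio_address` is later derived from `msa["ics_overrides"]` as well); either return early after the "No SFP module found" message in the reset case too, or restructure so the reset path does not touch the MSA data. Other points in this region: the two `d["Check Code"]` assignments write the same key, so when both `cc_base_valid` and `cc_ext_valid` are false the base check-code failure is silently overwritten by the extended one (use two keys). The `read_macsec_*_stats` wrappers test `data is None`, but the underlying `i2c_read_macsec_*_stats` functions never return None: the return values of `transmit_i2c_ICSSFP_READ_MACSEC_64B_REG` are discarded, so a failed register read surfaces as a `struct.error` from `struct.unpack` (short buffer) rather than as None; check the transmit result and return None on failure so the callers' guards mean something. `macsec_clear_phy_counters` issues every write and every read twice with no comment; if the double issue is a deliberate workaround for the clear-on-read behaviour, say so in the comment, otherwise drop the duplicates. The comment `# MDIO address override` sits on `if not (msa["ics_overrides"] & 0x1)`, which applies the override address when the bit is clear; please confirm the polarity is intended. Minor: `exit(1)` should be `sys.exit(1)` (bare `exit` is the site-module helper and is absent under `python -S` and frozen builds), and `map` as a parameter name in `sfp_ics_send_macsec_map` and `sfp_ics_update_macsec` shadows the builtin.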

Binary file not shown.


@ -0,0 +1,271 @@
---
###############################################################################
# This is intended to be used as an example yaml for loading a MACsec
# configuration to ICS SFP-MV2221M-B1 module
#
# MACsec configuration:
# tx:
# rule:
# - MAC DA = 00:FC:70:XX:XX:XX (IntrepidCS OUI) packets authenticated and encrypted
# - other packets dropped
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Use SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_128
# - Always Authenticate, Replay Protect, and Encrypt/Decrypt
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
# rx:
# rule:
# - MAC DA = 00:FC:70:XX:XX:XX (IntrepidCS OUI) packets authenticated, replay protected, and decrypted
# - other packets dropped
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Check SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_128
# - Drop invalid frames
# - Always Authenticate, Replay Protect, and Decrypt User Data
# - Strip ICV and SecTag from incoming frames
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
###############################################################################
tx:
rule:
index: 0
key_MAC_DA: [ 0x00, 0xFC, 0x70, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 0 # GCM_AES_128 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
rx:
rule:
index: 0
key_MAC_DA: [ 0x00, 0xFC, 0x70, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 0 # GCM_AES_128 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
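Review bot: `replay_protect: True` is paired with `replay_window: 0xFFFFFFFF` in both the tx and rx `secy` blocks, which is the largest possible window and accepts any packet number up to 2^32-1 behind the highest one seen, so the anti-replay check that the header comment advertises ("Replay Protect", "Drop invalid frames") is effectively inert; for the strict configuration this file claims to show, use a small window (0 for an in-order point-to-point link). Also: each `hashKey` is simply the first 16 bytes of the corresponding `sak`; if the hardware expects the GHASH subkey H = AES_K(0^128) in this field rather than deriving it itself, these values will authenticate against another module loaded from this file but not against a standards-conformant MACsec peer, so either document how `hashKey` is meant to be derived or compute it from the SAK in the loader. The committed SAKs (`1, 0, 0, 0, 2, ...` and `3, 0, 0, 0, 5, ...`) are fine as placeholders, but the file header should state that they are example keys that must be replaced before use on a real link. Minor: comment typos `encrypte` and `lables`, and the rx `map` entry still carries the tx comment "Index for entry in Egress secY Policy".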


@ -0,0 +1,271 @@
---
###############################################################################
# This is intended to be used as an example yaml for loading a MACsec
# configuration to ICS SFP-MV2221M-B1 module
#
# MACsec configuration:
# tx:
# rule:
# - MAC SA = 00:FC:70:XX:XX:XX (IntrepidCS OUI) packets authenticated and encrypted
# - other packets dropped
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Use SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_128
# - Always Authenticate, Replay Protect, and Encrypt/Decrypt
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
# rx:
# rule:
# - MAC SA = 00:FC:70:XX:XX:XX (IntrepidCS OUI) packets authenticated, replay protected, and decrypted
# - other packets dropped
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Check SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_128
# - Drop invalid frames
# - Always Authenticate, Replay Protect, and Decrypt User Data
# - Strip ICV and SecTag from incoming frames
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
###############################################################################
tx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0x00, 0xFC, 0x70, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 0 # GCM_AES_128 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
rx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0x00, 0xFC, 0x70, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 0 # GCM_AES_128 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
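Review bot: the `replay_protect: True` / `replay_window: 0xFFFFFFFF` pair in the rx `secy` block does not provide replay protection, even though the header bullet "Always Authenticate, Replay Protect, and Decrypt User Data" says it does. Under the 802.1AE receive rule a frame is accepted when its PN is at least nextPN minus replayWindow (floored at 1), and GCM-AES-128 (`cipher: 0`) carries a 32-bit PN, so a window of 2^32-1 pins the lowest acceptable PN at 1 for the whole life of the SA and any captured frame can be replayed until the SA is retired. Use `replay_window: 0` for a point-to-point link that delivers in order, or a small window (a few frames to a few hundred) only where something in the path can reorder, and adjust the header to match whatever is chosen. One smaller point in the same hunk: the rx `map` entry carries the egress comment (`secYIndex: 0x00 # Index for entry in Egress secY Policy`) although this is the ingress flow map; the comment should say Ingress so a reader does not assume the two tables are one.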


@ -0,0 +1,271 @@
---
###############################################################################
# This is intended to be used as an example yaml for loading a MACsec
# configuration to ICS SFP-MV2221M-B1 module
#
# MACsec configuration:
# tx:
# rule:
# - MAC SA = 00:FC:70:XX:XX:XX (IntrepidCS OUI) packets authenticated and encrypted
# - other packets dropped
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Use SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_128
# - Always Authenticate, Replay Protect, and Encrypt/Decrypt
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
# rx:
# rule:
# - MAC DA = 00:FC:70:XX:XX:XX (IntrepidCS OUI) packets authenticated, replay protected, and decrypted
# - other packets dropped
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Check SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_128
# - Drop invalid frames
# - Always Authenticate, Replay Protect, and Decrypt User Data
# - Strip ICV and SecTag from incoming frames
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
###############################################################################
tx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0x00, 0xFC, 0x70, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 0 # GCM_AES_128 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
rx:
rule:
index: 0
key_MAC_DA: [ 0x00, 0xFC, 0x70, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 0 # GCM_AES_128 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
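Review bot: the per-SA `hashKey` values (for `sa0`, `hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ]`) are byte-for-byte the lower 128 bits of the matching `sak`, which is not the GCM authentication subkey. For AES-GCM the GHASH key is H = AES_SAK(0^128), a value that bears no resemblance to the key itself. If the Q222X engine expects software to supply H (engines that expose a separate hash-key field usually do), every ICV produced from this file is wrong in the same way on both ends: two modules loaded from this yaml still pass traffic to each other, so a two-module loopback test will not catch it, but frames will fail validation at any standards-compliant peer such as a Linux `macsec` interface. Please confirm against the Marvell Q222X MACsec documentation whether H is derived in hardware or must be provided, and if it must be provided, have the loader compute it from the SAK rather than hand-typing it. Two related items worth a sentence in the header: the SAKs are patterned test vectors shared by every example file, so anyone deriving a real configuration from this one must replace them with 16 or 32 random bytes per SA; and `enable_auto_rekey: True` refers to a `pn_threshold` that appears nowhere in the yaml, so document where it is set and what happens once `sa1` is exhausted, because re-activating `sa0` with its original `sak` and `nextPN: 0x0000000000000001` would repeat GCM nonces under the same key.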


@ -0,0 +1,269 @@
---
###############################################################################
# This is intended to be used as an example yaml for loading a MACsec
# configuration to ICS SFP-MV2221M-B1 module
#
# MACsec configuration:
# tx:
# rule:
# - wildcard / all packets authenticated and encrypted
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Use SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_128
# - Always Authenticate, Replay Protect, and Encrypt/Decrypt
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
# rx:
# rule:
# - wildcard / all packets authenticated, replay protected, and decrypted
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Check SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_128
# - Drop invalid frames
# - Always Authenticate, Replay Protect, and Decrypt User Data
# - Strip ICV and SecTag from incoming frames
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
###############################################################################
tx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 0 # GCM_AES_128 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
rx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 0 # GCM_AES_128 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
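Review bot: The rx half of this file reuses the tx comments verbatim, which leaves the ingress semantics unclear: the rx `map` entry is described as "Index for entry in Egress secY Policy", the rx `secy` carries `sectag_tci`, `sectag_offset` and `mtu` with egress wording, and the rx SAs say `nextPN` is the "Next packet number to insert into outgoing packet". If those fields are ignored on ingress, the comments should say so; if the device uses them for decapsulation (for example `nextPN` as the lowest acceptable PN), describe that instead. Separately, `replay_protect: True` paired with `replay_window: 0xFFFFFFFF` on the rx SecY spans the whole 32-bit PN space of GCM-AES-128, so no received PN is ever treated as a replay and the check is effectively disabled; an example meant to showcase replay protection should use a small window (0 for strict in-order delivery) or state that the value is deliberately permissive for bench testing.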

View File

@ -0,0 +1,269 @@
---
###############################################################################
# This is intended to be used as an example yaml for loading a MACsec
# configuration to ICS SFP-MV2221M-B1 module
#
# MACsec configuration:
# tx:
# rule:
# - wildcard / all packets authenticated and encrypted
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Use SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_128
# - Always Authenticate, Replay Protect, and Encrypt/Decrypt
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
# rx:
# rule:
# - wildcard / all packets authenticated, replay protected, and decrypted
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Check SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_128
# - Drop invalid frames
# - Always Authenticate, Replay Protect, and Decrypt User Data
# - Strip ICV and SecTag from incoming frames
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
###############################################################################
tx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 0 # GCM_AES_128 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 8, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 8 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 9, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 9 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
rx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 0 # GCM_AES_128 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 8, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 8 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 9, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 9 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
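Review bot: The header comment at the top of this file should state that the `sak`, `hashKey` and `salt` values are placeholder test keys to be replaced on any real link, since nothing in the file says so and the SAK bytes here ([ 8, 0, 0, 0, 2, ... 8, 0, 0, 8 ] versus [ 1, 0, 0, 0, 2, ... 8, 0, 0, 0 ] in the sibling files) read as an arbitrary tweak rather than a deliberate choice. It should also document how `hashKey` relates to `sak`: for AES-GCM the GHASH key is derived from the cipher key, yet sa0 pairs a `sak` starting 8, 0, 0, 0 with a `hashKey` starting 1, 0, 0, 0, so a reader cannot tell whether the device derives the hash key itself and ignores this field, or whether the value must be precomputed from the SAK (in which case this one does not match and ICV verification would fail).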

View File

@ -0,0 +1,269 @@
---
###############################################################################
# This is intended to be used as an example yaml for loading a MACsec
# configuration to ICS SFP-MV2221M-B1 module
#
# MACsec configuration:
# tx:
# rule:
# - wildcard / all packets authenticated and encrypted
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Use SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_256
# - No Encryption, Only Authenticate and Replay Protect
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
# rx:
# rule:
# - wildcard / all packets authenticated, replay protected, and decrypted
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Check SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_256
# - No Decryption, Only Authenticate and Replay Protect
# - Strip ICV and SecTag from incoming frames
# - Include the MAC DA and SA in the ICV\
# - Non-strict validation
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
###############################################################################
tx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 1 # Validate Frame = CHECK; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 1 # GCM_AES_256 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x08 # SCI included, auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
rx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 1 # Validate Frame = CHECK; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 1 # GCM_AES_256 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x08 # SCI included, auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
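Review bot: `replay_window: 0xFFFFFFFF` beside `replay_protect: True` in the rx `secy` block gives the anti-replay check a window as wide as the 32-bit packet-number space, so any PN the receiver has not already seen is accepted no matter how far out of order it arrives; if this example is meant to show replay protection, use a small window (0 for an in-order link, a few tens of frames where reordering is expected) and say in the comment why. The same block runs with `validate_frames: 1` (CHECK), under which frames that fail ICV validation are counted but still delivered; state that in the comment so this rx policy is not copied into a deployment that expects invalid frames to be dropped. The `sak`, `hashKey` and `salt` arrays are fixed, mostly-zero values checked into the repository; mark them test-only in the comment so they are never mistaken for key material to reuse.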


@ -0,0 +1,269 @@
---
###############################################################################
# This is intended to be used as an example yaml for loading a MACsec
# configuration to ICS SFP-MV2221M-B1 module
#
# MACsec configuration:
# tx:
# rule:
# - wildcard / all packets authenticated and encrypted
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Use SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_256
# - No Encryption, Only Authenticate and Replay Protect
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
# rx:
# rule:
# - wildcard / all packets authenticated, replay protected, and decrypted
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Check SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_256
# - No Decryption, Only Authenticate and Replay Protect
# - Strip ICV and SecTag from incoming frames
# - Include the MAC DA and SA in the ICV\
# - Non-strict validation
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
###############################################################################
tx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 1 # Validate Frame = CHECK; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 1 # GCM_AES_256 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x08 # SCI included, auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 8, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 8 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 8, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 8 ] # 128b Hash Key: Key used for authentication
salt: [ 8, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 8 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 8, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 8 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 8, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 8 ] # 128b Hash Key: Key used for authentication
salt: [ 8, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 8 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
rx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 1 # Validate Frame = CHECK; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 1 # GCM_AES_256 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x08 # SCI included, auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 8, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 8 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 8, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 8 ] # 128b Hash Key: Key used for authentication
salt: [ 8, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 8 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 8, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 8 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 8, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 8 ] # 128b Hash Key: Key used for authentication
salt: [ 8, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 8 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
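Review bot: the description block at the top of this file contradicts the policy it describes: the `tx: rule` line says all packets are "authenticated and encrypted" and the `rx: rule` line says "decrypted", while the `secy` lines say "No Encryption, Only Authenticate" and "No Decryption", which is what the body actually configures (`sectag_tci: 0x08`, SC bit set with E and C clear, on both the tx and rx SecY). Change the two rule lines to "authenticated and replay protected" so the header can be trusted. Drop the stray backslash at the end of `# - Include the MAC DA and SA in the ICV\`, and have the "Non-strict validation" line name the mode (`validate_frames: 1`, CHECK) and say explicitly that under CHECK a frame failing the ICV is counted and delivered rather than dropped, since that behaviour is the point of this example. The comment typos "encrypte" and "lables" recur in every file and come from the shared template; fix them there once.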


@ -0,0 +1,269 @@
---
###############################################################################
# This is intended to be used as an example yaml for loading a MACsec
# configuration to ICS SFP-MV2221M-B1 module
#
# MACsec configuration:
# tx:
# rule:
# - wildcard / all packets authenticated and encrypted
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Use SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_256
# - Always Authenticate, Replay Protect, and Encrypt/Decrypt
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
# rx:
# rule:
# - wildcard / all packets authenticated, replay protected, and decrypted
# map:
# - Map Rule 0 to SecY 0 and SC 0
# - Check SCI = 0xAFAFAFAFAFAFFFFF
# secy:
# - Cipher = GCM_AES_256
# - Drop invalid frames
# - Always Authenticate, Replay Protect, and Decrypt User Data
# - Strip ICV and SecTag from incoming frames
# - Include the MAC DA and SA in the ICV
# sc:
# - Assign 2 x SA's
# - SA 0 is Active
# - Enable auto rekey
# 2 x sa:
# - Define Keys
# - Assign indices 0,1
# - Next PN = 1
###############################################################################
tx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 1 # GCM_AES_256 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
rx:
rule:
index: 0
key_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC DA field extracted from the packet
mask_MAC_DA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # MAC SA field extracted from the packet
mask_MAC_SA: [ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ] # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_Ethertype: 0xFFFF # First E-Type found in the packet that doesn't match one of the preconfigured custom tag
mask_Ethertype: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer1: # outermost/1st VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer1: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_outer2: # 2nd outermost VLAN ID {8'd0, VLAN_ID[11:0]}, or 20-bit MPLS label
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
mask_outer2: # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
vlanTag:
VID: 0xFFFF
PRI_CFI: 0xFF
mpls:
MPLS_label: 0xFFFFFFFF
exp: 0xFF
key_bonus_data: 0xFFFF # 2 bytes of additional bonus data extracted from one of the custom tags
mask_bonus_data: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_tag_match_bitmap: 0xFF # 8 bits total. Maps 1 to 1 bitwise with the set of custom tags. (set bit[N]=1 if check Nth custom tag)
mask_tag_match_bitmap: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_packet_type: 0 # Encoded Packet Type = NO_VLAN_OR_MPLS; see MRVL_Q222X_MSEC_PACKET_TYPE
mask_packet_type: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_inner_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the second outermost VLAN Tag
mask_inner_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_outer_vlan_type: 0xFFFF # 3 bits total. Encoded value indicating which VLAN TPID value matched for the outermost VLAN Tag
mask_outer_vlan_type: 0xFFFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_num_tags: 0xFF # 7 bits total. Number of VLAN/custom tags or MPLS lables detected. Ingress: before SecTag; Egress: total detected
mask_num_tags: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
key_express: 0xFF # 1 bits. Express packet
mask_express: 0xFF # Set bits to 1 to mask/exclude corresponding flowid_tcam_data bit from compare
isMPLS: False
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
map:
index: 0
sectag_sci: 0xAFAFAFAFAFAFFFFF # Identifies the SecTAG SCI for this Flow
secYIndex: 0x00 # Index for entry in Egress secY Policy
isControlPacket: False # Identifies all packets matching this index lookup as control packets
scIndex: 0x00 # Identifies the SC for this Flow
auxiliary_plcy: False # Auxiliary policy bits
ruleId: 0x00 # Identifies the Rule for this Flow
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
secy:
index: 0x00 # Identifies the SecY for this Flow
controlled_port_enabled: True # Enable (or disable) operation of the Controlled port associated with this SecY
validate_frames: 2 # Validate Frame = STRICT; see MRVL_Q222X_MSEC_VALIDATEFRAME
strip_sectag_icv: 0 # Strip SecTag and ICV; see MRVL_Q222X_MSEC_STRIP_SECTAG_ICV
cipher: 1 # GCM_AES_256 = Cipher suite to use for this SecY; see MRVL_Q222X_MSEC_CIPHER_SUITE
confidential_offset: 0x00 # Define the number of bytes that are unencrypted following the SecTag
icv_includes_da_sa: True # When set, the outer DA/SA bytes are included in the authentication GHASH calculation
replay_protect: True # Enables Anti-Replay protection
replay_window: 0xFFFFFFFF # Unsigned value indicating the size of the anti-replay window
protect_frames: True # 0 = do not encrypt or authenticate this packet; 1 = always Authenticate frame and if SecTag.TCI.E = 1 encrypt the packet as well
sectag_offset: 12 # 12B = sizeof(DA) + sizeof(SA); offset in bytes from either the start of the packet or a matching Etype depending on SecTag_Insertion_Mode
sectag_tci: 0x0B # SCI included, encrypt and auth user data; Tag Control Information excluding the AN field which originates from the SA Policy table;
mtu: 0xFFFF # Specifies the outgoing MTU for this SecY
reserved: [ 0, 0, 0, 0, 0, 0 ]
enable: True
sc:
index: 0x00 # SC index
secYIndex: 0x00 # SecY associated with this packet
sci: 0xAFAFAFAFAFAFFFFF # The Secure Channel Identifier
sa_index0: 0x00 # Define the 1st SA to use
sa_index1: 0x01 # Define the 2nd SA to use
sa_index0_in_use: True # Specifies whether 1st SA is in use or not
sa_index1_in_use: True # Specifies whether 2nd SA is in use or not
enable_auto_rekey: True # If enabled, then once the pn_threshold is reached, auto rekey will happen
isActiveSA1: False # If set, then sa_index1 is the currently active SA index. If cleared, the sa_index0 is the currently active SA index
reserved: [ 0, 0, 0, 0, 0, 0, 0 ]
enable: True
sa0:
index: 0x00 # SA index
sak: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x00 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
sa1:
index: 0x01 # SA index
sak: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 9, 0, 0, 0, 8, 0, 0, 0, 11, 0, 0, 0 ] # 256b SAK: Define the encryption key to be used to encrypte this packet. The lower 128 bits are used for 128-bit ciphers
hashKey: [ 3, 0, 0, 0, 5, 0, 0, 0, 4, 0, 0, 0, 7, 0, 0, 0 ] # 128b Hash Key: Key used for authentication
salt: [ 2, 0, 0, 0, 3, 0, 0, 0, 4, 0, 0, 0 ] # 96b Salt value: Salt value used in XPN ciphers
ssci: 0xFFFFFFFF # 32b SSCI value: Short Secure Channel Identifier, used in XPN ciphers
AN: 0x01 # 2b SecTag Association Number (AN)
nextPN: 0x0000000000000001 # 64b next_pn value: Next packet number to insert into outgoing packet on a particular SA
reserved: [ 0, 0, 0, 0, 0 ]
enable: True
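Review bot: `replay_window: 0xFFFFFFFF` together with `replay_protect: True` in the `secy` block leaves the anti-replay check effectively disabled, since a window of 2^32-1 accepts almost any out-of-order or replayed packet number; for a demo that may be intended, but the comment on that line should say so, and a small window (the value a real deployment would use) belongs in at least one of the shipped configurations. Related in the `sa0`/`sa1` blocks: `hashKey` is entered by hand as a patterned value next to `sak`, but for GCM the GHASH key is AES_SAK(0^128) and is fixed by the SAK; a hand-typed value that is not that derivation will produce ICVs a standards-compliant peer rejects, so the utility should derive it from `sak` rather than read it from the file (or the comment should state the derivation the user must perform). Minor: "encrypte" in the `sak` comments and "lables" in the `key_num_tags` comment.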

34
ReadMe.md 100644

@ -0,0 +1,34 @@
# <u>MACsec and TC10 demo</u>
## Show case
The demo should show:
1. MACsec secured datastream - only one Module is MACsec configured, modules might be swapped for showcasing
2. TC10 controlled SFP plugs
<u>Needed equipment:</u>
* GigaStar
* 2 SFP: MV2221M 1000-Base-T1 modules, enabled for TC10/MACsec
## 1. Preparation
* If SFP module MV2221M 1000-Base-T1 is not yet flashed to support MACsec,\
[RGS_ICS_SFP_FLASHER_REV1_4.vs3](.\SFP_Flasher\v1.4\RGS_ICS_SFP_FLASHER_REV1_4.vs3) is needed to flash the module.
Take care that also the binary [sfp_mv2221m_b1_mchip.msgbin](.\SFP_Flasher\v1.4\sfp_mv2221m_b1_mchip.msgbin) is available.
* To download a MACsec configuration, actually you will need a small python script you find in the [MACsec_Utilities folder](.\MACsec_Utilitie) (see **2.**)\
In this case you might have to install [python](https://www.python.org/downloads/) onto the PC\
Also you will need python_ics ``` pip instal python_ics ``` and ``` pip install pyyaml ```
## 2. Downloading MACsec configuration to SFP module
If the SFP module is ready for MACsec en- and decryption, you can download one of the [Example YAML-Files](.\MACsec_Utilitie\yaml)\
e.g.\
<b>programming SFP01 of device <i>GS0728</i>:</b>
python test_sfp_macsec_util.py <i><b>GS0728</b></i> --sfp --config_netid <b>NETID_I2C2</b> --yaml test_sfp_macsec_Rule_wildcard_SecY_256_strip_noEncrypt_onlyCheck_sci_SA_sak0.yml\
<b>programming SFP02 of device <i>GS0728</i>:</b> python test_sfp_macsec_util.py <i><b>GS0728</b></i> --sfp --config_netid <b>NETID_I2C3</b> --yaml test_sfp_macsec_Rule_wildcard_SecY_256_strip_noEncrypt_onlyCheck_sci_SA_sak0.yml\
<b>clearing SFP02 of device <i>GS0728</i>:</b> python test_sfp_macsec_util.py <i><b>GS0728</b></i> --sfp --config_netid <b>NETID_I2C3</b> --yaml test_sfp_macsec_Rule_wildcard_SecY_256_strip_noEncrypt_onlyCheck_sci_SA_sak0.yml --reset\
or just\
python test_sfp_macsec_util.py <i><b>GS0728</b></i> --sfp --config_netid <b>NETID_I2C3</b> --reset\
\
There are four example <b>batch-files</b> available to set and reset SFP01 and SFP02 modules. Device SN has to be adjusted.
## 3. Demosetup TC10_MACsec Demo.vs3
![Description](./resources/TX_RX_MV2221M_setup.jpg)\
![Graphical panel](./resources/TC10_MACse_Demo_GP.jpg)
If SFP modules are swapped direction of encryption will change
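Review bot: the "clearing SFP02" example passes both `--yaml ...` and `--reset` on the same command line, which conflicts with the utility README's instruction to remove `--reset` before configuring MACsec again; keep only the form shown two lines later (`python test_sfp_macsec_util.py GS0728 --sfp --config_netid NETID_I2C3 --reset`) so readers do not copy a mixed invocation. The relative links use backslashes and a folder name that does not match the link text (`[MACsec_Utilities folder](.\MACsec_Utilitie)`, `(.\MACsec_Utilitie\yaml)`); they will not resolve when rendered, so use forward slashes and the real folder name. Also `pip instal python_ics` is missing an "l", and the final sentence reads better as "If the SFP modules are swapped, the direction of encryption changes."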


@ -0,0 +1,75 @@
@mainpage README.md
# ICS SFP RESOURCES RELEASE NOTES
> Copyright (c) 2023 Intrepid Control Systems, Inc.
---
## General Information
### ICS SFP Resources include latest Release firmware and VSpy .vs3 files for module interfacing, and includes the following:
- sfp_mv2221m_b1_mchip.msgbin
- Latest Release Firmware for SFP-MV2221M module
- sfp_mv2112_a2_mchip.msgbin
- Latest Release Firmware for SFP-MV2112 module
- RGS_ICS_SFP_FLASHER_REV1_4.vs3
- VSpy .vs3 for flashing ICS SFP module firmware
- ICS_SFP_MV2221M_TC10.vs3
- VSpy .vs3 for interfacing examples with ICS SFP modules via I2C
- /MACsec/
- Python src files for loading a MACsec configuration to the device
### Instructions:
- ICS SFP Firmware Flashing:
- Copy "sfp_mv2221m_b1_mchip.msgbin" and "sfp_mv2112_a2_mchip.msgbin" to directory "<VSPY_INSTALL_DIR>\Data Directory\Default"
- Run VSpy
- Load "RGS_ICS_SFP_FLASHER_REV1_4.vs3"
- Go online with RADGigastar
- Make sure an SFP module is plugged into a RADGigastar SFP port
- Click the "Flash Firmware" button on the displayed Graphical Panel
- Wait for indicater "Flashing Completed"
- Limitations:
- This .vs3 only supports flashing 1 SFP port at a time (RADGigastar SFP1 port is prioritized)
- May need to plug cycle the device after successful flashing for the RADgigastar to detect the module
- ICS SFP module interfacing examples:
- Run VSpy
- Load "ICS_SFP_MV2221M_TC10.vs3"
- Go online with RADGigastar
- Make sure an ICS SFP module is plugged into a RADGigstar SFP port
- Transmit I2C messages for Read/Write examples
- NOTES
- I2C2 messages correlate with SFP1 port on the RADgigastar
- I2C3 messages correlate with SFP2 port on the RADgigastar
- All TC10 example messages are only supported on the SFP-MV2221M module (PHY limitation)
- MACsec
- See "/MACsec/README.md"
---
## Version History
- (11/27/2023)
- Added "MACsec" folder with python src files for loading a MACsec configuration to the device
- /yaml/ folder containing 8 MACsec configurations
- test_sfp_macsec_util.py
- util_eth.py
- util_sfp.py
- util.py
- README.md
- (9/5/2023)
- Fix ICS SFP flasher textbox and led indicaters:
- RGS_ICS_SFP_FLASHER_REV1_4.vs3
- (9/5/2023)
- Fix ICS SFP flasher binary size errors:
- RGS_ICS_SFP_FLASHER_REV1_3.vs3
- (8/9/2023)
- Update Release firwmare:
- sfp_mv2221m_b1_mchip.msgbin
- sfp_mv2112_a2_mchip.msgbin
- (6/29/2023)
- First draft of the following files:
- sfp_mv2221m_b1_mchip.msgbin
- sfp_mv2112_a2_mchip.msgbin
- ICS_SFP_FLASHER.vs3
- ICS_SFP_MV2221M_TC10.vs3
---
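Review bot: the "/MACsec/" folder referenced under General Information, Instructions ("See /MACsec/README.md") and the 11/27/2023 history entry does not match the "MACsec_Utilities" folder that the demo ReadMe.md in this same commit links to; one of the two names should be corrected so the release notes point at a path that exists. In the flashing instructions, `<VSPY_INSTALL_DIR>` is unquoted in markdown and will be swallowed as an HTML tag when rendered, leaving the path as "\Data Directory\Default"; wrap it in backticks. Spelling: "indicater" (twice), "firwmare", and the device name appears as "RADGigastar", "RADgigastar" and "RADGigstar"; pick one.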

21523
TC10_MACsec Demo.vs3 100644