2018-10-14, 10:59:31 -0400, Josh Coombs wrote: > I initially mistook this for a traffic control issue, but after > stripping the test beds down to just the MACSec component, I can still > replicate the issue. After approximately 5TB of transfer / 4 billion > packets over a MACSec link it stops passing traffic.
I think you're just hitting packet number exhaustion. After 2^32 packets, the packet number would wrap to 0 and start being reused, which breaks the crypto used by macsec. Before this point, you have to add a new SA, and tell the macsec device to switch to it. That's why you should be using wpa_supplicant. It will monitor the growth of the packet number, and handle the rekey for you. If you start with a PN already close to exhaustion (say, 4294967000), you should hit the "bug" very quickly. > # Bring up macsec: > echo "* Enable MACSec" > modprobe macsec > ip link add link "$dif" "$eif" type macsec > ip macsec add "$eif" tx sa 0 pn 1 on key 02 "$txkey" Keep the rest of the configuration, and replace that one with: ip macsec add "$eif" tx sa 0 pn 4294967000 on key 02 "$txkey" to trigger the issue faster. -- Sabrina
