MACsec/ MKA config and metric support in OTG model #408
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,230 @@ | ||
| components: | ||
| schemas: | ||
| Macsec.CryptoEngine: | ||
| description: >- | ||
| A container of crypto engine properties of a SecY. | ||
| type: object | ||
| properties: | ||
| choice: | ||
| description: >- | ||
| Engine type based on encryption and/ or decryption capability. Supported types: 1) stateless_encryption_only - engine can only encrypt transmitted packets but such engine cannot decrypt packets upon arrival. As the packets cannot be decrypted on arrival, such packets cannot be delivered to the receiving device. Hence only stateless traffic can be sent. 2) stateful_encryption_decryption - engine can both encrypt transmitted packets and decrypt packets on arrival. Such engine can have hardware acceleration for faster encryption/ ddecryption. As both encryption and decryption are possible, stateful (e.g. TCP) traffic can be sent/ received. | ||
| type: string | ||
| default: stateless_encryption_only | ||
| x-field-uid: 1 | ||
| x-enum: | ||
| stateless_encryption_only: | ||
sasubrata marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| x-field-uid: 1 | ||
| stateful_encryption_decryption: | ||
| x-field-uid: 2 | ||
| stateless_encryption_only: | ||
| $ref: '#/components/schemas/Macsec.CryptoEngine.StatelessEncryptionOnly' | ||
| x-field-uid: 2 | ||
| stateful_encryption_decryption: | ||
| $ref: '#/components/schemas/Macsec.CryptoEngine.StatefulEncryptionDecryption' | ||
| x-field-uid: 3 | ||
| Macsec.CryptoEngine.StatelessEncryptionOnly: | ||
| description: >- | ||
| The container for stateless encryption only engine configuration. | ||
| type: object | ||
| properties: | ||
| tx_pn: | ||
| $ref: '#/components/schemas/Macsec.CryptoEngine.StatelessEncryptionOnly.TxPn' | ||
| x-field-uid: 1 | ||
| traffic: | ||
| $ref: '#/components/schemas/Macsec.CryptoEngine.StatelessEncryptionOnly.Traffic' | ||
| x-field-uid: 3 | ||
| Macsec.CryptoEngine.StatefulEncryptionDecryption: | ||
| description: >- | ||
| The container for stateful encryption and decryption engine configuration. | ||
| type: object | ||
| properties: | ||
| initial_pn: | ||
| $ref: '#/components/schemas/Macsec.CryptoEngine.StatefulEncryptionDecryption.InitialPn' | ||
| x-field-uid: 1 | ||
| hardware_acceleration: | ||
| $ref: '#/components/schemas/Macsec.CryptoEngine.StatefulEncryptionDecryption.HardwareAcceleration' | ||
| x-field-uid: 2 | ||
| Macsec.CryptoEngine.StatelessEncryptionOnly.TxPn: | ||
| description: >- | ||
| Tx packet number(PN) configuration. | ||
| type: object | ||
| properties: | ||
| choice: | ||
| description: >- | ||
| Types of Tx packet number(PN) series. Supported choices: 1) fixed PN - MACsec packets will be sent out with the configured fixed PN or lower half of configured fixed XPN. 2) incrementing PN - MACsec packets will be sent out by single device with an incrementing PN or XPN. | ||
| type: string | ||
| default: fixed_pn | ||
| x-field-uid: 1 | ||
| x-enum: | ||
| fixed_pn: | ||
| x-field-uid: 1 | ||
| incrementing_pn: | ||
| x-field-uid: 2 | ||
| fixed: | ||
| $ref: '#/components/schemas/Macsec.CryptoEngine.StatelessEncryptionOnly.FixedPn' | ||
| x-field-uid: 2 | ||
| incrementing: | ||
| $ref: '#/components/schemas/Macsec.CryptoEngine.StatelessEncryptionOnly.IncrementingPn' | ||
| x-field-uid: 3 | ||
| Macsec.CryptoEngine.StatelessEncryptionOnly.FixedPn: | ||
| description: >- | ||
| Fixed packet number(PN) configuration. | ||
| type: object | ||
| properties: | ||
| pn: | ||
| description: >- | ||
| Fixed Tx packet number(PN). 4 bytes PN with which all packets will be sent out. | ||
| type: integer | ||
| format: uint32 | ||
| minimum: 1 | ||
| maximum: 4294967295 | ||
| default: 6 | ||
| x-field-uid: 1 | ||
| xpn: | ||
| description: >- | ||
| Fixed Tx extended packet number(XPN). 8 bytes XPN with which all packets will be sent out. | ||
| type: string | ||
| format: hex | ||
| minLength: 1 | ||
| maxLength: 8 | ||
| minimum: 1 | ||
| default: "0x0000000000000006" | ||
| x-field-uid: 2 | ||
| Macsec.CryptoEngine.StatelessEncryptionOnly.IncrementingPn: | ||
| description: >- | ||
| Incrementing packet number(PN) configuration. | ||
| type: object | ||
| properties: | ||
| count: | ||
| description: >- | ||
| Count of packet numbers in series. | ||
| type: integer | ||
| format: uint32 | ||
| minimum: 2 | ||
| maximum: 1000000 | ||
| default: 100 | ||
| x-field-uid: 1 | ||
| first_pn: | ||
| description: >- | ||
| The first packet number(PN). | ||
| type: integer | ||
| format: uint32 | ||
| minimum: 1 | ||
| default: 10000 | ||
| x-field-uid: 2 | ||
| first_xpn: | ||
| description: >- | ||
| The first extended packet number(XPN). | ||
| type: string | ||
| format: hex | ||
| minLength: 1 | ||
| maxLength: 8 | ||
| minimum: 1 | ||
| default: "0x0000000000010000" | ||
| x-field-uid: 3 | ||
| Macsec.CryptoEngine.StatelessEncryptionOnly.Traffic: | ||
| description: >- | ||
| Encryption only traffic configuration. | ||
| type: object | ||
| properties: | ||
| send_gratarp: | ||
| description: >- | ||
| Send gratuitous ARP or not. | ||
| type: boolean | ||
| default: true | ||
| x-field-uid: 1 | ||
| Macsec.CryptoEngine.StatefulEncryptionDecryption.InitialPn: | ||
| description: >- | ||
| Initial packet number(PN) configuration. | ||
| type: object | ||
| properties: | ||
| pn: | ||
| description: >- | ||
| Initial Tx packet number(PN). | ||
| type: integer | ||
| format: uint32 | ||
| minimum: 1 | ||
| default: 1 | ||
| x-field-uid: 1 | ||
| Macsec.CryptoEngine.StatefulEncryptionDecryption.HardwareAcceleration: | ||
| description: >- | ||
| Hardware acceleration configuration for offloading MACsec processing to hardware. | ||
| type: object | ||
| properties: | ||
| choice: | ||
sasubrata marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| description: >- | ||
| Hardware acceleration types. | ||
| type: string | ||
| default: none | ||
| x-field-uid: 1 | ||
| x-enum: | ||
| none: | ||
| x-field-uid: 1 | ||
| inline_crypto: | ||
| x-field-uid: 2 | ||
| inline_crypto: | ||
| $ref: '#/components/schemas/Macsec.CryptoEngine.StatefulEncryptionDecryption.HardwareAcceleration.InlineCrypto' | ||
| x-field-uid: 2 | ||
| Macsec.CryptoEngine.StatefulEncryptionDecryption.HardwareAcceleration.InlineCrypto: | ||
| description: >- | ||
| Inline cryto engine configuration. Encryption/ decryption are offloaded to hardware. Also dynamic fields e.g. packet number(PN) and integrity check value(ICV) are updated in MACsec header on transmit. | ||
| type: object | ||
| properties: | ||
| rx_sectag_offset: | ||
| description: >- | ||
| Offset of Rx secTAG from the first byte in packet. | ||
| type: integer | ||
| format: uint32 | ||
| default: 12 | ||
sasubrata marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| x-field-uid: 1 | ||
| type_of_ca: | ||
| description: >- | ||
| Type of connectivity association(CA). | ||
| type: string | ||
| x-field-uid: 2 | ||
| x-enum: | ||
| pairwise_ca: | ||
| x-field-uid: 1 | ||
| group_ca_single_dut: | ||
| x-field-uid: 2 | ||
| group_ca_multipe_duts: | ||
| x-field-uid: 3 | ||
| max_ca_count: | ||
| description: >- | ||
| The maximum number of CAs configured on the port. The maximum count supported per port is 256 for Pair-wise CA, each CA having one MACsec device. | ||
| type: integer | ||
| format: uint32 | ||
sasubrata marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| minimum: 1 | ||
| maximum: 256 | ||
| default: 256 | ||
| x-field-uid: 3 | ||
| max_dut_tx_sc_per_ca: | ||
| description: >- | ||
| The maximum number of DUT transmit SCs that can be supported per CA. The count should be number of Tx SCs supported by the DUT per CA, multiplied by number of DUTs in the CA in case of group CA with multiple DUTs scenario. | ||
| type: integer | ||
| format: uint32 | ||
sasubrata marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| minimum: 1 | ||
| maximum: 256 | ||
| default: 1 | ||
| x-field-uid: 4 | ||
| max_device_per_ca: | ||
| description: >- | ||
| The maximum number of MACsec devices at test port that can be supported on each CA. This number is calculated automatically based on the values configured for Max CA Count and Max DUT Tx SC Per CA. Number of MACsec devices at test port should be configured accordingly. | ||
| type: integer | ||
| format: uint32 | ||
| minimum: 1 | ||
| default: 256 | ||
| x-field-uid: 5 | ||
| rx_sc_identifying_field: | ||
| description: >- | ||
| The field based on which secure channel(SC) will be identified by the receiving port. Supported fields are:- - 1) source MAC - identify SC based on source MAC field. 2) SCI system ID - identify SC bbased on SCI system ID field. 3) SCI port ID - identify based on SCI port ID field. | ||
| type: string | ||
| default: source_mac | ||
| x-field-uid: 6 | ||
| x-enum: | ||
| source_mac: | ||
| x-field-uid: 1 | ||
| sci_sytem_id: | ||
| x-field-uid: 2 | ||
| sci_port_id: | ||
| x-field-uid: 3 | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| components: | ||
| schemas: | ||
| Device.Macsec: | ||
| description: >- | ||
| A container of properties for a MACsec capable device. | ||
| type: object | ||
| required: [ethernet_interfaces] | ||
| properties: | ||
| ethernet_interfaces: | ||
| description: |- | ||
| Ethernet Interfaces | ||
| type: array | ||
| items: | ||
| $ref: '#/components/schemas/Device.Macsec.EthernetInterface' | ||
| x-field-uid: 1 | ||
| Device.Macsec.EthernetInterface: | ||
| description: >- | ||
| Configuration for single MACsec interface. | ||
| type: object | ||
| required: [eth_name, secy] | ||
| properties: | ||
| eth_name: | ||
| description: >- | ||
| The unique name of the Ethernet interface on which MACsec | ||
| is enabled. | ||
| type: string | ||
| x-constraint: | ||
| - '/components/schemas/Device.Ethernet/properties/name' | ||
| x-field-uid: 1 | ||
| secy: | ||
|
There was a problem hiding this comment. Could we possible have a choice maybe at this level or for both tx/rx within secy to choose either static or mka , and depending on that take in the static or mka config ? At device level , we have single macsec protocol node and within that per interface ( or per interface tx and rx ) we have a choice of static or mka . There was a problem hiding this comment. Currently configuration is arranged this way:
Currently configurations common to static key and MKA are not duplicated. These are set once only. If we have static key and MKA choices at secY or Tx/ Rx level - common configurations in Tx/ Rx will be repeated and any change in model/ test script in common config needs to be done twice. There was a problem hiding this comment. Would like to discuss this with some you and some other MacSec stakeholders if possible. Need to also discuss if external ( to Keysight ) is planned for this model or has been done. Ideally prefer validations to be built in into model where possible not allowing users to make mistakes at compile time itself. Not sure on this. Need to also see what are the number of common parameters you describe. |
||
| description: >- | ||
| This contains the properties of Secure Entity (SecY). | ||
| $ref: '#/components/schemas/Macsec' | ||
| x-field-uid: 2 | ||
|
|
||
| Macsec: | ||
| description: >- | ||
| Configuration of a Secure Entity (SecY). | ||
| type: object | ||
| required: [name] | ||
| properties: | ||
| name: | ||
| x-include: ../../common/common.yaml#/components/schemas/Named.Object/properties/name | ||
| x-field-uid: 1 | ||
| static_key: | ||
| description: >- | ||
| Static key properties properties of SecY. Static key is used in absence MKA. | ||
| $ref: './statickey.yaml#/components/schemas/Macsec.StaticKey' | ||
| x-field-uid: 2 | ||
| tx: | ||
| description: >- | ||
| Tx properties of SecY. | ||
| $ref: './tx.yaml#/components/schemas/Macsec.Tx' | ||
| x-field-uid: 3 | ||
| rx: | ||
| description: >- | ||
| Rx properties of SecY. | ||
| $ref: './rx.yaml#/components/schemas/Macsec.Rx' | ||
| x-field-uid: 4 | ||
| crypto_engine: | ||
| description: >- | ||
| Crypto engine properties of SecY. | ||
| $ref: './cryptoengine.yaml#/components/schemas/Macsec.CryptoEngine' | ||
| x-field-uid: 5 | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| components: | ||
| schemas: | ||
| Macsec.Rx: | ||
| description: >- | ||
| A container for Rx settings of SecY. | ||
| type: object | ||
| properties: | ||
| replay_protection: | ||
| description: |- | ||
| Enable replay protection on not. | ||
| type: boolean | ||
| default: false | ||
| x-field-uid: 1 | ||
| replay_window: | ||
| description: |- | ||
| Replay window size. | ||
| type: integer | ||
| format: uint32 | ||
| minimum: 1 | ||
| default: 1 | ||
| x-field-uid: 2 | ||
| static_key: | ||
| description: |- | ||
| Rx settings for static key. | ||
| $ref: '#/components/schemas/Macsec.Rx.StaticKey' | ||
| x-field-uid: 3 | ||
| Macsec.Rx.StaticKey: | ||
| description: >- | ||
| Container for Rx setting for static key. | ||
| type: object | ||
| properties: | ||
| scs: | ||
| description: >- | ||
| Rx secure channels. | ||
| type: array | ||
| items: | ||
| $ref: './rxsc.yaml#/components/schemas/Macsec.RxSc' | ||
| x-field-uid: 1 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| components: | ||
| schemas: | ||
| Macsec.RxSc: | ||
| description: |- | ||
| Rx SC settings. | ||
| type: object | ||
| properties: | ||
| dut_system_id: | ||
| description: |- | ||
| System ID in DUT SCI. | ||
| type: string | ||
| format: mac | ||
| x-field-uid: 1 | ||
| dut_port_id: | ||
| description: |- | ||
| Port ID in DUT SCI. | ||
| type: integer | ||
| format: uint32 | ||
| minimum: 1 | ||
| maximum: 65535 | ||
| default: 1 | ||
| x-field-uid: 2 | ||
| dut_msb_xpn: | ||
| description: |- | ||
| DUT MSB of XPN. The 32 most significant bits of the XPN that DUT will be using to construct the 64 bits XPN value when test starts. | ||
| type: integer | ||
| format: uint32 | ||
| minimum: 0 | ||
| maximum: 4294967295 | ||
| default: 0x00000000 | ||
| x-field-uid: 3 | ||
| saks: | ||
| description: |- | ||
| Rx SAK pool. | ||
| type: array | ||
| items: | ||
| $ref: './statickey.yaml#/components/schemas/Macsec.StaticKey.Sak' | ||
| x-field-uid: 4 |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.