RHEL-1420: Support MACSec interfaces in Nmstate

    • nmstate-2.2.16-1.el9
    • 2
    • sst_network_management
    • ssg_networking
    • 17
    • 13
    • Customer/Partner Bugzilla ID Case ID Status Details
      TELCON RAN None None Telco RAN partners require MACsec (IEEE 802.1AE) encryption in order to protect 5G Front Haul traffic between the DU & RU in order to achieve feature parity with their Classic RAN product lines and also in anticipation of O-RAN specifying MACsec encryption of Front Haul traffic between the DU & RU.

      rust-netlink and Nispor patches are now merged and the team is working on the needed changes for Nmstate.
    • QE ack
    • False
    • None
    • Yes
    • NMT - RHEL 8.10/9.4 DTM 00, NMT - RHEL 8.10/9.4 DTM 2
    • Pass
    • None
    • Enhancement
    • .`nmstate` now supports creating MACsec interfaces

      With this update, the users of the `nmstate` framework can configure MACsec interfaces to protect their communication on Layer 2 of the Open Systems Interconnection (OSI) model. As a result, there is no need to encrypt individual services later on Layer 7. Also, the feature eliminates associated challenges such as managing large amounts of certificates for each endpoint.

      For more information, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/configuring_and_managing_networking/index#configuring-a-macsec-connection-using-nmstatectl_assembly_using-macsec-to-encrypt-layer-2-traffic-in-the-same-physical-network[Configuring a MACsec connection using nmstatectl].
    • Done
    • None

      Description of problem:

      Requesting nmstate to support configuring MACSec interfaces, so that they can be used as slaves of bonds or bridges. This would allow for L2 encryption of all traffic on the network device, eliminating the need to encrypt per service at L7.

      Additional info:

      This was originally requested in the context of RHOSP, here:

      https://bugzilla.redhat.com/show_bug.cgi?id=2111556

      Acceptance Criteria:
      User story

      As a system administrator responsible for deploying and maintaining a RHOSP environment, I want nmstate to support the configuration of MACSec interfaces as slaves for bonds or bridges so that I can ensure L2 encryption for all traffic on the network device, thus eliminating the need for individual service encryption at L7 and the associated challenges it brings, such as managing large amounts of certificates required for each endpoint on each overcloud node.

      Acceptance criteria
      Given a system administrator configuring a system with Nmstate installed,
      When the system administrator configures a MACSec interface using Nmstate,
      Then:

      1. The MACSec interface should be correctly configured without any errors.
      2. The system administrator should be able to enslave the MACSec interface to a bond or bridge.
      3. All traffic on the MACSec interface should be encrypted at L2.
      4. Nmstate should provide clear logging or error messages if there are any issues configuring the MACSec interface.

      Definition of done

      • The implementation meets the acceptance criteria
      • Unit test and integration test are written and passed
      • The Release Note text field is filled
      • The code is part of a build attached to an errata
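
An added example, not part of the ticket and not the nmstate project's own configuration: a desired state in nmstate's YAML schema for the scenario in the acceptance criteria, a MACsec interface with encryption and strict validation enabled, attached as the port of a Linux bridge. The interface names (`eth1`, `macsec0`, `br0`) are assumptions, the CAK and CKN values are placeholders, and whether a given nmstate build accepts a MACsec interface as a bridge port is what this ticket tracks.

```yaml
# Added example: interface names are assumed, key values are placeholders.
interfaces:
  # MACsec (IEEE 802.1AE) interface layered on a physical NIC.
  - name: macsec0
    type: macsec
    state: up
    macsec:
      base-iface: eth1      # assumed name of the underlying NIC
      encrypt: true         # encrypt frames, not only integrity-protect them
      validation: strict    # drop received frames that fail MACsec validation
      send-sci: true        # include the Secure Channel Identifier in each frame
      port: 0               # port component of the SCI
      # Pre-shared MKA key (CAK) and key name (CKN) as hexadecimal strings.
      # Placeholders only: generate fresh values per link, keep them identical
      # on both peers, and keep this file out of version control.
      mka-cak: "REPLACE_WITH_HEX_CAK"
      mka-ckn: "REPLACE_WITH_HEX_CKN"

  # The bridge takes macsec0, not eth1, as its port, so every frame the
  # bridge forwards onto the wire passes through the MACsec interface.
  - name: br0
    type: linux-bridge
    state: up
    bridge:
      port:
        - name: macsec0
```

Apply the file with `nmstatectl apply <file>` and compare the reported state from `nmstatectl show macsec0` against it; `encrypt: false` or `validation: disabled` in the reported state means criterion 3 is not met.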

       

            ferferna Fernando Fernandez Mancera
            rhn-support-enothen Eric Nothen
            Fernando Fernandez Mancera Fernando Fernandez Mancera
            Mingyu Shi Mingyu Shi
            Jaroslav Klech Jaroslav Klech