49 changes: 48 additions & 1 deletion release/models/macsec/openconfig-macsec.yang
Expand Up @@ -18,11 +18,18 @@ module openconfig-macsec {
"This module defines configuration and state data for
MACsec IEEE Std 802.1AE-2018.";

oc-ext:openconfig-version "1.2.0";
oc-ext:openconfig-version "1.3.0";
oc-ext:regexp-posix;
oc-ext:catalog-organization "openconfig";
oc-ext:origin "openconfig";

revision "2026-01-26" {
description
"Add interface status and security-policy leaf with should-secure and
must-secure enum.";
reference "1.3.0";
}

revision "2025-01-02" {
description
"Add include-sci to allow enable/disable of secure channel
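Review bot: The 2026-01-26 revision description refers to "should-secure and must-secure enum", which does not match the identifiers actually added later in this diff (`SHOULD_SECURE`, `MUST_SECURE`) nor the leaf name `security-policy`; suggest quoting the exact leaf and enum names so the revision history is greppable, e.g. `"Add status leaf to interface state and security-policy leaf with SHOULD_SECURE and MUST_SECURE enums."` The bump to 1.3.0 is consistent with `reference "1.3.0";` in the revision block.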
Expand Down Expand Up @@ -233,6 +240,8 @@ revision "2023-06-08" {
description
"MKA interface state grouping";

uses macsec-session-status;

container counters {
description
"MKA interface counters";
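Review bot: The `uses macsec-session-status;` added here puts `status` under the MKA interface state grouping, but the enum descriptions in that grouping (later in this diff) describe MACsec data-plane conditions (frames being encrypted, secure channel and association established) rather than MKA key-agreement conditions; either document in `status` how the MKA-level value is derived from the MKA session (for example, no live peer or no distributed SAK maps to PENDING) or keep the leaf only under the MACsec interface state and give MKA its own session-status enum.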
Expand Down Expand Up @@ -294,6 +303,27 @@ revision "2023-06-08" {
}
}

grouping macsec-session-status {
description
"Media Access Control Security (MACsec) status grouping";

leaf status {
Contributor: Lint: Needs a description.

type enumeration {
enum ACTIVE {
description "MACSec is operational and encrypting/decrypting frames
on the interface.";
}
enum INACTIVE {
description "MACSec is disabled on the interface.";
}
enum PENDING {
description "MACSec is enabled, but the secure channel and
association are not yet established.";
}
}
}
}

grouping macsec-scsa-tx-interface-state {
description
"State leaves assigned with the TX Secure Channel and Secure
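Review bot: `leaf status` has no `description` statement (the lint comment already flags it); a short description should say that this is operational state and which enum value applies when MACsec is not configured at all, since INACTIVE is currently defined as "disabled on the interface". Also spell "MACsec" consistently: the module description and the grouping description use "MACsec", while the three enum descriptions use "MACSec".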
Expand Down Expand Up @@ -564,6 +594,7 @@ revision "2023-06-08" {
"Operational state data ";

uses macsec-interface-config;
uses macsec-session-status;

container counters {
description
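Review bot: This is the second `uses macsec-session-status;` in the change (the first is in the MKA interface state grouping), so `status` will be exposed at two paths with the same enumeration; the leaf description should state whether the two values can differ and, if they cannot, one of the two `uses` statements should be dropped so clients do not have to reconcile duplicate state.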
Expand Down Expand Up @@ -657,6 +688,22 @@ revision "2023-06-08" {
"Rekey on peer loss";
}

leaf security-policy {
We will not have a default value?

type enumeration {
enum SHOULD_SECURE {
description "Encrypted and un-encrypted frames will be
Contributor: Traffic unprotected allow in Arista allows encrypted traffic only when there is no successful MKA session on the port. It will be good to be clear in the description about it.

processed.";
}
enum MUST_SECURE {
description "Only encrypted frames will be processed.
Contributor: In Arista, our default traffic policy is traffic unprotected allow active-sak which means if there is any negotiated SAK, then it will continue to use that otherwise it will block the port. This means as soon as the mac security profile is configured on the port, since there is no SAK, unencrypted traffic won't be allowed however once we have a SAK negotiated, even if the MKA session goes down subsequently, it will continue to get used.

I propose to add another enum, maybe OPERATIONAL_SECURE to convey the same.

Unencrypted frames will be dropped.";
}
}
description
"List of options for how to handle unencrypted frames on an interface configured
to use MACSec.";
}

leaf use-updated-eth-header {
type boolean;
default "false";
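Review bot: `leaf security-policy` has no `default`, so a configuration that omits it has no defined behaviour; because this leaf decides whether unencrypted frames are accepted, suggest `default MUST_SECURE;` (fail closed) or at minimum stating in the description what an absent leaf means. The `description` text "List of options for how to handle unencrypted frames" describes the enumeration, not the leaf; suggest "Policy for handling unencrypted frames on an interface configured for MACsec." The `SHOULD_SECURE` description should state the condition under which unencrypted frames are accepted (the inline comment notes that on Arista this applies only while no MKA session is established), and `MUST_SECURE` should say whether frames are dropped before the first SAK is negotiated; also use "unencrypted" consistently ("un-encrypted" in SHOULD_SECURE, "Unencrypted" in MUST_SECURE) and "MACsec" rather than "MACSec" in the leaf description.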