Create MACsec-encrypted Ethernet links automatically and transparently with minimal interaction. Intended to run between two Raspberry Pis but should work on any OS which supports MACsec.
Aiming to be an open-source, cheap-hardware, high-security, easy-to-use bump-in-the-wire solution.
- Clone this repository
- Start master instance
- Start slave instance
- Confirm hash match on both devices
```
git clone [email protected]:ali-raheem/PiSec.git --depth=1
master# bash sync.sh -m
slave# bash sync.sh
```
If you don't want to run the script in a root shell, use `sudo`.
You need to confirm the public key hashes on both devices with `y` when prompted.
Running the script again will prompt you to reuse the last config or start fresh. Start fresh if there was an error previously.
The link will then automatically be set up.
If you want to re-establish the link without user input or changing the keys, then just run `scripts/macsec.sh` on startup.
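As an added illustration (not PiSec's own code, and not the contents of `scripts/macsec.sh`), this Python example shows what a static-key MACsec link looks like in iproute2 terms once both devices hold the same shared secret. The HMAC-SHA256 key derivation and its labels, the interface names, the MAC addresses and the secret value are all assumptions or constructed sample values.

```python
import hashlib
import hmac
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)

def direction_key(shared_secret: bytes, label: bytes) -> str:
    """Derive a 128-bit key (hex) for one direction; HMAC-SHA256 as KDF is an assumption."""
    return hmac.new(shared_secret, label, hashlib.sha256).digest()[:16].hex()

def macsec_commands(role, shared_secret, peer_mac, dev="eth0", sec_dev="macsec0"):
    """Return the iproute2 commands for one end of a static-key MACsec link."""
    if role not in ("master", "slave"):
        raise ValueError("role must be 'master' or 'slave'")
    if not MAC_RE.fullmatch(peer_mac):
        raise ValueError("peer_mac is not a MAC address")  # it ends up in a root command
    m2s = direction_key(shared_secret, b"master->slave")
    s2m = direction_key(shared_secret, b"slave->master")
    # Each side transmits with one key and receives with the other.
    tx_key, rx_key = (m2s, s2m) if role == "master" else (s2m, m2s)
    tx_id, rx_id = ("01", "02") if role == "master" else ("02", "01")
    return [
        f"ip link add link {dev} {sec_dev} type macsec encrypt on",
        # pn 1 starts the packet counter. The GCM nonce is built from the sender's
        # SCI and this counter, so a key that has carried traffic must not restart at 1.
        f"ip macsec add {sec_dev} tx sa 0 pn 1 on key {tx_id} {tx_key}",
        f"ip macsec add {sec_dev} rx port 1 address {peer_mac}",
        f"ip macsec add {sec_dev} rx port 1 address {peer_mac} sa 0 pn 1 on key {rx_id} {rx_key}",
        f"ip link set {sec_dev} up",
    ]

if __name__ == "__main__":
    # Constructed sample values, not output from a real key exchange.
    secret = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    peers = (("master", "02:00:00:00:00:02"), ("slave", "02:00:00:00:00:01"))
    for role, peer in peers:
        print(f"# {role}")
        print("\n".join(macsec_commands(role, secret, peer)))
```

The function only builds the command strings; running them requires root and a kernel with the macsec module loaded.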
- MACsec (in Linux kernel >= 4.6)
- Flask (and Python3)
- openssl
- iproute2
- use dhcpd?
- use iptables to forward/NAT traffic to allow bridging?
- IPv6?
- Use SPI screen and buttons on Raspberry Pi
- For Raspberry Pi (at least) you will need to compile the macsec module. It's easy, just make sure to enable macsec as a module in .config (uncomment `macsec m`).
- There will be a performance hit: on my ancient laptop, 950 mbps without macsec, 850 mbps with macsec. On RPi1, 60 mbps to 12 mbps, testing with iperf3.
- Currently using brainpoolP512t1, maybe there is something better? Should be hashing params file? Or just using a named curve?