From 85f357e88a7738de8594e7fff36571912c2018ad Mon Sep 17 00:00:00 2001
From: mssonicbld <79238446+mssonicbld@users.noreply.github.com>
Date: Sat, 9 Sep 2023 00:51:56 +0800
Subject: [PATCH 1/4] [submodule] Update submodule sonic-swss to the latest HEAD automatically (#16455)

src/sonic-swss
* 33d81e7f - (HEAD -> 202205, origin/202205) Support type7 encoded CAK key for macsec in config_db (#2892) (2 days ago) [judyjoseph]
---
 src/sonic-swss | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sonic-swss b/src/sonic-swss
index d787d50d9fcb..33d81e7feaeb 160000
--- a/src/sonic-swss
+++ b/src/sonic-swss
@@ -1 +1 @@
-Subproject commit d787d50d9fcbb050c6a87a40faede655f7e95f0e
+Subproject commit 33d81e7feaeb8e016d3a4cb3434da8d5506dc3a4

From 32f23dd7860f062dc1c8138a9cba440432f9e376 Mon Sep 17 00:00:00 2001
From: mssonicbld <79238446+mssonicbld@users.noreply.github.com>
Date: Sat, 9 Sep 2023 06:23:49 +0800
Subject: [PATCH 2/4] Update macsec CAK keys in profile for tests to change to type7 encoded format (#16388) (#16499)

---
 .../cli-plugin-tests/config_db.json | 2 +-
 .../cli-plugin-tests/test_config_macsec.py | 10 ++++-----
 .../cli/config/plugins/macsec.py | 8 +++----
 .../tests/macsec_profile.json | 8 +++----
 .../tests/files/sample_config_db.json | 4 ++--
 .../yang_model_tests/tests_config/macsec.json | 22 +++++++++----------
 .../yang-models/sonic-macsec.yang | 8 ++-----
 7 files changed, 29 insertions(+), 33 deletions(-)

diff --git a/dockers/docker-macsec/cli-plugin-tests/config_db.json b/dockers/docker-macsec/cli-plugin-tests/config_db.json
index 8c6b6893e560..9f4c266d4284 100644
--- a/dockers/docker-macsec/cli-plugin-tests/config_db.json
+++ b/dockers/docker-macsec/cli-plugin-tests/config_db.json
@@ -2,7 +2,7 @@
 "MACSEC_PROFILE|macsec_profile": {
 "cipher_suite": "GCM-AES-XPN-256",
 "policy": "security",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
 "priority": "0",
 "rekey_period": "900",
diff --git a/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py b/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py
index 45ab80c7ed12..3a279bd61272 100644
--- a/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py
+++ b/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py
@@ -8,7 +8,7 @@
 profile_name = "test"
-primary_cak = "01234567890123456789012345678912"
+primary_cak = "2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541"
 primary_ckn = "01234567890123456789012345678912"
@@ -48,7 +48,7 @@ def test_macsec_valid_profile(self, mock_cfgdb):
 profile_name = "test"
 profile_map = {
- "primary_cak": "0123456789012345678901234567891201234567890123456789012345678912",
+ "primary_cak": "3946080a0407070303530256560a04504650530352565e731f1a5c4f524f4b5a5e547b79777c6663754b5e465253050d0d0503565a48470b0b030604020c520a54",
 "primary_ckn": "01234567890123456789012345678912",
 "priority": 64,
 "cipher_suite": "GCM-AES-XPN-256",
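Review bot: The new fixture `primary_cak = "2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541"` is an opaque 66-character hex string with nothing saying what it is or how it was produced, and the same holds for the 130-character value in the `@@ -48` hunk and the value repeated inline in the `@@ -109` and `@@ -141` hunks, so whoever next rotates the test key material cannot regenerate them. A one-line comment above the module-level assignment would close that gap, e.g. `# type7-encoded CAK fixture (66 hex chars for a 128-bit suite, 130 for 256-bit; see cli/config/plugins/macsec.py) - regenerate with the same encoder if changed`. Reusing this module-level `primary_cak` in the `@@ -109` and `@@ -141` hunks instead of pasting the blob three more times would also keep the fixtures in one place. These assignments sit at module level, outside any function.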
@@ -109,7 +109,7 @@ def test_macsec_port(self, mock_cfgdb):
 runner = CliRunner()
 result = runner.invoke(macsec.macsec, ["profile", "add", "test",
- "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"],
+ "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"],
 obj=cfgdb)
 assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
 result = runner.invoke(macsec.macsec, ["port", "add", "Ethernet0", "test"], obj=cfgdb)
@@ -141,8 +141,8 @@ def test_macsec_invalid_operation(self, mock_cfgdb):
 result = runner.invoke(macsec.macsec, ["profile", "del", "test"], obj=cfgdb)
 assert result.exit_code != 0
- result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
+ result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
 assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
 # Repeat add profile
- result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
+ result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
 assert result.exit_code != 0
diff --git a/dockers/docker-macsec/cli/config/plugins/macsec.py b/dockers/docker-macsec/cli/config/plugins/macsec.py
index 1b820dfd0e99..9f5ac5bd7bc4 100644
--- a/dockers/docker-macsec/cli/config/plugins/macsec.py
+++ b/dockers/docker-macsec/cli/config/plugins/macsec.py
@@ -137,11 +137,11 @@ def add_profile(profile, priority, cipher_suite, primary_cak, primary_ckn, polic
 profile_table["cipher_suite"] = cipher_suite
 if "128" in cipher_suite:
- if len(primary_cak) != 32:
- ctx.fail("Expect the length of CAK is 32, but got {}".format(len(primary_cak)))
+ if len(primary_cak) != 66:
+ ctx.fail("Expect the length of CAK is 66, but got {}".format(len(primary_cak)))
 elif "256" in cipher_suite:
- if len(primary_cak) != 64:
- ctx.fail("Expect the length of CAK is 64, but got {}".format(len(primary_cak)))
+ if len(primary_cak) != 130:
+ ctx.fail("Expect the length of CAK is 130, but got {}".format(len(primary_cak)))
 if not is_hexstring(primary_cak):
 ctx.fail("Expect the primary_cak is valid hex string")
 if not is_hexstring(primary_ckn):
diff --git a/src/sonic-config-engine/tests/macsec_profile.json b/src/sonic-config-engine/tests/macsec_profile.json
index b70f1a052128..87e633e49b9d 100644
--- a/src/sonic-config-engine/tests/macsec_profile.json
+++ b/src/sonic-config-engine/tests/macsec_profile.json
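Review bot: The new messages `"Expect the length of CAK is 66, but got {}"` and `"Expect the length of CAK is 130, but got {}"` will read as wrong to an operator who still types a raw 32- or 64-hex-character CAK, because 66 and 130 are the lengths of the type7-encoded form rather than of the key, and nothing in this function says that an encoding step is now required. Name the encoding in the message and hoist the two lengths to module constants so the numbers and their meaning live in one place, e.g. `TYPE7_CAK_LEN_128 = 66` and `TYPE7_CAK_LEN_256 = 130` at module level, then `ctx.fail("Expect the length of the type7-encoded CAK is {}, but got {}".format(TYPE7_CAK_LEN_128, len(primary_cak)))` here and the 256 counterpart below it. Note that `is_hexstring` on the following lines is now applied to the encoded string, so an encoding that is well-formed but of the wrong length is reported as a length error rather than an encoding error; a one-line comment, `# primary_cak is the type7-encoded CAK, so the length and hex checks apply to the encoded form`, would make that intentional. add_profile starts and ends outside the hunk.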
@@ -2,18 +2,18 @@
 "MACSEC_PROFILE":{
 "macsec-profile": {
 "cipher_suite": "GCM-AES-XPN-256",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
- "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+ "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
 "priority": "0",
 "rekey_period": "60"
 },
 "macsec-profile2": {
 "cipher_suite": "GCM-AES-XPN-256",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
- "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+ "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
 "priority": "0",
 "rekey_period": "60"
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
index c9237f8f19e6..b2faa0d51cbb 100644
--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -1923,9 +1923,9 @@
 "test": {
 "priority": "64",
 "cipher_suite": "GCM-AES-128",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "00000000000000000000000000000000",
+ "fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "11111111111111111111111111111111",
 "policy": "security",
 "enable_replay_protect": "true",
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json
index cfd7c512a67a..5c748606eed9 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json
@@ -7,9 +7,9 @@
 "name": "test32",
 "priority": 64,
 "cipher_suite": "GCM-AES-128",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "00000000000000000000000000000000",
+ "fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "11111111111111111111111111111111",
 "policy": "security",
 "enable_replay_protect": "true",
@@ -21,9 +21,9 @@
 "name": "test64",
 "priority": 64,
 "cipher_suite": "GCM-AES-XPN-256",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+ "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
 "policy": "security",
 "enable_replay_protect": "true",
@@ -61,7 +61,7 @@
 {
 "name": "test",
 "cipher_suite": "gcm-aes-128",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70"
 }
 ]
@@ -74,9 +74,9 @@
 "MACSEC_PROFILE_LIST": [
 {
 "name": "test",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "fallback_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "fallback_ckn": "6162636465666768696A6B6C6D6E6F70"
 }
 ]
@@ -89,7 +89,7 @@
 "MACSEC_PROFILE_LIST": [
 {
 "name": "test",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEFA",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d7",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70A"
 }
 ]
@@ -115,9 +115,9 @@
 "MACSEC_PROFILE_LIST": [
 {
 "name": "test",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+ "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111"
 }
 ]
@@ -130,7 +130,7 @@
 "MACSEC_PROFILE_LIST": [
 {
 "name": "test",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
 "replay_window": 64
 }
diff --git a/src/sonic-yang-models/yang-models/sonic-macsec.yang b/src/sonic-yang-models/yang-models/sonic-macsec.yang
index 4e3412f86a3d..f4ce318822bf 100644
--- a/src/sonic-yang-models/yang-models/sonic-macsec.yang
+++ b/src/sonic-yang-models/yang-models/sonic-macsec.yang
@@ -46,7 +46,7 @@ module sonic-macsec {
 leaf primary_cak {
 type string {
- pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+ pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}";
 }
 mandatory true;
 }
@@ -60,7 +60,7 @@ module sonic-macsec {
 leaf fallback_cak {
 type string {
- pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+ pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}";
 }
 }
@@ -70,10 +70,6 @@ module sonic-macsec {
 }
 }
- must "string-length(primary_cak) = string-length(primary_ckn)";
-
- must "string-length(fallback_cak) = string-length(fallback_ckn)";
-
 must "string-length(fallback_cak) = string-length(primary_cak)";
 must "primary_ckn != fallback_ckn";

From 91382fe31ccefc75fec6109a211f5ddc34370923 Mon Sep 17 00:00:00 2001
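Review bot: The new pattern `"[0-9a-fA-F]{66}|[0-9a-fA-F]{130}"` in the `@@ -46` and `@@ -60` hunks encodes the move to type7-encoded CAKs without saying so, and neither `primary_cak` nor `fallback_cak` carries a `description`, so a reader of the model cannot tell why a 32- or 64-character CAK is now rejected or what the two lengths correspond to. Add a `description` to both leaves, e.g. `description "CAK in type7-encoded form: 66 hex characters for a 128-bit cipher suite, 130 for a 256-bit one.";`, which matches the lengths the CLI check in cli/config/plugins/macsec.py enforces. The `@@ -70` hunk drops the two CAK/CKN equal-length musts, presumably because the encoded CAK no longer has the CKN's length, and keeps `string-length(fallback_cak) = string-length(primary_cak)`, which still holds; be aware that neither the patterns nor the remaining musts tie the CAK length to `cipher_suite`, so that consistency rests on the CLI alone. The `container`/`list` enclosing these statements begins outside the hunks.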
From: mssonicbld <79238446+mssonicbld@users.noreply.github.com>
Date: Sat, 9 Sep 2023 09:03:31 +0800
Subject: [PATCH 3/4] [Nokia][sonic-platform] Update Nokia sonic-platform submodule (#16348) (#16503)

---
 platform/broadcom/sonic-platform-modules-nokia | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/platform/broadcom/sonic-platform-modules-nokia b/platform/broadcom/sonic-platform-modules-nokia
index c976714e3f39..af640254883f 160000
--- a/platform/broadcom/sonic-platform-modules-nokia
+++ b/platform/broadcom/sonic-platform-modules-nokia
@@ -1 +1 @@
-Subproject commit c976714e3f39fc22b5c616ae0f4aadbd2bd4360f
+Subproject commit af640254883fd39489e32cc1a13908d82da3833a

From 2b302e83c0fc00cb2209c2aa888076da5dc5e77f Mon Sep 17 00:00:00 2001
From: anamehra <54692434+anamehra@users.noreply.github.com>
Date: Fri, 1 Sep 2023 11:41:46 -0700
Subject: [PATCH 4/4] chassis-packet: Update arp_update script for FAILED and STALE check (#16311)

chassis-packet: Update arp_update script for FAILED and STALE check (#16311)

1. Fixing an issue with FAILED entry resolution retry. Neighbor entries in arp table may sometimes enter a FAILED state when the far end is down and reports the state as follows:
2603:10e2:400:3::1 dev PortChannel19 router FAILED
While the arp_update script handles the entries for FAILED in the following format, the above was not handled due to the token location (extra router keyword at index 4):
2603:10e2:400:3::1 dev PortChannel19 FAILED
The former format may appear if an arp resolution is tried on a link that is known but the far end goes down, e.g., pinging a STALE entry while the far end is down.

2. Refreshing STALE entries to make sure the far end is reachable. STALE entries for some backend ports may appear in chassis-packet when no traffic is received for a while on the port. When the far end goes down, it is expected for BFD to stop sending packets on the session for which the far end is not reachable. But as the entry is known as stale, on the Cisco chassis, BFD keeps sending packets. Refreshing the stale entry will keep active links as reachable in the neighbor table while the entries for the far end down will enter a failed state. FAILED state entries will be retired and entered reachable when far end comes back up.
---
 files/scripts/arp_update | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/files/scripts/arp_update b/files/scripts/arp_update
index f267e05a54cc..14a82ebe4da3 100755
--- a/files/scripts/arp_update
+++ b/files/scripts/arp_update
@@ -25,29 +25,35 @@ while /bin/true; do
 for i in ${!STATIC_ROUTE_NEXTHOPS[@]}; do
 nexthop="${STATIC_ROUTE_NEXTHOPS[i]}"
 if [[ $nexthop == *"."* ]]; then
- neigh_state=( $(ip -4 neigh show | grep -w $nexthop | tr -s ' ' | cut -d ' ' -f 3,4) )
+ neigh_state=$(ip -4 neigh show | grep -w $nexthop | tr -s ' ')
 ping_prefix=ping
 elif [[ $nexthop == *":"* ]] ; then
- neigh_state=( $(ip -6 neigh show | grep -w $nexthop | tr -s ' ' | cut -d ' ' -f 3,4) )
+ neigh_state=$(ip -6 neigh show | grep -w $nexthop | tr -s ' ')
 ping_prefix=ping6
 fi
- if [[ -z "${neigh_state}" ]] || [[ "${neigh_state[1]}" == "INCOMPLETE" ]] || [[ "${neigh_state[1]}" == "FAILED" ]]; then
+ # Check if there is an INCOMPLETE, FAILED, or STALE entry and try to resolve it again. # STALE entries may be present if there is no traffic on a path. A far-end down event may not # clear the STALE entry. Refresh the STALE entry to clear the table.
+ if [[ -z "${neigh_state}" ]] || [[ -n $(echo ${neigh_state} | grep 'INCOMPLETE\|FAILED\|STALE') ]]; then
 interface="${STATIC_ROUTE_IFNAMES[i]}"
 if [[ -z "$interface" ]]; then
 # should never be here, handling just in case
 logger "ERR: arp_update: missing interface entry for static route $nexthop"
- interface=${neigh_state[0]}
+ continue
 fi
 intf_up=$(ip link show $interface | grep "state UP")
 if [[ -n "$intf_up" ]]; then
 pingcmd="timeout 0.2 $ping_prefix -I ${interface} -n -q -i 0 -c 1 -W 1 $nexthop >/dev/null"
 eval $pingcmd
- logger "arp_update: static route nexthop not resolved, pinging $nexthop on ${neigh_state[0]}"
+ # STALE entries may appear more often, not logging to prevent periodic syslogs
+ if [[ -z $(echo ${neigh_state} | grep 'STALE') ]]; then
+ logger "arp_update: static route nexthop not resolved ($neigh_state), pinging $nexthop on $interface"
+ fi
 fi
 fi
 done
- sleep 300
+ sleep 150
 continue
 fi
 # find L3 interfaces which are UP, send ipv6 multicast pings
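Review bot: The new state test `[[ -n $(echo ${neigh_state} | grep 'INCOMPLETE\|FAILED\|STALE') ]]` and the later `[[ -z $(echo ${neigh_state} | grep 'STALE') ]]` each fork two processes per nexthop on every pass, and because `${neigh_state}` is unquoted inside `echo`, a multi-line result from `grep -w` (the same address present on more than one device) is flattened onto one line before being matched, which also means a stale entry on one device hides a reachable one on another. Both tests can be done in-process on the quoted value with bash's regex match, `if [[ -z "$neigh_state" ]] || [[ "$neigh_state" =~ (INCOMPLETE|FAILED|STALE) ]]; then` and `if [[ ! "$neigh_state" =~ STALE ]]; then`, which keeps the per-line structure intact and removes the subshells. `sleep 150` halves the previous interval without saying why; a one-line comment giving the reason would help the next reader. The `while /bin/true` loop and the `if` block that the `continue` and closing `fi` belong to start and end outside the hunk.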