flync_4_security

MACsec Configuration

Expand for Schematic

        classDiagram

    class IntegrityWithoutConfidentiality {
        type: Literal['integrity_without_confidentiality'] = 'integrity_without_confidentiality'
        offset_preference: Literal[0] | None = 0
    }

    class MACsecConfig {
        vlan_bypass: list[int]
        mka_enabled: bool | None = True
        hello_time: int
        bounded_hello_time: int
        life_time: int
        sak_retire_time: int
        hello_time_rampup: list[int] = []
        sak_rekey_time: int | None = 3
        macsec_mode: Literal['disabled', 'integrity', 'integrity_confidentiality']
        kay_on: bool
        key_role: Literal['key_server_always', 'key_server_never']
        delay_protect: bool
        participant_activation: Literal['disabled', 'onoperup', 'always']
        sci_included: bool | None = False
        cipher_preference: list[IntegrityWithoutConfidentiality | IntegrityWithConfidentiality] = <lambda>
    }

    class FLYNCBaseModel {
    }

    class IntegrityWithConfidentiality {
        type: Literal['integrity_with_confidentiality'] = 'integrity_with_confidentiality'
        offset_preference: Literal[0, 30, 50] | None = 0
    }

    MACsecConfig ..> IntegrityWithoutConfidentiality
    MACsecConfig ..> IntegrityWithConfidentiality


    

Hint

Find a YAML example for MACsec inside the Controller example (key macsec_config).

class MACsecConfig

Bases: FLYNCBaseModel

Configuration for MACsec (Media Access Control Security).

Includes global MKA (MACsec Key Agreement) settings and per-port security configuration.

Parameters

vlan_bypasslist of int

VLANs which shall not be protected with MACsec.

mka_enabledbool

Whether MACsec Key Agreement (MKA) is enabled. Default is True.

hello_timeint

MKPDU period when a connection is established, applicable when delay_protect is disabled (milliseconds).

bounded_hello_timeint

Hello time applicable with delay_protect enabled (milliseconds).

life_timeint

Life time for a peer to transmit MKPDU’s in order to consider it alive (milliseconds).

sak_retire_timeint

During a key rotation, time to retire the previous SAK key (milliseconds).

hello_time_rampuplist of int

Periods between initial MKA messages after linkup (milliseconds).

sak_rekey_timeint

Minimum interval (in seconds) before rekeying the SAK.

macsec_modeLiteral[“disabled”, “integrity”, “integrity_confidentiality”]

MACsec operation mode. Options include disabled, integrity-only, and full encryption.

kay_onbool

Whether to activate the KaY (Key Agreement Entity) module. When disabled, MACsec is not negotiated.

key_roleLiteral[“key_server_always”, “key_server_never”]

Role of the device in key negotiation.

delay_protectbool

When enabled, performs frequent updates of the packet number on the receiving side to prevent attackers from delaying MACsec frames.

participant_activationLiteral[“disabled”, “onoperup”, “always”]

Strategy for participant activation.

sci_includedbool

Whether to include the Secure Channel Identifier (SCI) in MACsec frames.

cipher_preferencelist of DiscriminatedCipher

List of preferred ciphers to negotiate, ordered by priority. Defaults to using integrity-only without confidentiality.

class IntegrityWithoutConfidentiality

Bases: FLYNCBaseModel

Cipher configuration representing integrity protection without confidentiality.

This configuration supports authentication and integrity checks but does not encrypt the data.

Parameters

typeLiteral[“integrity_without_confidentiality”]

Identifier for the cipher type. Always "integrity_without_confidentiality".

offset_preferenceLiteral[0]

Preference for offset timing. Always 0 for this cipher.

class IntegrityWithConfidentiality

Bases: FLYNCBaseModel

Cipher configuration representing both integrity protection and confidentiality.

This configuration includes both encryption and authentication features.

Parameters

typeLiteral[“integrity_with_confidentiality”]

Identifier for the cipher type. Always "integrity_with_confidentiality".

offset_preferenceLiteral[0, 30, 50]

Offset timing preference for transmission (in nanoseconds). Allows choosing between no offset, 30 ns, or 50 ns.

Firewall Configuration

Expand for Schematic

        classDiagram

    class Firewall {
        default_action: Literal['reject', 'accept', 'drop'] | None = 'reject'
        input_rules: list[FirewallRule] | None = []
        output_rules: list[FirewallRule] | None = []
        forward_rules: list[FirewallRule] | None = []
    }

    class FLYNCBaseModel {
    }

    class FirewallRule {
        name: str
        action: Literal['reject', 'accept', 'drop']
        pattern: FrameFilter
    }

    class FrameFilter {
        src_mac: str | MACAddressEntry | list[str | MACAddressEntry] | None = None
        dst_mac: str | MACAddressEntry | list[str | MACAddressEntry] | None = None
        vlan_tagged: bool | None = None
        vlanid: int | ValueRange | list[int | ValueRange] | None = None
        pcp: int | list[int] | None = None
        src_ipv4: IPv4AddressEntry | IPv4Address | list[IPv4AddressEntry | IPv4Address] | None = None
        dst_ipv4: IPv4AddressEntry | IPv4Address | list[IPv4AddressEntry | IPv4Address] | None = None
        src_ipv6: IPv6AddressEntry | IPv6Address | list[IPv6AddressEntry | IPv6Address] | None = None
        dst_ipv6: IPv6AddressEntry | IPv6Address | list[IPv6AddressEntry | IPv6Address] | None = None
        protocol: Literal['tcp'] | Literal['udp'] | None = None
        src_port: int | ValueRange | list[int | ValueRange] | None = None
        dst_port: int | ValueRange | list[int | ValueRange] | None = None
    }

    FrameFilter ..> IPv4AddressEntry
    FrameFilter ..> MACAddressEntry
    FrameFilter ..> IPv6Address
    FrameFilter ..> ValueRange
    FrameFilter ..> IPv6AddressEntry
    FrameFilter ..> IPv4Address
    FirewallRule ..> FrameFilter
    Firewall ..> FirewallRule


    

class Firewall

Bases: FLYNCBaseModel

Represents a set of firewall rules with a default action.

Parameters

default_actionLiteral[‘reject’, ‘accept’, ‘drop’]

The action to apply to packets that do not match any rule. Can be one of 'reject', 'accept', or 'drop'.

ruleslist of FirewallRule

A list of FirewallRule objects that define matching conditions and actions.

class FirewallRule

Bases: FLYNCBaseModel

Defines a single firewall rule for matching and handling frames.

Parameters

namestr

A unique name identifying the rule.

actionLiteral[‘reject’, ‘accept’, ‘drop’]

The action to take when the pattern matches. Can be one of 'reject', 'accept', or 'drop'.

patternFrameFilter

The filter pattern used to match frames for this rule.