<row><entry><varname>l2tp</varname></entry>
<entry>A Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It does not provide any encryption or confidentiality by itself</entry></row>
+ <row><entry><varname>macsec</varname></entry>
+ <entry>Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats.</entry></row>
+
<row><entry><varname>vrf</varname></entry>
<entry>A Virtual Routing and Forwarding (<ulink url="https://www.kernel.org/doc/Documentation/networking/vrf.txt">VRF</ulink>) interface to create separate routing and forwarding domains.</entry></row>
</varlistentry>
</variablelist>
</refsect1>
+ <refsect1>
+ <title>[MACsec] Section Options</title>
+ <para>The <literal>[MACsec]</literal> section only applies for network devices of kind
+ <literal>macsec</literal>, and accepts the following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Port=</varname></term>
+ <listitem>
+ <para>Specifies the port to be used for the MACsec transmit channel. The port is used to make
+ secure channel identifier (SCI). Takes a value between 1 and 65535. Defaults to unset.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Encrypt=</varname></term>
+ <listitem>
+ <para>Takes a boolean. When true, enable encryption. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+ <refsect1>
+ <title>[MACsecReceiveChannel] Section Options</title>
+ <para>The <literal>[MACsecReceiveChannel]</literal> section only applies for network devices of
+ kind <literal>macsec</literal>, and accepts the following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Port=</varname></term>
+ <listitem>
+ <para>Specifies the port to be used for the MACsec receive channel. The port is used to make
+ secure channel identifier (SCI). Takes a value between 1 and 65535. This option is
+ compulsory, and is not set by default.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>MACAddress=</varname></term>
+ <listitem>
+ <para>Specifies the MAC address to be used for the MACsec receive channel. The MAC address
+ used to make secure channel identifier (SCI). This option is compulsory, and is not set by
+ default.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+ <refsect1>
+ <title>[MACsecTransmitAssociation] Section Options</title>
+ <para>The <literal>[MACsecTransmitAssociation]</literal> section only applies for network devices
+ of kind <literal>macsec</literal>, and accepts the following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>PacketNumber=</varname></term>
+ <listitem>
+ <para>Specifies the packet number to be used for replay protection and the construction of
+ the initialization vector (along with the secure channel identifier [SCI]). Takes a value
+ between 1-4,294,967,295. Defaults to unset.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyId=</varname></term>
+ <listitem>
+ <para>Specifies the identification for the key. Takes a number between 0-255. This option
+ is compulsory, and is not set by default.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Key=</varname></term>
+ <listitem>
+ <para>Specifies the encryption key used in the transmission channel. The same key must be
+ configured on the peer’s matching receive channel. This option is compulsory, and is not set
+ by default. Takes a 128-bit key encoded in a hexadecimal string, for example
+ <literal>dffafc8d7b9a43d5b9a3dfbbf6a30c16</literal>.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyFile=</varname></term>
+ <listitem>
+ <para>Takes a absolute path to a file which contains a 128-bit key encoded in a hexadecimal
+ string, which will be used in the transmission channel. When this option is specified,
+ <varname>Key=</varname> is ignored. Note that the file must be readable by the user
+ <literal>systemd-network</literal>, so it should be, e.g., owned by
+ <literal>root:systemd-network</literal> with a <literal>0640</literal> file mode.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Activate=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If enabled, then the security association is activated. Defaults to
+ unset.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>UseForEncoding=</varname></term>
+ <listitem>
+ <para>Takes a boolean. If enabled, then the security association is used for encoding. Only
+ one <literal>[MACsecTransmitAssociation]</literal> section can enable this option. When enabled,
+ <varname>Activate=yes</varname> is implied. Defaults to unset.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+ <refsect1>
+ <title>[MACsecReceiveAssociation] Section Options</title>
+ <para>The <literal>[MACsecReceiveAssociation]</literal> section only applies for
+ network devices of kind <literal>macsec</literal>, and accepts the
+ following keys:</para>
+
+ <variablelist class='network-directives'>
+ <varlistentry>
+ <term><varname>Port=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecReceiveChannel]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>MACAddress=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecReceiveChannel]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>PacketNumber=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyId=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Key=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>KeyFile=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><varname>Activate=</varname></term>
+ <listitem>
+ <para>Accepts the same key in <literal>[MACsecTransmitAssociation]</literal> section.</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
<refsect1>
<title>[Tunnel] Section Options</title>