core,libnm: introduce NMDeviceMacsec

At the moment the device only exposes the current link status, but
cannot create new links.

15 files changed, 1309 insertions, 0 deletions

diff --git a/Makefile.am b/Makefile.am
index 1631c3c957..4ebf7b0bd9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -195,6 +195,8 @@ introspection_sources = \
 	introspection/org.freedesktop.NetworkManager.Device.Infiniband.h \
 	introspection/org.freedesktop.NetworkManager.Device.IPTunnel.c \
 	introspection/org.freedesktop.NetworkManager.Device.IPTunnel.h \
+	introspection/org.freedesktop.NetworkManager.Device.Macsec.c \
+	introspection/org.freedesktop.NetworkManager.Device.Macsec.h \
 	introspection/org.freedesktop.NetworkManager.Device.Macvlan.c \
 	introspection/org.freedesktop.NetworkManager.Device.Macvlan.h \
 	introspection/org.freedesktop.NetworkManager.Device.Modem.c \
@@ -262,6 +264,7 @@ DBUS_INTERFACE_DOCS = \
 	docs/api/dbus-org.freedesktop.NetworkManager.Device.Vxlan.xml \
 	docs/api/dbus-org.freedesktop.NetworkManager.Settings.Connection.xml \
 	docs/api/dbus-org.freedesktop.NetworkManager.Device.Bond.xml \
+	docs/api/dbus-org.freedesktop.NetworkManager.Device.Macsec.xml \
 	docs/api/dbus-org.freedesktop.NetworkManager.Device.Macvlan.xml \
 	docs/api/dbus-org.freedesktop.NetworkManager.PPP.xml \
 	docs/api/dbus-org.freedesktop.NetworkManager.Device.Vlan.xml \
@@ -313,6 +316,7 @@ dbusinterfaces_DATA = \
 	introspection/org.freedesktop.NetworkManager.Device.Generic.xml \
 	introspection/org.freedesktop.NetworkManager.Device.Infiniband.xml \
 	introspection/org.freedesktop.NetworkManager.Device.IPTunnel.xml \
+	introspection/org.freedesktop.NetworkManager.Device.Macsec.xml \
 	introspection/org.freedesktop.NetworkManager.Device.Macvlan.xml \
 	introspection/org.freedesktop.NetworkManager.Device.Modem.xml \
 	introspection/org.freedesktop.NetworkManager.Device.OlpcMesh.xml \
@@ -668,6 +672,7 @@ libnm_lib_h_pub_real = \
 	libnm/nm-device-generic.h \
 	libnm/nm-device-infiniband.h \
 	libnm/nm-device-ip-tunnel.h \
+	libnm/nm-device-macsec.h \
 	libnm/nm-device-macvlan.h \
 	libnm/nm-device-modem.h \
 	libnm/nm-device-olpc-mesh.h \
@@ -717,6 +722,7 @@ libnm_lib_c_real = \
 	libnm/nm-device-generic.c \
 	libnm/nm-device-infiniband.c \
 	libnm/nm-device-ip-tunnel.c \
+	libnm/nm-device-macsec.c \
 	libnm/nm-device-macvlan.c \
 	libnm/nm-device-modem.c \
 	libnm/nm-device-olpc-mesh.c \
@@ -1291,6 +1297,8 @@ src_libNetworkManager_la_SOURCES = \
 	src/devices/nm-device-infiniband.h \
 	src/devices/nm-device-ip-tunnel.c \
 	src/devices/nm-device-ip-tunnel.h \
+	src/devices/nm-device-macsec.c \
+	src/devices/nm-device-macsec.h \
 	src/devices/nm-device-macvlan.c \
 	src/devices/nm-device-macvlan.h \
 	src/devices/nm-device-tun.c \
diff --git a/docs/api/Makefile.am b/docs/api/Makefile.am
index 18cb167dc7..bb54fb35ea 100644
--- a/docs/api/Makefile.am
+++ b/docs/api/Makefile.am
@@ -55,6 +55,7 @@ content_files = \
 	dbus-org.freedesktop.NetworkManager.Settings.Connection.xml \
 	dbus-org.freedesktop.NetworkManager.Device.Bond.xml \
 	dbus-org.freedesktop.NetworkManager.Device.Macvlan.xml \
+	dbus-org.freedesktop.NetworkManager.Device.Macsec.xml \
 	dbus-org.freedesktop.NetworkManager.PPP.xml \
 	dbus-org.freedesktop.NetworkManager.Device.Vlan.xml \
 	dbus-org.freedesktop.NetworkManager.Device.Adsl.xml \
diff --git a/docs/api/network-manager-docs.xml b/docs/api/network-manager-docs.xml
index 51ac3d1483..45164ce068 100644
--- a/docs/api/network-manager-docs.xml
+++ b/docs/api/network-manager-docs.xml
@@ -82,6 +82,7 @@
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Generic.xml"/>
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Infiniband.xml"/>
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.IPTunnel.xml"/>
+      <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Macsec.xml"/>
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Macvlan.xml"/>
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.Modem.xml"/>
       <xi:include href="dbus-org.freedesktop.NetworkManager.Device.OlpcMesh.xml"/>
diff --git a/introspection/org.freedesktop.NetworkManager.Device.Macsec.xml b/introspection/org.freedesktop.NetworkManager.Device.Macsec.xml
new file mode 100644
index 0000000000..e67f937cbb
--- /dev/null
+++ b/introspection/org.freedesktop.NetworkManager.Device.Macsec.xml
@@ -0,0 +1,113 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<node name="/">
+  <interface name="org.freedesktop.NetworkManager.Device.Macsec">
+
+    <!--
+        Parent:
+
+        The object path of the parent device.
+    -->
+    <property name="Parent" type="o" access="read"/>
+
+    <!--
+        Sci:
+
+        The Secure Channel Identifier in use.
+    -->
+    <property name="Sci" type="t" access="read"/>
+
+    <!--
+        IcvLength:
+
+        The length of ICV (Integrity Check Value).
+    -->
+    <property name="IcvLength" type="y" access="read"/>
+
+    <!--
+        CipherSuite:
+
+        The set of cryptographic algorithms in use
+        (e.g. 0x0080020001000001 for GCM-AES-128).
+    -->
+    <property name="CipherSuite" type="t" access="read"/>
+
+    <!--
+        Window:
+
+        The size of the replay window.
+    -->
+    <property name="Window" type="u" access="read"/>
+
+    <!--
+        EncodingSa:
+
+        The value of the Association Number (0..3) for the Security
+        Association in use.
+    -->
+    <property name="EncodingSa" type="y" access="read"/>
+
+    <!--
+        Validation:
+
+        The validation mode for incoming packets (strict, check,
+        disabled).
+    -->
+    <property name="Validation" type="s" access="read"/>
+
+    <!--
+        Encrypt:
+
+        Whether encryption of transmitted frames is enabled.
+    -->
+    <property name="Encrypt" type="b" access="read"/>
+
+    <!--
+        Protect:
+
+        Whether protection of transmitted frames is enabled.
+    -->
+    <property name="Protect" type="b" access="read"/>
+
+    <!--
+        IncludeSci:
+
+        Whether the SCI is always included in SecTAG for transmitted
+        frames.
+
+    -->
+    <property name="IncludeSci" type="b" access="read"/>
+
+    <!--
+        Es:
+
+        Whether the ES (End station) bit is enabled in SecTAG for
+        transmitted frames.
+    -->
+    <property name="Es" type="b" access="read"/>
+
+    <!--
+        Scb:
+
+        Whether the SCB (Single Copy Broadcast) bit is enabled in
+        SecTAG for transmitted frames.
+    -->
+    <property name="Scb" type="b" access="read"/>
+
+    <!--
+        ReplayProtect:
+
+        Whether replay protection is enabled.
+    -->
+    <property name="ReplayProtect" type="b" access="read"/>
+
+    <!--
+        PropertiesChanged:
+        @properties: A dictionary mapping property names to variant boxed values
+
+        DEPRECATED. Use the standard "PropertiesChanged" signal from "org.freedesktop.DBus.Properties" instead which exists since version NetworkManager 1.2.0.
+    -->
+    <signal name="PropertiesChanged">
+      <arg name="properties" type="a{sv}"/>
+    </signal>
+  </interface>
+</node>
diff --git a/libnm-core/nm-dbus-interface.h b/libnm-core/nm-dbus-interface.h
index 9ad3aad30d..d2d54f69c5 100644
--- a/libnm-core/nm-dbus-interface.h
+++ b/libnm-core/nm-dbus-interface.h
@@ -64,6 +64,7 @@
 #define NM_DBUS_INTERFACE_DEVICE_GENERIC    NM_DBUS_INTERFACE_DEVICE ".Generic"
 #define NM_DBUS_INTERFACE_DEVICE_VETH       NM_DBUS_INTERFACE_DEVICE ".Veth"
 #define NM_DBUS_INTERFACE_DEVICE_TUN        NM_DBUS_INTERFACE_DEVICE ".Tun"
+#define NM_DBUS_INTERFACE_DEVICE_MACSEC     NM_DBUS_INTERFACE_DEVICE ".Macsec"
 #define NM_DBUS_INTERFACE_DEVICE_MACVLAN    NM_DBUS_INTERFACE_DEVICE ".Macvlan"
 #define NM_DBUS_INTERFACE_DEVICE_VXLAN      NM_DBUS_INTERFACE_DEVICE ".Vxlan"
 #define NM_DBUS_INTERFACE_DEVICE_GRE        NM_DBUS_INTERFACE_DEVICE ".Gre"
@@ -169,6 +170,7 @@ typedef enum {
  * @NM_DEVICE_TYPE_MACVLAN: a MACVLAN interface
  * @NM_DEVICE_TYPE_VXLAN: a VXLAN interface
  * @NM_DEVICE_TYPE_VETH: a VETH interface
+ * @NM_DEVICE_TYPE_MACSEC: a MACsec interface
  *
  * #NMDeviceType values indicate the type of hardware represented by a
  * device object.
@@ -195,6 +197,7 @@ typedef enum {
 	NM_DEVICE_TYPE_MACVLAN    = 18,
 	NM_DEVICE_TYPE_VXLAN      = 19,
 	NM_DEVICE_TYPE_VETH       = 20,
+	NM_DEVICE_TYPE_MACSEC     = 21,
 } NMDeviceType;
 
 /**
diff --git a/libnm/libnm.ver b/libnm/libnm.ver
index cc39286564..1c58d6c14b 100644
--- a/libnm/libnm.ver
+++ b/libnm/libnm.ver
@@ -1091,6 +1091,20 @@ global:
 	nm_client_get_dns_mode;
 	nm_client_get_dns_rc_manager;
 	nm_connection_get_setting_proxy;
+	nm_device_macsec_get_cipher_suite;
+	nm_device_macsec_get_encoding_sa;
+	nm_device_macsec_get_encrypt;
+	nm_device_macsec_get_es;
+	nm_device_macsec_get_hw_address;
+	nm_device_macsec_get_icv_length;
+	nm_device_macsec_get_include_sci;
+	nm_device_macsec_get_protect;
+	nm_device_macsec_get_replay_protect;
+	nm_device_macsec_get_scb;
+	nm_device_macsec_get_sci;
+	nm_device_macsec_get_type;
+	nm_device_macsec_get_validation;
+	nm_device_macsec_get_window;
 	nm_dns_entry_get_domains;
 	nm_dns_entry_get_interface;
 	nm_dns_entry_get_nameservers;
diff --git a/libnm/nm-client.c b/libnm/nm-client.c
index 4b31236e39..63eaa84ce3 100644
--- a/libnm/nm-client.c
+++ b/libnm/nm-client.c
@@ -56,6 +56,7 @@
 #include "nm-device-generic.h"
 #include "nm-device-infiniband.h"
 #include "nm-device-ip-tunnel.h"
+#include "nm-device-macsec.h"
 #include "nm-device-macvlan.h"
 #include "nm-device-modem.h"
 #include "nm-device-olpc-mesh.h"
@@ -2061,6 +2062,8 @@ obj_nm_for_gdbus_object (GDBusObject *object, GDBusObjectManager *object_manager
 			type = NM_TYPE_DEVICE_INFINIBAND;
 		else if (strcmp (ifname, NM_DBUS_INTERFACE_DEVICE_IP_TUNNEL) == 0)
 			type = NM_TYPE_DEVICE_IP_TUNNEL;
+		else if (strcmp (ifname, NM_DBUS_INTERFACE_DEVICE_MACSEC) == 0)
+			type = NM_TYPE_DEVICE_MACSEC;
 		else if (strcmp (ifname, NM_DBUS_INTERFACE_DEVICE_MACVLAN) == 0)
 			type = NM_TYPE_DEVICE_MACVLAN;
 		else if (strcmp (ifname, NM_DBUS_INTERFACE_DEVICE_MODEM) == 0)
diff --git a/libnm/nm-device-macsec.c b/libnm/nm-device-macsec.c
new file mode 100644
index 0000000000..c4762041be
--- /dev/null
+++ b/libnm/nm-device-macsec.c
@@ -0,0 +1,639 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
+/*
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301 USA.
+ *
+ * Copyright 2017 Red Hat, Inc.
+ */
+
+#include "nm-default.h"
+
+#include <string.h>
+
+#include "nm-device-macsec.h"
+#include "nm-device-private.h"
+#include "nm-object-private.h"
+#include "nm-utils.h"
+
+G_DEFINE_TYPE (NMDeviceMacsec, nm_device_macsec, NM_TYPE_DEVICE)
+
+#define NM_DEVICE_MACSEC_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsecPrivate))
+
+typedef struct {
+	NMDevice *parent;
+	char *hw_address;
+	guint64 sci;
+	guint64 cipher_suite;
+	guint8 icv_length;
+	guint32 window;
+	guint8 encoding_sa;
+	gboolean encrypt;
+	gboolean protect;
+	gboolean include_sci;
+	gboolean es;
+	gboolean scb;
+	gboolean replay_protect;
+	char *validation;
+} NMDeviceMacsecPrivate;
+
+NM_GOBJECT_PROPERTIES_DEFINE_BASE (
+	PROP_PARENT,
+	PROP_HW_ADDRESS,
+	PROP_SCI,
+	PROP_CIPHER_SUITE,
+	PROP_ICV_LENGTH,
+	PROP_WINDOW,
+	PROP_ENCODING_SA,
+	PROP_ENCRYPT,
+	PROP_PROTECT,
+	PROP_INCLUDE_SCI,
+	PROP_ES,
+	PROP_SCB,
+	PROP_REPLAY_PROTECT,
+	PROP_VALIDATION,
+);
+
+/**
+ * nm_device_macsec_get_parent:
+ * @device: a #NMDeviceMacsec
+ *
+ * Returns: (transfer none): the device's parent device
+ *
+ * Since: 1.6
+ **/
+NMDevice *
+nm_device_macsec_get_parent (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), NULL);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->parent;
+}
+
+/**
+ * nm_device_macsec_get_hw_address:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets the hardware (MAC) address of the #NMDeviceMacsec
+ *
+ * Returns: the hardware address. This is the internal string used by the
+ * device, and must not be modified.
+ *
+ * Since: 1.6
+ **/
+const char *
+nm_device_macsec_get_hw_address (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), NULL);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->hw_address;
+}
+
+/**
+ * nm_device_macsec_get_sci:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets the Secure Channel Identifier in use
+ *
+ * Returns: the SCI
+ *
+ * Since: 1.6
+ **/
+guint64
+nm_device_macsec_get_sci (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), 0);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->sci;
+}
+
+/**
+ * nm_device_macsec_get_icv_length:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets the length of ICV (Integrity Check Value)
+ *
+ * Returns: the length of ICV
+ *
+ * Since: 1.6
+ **/
+guint8
+nm_device_macsec_get_icv_length (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), 0);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->icv_length;
+}
+
+/**
+ * nm_device_macsec_get_cipher_suite:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets the set of cryptographic algorithms in use
+ *
+ * Returns:
+ *
+ * Since: 1.6
+ **/
+guint64
+nm_device_macsec_get_cipher_suite (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), 0);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->cipher_suite;
+}
+
+/**
+ * nm_device_macsec_get_window:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets the size of the replay window
+ *
+ * Returns: size of the replay window
+ *
+ * Since: 1.6
+ **/
+guint
+nm_device_macsec_get_window (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), 0);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->window;
+}
+
+/**
+ * nm_device_macsec_get_encoding_sa:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets the value of the Association Number (0..3) for the Security
+ * Association in use.
+ *
+ * Returns: the current Security Association
+ *
+ * Since: 1.6
+ **/
+guint8
+nm_device_macsec_get_encoding_sa (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), 0);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->encoding_sa;
+}
+
+/**
+ * nm_device_macsec_get_validation:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets the validation mode for incoming packets (strict, check,
+ * disabled)
+ *
+ * Returns: the validation mode
+ *
+ * Since: 1.6
+ **/
+const char *
+nm_device_macsec_get_validation (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), NULL);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->validation;
+}
+
+/**
+ * nm_device_macsec_get_encrypt:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets whether encryption of transmitted frames is enabled
+ *
+ * Returns: whether encryption is enabled
+ *
+ * Since: 1.6
+ **/
+gboolean
+nm_device_macsec_get_encrypt (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->encrypt;
+}
+
+/**
+ * nm_device_macsec_get_protect:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets whether protection of transmitted frames is enabled
+ *
+ * Returns: whether protection is enabled
+ *
+ * Since: 1.6
+ **/
+gboolean
+nm_device_macsec_get_protect (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->protect;
+}
+
+/**
+ * nm_device_macsec_get_include_sci:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets whether the SCI is always included in SecTAG for transmitted
+ * frames
+ *
+ * Returns: whether the SCI is always included
+ *
+ * Since: 1.6
+ **/
+gboolean
+nm_device_macsec_get_include_sci (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->include_sci;
+}
+
+/**
+ * nm_device_macsec_get_es:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets whether the ES (End station) bit is enabled in SecTAG for
+ * transmitted frames
+ *
+ * Returns: whether the ES (End station) bit is enabled
+ *
+ * Since: 1.6
+ **/
+gboolean
+nm_device_macsec_get_es (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->es;
+}
+
+/**
+ * nm_device_macsec_get_scb:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets whether the SCB (Single Copy Broadcast) bit is enabled in
+ * SecTAG for transmitted frames
+ *
+ * Returns: whether the SCB (Single Copy Broadcast) bit is enabled
+ *
+ * Since: 1.6
+ **/
+gboolean
+nm_device_macsec_get_scb (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->scb;
+}
+
+/**
+ * nm_device_macsec_get_replay_protect:
+ * @device: a #NMDeviceMacsec
+ *
+ * Gets whether replay protection is enabled
+ *
+ * Returns: whether replay protection is enabled
+ *
+ * Since: 1.6
+ **/
+gboolean
+nm_device_macsec_get_replay_protect (NMDeviceMacsec *device)
+{
+	g_return_val_if_fail (NM_IS_DEVICE_MACSEC (device), FALSE);
+
+	return NM_DEVICE_MACSEC_GET_PRIVATE (device)->replay_protect;
+}
+
+static const char *
+get_hw_address (NMDevice *device)
+{
+	return nm_device_macsec_get_hw_address (NM_DEVICE_MACSEC (device));
+}
+
+/***********************************************************/
+
+static void
+nm_device_macsec_init (NMDeviceMacsec *device)
+{
+}
+
+static void
+init_dbus (NMObject *object)
+{
+	NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (object);
+	const NMPropertiesInfo property_info[] = {
+		{ NM_DEVICE_MACSEC_PARENT,         &priv->parent, NULL, NM_TYPE_DEVICE },
+		{ NM_DEVICE_MACSEC_HW_ADDRESS,     &priv->hw_address },
+		{ NM_DEVICE_MACSEC_SCI,            &priv->sci },
+		{ NM_DEVICE_MACSEC_CIPHER_SUITE,   &priv->cipher_suite },
+		{ NM_DEVICE_MACSEC_ICV_LENGTH,     &priv->icv_length },
+		{ NM_DEVICE_MACSEC_WINDOW,         &priv->window },
+		{ NM_DEVICE_MACSEC_ENCODING_SA,    &priv->encoding_sa },
+		{ NM_DEVICE_MACSEC_ENCRYPT,        &priv->encrypt },
+		{ NM_DEVICE_MACSEC_PROTECT,        &priv->protect },
+		{ NM_DEVICE_MACSEC_INCLUDE_SCI,    &priv->include_sci },
+		{ NM_DEVICE_MACSEC_ES,             &priv->es },
+		{ NM_DEVICE_MACSEC_SCB,            &priv->scb },
+		{ NM_DEVICE_MACSEC_REPLAY_PROTECT, &priv->replay_protect },
+		{ NM_DEVICE_MACSEC_VALIDATION,     &priv->validation },
+		{ NULL },
+	};
+
+	NM_OBJECT_CLASS (nm_device_macsec_parent_class)->init_dbus (object);
+
+	_nm_object_register_properties (object,
+	                                NM_DBUS_INTERFACE_DEVICE_MACSEC,
+	                                property_info);
+}
+
+static void
+finalize (GObject *object)
+{
+	NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (object);
+
+	g_free (priv->validation);
+	g_free (priv->hw_address);
+	g_clear_object (&priv->parent);
+
+	G_OBJECT_CLASS (nm_device_macsec_parent_class)->finalize (object);
+}
+
+static void
+get_property (GObject *object,
+              guint prop_id,
+              GValue *value,
+              GParamSpec *pspec)
+{
+	NMDeviceMacsec *device = NM_DEVICE_MACSEC (object);
+
+	switch (prop_id) {
+	case PROP_PARENT:
+		g_value_set_object (value, nm_device_macsec_get_parent (device));
+		break;
+	case PROP_HW_ADDRESS:
+		g_value_set_string (value, nm_device_macsec_get_hw_address (device));
+		break;
+	case PROP_SCI:
+		g_value_set_uint64 (value, nm_device_macsec_get_sci (device));
+		break;
+	case PROP_ICV_LENGTH:
+		g_value_set_uchar (value, nm_device_macsec_get_icv_length (device));
+		break;
+	case PROP_CIPHER_SUITE:
+		g_value_set_uint64 (value, nm_device_macsec_get_cipher_suite (device));
+		break;
+	case PROP_WINDOW:
+		g_value_set_uint (value, nm_device_macsec_get_window (device));
+		break;
+	case PROP_ENCODING_SA:
+		g_value_set_uchar (value, nm_device_macsec_get_encoding_sa (device));
+		break;
+	case PROP_VALIDATION:
+		g_value_set_string (value, nm_device_macsec_get_validation (device));
+		break;
+	case PROP_ENCRYPT:
+		g_value_set_boolean (value, nm_device_macsec_get_encrypt (device));
+		break;
+	case PROP_PROTECT:
+		g_value_set_boolean (value, nm_device_macsec_get_protect (device));
+		break;
+	case PROP_INCLUDE_SCI:
+		g_value_set_boolean (value, nm_device_macsec_get_include_sci (device));
+		break;
+	case PROP_ES:
+		g_value_set_boolean (value, nm_device_macsec_get_es (device));
+		break;
+	case PROP_SCB:
+		g_value_set_boolean (value, nm_device_macsec_get_scb (device));
+		break;
+	case PROP_REPLAY_PROTECT:
+		g_value_set_boolean (value, nm_device_macsec_get_replay_protect (device));
+		break;
+	default:
+		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+		break;
+	}
+}
+
+static void
+nm_device_macsec_class_init (NMDeviceMacsecClass *macsec_class)
+{
+	GObjectClass *object_class = G_OBJECT_CLASS (macsec_class);
+	NMObjectClass *nm_object_class = NM_OBJECT_CLASS (macsec_class);
+	NMDeviceClass *device_class = NM_DEVICE_CLASS (macsec_class);
+
+	g_type_class_add_private (macsec_class, sizeof (NMDeviceMacsecPrivate));
+
+	object_class->finalize = finalize;
+	object_class->get_property = get_property;
+
+	nm_object_class->init_dbus = init_dbus;
+
+	device_class->get_hw_address = get_hw_address;
+
+	/**
+	 * NMDeviceMacsec:parent:
+	 *
+	 * The devices's parent device.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_PARENT] =
+		g_param_spec_object (NM_DEVICE_MACSEC_PARENT, "", "",
+		                     NM_TYPE_DEVICE,
+		                     G_PARAM_READABLE |
+		                     G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:hw-address:
+	 *
+	 * The hardware (MAC) address of the device.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_HW_ADDRESS] =
+		g_param_spec_string (NM_DEVICE_MACSEC_HW_ADDRESS, "", "",
+		                     NULL,
+		                     G_PARAM_READABLE |
+		                     G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:sci:
+	 *
+	 * The Secure Channel Identifier in use.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_SCI] =
+		g_param_spec_uint64 (NM_DEVICE_MACSEC_SCI, "", "",
+		                     0, G_MAXUINT64, 0,
+		                     G_PARAM_READABLE |
+		                     G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:icv-length:
+	 *
+	 * The length of ICV (Integrity Check Value).
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_ICV_LENGTH] =
+		g_param_spec_uchar (NM_DEVICE_MACSEC_ICV_LENGTH, "", "",
+		                    0, G_MAXUINT8, 0,
+		                    G_PARAM_READABLE |
+		                    G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:cipher-suite:
+	 *
+	 * The set of cryptographic algorithms in use.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_CIPHER_SUITE] =
+		g_param_spec_uint64 (NM_DEVICE_MACSEC_CIPHER_SUITE, "", "",
+		                     0, G_MAXUINT64, 0,
+		                     G_PARAM_READABLE |
+		                     G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:window:
+	 *
+	 * The size of the replay window.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_WINDOW] =
+		g_param_spec_uint (NM_DEVICE_MACSEC_WINDOW, "", "",
+		                   0, G_MAXUINT32, 0,
+		                   G_PARAM_READABLE |
+		                   G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:encoding-sa:
+	 *
+	 * The value of the Association Number (0..3) for the Security
+	 * Association in use.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_ENCODING_SA] =
+		g_param_spec_uchar (NM_DEVICE_MACSEC_ENCODING_SA, "", "",
+		                    0, G_MAXUINT8, 0,
+		                    G_PARAM_READABLE |
+		                    G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:validation:
+	 *
+	 * The validation mode for incoming packets (strict, check,
+	 * disabled).
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_VALIDATION] =
+		g_param_spec_string (NM_DEVICE_MACSEC_VALIDATION, "", "",
+		                     NULL,
+		                     G_PARAM_READABLE |
+		                     G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:encrypt:
+	 *
+	 * Whether encryption of transmitted frames is enabled.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_ENCRYPT] =
+		g_param_spec_boolean (NM_DEVICE_MACSEC_ENCRYPT, "", "",
+		                      FALSE,
+		                      G_PARAM_READABLE |
+		                      G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:protect:
+	 *
+	 * Whether protection of transmitted frames is enabled.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_PROTECT] =
+		g_param_spec_boolean (NM_DEVICE_MACSEC_PROTECT, "", "",
+		                      FALSE,
+		                      G_PARAM_READABLE |
+		                      G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:include-sci:
+	 *
+	 * Whether the SCI is always included in SecTAG for transmitted
+	 * frames.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_INCLUDE_SCI] =
+		g_param_spec_boolean (NM_DEVICE_MACSEC_INCLUDE_SCI, "", "",
+		                      FALSE,
+		                      G_PARAM_READABLE |
+		                      G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:es:
+	 *
+	 * Whether the ES (End station) bit is enabled in SecTAG for
+	 * transmitted frames.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_ES] =
+		g_param_spec_boolean (NM_DEVICE_MACSEC_ES, "", "",
+		                      FALSE,
+		                      G_PARAM_READABLE |
+		                      G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:scb:
+	 *
+	 * Whether the SCB (Single Copy Broadcast) bit is enabled in
+	 * SecTAG for transmitted frames.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_SCB] =
+		g_param_spec_boolean (NM_DEVICE_MACSEC_SCB, "", "",
+		                      FALSE,
+		                      G_PARAM_READABLE |
+		                      G_PARAM_STATIC_STRINGS);
+
+	/**
+	 * NMDeviceMacsec:replay-protect:
+	 *
+	 * Whether replay protection is enabled.
+	 *
+	 * Since: 1.6
+	 **/
+	obj_properties[PROP_REPLAY_PROTECT] =
+		g_param_spec_boolean (NM_DEVICE_MACSEC_REPLAY_PROTECT, "", "",
+		                      FALSE,
+		                      G_PARAM_READABLE |
+		                      G_PARAM_STATIC_STRINGS);
+
+	g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties);
+}
diff --git a/libnm/nm-device-macsec.h b/libnm/nm-device-macsec.h
new file mode 100644
index 0000000000..d6d7c0ef79
--- /dev/null
+++ b/libnm/nm-device-macsec.h
@@ -0,0 +1,101 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
+/*
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+ * Boston, MA 02110-1301 USA.
+ *
+ * Copyright 2017 Red Hat, Inc.
+ */
+
+#ifndef __NM_DEVICE_MACSEC_H__
+#define __NM_DEVICE_MACSEC_H__
+
+#if !defined (__NETWORKMANAGER_H_INSIDE__) && !defined(NETWORKMANAGER_COMPILATION)
+#error "Only <NetworkManager.h> can be included directly."
+#endif
+
+#include <nm-device.h>
+
+G_BEGIN_DECLS
+
+#define NM_TYPE_DEVICE_MACSEC            (nm_device_macsec_get_type ())
+#define NM_DEVICE_MACSEC(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsec))
+#define NM_DEVICE_MACSEC_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsecClass))
+#define NM_IS_DEVICE_MACSEC(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_DEVICE_MACSEC))
+#define NM_IS_DEVICE_MACSEC_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), NM_TYPE_DEVICE_MACSEC))
+#define NM_DEVICE_MACSEC_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsecClass))
+
+#define NM_DEVICE_MACSEC_PARENT          "parent"
+#define NM_DEVICE_MACSEC_HW_ADDRESS      "hw-address"
+#define NM_DEVICE_MACSEC_SCI             "sci"
+#define NM_DEVICE_MACSEC_ICV_LENGTH      "icv-length"
+#define NM_DEVICE_MACSEC_CIPHER_SUITE    "cipher-suite"
+#define NM_DEVICE_MACSEC_WINDOW          "window"
+#define NM_DEVICE_MACSEC_ENCODING_SA     "encoding-sa"
+#define NM_DEVICE_MACSEC_VALIDATION      "validation"
+#define NM_DEVICE_MACSEC_ENCRYPT         "encrypt"
+#define NM_DEVICE_MACSEC_PROTECT         "protect"
+#define NM_DEVICE_MACSEC_INCLUDE_SCI     "include-sci"
+#define NM_DEVICE_MACSEC_ES              "es"
+#define NM_DEVICE_MACSEC_SCB             "scb"
+#define NM_DEVICE_MACSEC_REPLAY_PROTECT  "replay-protect"
+
+/**
+ * NMDeviceMacsec:
+ */
+struct _NMDeviceMacsec {
+	NMDevice parent;
+};
+
+typedef struct {
+	NMDeviceClass parent;
+
+	/*< private >*/
+	gpointer padding[4];
+} NMDeviceMacsecClass;
+
+NM_AVAILABLE_IN_1_6
+GType nm_device_macsec_get_type (void);
+
+NM_AVAILABLE_IN_1_6
+NMDevice *   nm_device_macsec_get_parent (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+const char * nm_device_macsec_get_hw_address (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+guint64      nm_device_macsec_get_sci (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+guint8       nm_device_macsec_get_icv_length (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+guint64      nm_device_macsec_get_cipher_suite (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+guint        nm_device_macsec_get_window (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+guint8       nm_device_macsec_get_encoding_sa (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+const char * nm_device_macsec_get_validation (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+gboolean     nm_device_macsec_get_encrypt (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+gboolean     nm_device_macsec_get_protect (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+gboolean     nm_device_macsec_get_include_sci (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+gboolean     nm_device_macsec_get_es (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+gboolean     nm_device_macsec_get_scb (NMDeviceMacsec *device);
+NM_AVAILABLE_IN_1_6
+gboolean     nm_device_macsec_get_replay_protect (NMDeviceMacsec *device);
+G_END_DECLS
+
+#endif /* __NM_DEVICE_MACSEC_H__ */
diff --git a/libnm/nm-device.c b/libnm/nm-device.c
index 5c5988862c..02b5cad550 100644
--- a/libnm/nm-device.c
+++ b/libnm/nm-device.c
@@ -267,6 +267,7 @@ coerce_type (NMDeviceType type)
 	case NM_DEVICE_TYPE_BRIDGE:
 	case NM_DEVICE_TYPE_VLAN:
 	case NM_DEVICE_TYPE_ADSL:
+	case NM_DEVICE_TYPE_MACSEC:
 	case NM_DEVICE_TYPE_MACVLAN:
 	case NM_DEVICE_TYPE_VXLAN:
 	case NM_DEVICE_TYPE_IP_TUNNEL:
@@ -1691,6 +1692,8 @@ get_type_name (NMDevice *device)
 		return _("Tun");
 	case NM_DEVICE_TYPE_VETH:
 		return _("Veth");
+	case NM_DEVICE_TYPE_MACSEC:
+		return _("MACsec");
 	case NM_DEVICE_TYPE_GENERIC:
 	case NM_DEVICE_TYPE_UNUSED1:
 	case NM_DEVICE_TYPE_UNUSED2:
diff --git a/libnm/nm-types.h b/libnm/nm-types.h
index be09daaf89..7d224c86fe 100644
--- a/libnm/nm-types.h
+++ b/libnm/nm-types.h
@@ -38,6 +38,7 @@ typedef struct _NMDeviceEthernet    NMDeviceEthernet;
 typedef struct _NMDeviceGeneric     NMDeviceGeneric;
 typedef struct _NMDeviceInfiniband  NMDeviceInfiniband;
 typedef struct _NMDeviceIPTunnel    NMDeviceIPTunnel;
+typedef struct _NMDeviceMacsec      NMDeviceMacsec;
 typedef struct _NMDeviceMacvlan     NMDeviceMacvlan;
 typedef struct _NMDeviceModem       NMDeviceModem;
 typedef struct _NMDeviceOlpcMesh    NMDeviceOlpcMesh;
diff --git a/src/devices/nm-device-factory.c b/src/devices/nm-device-factory.c
index dc8e26605b..0ce2cb48c5 100644
--- a/src/devices/nm-device-factory.c
+++ b/src/devices/nm-device-factory.c
@@ -405,6 +405,7 @@ nm_device_factory_manager_load_factories (NMDeviceFactoryManagerFactoryFunc call
 	_ADD_INTERNAL (nm_ethernet_device_factory_get_type);
 	_ADD_INTERNAL (nm_infiniband_device_factory_get_type);
 	_ADD_INTERNAL (nm_ip_tunnel_device_factory_get_type);
+	_ADD_INTERNAL (nm_macsec_device_factory_get_type);
 	_ADD_INTERNAL (nm_macvlan_device_factory_get_type);
 	_ADD_INTERNAL (nm_tun_device_factory_get_type);
 	_ADD_INTERNAL (nm_veth_device_factory_get_type);
diff --git a/src/devices/nm-device-macsec.c b/src/devices/nm-device-macsec.c
new file mode 100644
index 0000000000..8558ba120c
--- /dev/null
+++ b/src/devices/nm-device-macsec.c
@@ -0,0 +1,365 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
+/* NetworkManager -- Network link manager
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Copyright 2017 Red Hat, Inc.
+ */
+
+#include "nm-default.h"
+
+#include "nm-device-macsec.h"
+
+#include "nm-device-private.h"
+#include "platform/nm-platform.h"
+#include "nm-device-factory.h"
+#include "nm-manager.h"
+#include "nm-core-internal.h"
+
+#include "introspection/org.freedesktop.NetworkManager.Device.Macsec.h"
+
+#include "nm-device-logging.h"
+_LOG_DECLARE_SELF(NMDeviceMacsec);
+
+/*****************************************************************************/
+
+NM_GOBJECT_PROPERTIES_DEFINE (NMDeviceMacsec,
+	PROP_SCI,
+	PROP_CIPHER_SUITE,
+	PROP_ICV_LENGTH,
+	PROP_WINDOW,
+	PROP_ENCODING_SA,
+	PROP_ENCRYPT,
+	PROP_PROTECT,
+	PROP_INCLUDE_SCI,
+	PROP_ES,
+	PROP_SCB,
+	PROP_REPLAY_PROTECT,
+	PROP_VALIDATION,
+);
+
+typedef struct {
+	NMPlatformLnkMacsec props;
+	gulong parent_state_id;
+} NMDeviceMacsecPrivate;
+
+struct _NMDeviceMacsec {
+	NMDevice parent;
+	NMDeviceMacsecPrivate _priv;
+};
+
+struct _NMDeviceMacsecClass {
+	NMDeviceClass parent;
+};
+
+G_DEFINE_TYPE (NMDeviceMacsec, nm_device_macsec, NM_TYPE_DEVICE)
+
+#define NM_DEVICE_MACSEC_GET_PRIVATE(self) _NM_GET_PRIVATE (self, NMDeviceMacsec, NM_IS_DEVICE_MACSEC)
+
+/******************************************************************/
+
+NM_UTILS_LOOKUP_STR_DEFINE_STATIC (validation_mode_to_string, guint8,
+	NM_UTILS_LOOKUP_DEFAULT_WARN ("<unknown>"),
+	NM_UTILS_LOOKUP_STR_ITEM (0, "disable"),
+	NM_UTILS_LOOKUP_STR_ITEM (1, "check"),
+	NM_UTILS_LOOKUP_STR_ITEM (2, "strict"),
+);
+
+static void
+parent_state_changed (NMDevice *parent,
+                      NMDeviceState new_state,
+                      NMDeviceState old_state,
+                      NMDeviceStateReason reason,
+                      gpointer user_data)
+{
+	NMDeviceMacsec *self = NM_DEVICE_MACSEC (user_data);
+
+	/* We'll react to our own carrier state notifications. Ignore the parent's. */
+	if (reason == NM_DEVICE_STATE_REASON_CARRIER)
+		return;
+
+	nm_device_set_unmanaged_by_flags (NM_DEVICE (self), NM_UNMANAGED_PARENT, !nm_device_get_managed (parent, FALSE), reason);
+}
+
+static void
+parent_changed_notify (NMDevice *device,
+                       int old_ifindex,
+                       NMDevice *old_parent,
+                       int new_ifindex,
+                       NMDevice *new_parent)
+{
+	NMDeviceMacsec *self = NM_DEVICE_MACSEC (device);
+	NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
+
+	NM_DEVICE_CLASS (nm_device_macsec_parent_class)->parent_changed_notify (device,
+	                                                                        old_ifindex,
+	                                                                        old_parent,
+	                                                                        new_ifindex,
+	                                                                        new_parent);
+
+	/*  note that @self doesn't have to clear @parent_state_id on dispose,
+	 *  because NMDevice's dispose() will unset the parent, which in turn calls
+	 *  parent_changed_notify(). */
+	nm_clear_g_signal_handler (old_parent, &priv->parent_state_id);
+
+	if (new_parent) {
+		priv->parent_state_id = g_signal_connect (new_parent,
+		                                          NM_DEVICE_STATE_CHANGED,
+		                                          G_CALLBACK (parent_state_changed),
+		                                          device);
+
+		/* Set parent-dependent unmanaged flag */
+		nm_device_set_unmanaged_by_flags (device,
+		                                  NM_UNMANAGED_PARENT,
+		                                  !nm_device_get_managed (new_parent, FALSE),
+		                                  NM_DEVICE_STATE_REASON_PARENT_MANAGED_CHANGED);
+	}
+
+	/* Recheck availability now that the parent has changed */
+	if (new_ifindex > 0) {
+		nm_device_queue_recheck_available (device,
+		                                   NM_DEVICE_STATE_REASON_PARENT_CHANGED,
+		                                   NM_DEVICE_STATE_REASON_PARENT_CHANGED);
+	}
+}
+
+static void
+update_properties (NMDevice *device)
+{
+	NMDeviceMacsec *self;
+	NMDeviceMacsecPrivate *priv;
+	const NMPlatformLink *plink = NULL;
+	const NMPlatformLnkMacsec *props = NULL;
+	int ifindex;
+
+	g_return_if_fail (NM_IS_DEVICE_MACSEC (device));
+	self = NM_DEVICE_MACSEC (device);
+	priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
+
+	ifindex = nm_device_get_ifindex (device);
+	g_return_if_fail (ifindex > 0);
+	props = nm_platform_link_get_lnk_macsec (NM_PLATFORM_GET, ifindex, &plink);
+
+	if (!props) {
+		_LOGW (LOGD_PLATFORM, "could not get macsec properties");
+		return;
+	}
+
+	g_object_freeze_notify ((GObject *) device);
+
+	if (priv->props.parent_ifindex != props->parent_ifindex)
+		nm_device_parent_set_ifindex (device, props->parent_ifindex);
+
+#define CHECK_PROPERTY_CHANGED(field, prop) \
+	if (props->field != priv->props.field) \
+		_notify (self, prop)
+
+	CHECK_PROPERTY_CHANGED (sci, PROP_SCI);
+	CHECK_PROPERTY_CHANGED (cipher_suite, PROP_CIPHER_SUITE);
+	CHECK_PROPERTY_CHANGED (window, PROP_WINDOW);
+	CHECK_PROPERTY_CHANGED (icv_length, PROP_ICV_LENGTH);
+	CHECK_PROPERTY_CHANGED (encoding_sa, PROP_ENCODING_SA);
+	CHECK_PROPERTY_CHANGED (validation, PROP_VALIDATION);
+	CHECK_PROPERTY_CHANGED (encrypt, PROP_ENCRYPT);
+	CHECK_PROPERTY_CHANGED (protect, PROP_PROTECT);
+	CHECK_PROPERTY_CHANGED (include_sci, PROP_INCLUDE_SCI);
+	CHECK_PROPERTY_CHANGED (es, PROP_ES);
+	CHECK_PROPERTY_CHANGED (scb, PROP_SCB);
+	CHECK_PROPERTY_CHANGED (replay_protect, PROP_REPLAY_PROTECT);
+
+	priv->props = *props;
+	g_object_thaw_notify ((GObject *) device);
+}
+
+/******************************************************************/
+
+static NMDeviceCapabilities
+get_generic_capabilities (NMDevice *dev)
+{
+	/* We assume MACsec interfaces always support carrier detect */
+	return NM_DEVICE_CAP_CARRIER_DETECT | NM_DEVICE_CAP_IS_SOFTWARE;
+}
+
+/******************************************************************/
+
+static gboolean
+is_available (NMDevice *device, NMDeviceCheckDevAvailableFlags flags)
+{
+	if (!nm_device_parent_get_device (device))
+		return FALSE;
+	return NM_DEVICE_CLASS (nm_device_macsec_parent_class)->is_available (device, flags);
+}
+
+static void
+link_changed (NMDevice *device,
+              const NMPlatformLink *pllink)
+{
+	NM_DEVICE_CLASS (nm_device_macsec_parent_class)->link_changed (device, pllink);
+	update_properties (device);
+}
+
+/******************************************************************/
+
+static void
+get_property (GObject *object, guint prop_id,
+              GValue *value, GParamSpec *pspec)
+{
+	NMDeviceMacsec *self = NM_DEVICE_MACSEC (object);
+	NMDeviceMacsecPrivate *priv = NM_DEVICE_MACSEC_GET_PRIVATE (self);
+
+	switch (prop_id) {
+	case PROP_SCI:
+		g_value_set_uint64 (value, priv->props.sci);
+		break;
+	case PROP_CIPHER_SUITE:
+		g_value_set_uint64 (value, priv->props.cipher_suite);
+		break;
+	case PROP_ICV_LENGTH:
+		g_value_set_uchar (value, priv->props.icv_length);
+		break;
+	case PROP_WINDOW:
+		g_value_set_uint (value, priv->props.window);
+		break;
+	case PROP_ENCODING_SA:
+		g_value_set_uchar (value, priv->props.encoding_sa);
+		break;
+	case PROP_ENCRYPT:
+		g_value_set_boolean (value, priv->props.encrypt);
+		break;
+	case PROP_PROTECT:
+		g_value_set_boolean (value, priv->props.protect);
+		break;
+	case PROP_INCLUDE_SCI:
+		g_value_set_boolean (value, priv->props.include_sci);
+		break;
+	case PROP_ES:
+		g_value_set_boolean (value, priv->props.es);
+		break;
+	case PROP_SCB:
+		g_value_set_boolean (value, priv->props.scb);
+		break;
+	case PROP_REPLAY_PROTECT:
+		g_value_set_boolean (value, priv->props.replay_protect);
+		break;
+	case PROP_VALIDATION:
+		g_value_set_string (value,
+		                    validation_mode_to_string (priv->props.validation));
+		break;
+	default:
+		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+		break;
+	}
+}
+
+static void
+nm_device_macsec_init (NMDeviceMacsec * self)
+{
+}
+
+static void
+nm_device_macsec_class_init (NMDeviceMacsecClass *klass)
+{
+	GObjectClass *object_class = G_OBJECT_CLASS (klass);
+	NMDeviceClass *parent_class = NM_DEVICE_CLASS (klass);
+
+	NM_DEVICE_CLASS_DECLARE_TYPES (klass, NULL, NM_LINK_TYPE_MACSEC)
+
+	object_class->get_property = get_property;
+
+	parent_class->get_generic_capabilities = get_generic_capabilities;
+	parent_class->is_available = is_available;
+	parent_class->link_changed = link_changed;
+	parent_class->parent_changed_notify = parent_changed_notify;
+
+	obj_properties[PROP_SCI] =
+	    g_param_spec_uint64 (NM_DEVICE_MACSEC_SCI, "", "",
+	                         0, G_MAXUINT64, 0,
+	                         G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+	obj_properties[PROP_CIPHER_SUITE] =
+	    g_param_spec_uint64 (NM_DEVICE_MACSEC_CIPHER_SUITE, "", "",
+	                         0, G_MAXUINT64, 0,
+	                         G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+	obj_properties[PROP_ICV_LENGTH] =
+	    g_param_spec_uchar (NM_DEVICE_MACSEC_ICV_LENGTH, "", "",
+	                        0, G_MAXUINT8, 0,
+	                        G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+	obj_properties[PROP_WINDOW] =
+	    g_param_spec_uint (NM_DEVICE_MACSEC_WINDOW, "", "",
+	                       0, G_MAXUINT32, 0,
+	                       G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+	obj_properties[PROP_ENCODING_SA] =
+	    g_param_spec_uchar (NM_DEVICE_MACSEC_ENCODING_SA, "", "",
+	                        0, 3, 0,
+	                        G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+	obj_properties[PROP_VALIDATION] =
+	    g_param_spec_string (NM_DEVICE_MACSEC_VALIDATION, "", "",
+	                         NULL,
+	                         G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+	obj_properties[PROP_ENCRYPT] =
+	    g_param_spec_boolean (NM_DEVICE_MACSEC_ENCRYPT, "", "",
+	                          FALSE,
+	                          G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+	obj_properties[PROP_PROTECT] =
+	    g_param_spec_boolean (NM_DEVICE_MACSEC_PROTECT, "", "",
+	                          FALSE,
+	                          G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+	obj_properties[PROP_INCLUDE_SCI] =
+	    g_param_spec_boolean (NM_DEVICE_MACSEC_INCLUDE_SCI, "", "",
+	                          FALSE,
+	                          G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+	obj_properties[PROP_ES] =
+	    g_param_spec_boolean (NM_DEVICE_MACSEC_ES, "", "",
+	                          FALSE,
+	                          G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+	obj_properties[PROP_SCB] =
+	    g_param_spec_boolean (NM_DEVICE_MACSEC_SCB, "", "",
+	                          FALSE,
+	                          G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+	obj_properties[PROP_REPLAY_PROTECT] =
+	    g_param_spec_boolean (NM_DEVICE_MACSEC_REPLAY_PROTECT, "", "",
+	                          FALSE,
+	                          G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+
+	g_object_class_install_properties (object_class, _PROPERTY_ENUMS_LAST, obj_properties);
+
+	nm_exported_object_class_add_interface (NM_EXPORTED_OBJECT_CLASS (klass),
+	                                        NMDBUS_TYPE_DEVICE_MACSEC_SKELETON,
+	                                        NULL);
+}
+
+/*************************************************************/
+
+#define NM_TYPE_MACSEC_DEVICE_FACTORY (nm_macsec_device_factory_get_type ())
+#define NM_MACSEC_DEVICE_FACTORY(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_MACSEC_DEVICE_FACTORY, NMMacsecDeviceFactory))
+
+static NMDevice *
+create_device (NMDeviceFactory *factory,
+               const char *iface,
+               const NMPlatformLink *plink,
+               NMConnection *connection,
+               gboolean *out_ignore)
+{
+	return (NMDevice *) g_object_new (NM_TYPE_DEVICE_MACSEC,
+	                                  NM_DEVICE_IFACE, iface,
+	                                  NM_DEVICE_TYPE_DESC, "Macsec",
+	                                  NM_DEVICE_DEVICE_TYPE, NM_DEVICE_TYPE_MACSEC,
+	                                  NM_DEVICE_LINK_TYPE, NM_LINK_TYPE_MACSEC,
+	                                  NULL);
+}
+
+NM_DEVICE_FACTORY_DEFINE_INTERNAL (MACSEC, Macsec, macsec,
+	NM_DEVICE_FACTORY_DECLARE_LINK_TYPES (NM_LINK_TYPE_MACSEC),
+	factory_class->create_device = create_device;
+)
diff --git a/src/devices/nm-device-macsec.h b/src/devices/nm-device-macsec.h
new file mode 100644
index 0000000000..17b33bf593
--- /dev/null
+++ b/src/devices/nm-device-macsec.h
@@ -0,0 +1,54 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
+/* NetworkManager -- Network link manager
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Copyright 2017 Red Hat, Inc.
+ */
+
+#ifndef __NM_DEVICE_MACSEC_H__
+#define __NM_DEVICE_MACSEC_H__
+
+#include "nm-device.h"
+
+#define NM_TYPE_DEVICE_MACSEC            (nm_device_macsec_get_type ())
+#define NM_DEVICE_MACSEC(obj)            (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_DEVICE_MACSEC, NMDeviceMacsec))
+#define NM_DEVICE_MACSEC_CLASS(klass)    (G_TYPE_CHECK_CLASS_CAST ((klass),  NM_TYPE_DEVICE_MACSEC, NMDeviceMacsecClass))
+#define NM_IS_DEVICE_MACSEC(obj)         (G_TYPE_CHECK_INSTANCE_TYPE ((obj), NM_TYPE_DEVICE_MACSEC))
+#define NM_IS_DEVICE_MACSEC_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass),  NM_TYPE_DEVICE_MACSEC))
+#define NM_DEVICE_MACSEC_GET_CLASS(obj)  (G_TYPE_INSTANCE_GET_CLASS ((obj),  NM_TYPE_DEVICE_MACSEC, NMDeviceMacsecClass))
+
+#define NM_DEVICE_MACSEC_SCI             "sci"
+#define NM_DEVICE_MACSEC_CIPHER_SUITE    "cipher-suite"
+#define NM_DEVICE_MACSEC_ICV_LENGTH      "icv-length"
+#define NM_DEVICE_MACSEC_WINDOW          "window"
+#define NM_DEVICE_MACSEC_ENCODING_SA     "encoding-sa"
+#define NM_DEVICE_MACSEC_VALIDATION      "validation"
+#define NM_DEVICE_MACSEC_ENCRYPT         "encrypt"
+#define NM_DEVICE_MACSEC_PROTECT         "protect"
+#define NM_DEVICE_MACSEC_INCLUDE_SCI     "include-sci"
+#define NM_DEVICE_MACSEC_ES              "es"
+#define NM_DEVICE_MACSEC_SCB             "scb"
+#define NM_DEVICE_MACSEC_REPLAY_PROTECT  "replay-protect"
+
+/* defined in the parent class, but exposed on D-Bus by the subclass. */
+#define NM_DEVICE_MACSEC_PARENT          NM_DEVICE_PARENT
+
+typedef struct _NMDeviceMacsec NMDeviceMacsec;
+typedef struct _NMDeviceMacsecClass NMDeviceMacsecClass;
+
+GType nm_device_macsec_get_type (void);
+
+#endif /* __NM_DEVICE_MACSEC_H__ */
diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index c236a85803..f0a218ee18 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -1330,6 +1330,8 @@ nm_device_get_priority (NMDevice *self)
 	case NM_DEVICE_TYPE_ETHERNET:
 	case NM_DEVICE_TYPE_VETH:
 		return 100;
+	case NM_DEVICE_TYPE_MACSEC:
+		return 125;
 	case NM_DEVICE_TYPE_INFINIBAND:
 		return 150;
 	case NM_DEVICE_TYPE_ADSL: