Adoption Standard – Superseded. This standard specifies how all or part of a network can be secured transparently to peer protocol entities that use the MAC Service provided by IEEE 802(R) LANs to communicate. MAC security (MACsec) provides connectionless user data confidentiality, frame data integrity, and data origin authenticity.<\/p>\n
| PDF Pages<\/th>\n | PDF Title<\/th>\n<\/tr>\n | ||||||
|---|---|---|---|---|---|---|---|
| 5<\/td>\n | IEEE Std 802.1AE-2013 <\/td>\n<\/tr>\n | ||||||
| 7<\/td>\n | Title page <\/td>\n<\/tr>\n | ||||||
| 10<\/td>\n | Introduction Notice to users <\/td>\n<\/tr>\n | ||||||
| 11<\/td>\n | CONTENTS <\/td>\n<\/tr>\n | ||||||
| 15<\/td>\n | 1. Overview 1.1 Introduction <\/td>\n<\/tr>\n | ||||||
| 16<\/td>\n | 1.2 Scope <\/td>\n<\/tr>\n | ||||||
| 17<\/td>\n | 2. Normative references <\/td>\n<\/tr>\n | ||||||
| 19<\/td>\n | 3. Definitions <\/td>\n<\/tr>\n | ||||||
| 22<\/td>\n | 4. Abbreviations and acronyms <\/td>\n<\/tr>\n | ||||||
| 24<\/td>\n | 5. Conformance 5.1 Requirements terminology 5.2 Protocol Implementation Conformance Statement (PICS) 5.3 Required capabilities <\/td>\n<\/tr>\n | ||||||
| 25<\/td>\n | 5.4 Optional capabilities <\/td>\n<\/tr>\n | ||||||
| 27<\/td>\n | 6. Secure provision of the MAC Service 6.1 MAC Service primitives and parameters <\/td>\n<\/tr>\n | ||||||
| 29<\/td>\n | 6.2 MAC Service connectivity <\/td>\n<\/tr>\n | ||||||
| 30<\/td>\n | 6.3 Point-to-multipoint LANs 6.4 MAC status parameters 6.5 MAC point-to-point parameters <\/td>\n<\/tr>\n | ||||||
| 31<\/td>\n | 6.6 Security threats <\/td>\n<\/tr>\n | ||||||
| 32<\/td>\n | 6.7 MACsec connectivity <\/td>\n<\/tr>\n | ||||||
| 33<\/td>\n | 6.8 MACsec guarantees 6.9 Security services <\/td>\n<\/tr>\n | ||||||
| 34<\/td>\n | 6.10 Quality of service maintenance <\/td>\n<\/tr>\n | ||||||
| 36<\/td>\n | 7. Principles of secure network operation 7.1 Support of the secure MAC Service by an individual LAN <\/td>\n<\/tr>\n | ||||||
| 40<\/td>\n | 7.1.1 Connectivity Association (CA) 7.1.2 Secure Channel (SC) 7.1.3 Secure Association (SA) <\/td>\n<\/tr>\n | ||||||
| 41<\/td>\n | 7.2 Multiple instances of the secure MAC Service on a single LAN <\/td>\n<\/tr>\n | ||||||
| 42<\/td>\n | 7.3 Use of the secure MAC Service <\/td>\n<\/tr>\n | ||||||
| 43<\/td>\n | 7.3.1 Client policies 7.3.2 Use of the secure MAC Service by bridges <\/td>\n<\/tr>\n | ||||||
| 45<\/td>\n | 8. MAC Security Protocol (MACsec) <\/td>\n<\/tr>\n | ||||||
| 46<\/td>\n | 8.1 Protocol design requirements 8.1.1 Security requirements 8.1.2 Manageability requirements <\/td>\n<\/tr>\n | ||||||
| 47<\/td>\n | 8.1.3 Interoperability requirements 8.1.4 Deployment requirements 8.1.5 Coexistence requirements <\/td>\n<\/tr>\n | ||||||
| 48<\/td>\n | 8.1.6 Scalability requirements 8.1.7 Unauthorized access attempts 8.1.8 Localization and isolation of attacks 8.1.9 Implementation 8.2 Protocol support requirements <\/td>\n<\/tr>\n | ||||||
| 49<\/td>\n | 8.2.1 SC identification requirements 8.2.2 SA Key requirements 8.2.3 KaY independence of MACsec 8.2.4 Discovering connectivity <\/td>\n<\/tr>\n | ||||||
| 50<\/td>\n | 8.2.5 Authentication requirements 8.2.6 Authorization requirements 8.2.7 Key exchange and maintenance 8.3 MACsec operation <\/td>\n<\/tr>\n | ||||||
| 52<\/td>\n | 9. Encoding of MACsec protocol data units 9.1 Structure, representation, and encoding 9.2 Major components <\/td>\n<\/tr>\n | ||||||
| 53<\/td>\n | 9.3 Security TAG 9.4 MACsec EtherType <\/td>\n<\/tr>\n | ||||||
| 54<\/td>\n | 9.5 TAG Control Information (TCI) <\/td>\n<\/tr>\n | ||||||
| 55<\/td>\n | 9.6 Association Number (AN) 9.7 Short Length (SL) 9.8 Packet Number (PN) 9.9 Secure Channel Identifier (SCI) <\/td>\n<\/tr>\n | ||||||
| 56<\/td>\n | 9.10 Secure Data 9.11 Integrity Check Value (ICV) <\/td>\n<\/tr>\n | ||||||
| 57<\/td>\n | 9.12 PDU validation <\/td>\n<\/tr>\n | ||||||
| 58<\/td>\n | 10. Principles of MAC Security Entity (SecY) operation 10.1 SecY overview <\/td>\n<\/tr>\n | ||||||
| 60<\/td>\n | 10.2 SecY functions <\/td>\n<\/tr>\n | ||||||
| 61<\/td>\n | 10.3 Model of operation 10.4 SecY architecture <\/td>\n<\/tr>\n | ||||||
| 64<\/td>\n | 10.5 Secure frame generation 10.5.1 Transmit SA assignment 10.5.2 Transmit PN assignment 10.5.3 SecTAG encoding <\/td>\n<\/tr>\n | ||||||
| 65<\/td>\n | 10.5.4 Cryptographic protection 10.5.5 Transmit request 10.6 Secure frame verification <\/td>\n<\/tr>\n | ||||||
| 66<\/td>\n | 10.6.1 Receive SA assignment 10.6.2 Preliminary replay check <\/td>\n<\/tr>\n | ||||||
| 67<\/td>\n | 10.6.3 Cryptographic validation 10.6.4 Replay check update 10.6.5 Receive indication 10.7 SecY management <\/td>\n<\/tr>\n | ||||||
| 68<\/td>\n | 10.7.1 SCI 10.7.2 Uncontrolled Port status <\/td>\n<\/tr>\n | ||||||
| 70<\/td>\n | 10.7.3 Uncontrolled Port statistics 10.7.4 Controlled Port status 10.7.5 Controlled Port controls 10.7.6 Controlled Port statistics <\/td>\n<\/tr>\n | ||||||
| 71<\/td>\n | 10.7.7 Frame verification capabilities 10.7.8 Frame verification controls 10.7.9 Frame verification statistics <\/td>\n<\/tr>\n | ||||||
| 72<\/td>\n | 10.7.10 Frame validation statistics 10.7.11 Receive SC creation 10.7.12 Receive SC status <\/td>\n<\/tr>\n | ||||||
| 73<\/td>\n | 10.7.13 Receive SA creation 10.7.14 Receive SA status 10.7.15 Receive SA control <\/td>\n<\/tr>\n | ||||||
| 74<\/td>\n | 10.7.16 Frame generation capabilities 10.7.17 Frame generation controls 10.7.18 Frame generation statistics 10.7.19 Frame protection statistics <\/td>\n<\/tr>\n | ||||||
| 75<\/td>\n | 10.7.20 Transmit SC status 10.7.21 Transmit SA creation 10.7.22 Transmit SA status 10.7.23 Transmit SA controls 10.7.24 Implemented Cipher Suites <\/td>\n<\/tr>\n | ||||||
| 76<\/td>\n | 10.7.25 Cipher Suite selection 10.7.26 SAK creation <\/td>\n<\/tr>\n | ||||||
| 77<\/td>\n | 10.7.27 SAK status 10.7.28 SAK controls 10.8 Addressing 10.9 Priority 10.10 SecY performance requirements <\/td>\n<\/tr>\n | ||||||
| 79<\/td>\n | 11. MAC Security in Systems 11.1 MAC Service interface stacks <\/td>\n<\/tr>\n | ||||||
| 80<\/td>\n | 11.2 MACsec in end stations 11.3 MACsec in MAC Bridges <\/td>\n<\/tr>\n | ||||||
| 81<\/td>\n | 11.4 MACsec in VLAN-aware Bridges <\/td>\n<\/tr>\n | ||||||
| 82<\/td>\n | 11.5 MACsec and Link Aggregation <\/td>\n<\/tr>\n | ||||||
| 83<\/td>\n | 11.6 Link Layer Discovery Protocol (LLDP) <\/td>\n<\/tr>\n | ||||||
| 84<\/td>\n | 11.7 MACsec in Provider Bridged Networks <\/td>\n<\/tr>\n | ||||||
| 86<\/td>\n | 11.8 MACsec and multi-access LANs <\/td>\n<\/tr>\n | ||||||
| 88<\/td>\n | 12. MACsec and EPON <\/td>\n<\/tr>\n | ||||||
| 90<\/td>\n | 13. Management protocol 13.1 Introduction 13.2 The Internet-Standard Management Framework 13.3 Relationship to other MIBs 13.3.1 System MIB Group 13.3.2 Relationship to the Interfaces MIB <\/td>\n<\/tr>\n | ||||||
| 92<\/td>\n | 13.4 Security considerations <\/td>\n<\/tr>\n | ||||||
| 94<\/td>\n | 13.5 Structure of the MIB <\/td>\n<\/tr>\n | ||||||
| 98<\/td>\n | 13.6 Definitions for MAC Security MIB <\/td>\n<\/tr>\n | ||||||
| 135<\/td>\n | 14. Cipher Suites 14.1 Cipher Suite use <\/td>\n<\/tr>\n | ||||||
| 136<\/td>\n | 14.2 Cipher Suite capabilities <\/td>\n<\/tr>\n | ||||||
| 137<\/td>\n | 14.3 Cipher Suite specification 14.4 Cipher Suite conformance 14.4.1 Conformance with Cipher Suite variance <\/td>\n<\/tr>\n | ||||||
| 138<\/td>\n | 14.5 Default Cipher Suite (GCM-AES-128) <\/td>\n<\/tr>\n | ||||||
| 140<\/td>\n | Annex A (normative) PICS Proforma <\/td>\n<\/tr>\n | ||||||
| 156<\/td>\n | Annex B (informative) Bibliography <\/td>\n<\/tr>\n | ||||||
| 157<\/td>\n | Annex C (informative) IEEE list of participants <\/td>\n<\/tr>\n<\/table>\n","protected":false},"excerpt":{"rendered":" ISO\/IEC\/IEEE International Standard for Information technology — Telecommunications and information exchange between systems — Local and metropolitan area networks — Part 1AE: Media access control (MAC) security<\/b><\/p>\n |