Reference number ISO/IEC/IEEE 8802-1AE:2013(E)
INTERNATIONAL STANDARD ISO/IEC/IEEE 8802-1AE
First edition 2013-12-01

Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Part 1AE: Media access control (MAC) security

© IEEE 2006. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without permission in writing from ISO, IEC or IEEE. Published in Switzerland.

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its standards through a consensus development process, approved by the American National Standards Institute, which brings together volunteers representing varied viewpoints and interests to achieve the final product. Volunteers are not necessarily members of the Institute and serve without compensation. While the IEEE administers the process and establishes rules to promote fairness in the consensus development process, the IEEE does not independently evaluate, test, or verify the accuracy of any of the information contained in its standards.

The main task of ISO/IEC JTC 1 is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is called to the possibility that implementation of this standard may require the use of subject matter covered by patent rights. By publication of this standard, no position is taken with respect to the existence or validity of any patent rights in connection therewith. ISO/IEEE is not responsible for identifying essential patents or patent claims for which a license may be required, for conducting inquiries into the legal validity or scope of patents or patent claims, or for determining whether any licensing terms or conditions provided in connection with submission of a Letter of Assurance or a Patent Statement and Licensing Declaration Form, if any, or in any licensing agreements are reasonable or non-discriminatory. Users of this standard are expressly advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their own responsibility. Further information may be obtained from ISO or the IEEE Standards Association.

ISO/IEC/IEEE 8802-1AE was prepared by the LAN/MAN Standards Committee of the IEEE Computer Society (as IEEE Std 802.1AE-2006). It was adopted by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 6, Telecommunications and information exchange between systems, in parallel with its approval by the ISO/IEC national bodies, under the "fast-track procedure" defined in the Partner Standards Development Organization cooperation agreement between ISO and IEEE. IEEE is responsible for the maintenance of this document with participation and input from ISO/IEC national bodies.

ISO/IEC/IEEE 8802 consists of the following parts, under the general title Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks:
Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications
Part 1X: Port-based network access control
Part 1AE: Media access control (MAC) security
Part 15-4: Wireless medium access control (MAC) and physical layer (PHY) specifications for low-rate wireless personal area networks (WPANs)

IEEE Std 802.1AE-2006
IEEE Standard for Local and metropolitan area networks: Media Access Control (MAC) Security
Sponsor: LAN/MAN Standards Committee of the IEEE Computer Society
Approved 8 June 2006 by the IEEE-SA Standards Board
Copyright © 2006 by the Institute of Electrical and Electronics Engineers, Inc., 3 Park Avenue, New York, NY 10016-5997, USA. All rights reserved. Published 18 August 2006. Printed in the United States of America.

Introduction

This is the first edition of this standard.

Relationship between IEEE Std 802.1AE and other IEEE 802 standards

Another IEEE standard, IEEE Std 802.1X-2004, specifies Port-based Network Access Control, and provides a means of authenticating and authorizing devices attached to a LAN. Use of this standard in conjunction with the architecture and protocols of IEEE Std 802.1X-2004 extends the applicability of the latter to publicly accessible LAN/MAN media for which security has not already been defined. A proposed amendment, IEEE P802.1af, to IEEE Std 802.1X-2004 is being developed to specify the additional protocols and interfaces necessary.

This standard is not intended for use with IEEE Std 802.11, Wireless LAN Medium Access Control. An amendment to that standard, IEEE Std 802.11i-2004, also makes use of IEEE Std 802.1X-2004, thus facilitating the use of a common authentication and authorization framework for LAN media to which this standard applies and for Wireless LANs.

A previous security standard, IEEE Std 802.10, IEEE Standard for Interoperable LAN/MAN Security, has been withdrawn.

Notice to users

Errata

Errata, if any, for this and all other standards can be accessed at the following URL: http://standards.ieee.org/reading/ieee/updates/errata/index.html. Users are encouraged to check this URL for errata periodically.

Interpretations

Current interpretations can be accessed at the following URL: http://standards.ieee.org/reading/ieee/interp/index.html.

Patents

Attention is called to the possibility that implementation of this standard may require use of subject matter covered by patent rights. By publication of this standard, no position is taken with respect to the existence or validity of any patent rights in connection therewith. The IEEE shall not be responsible for identifying patents or patent applications for which a license may be required to implement an IEEE standard or for conducting inquiries into the legal validity or scope of those patents that are brought to its attention.

This introduction is not part of IEEE Std 802.1AE-2006, IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security.
Contents

1. Overview
1.1 Introduction
1.2 Scope
2. Normative references
3. Definitions
4. Abbreviations and acronyms
5. Conformance
5.1 Requirements terminology
5.2 Protocol Implementation Conformance Statement (PICS)
5.3 Required capabilities
5.4 Optional capabilities
6. Secure provision of the MAC Service
6.1 MAC Service primitives and parameters
6.2 MAC Service connectivity
6.3 Point-to-multipoint LANs
6.4 MAC status parameters
6.5 MAC point-to-point parameters
6.6 Security threats
6.7 MACsec connectivity
6.8 MACsec guarantees
6.9 Security services
6.10 Quality of service maintenance
7. Principles of secure network operation
7.1 Support of the secure MAC Service by an individual LAN
7.2 Multiple instances of the secure MAC Service on a single LAN
7.3 Use of the secure MAC Service
8. MAC Security Protocol (MACsec)
8.1 Protocol design requirements
8.2 Protocol support requirements
8.3 MACsec operation
9. Encoding of MACsec protocol data units
9.1 Structure, representation, and encoding
9.2 Major components
9.3 Security TAG
9.4 MACsec EtherType
9.5 TAG Control Information (TCI)
9.6 Association Number (AN)
9.7 Short Length (SL)
9.8 Packet Number (PN)
9.9 Secure Channel Identifier (SCI)
9.10 Secure Data
9.11 Integrity Check Value (ICV)
9.12 PDU validation
10. Principles of MAC Security Entity (SecY) operation
10.1 SecY overview
10.2 SecY functions
10.3 Model of operation
10.4 SecY architecture
10.5 Secure frame generation
10.6 Secure frame verification
10.7 SecY management
10.8 Addressing
10.9 Priority
10.10 SecY performance requirements
11. MAC Security in Systems
11.1 MAC Service interface stacks
11.2 MACsec in end stations
11.3 MACsec in MAC Bridges
11.4 MACsec in VLAN-aware Bridges
11.5 MACsec and Link Aggregation
11.6 Link Layer Discovery Protocol (LLDP)
11.7 MACsec in Provider Bridged Networks
11.8 MACsec and multi-access LANs
12. MACsec and EPON
13. Management protocol
13.1 Introduction
13.2 The Internet-Standard Management Framework
13.3 Relationship to other MIBs
13.4 Security considerations
13.5 Structure of the MIB
13.6 Definitions for MAC Security MIB
14. Cipher Suites
14.1 Cipher Suite use
14.2 Cipher Suite capabilities
14.3 Cipher Suite specification
14.4 Cipher Suite conformance
14.5 Default Cipher Suite (GCM-AES-128)
Annex A (normative) PICS Proforma
A.1 Introduction
A.2 Abbreviations and special symbols
A.3 Instructions for completing the PICS proforma
A.4 PICS proforma for IEEE Std 802.1AE
A.5 Major capabilities
A.6 Support and use of Service Access Points
A.7 MAC status and point-to-point parameters
A.8 Secure Frame Generation
A.9 Secure Frame Verification
A.10 MACsec PDU encoding and decoding
A.11 Key Agreement Entity LMI
A.12 Additional fully conformant Cipher Suite capabilities
A.13 Additional variant Cipher Suite capabilities
Annex B (informative) Bibliography
Annex C (informative) IEEE list of participants

1. Overview

1.1 Introduction

IEEE 802 Local Area Networks (LANs) are often deployed in networks that support mission-critical applications. These include corporate networks of considerable extent, and public networks that support many customers with different economic interests. The protocols that configure, manage, and regulate access to these networks typically run over the networks themselves. Preventing disruption and data loss arising from transmission and reception by unauthorized parties is highly desirable, since it is not practical to secure the entire network against physical access by determined attackers.

MAC Security (MACsec), as defined by this standard, allows authorized systems that attach to and interconnect LANs in a network to maintain confidentiality of transmitted data and to take measures against frames transmitted or modified by unauthorized devices.

MACsec facilitates
a) Maintenance of correct network connectivity and services
b) Isolation of denial of service attacks
c) Localization of any source of network communication to the LAN of origin
d) The construction of public networks, offering service to unrelated or possibly mutually suspicious customers, using shared LAN infrastructures
e) Secure communication between organizations, using a LAN for transmission
f) Incremental and non-disruptive deployment, protecting the most vulnerable network components.

To deliver these benefits, MACsec has to be used in conjunction with appropriate policies for higher-level protocol operation in networked systems, an authentication and authorization framework, and network management. IEEE P802.1af [B2]¹ provides authentication and cryptographic key distribution.

MACsec protects communication between trusted components of the network infrastructure, thus protecting the network operation. MACsec cannot protect against attacks facilitated by the trusted components

¹ The numbers in brackets correspond to those of the bibliography in Annex B.