|Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security
|WORKING GROUP 802.1
IEEE 802 Local Area Networks (LANs) are deployed in networks that support mission-critical applications and a wide variety of devices, implemented and administered by different organizations, and serving customers with different economic interests. The protocols that configure, manage, and regulate access to these networks typically run over the networks themselves. Preventing disruption and data loss arising from transmission and reception by unauthorized devices is a required network capability, as it is usually not practical to secure an entire network against physical access.
This standard (MACsec) specifies provision of connectionless user data confidentiality, data integrity, and data origin authenticity by media access independent protocols and entities that operate transparently to MAC Clients. The MACsec Key Agreement Protocol (MKA) specified in IEEE Std 802.1X discovers mutually authenticated MACsec peers, and elects one as a Key Server that distributes the symmetric Secure Association Keys (SAKs) used by MACsec to protect frames.
The first edition of IEEE Std 802.1AE was published in 2006. IEEE Std 802.1AEbn-2011 added the GCM-AES-256 Cipher Suite as a option. IEEE Std 802.1AEbw-2013 added extended packet numbering Cipher Suites, allowing more than 232 frames to be protected with a single Secure Association Key (SAK). IEEE-Std 802.1AEcg-2017 specified Ethernet Data Encryption devices (EDEs) that provide transparent secure connectivity while supporting provider network service selection and provider backbone network selection as specified in IEEE Std 802.1Q. IEEE-Std 802.1AEcg-2017 also specified transmission using multiple secure channels (SCs) for strict replay protection when frames of different priorities can be disordered, e.g. by a Provider Bridged Network (PBN) or IEEE Std 802.3 frame preemption, and described how MKA supports those multiple transmit SCs.