IEEE 802.1AEcg 2017
$80.71
IEEE Standard for Local and metropolitan area networks–Media Access Control (MAC) Security – Amendment 3: Ethernet Data Encryption devices
Published By | Publication Date | Number of Pages |
---|---|---|
IEEE | 2017 | 143 |
Amendment Standard – Superseded. Ethernet Data Encryption devices (EDEs) are specified in this amendment. An EDE is a two-port bridge that uses MACsec to provide secure connectivity for attached customer bridges, or for attached provider bridges. EDEs may allow the customer (or provider) bridges to continue to use a VLAN Identifier (VID) in transmitted frames to select (as already specified in IEEE Std 802.1Q™) between provider network or provider backbone network services. (The PDF of this standard is available at no cost compliments of the IEEE GET program)
PDF Catalog
PDF Pages | PDF Title |
---|---|
1 | IEEE Std 802.1AEcg-2017 Front cover |
2 | Title page |
4 | Important Notices and Disclaimers Concerning IEEE Standards Documents |
7 | Participants |
9 | Introduction |
10 | Contents |
13 | Figures |
14 | Tables |
16 | 1. Overview 1.2 Scope |
17 | 2. Normative references |
19 | 3. Definitions |
21 | 4. Abbreviations and acronyms |
22 | 5. Conformance 5.1 Requirements terminology |
23 | 5.2 Protocol Implementation Conformance Statement (PICS) 5.3 Required capabilities MAC Security Entity requirements |
24 | 5.4 Optional capabilities MAC Security Entity options |
25 | 5.5 EDE conformance 5.6 EDE-M conformance |
26 | 5.7 EDE-CS conformance 5.8 EDE-CC conformance 5.9 EDE-SS conformance |
27 | 6. Secure provision of the MAC Service 6.1 MAC Service primitives and parameters 6.2 MAC Service connectivity |
28 | 6.4 MAC status parameters 6.5 MAC point-to-point parameters 6.10 Quality of service maintenance |
30 | 7. Principles of secure network operation 7.1 Support of the secure MAC Service by an individual LAN 7.1.2 Secure Channel (SC) 7.1.3 Secure Association (SA) |
31 | Figure 7-7—Secure Channel and Secure Association Identifiers 7.3 Use of the secure MAC Service 7.3.1 Client policies |
32 | 7.3.2 Use of the secure MAC Service by bridges |
33 | 8. MAC Security Protocol (MACsec) 8.1.1 Security requirements 8.2.1 SC identification requirements 8.2.5 Authentication requirements 8.2.6 Authorization requirements 8.3 MACsec operation |
35 | 9. Encoding of MACsec protocol data units 9.9 Secure Channel Identifier (SCI) |
36 | 10. Principles of MAC Security Entity (SecY) operation 10.1 SecY overview 10.2 SecY functions |
37 | 10.4 SecY architecture Figure 10-4—Management controls and counters for secure frame generation 10.5 Secure frame generation |
38 | 10.5.1 Transmit SA assignment |
39 | Figure 10-5—Management controls and counters for secure frame verification |
40 | 10.5.3 SecTAG encoding |
41 | 10.6 Secure frame verification 10.6.1 Receive SA assignment |
42 | 10.7 SecY management |
44 | Figure 10-6—SecY managed objects |
45 | 10.7.1 SCI 10.7.4 Controlled Port status 10.7.6 Controlled Port statistics |
46 | 10.7.8 Frame verification controls 10.7.9 Frame verification statistics |
47 | 10.7.14 Receive SA status 10.7.16 Frame generation capabilities 10.7.17 Frame generation controls |
49 | 10.7.18 Frame generation statistics 10.7.20 Transmit SC creation |
50 | 10.7.21 Transmit SC status 10.7.22 Transmit SA creation 10.7.23 Transmit SA status |
51 | 10.7.25 Implemented Cipher Suites |
52 | 10.7.26 SecY Cipher Suite use 10.7.28 SAK creation |
53 | 11. MAC Security in Systems 11.1 MAC Service interface stacks 11.3 MACsec in MAC Bridges Figure 11-4 MACsec in a VLAN-unaware MAC Bridge |
54 | Figure 11-5 VLAN-unaware MAC Bridge Port with MACsec 11.4 MACsec in VLAN-aware Bridges Figure 11-6—Addition of MAC Security to a VLAN-aware MAC Bridge 11.8 MACsec and multi-access LANs |
55 | Figure 11-15—An example multi-access LAN |
56 | 13. Management protocol MAC Security Entity MIB 13.1 Introduction 13.4 Security considerations |
57 | 13.5 Structure of the MIB module |
63 | 13.6 Definitions for MAC Security Entity (SecY) MIB definitions |
101 | 14. Encoding of MACsec protocol data units 14.5 Default Cipher Suite (GCM–AES–128) 14.6 GCM-AES-256 |
102 | 15. Ethernet Data Encryption devices 15.1 EDE characteristics |
103 | 15.2 Securing LANs with EDE-Ms Figure 15-1—EDE-Ms connected by a point-to-point LAN |
104 | Figure 15-2—EDE-Ms securing a point-to-point LAN between Provider Bridges |
105 | 15.3 Securing connectivity across PBNs Figure 15-3—MACsec protected frame traversing a PBN |
106 | 15.4 Securing PBN connectivity with an EDE-M Figure 15-4—EDE-Ms securing point-to-point LAN connectivity across a PBN |
107 | Figure 15-5—EDE-Ms securing multi-point PBN connectivity 15.5 Securing PBN connectivity with an EDE-CS |
108 | Figure 15-6—Example of a network with an EDE-CS |
109 | Figure 15-7—EDE-CS connected to a PBN S-tagged interface 15.6 Securing PBN connectivity with an EDE-CC |
111 | Figure 15-9—EDE-CC architecture |
112 | 15.7 Securing PBN connectivity with an EDE-SS 15.8 EDE Interoperability |
113 | 15.9 EDEs, CFM, and UNI Access |
115 | 16. Using MIB modules to manage EDEs 16.1 Security considerations 16.2 EDE-M Management 16.3 EDE-CS Management 16.4 EDE-CC and EDE-SS Management |
117 | Annex A (normative) PICS Proforma A.5 Major capabilities |
119 | A.9 Secure Frame Verification |
123 | A.12 Additional fully conformant Cipher Suite capabilities |
124 | A.13 Additional variant Cipher Suite capabilities |
126 | Annex B (informative) Bibliography |
128 | Annex D (normative) PICS Proforma for an Ethernet Data Encryption device D.1 Introduction D.2 Abbreviations and special symbols D.2.1 Status symbols D.2.2 General abbreviations |
129 | D.3 Instructions for completing the PICS proforma D.3.1 General structure of the PICS proforma D.3.2 Additional information D.3.3 Exception information |
130 | D.3.4 Conditional status D.3.4.1 Conditional items D.3.4.2 Predicates |
131 | D.4 PICS proforma for IEEE Std 802.1AE EDE D.4.1 Implementation identification D.4.2 Protocol summary, IEEE Std 802.1AE EDE |
132 | D.5 EDE type and common requirements |
133 | D.6 EDE-M Configuration D.7 EDE-CS Configuration |
134 | D.8 EDE-CC Configuration D.9 EDE-SS Configuration |
135 | Annex E (informative) MKA operation for multiple transmit SCs |
137 | Annex F (informative) EDE Interoperability and PAE addresses |
140 | Annex G (informative) Management and MIB revisions |
141 | G.1 Counter changes |
142 | G.2 Available Cipher Suites |
143 | Back cover |