802.1X-2010 - IEEE Standard for Local and metropolitan area networks--Port-Based Network Access Control.pdf

1、 !“#$ $% +1 978 750 8400. Permission to photocopy portions of any individual standard for educational classroom use can also be obtained through the Copyright Clearance Center.iv Copyright 2010 IEEE. All rights reserved. IntroductionPort-based network access control allows a network administrator to

2、 restrict the use of IEEE 802 LAN service access points (ports) to secure communication between authenticated and authorized devices. IEEE Std 802.1X specifies an architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN

3、 and secure communication between the ports. The first edition of IEEE Std 802.1X was published in 2001. The second edition, IEEE Std 802.1X-2004, clarified areas related to mutual authentication and the interface between IEEE 802.1X specified state machine, and those specified by the Extensible Aut

4、hentication Protocol (EAP), and by IEEE Std 802.11 in support of IEEE Std 802.1X. Work on this edition, IEEE Std 802.1X-2010, began as IEEE P802.1af an amendment to specify authenticated key agreement in support of IEEE 802.1AE MAC Security. Part of that work clarified and generalized the relationsh

5、ip between the common architecture specified for port-based network access control, and the functional elements and protocols that support that architecture as specified in IEEE Std 802.1X, other IEEE 802 Standards, and in IETF RFCs. The extent of the changes necessary to IEEE Std 802.1X-2004 made i

6、t appropriate to revise IEEE Std 802.1X as a whole. Further changes updated the standard to reflect best current practice, insisting, for example, upon mutual authentication methods and using such methods in examples. A greater emphasis is placed on the security of systems accessing the network, as

7、well as upon the security of the network accessed, and some prior provisions, such as the controlled directions parameters, have been removed and replaced with a more comprehensive treatment of segregating and limiting connectivity to unauthenticated systems. Every effort has been made to maintain i

8、nteroperability, without prior configuration, with implementations conforming to IEEE Std 802.1X-2004 and IEEE Std 802.1X-2001. However it is anticipated that claims of conformance in respect of some existing implementations will continue to refer to IEEE Std 802.1X-2004. Changes to the functionalit

9、y provided by that prior edition and its documentation include those detailed in the following paragraph. This edition, IEEE Std 802.1X-2010, describes applications of port-based network access that use IEEE 802.1AE MAC Security (MACsec) and/or MKA (MACsec Key Agreement protocol) as well as those pr

10、eviously supported. The specification of the use of EAP for authentication has been updated, enforcing a stricter separation between the port access control protocol (PACP), local to the Supplicant and Authenticator, and the EAP state machines proper. Details of particular EAP methods are no longer

11、interpreted by the PACP machines. The existing EAPOL (EAP over LANs) PDU formats have not been modified, but additional EAPOL PDUs have been added to support MKA and the specification of EAPOL improved. The bibliography, previously Annex F, has been moved to Annex B. The discussions previously in An

12、nex B and Annex C have been updated and integrated into the main body of the standard. The state machine diagram and language conventions, now used by a number of clauses in the standard, have been moved to a new Annex C. Notice to users Laws and regulations Users of these documents should consult a

13、ll applicable laws and regulations. Compliance with the provisions of this standard does not imply compliance to any applicable regulatory requirements. This introduction is not part of IEEE Std 802.1X-2010, IEEE Standard for Local and Metropolitan Area NetworksPort-Based Network Access Control.Copy

14、right 2010 IEEE. All rights reserved. v Implementers of the standard are responsible for observing or referring to the applicable regulatory requirements. IEEE does not, by the publication of its standards, intend to urge action that is not in compliance with applicable laws, and these documents may

15、 not be construed as doing so. Copyrights This document is copyrighted by the IEEE. It is made available for a wide variety of both public and private uses. These include both use, by reference, in laws and regulations, and use in private self-regulation, standardization, and the promotion of engine

16、ering practices and methods. By making this document available for use and adoption by public authorities and private users, the IEEE does not waive any rights in copyright to this document. Updating of IEEE documents Users of IEEE standards should be aware that these documents may be superseded at

17、any time by the issuance of new editions or may be amended from time to time through the issuance of amendments, corrigenda, or errata. An official IEEE document at any point in time consists of the current edition of the document together with any amendments, corrigenda, or errata then in effect. I

18、n order to determine whether a given document is the current edition and whether it has been amended through the issuance of amendments, corrigenda, or errata, visit the IEEE Standards Association website at http:/ ieeexplore.ieee.org/xpl/standards.jsp, or contact the IEEE at the address listed prev

19、iously. For more information about the IEEE Standards Association or the IEEE standards development process, visit the IEEE-SA website at http:/standards.ieee.org. Errata Errata, if any, for this and all other standards can be accessed at the following URL: http:/ standards.ieee.org/reading/ieee/upd

20、ates/errata/index.html. Users are encouraged to check this URL for errata periodically. Interpretations Current interpretations can be accessed at the following URL: http:/standards.ieee.org/reading/ieee/interp/ index.html. Patents Attention is called to the possibility that implementation of this a

21、mendment may require use of subject matter covered by patent rights. By publication of this amendment, no position is taken with respect to the existence or validity of any patent rights in connection therewith. The IEEE is not responsible for identifying Essential Patent Claims for which a license

22、may be required, for conducting inquiries into the legal validity or scope of Patents Claims or determining whether any licensing terms or conditions provided in connection with submission of a Letter of Assurance, if any, or in any licensing agreements are reasonable or non- discriminatory. Users o

23、f this amendment are expressly advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their own responsibility. Further information may be obtained from the IEEE Standards Association.vi Copyright 2010 IEEE. All rights reserved. Part

24、icipants At the time this standard was submitted to the IEEE-SA for approval, the IEEE 802.1 Working Group had the following membership: Tony Jeffree, Chair Paul Congdon, Vice Chair Mick Seaman, Security Task Group Chair, Editor Zehavit Alon Siamack Ayandeh Caitlin Bestler Jan Bialkowski Jean-Michel

25、 Bonnamy Paul Bottorff Rudolf Brandner Craig W. Carlson Weiying Cheng Rao Cherukuri Jin-Seek Choi Don Connor Diego Crupnicoff Claudio Desanti Zhemin Ding Linda Dunbar David Elie-Dit-Cosaque Janos Farkas Donald Fedyk Norman Finn Robert Frazier John Fuller Geoffrey Garner Anoop Ghanwani Franz Goetz Ya

26、nnick Le Goff Eric Gray Ken Grewal Craig Gunther Mitch Gusat Stephen Haddock Asif Hazarika Charles Hudson Romain Insler Pankaj Jha Abhay Karandikar Prakash Kashyap Hal Keen Keti Kilcrease Yongbum Kim Philippe Klein Mike Ko Vinod Kumar Bruce Kwan Ashvin Lakshmikantha Kari Laihonen John Lemon Marina L

27、ipshteyn Gael Mace Ben Mack-Crane David Martin Riccardo Martinotti Alan McGuire James McIntosh Menucher Menuchery John Messenger Gabriel Montenegro Matthew Mora John Morris Eric Multanen Paul Nikolich Kevin Nolish David Olsen Donald Pannell Glenn Parsons Joseph Pelissier David Peterson Hayim Porat M

28、ax Pritikin Karen Randall Josef Roese Derek J. Rohde Dan Romascanu Jessy V. Rouyer Jonathan Sadler Ali Sajassi Panagiotis Saltsidis Joseph Salowey Satish Sathe John Sauer Koichiro Seto Nurit Sprecher Kevin B. Stanton Robert A. Sultan Muneyoshi Suzuki Michael Johas Teener Patricia Thaler Ao Ting Manoj Wadekar Yuehua Wei Brian Weis Martin White Bert Wijnen Michael D. Wright Chien-Hsien Wu Ken Young Glen Zorn