Format: PDF, Pages: 164, Size: 2.54 MB

BS ISO IEC IEEE 8802-1AE-2013 Information technology Telecommunications and information exchange between systems Local and metropolitan area networks Media access control (MAC) sec.pdf

BSI Standards Publication

Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks

Part 1AE. Media access control (MAC) security

BS ISO/IEC/IEEE 8802-1AE:2013

National foreword

This British Standard is the UK implementation of ISO/IEC/IEEE 8802-1AE:2013.

The UK participation in its preparation was entrusted to Technical Committee IST/6, Data communications.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2013
Published by BSI Standards Limited 2013
ISBN 978 0 580 85074 5
ICS 35.110

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 December 2013.

Amendments/corrigenda issued since publication
Date | Text affected

INTERNATIONAL STANDARD ISO/IEC/IEEE 8802-1AE
First edition 2013-12-01
Reference number ISO/IEC/IEEE 8802-1AE:2013(E)
© IEEE 2006

Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Part 1AE: Media access control (MAC) security

Technologies de l'information - Télécommunications et échange d'information entre systèmes - Réseaux locaux et métropolitains - Partie 1AE: Sécurité du contrôle d'accès aux supports (MAC)

© IEEE 2006. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without permission in writing from ISO, IEC or IEEE at the respective address below.

ISO copyright office: Case postale 56, CH-1211 Geneva 20. Tel. + 41 22 749 01 11, Fax + 41 22 749 09 47. E-mail copyright@iso.org. Web www.iso.org
IEC Central Office: 3, rue de Varembé, CH-1211 Geneva 20, Switzerland. E-mail inmail@iec.ch. Web www.iec.ch
Institute of Electrical and Electronics Engineers, Inc.: 3 Park Avenue, New York, NY 10016-5997, USA. E-mail stds.ipr@ieee.org. Web www.ieee.org

Published in Switzerland

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its standards through a consensus development process, approved by the American National Standards Institute, which brings together volunteers representing varied viewpoints and interests to achieve the final product. Volunteers are not necessarily members of the Institute and serve without compensation. While the IEEE administers the process and establishes rules to promote fairness in the consensus development process, the IEEE does not independently evaluate, test, or verify the accuracy of any of the information contained in its standards.

The main task of ISO/IEC JTC 1 is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is called to the possibility that implementation of this standard may require the use of subject matter covered by patent rights. By publication of this standard, no position is taken with respect to the existence or validity of any patent rights in connection therewith. ISO/IEEE is not responsible for identifying essential patents or patent claims for which a license may be required, for conducting inquiries into the legal validity or scope of patents or patent claims or determining whether any licensing terms or conditions provided in connection with submission of a Letter of Assurance or a Patent Statement and Licensing Declaration Form, if any, or in any licensing agreements are reasonable or non-discriminatory. Users of this standard are expressly advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their own responsibility. Further information may be obtained from ISO or the IEEE Standards Association.

ISO/IEC/IEEE 8802-1AE was prepared by the LAN/MAN Standards Committee of the IEEE Computer Society (as IEEE Std 802.1AE-2006). It was adopted by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 6, Telecommunications and information exchange between systems, in parallel with its approval by the ISO/IEC national bodies, under the “fast-track procedure” defined in the Partner Standards Development Organization cooperation agreement between ISO and IEEE.

IEEE is responsible for the maintenance of this document with participation and input from ISO/IEC national bodies.

ISO/IEC/IEEE 8802 consists of the following parts, under the general title Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks:

Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications
Part 1X: Port-based network access control
Part 1AE: Media access control (MAC) security
Part 15-4: Wireless medium access control (MAC) and physical layer (PHY) specifications for low-rate wireless personal area networks (WPANs)

IEEE Std 802.1AE-2006

IEEE Standard for Local and metropolitan area networks: Media Access Control (MAC) Security

IEEE Computer Society
Sponsored by the LAN/MAN Standards Committee
IEEE, 3 Park Avenue, New York, NY 10016-5997, USA
18 August 2006

Sponsor: LAN/MAN Standards Committee of the IEEE Computer Society
Approved 8 June 2006, IEEE-SA Standards Board

The Institute of Electrical and Electronics Engineers, Inc., 3 Park Avenue, New York, NY 10016-5997, USA

Copyright © 2006 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved. Published 18 August 2006. Printed in the United States of America.

IEEE and 802 are both registered trademarks in the U.S. Patent +1 978 750 8400. Permission to photocopy portions of any individual standard for educational classroom use can also be obtained through the Copyright Clearance Center.

Introduction

(This introduction is not part of IEEE Std 802.1AE-2006, IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security.)

This is the first edition of this standard.

Relationship between IEEE Std 802.1AE and other IEEE 802 standards

Another IEEE standard, IEEE Std 802.1X-2004, specifies Port-based Network Access Control, and provides a means of authenticating and authorizing devices attached to a LAN. Use of this standard in conjunction with architecture and protocols of IEEE Std 802.1X-2004 extends the applicability of the latter to publicly accessible LAN/MAN media for which security has not already been defined. A proposed amendment, IEEE P802.1af, to IEEE Std 802.1X-2004 is being developed to specify the additional protocols and interfaces necessary.

This standard is not intended for use with IEEE Std 802.11, Wireless LAN Medium Access Control. An amendment to that standard, IEEE Std 802.11i-2004, also makes use of IEEE Std 802.1X-2004, thus facilitating the use of a common authentication and authorization framework for LAN media to which this standard applies and for Wireless LANs.

A previous security standard, IEEE Std 802.10, IEEE Standard for Interoperable LAN/MAN Security, has been withdrawn.

Notice to users

Errata

Errata, if any, for this and all other standards can be accessed at the following URL: http://standards.ieee.org/reading/ieee/updates/errata/index.html. Users are encouraged to check this URL for errata periodically.

Interpretations

Current interpretations can be accessed at the following URL: http://standards.ieee.org/reading/ieee/interp/index.html.

Patents

Attention is called to the possibility that implementation of this standard may require use of subject matter covered by patent rights. By publication of this standard, no position is taken with respect to the existence or validity of any patent rights in connection therewith. The IEEE shall not be responsible for identifying patents or patent applications for which a license may be required to implement an IEEE standard or for conducting inquiries into the legal validity or scope of those patents that are brought to its attention.

Contents

1. Overview
  1.1 Introduction
  1.2 Scope
2. Normative references
3. Definitions
4. Abbreviations and acronyms
5. Conformance
  5.1 Requirements terminology
  5.2 Protocol Implementation Conformance Statement (PICS)
  5.3 Required capabilities
  5.4 Optional capabilities
6. Secure provision of the MAC Service
  6.1 MAC Service primitives and parameters
  6.2 MAC Service connectivity
  6.3 Point-to-multipoint LANs
  6.4 MAC status parameters
  6.5 MAC point-to-point parameters
  6.6 Security threats
  6.7 MACsec connectivity
  6.8 MACsec guarantees
  6.9 Security services
  6.10 Quality of service maintenance
7. Principles of secure network operation
  7.1 Support of the secure MAC Service by an individual LAN
  7.2 Multiple instances of the secure MAC Service on a single LAN
  7.3 Use of the secure MAC Service
8. MAC Security Protocol (MACsec)
  8.1 Protocol design requirements
  8.2 Protocol support requirements
  8.3 MACsec operation
9. Encoding of MACsec protocol data units
  9.1 Structure, representation, and encoding
  9.2 Major components
  9.3 Security TAG
  9.4 MACsec EtherType
  9.5 TAG Control Information (TCI)
  9.6 Association Number (AN)
  9.7 Short Length (SL)
  9.8 Packet Number (PN)
  9.9 Secure Channel Identifier (SCI)
  9.10 Secure Data
  9.11 Integrity Check Value (ICV)
  9.12 PDU validation
10. Principles of MAC Security Entity (SecY) operation
  10.1 SecY overview
  10.2 SecY functions
  10.3 Model of operation
  10.4 SecY architecture
  10.5 Secure frame generation
  10.6 Secure frame verification
  10.7 SecY management
  10.8 Addressing
  10.9 Priority
  10.10 SecY performance requirements
11. MAC Security in Systems
  11.1 MAC Service interface stacks
  11.2 MACsec in end stations
  11.3 MACsec in MAC Bridges
  11.4 MACsec in VLAN-aware Bridges
  11.5 MACsec and Link Aggregation
  11.6 Link Layer Discovery Protocol (LLDP)
  11.7 MACsec in Provider Bridged Networks
  11.8 MACsec and multi-access LANs
12. MACsec and EPON
13. Management protocol
  13.1 Introduction
  13.2 The Internet-Standard Management Framework
  13.3 Relationship to other MIBs
  13.4 Security considerations
  13.5 Structure of the MIB
  13.6 Definitions for MAC Security MIB
14. Cipher Suites
  14.1 Cipher Suite use
  14.2 Cipher Suite capabilities
  14.3 Cipher Suite specification
  14.4 Cipher Suite conformance
  14.5 Default Cipher Suite (GCM-AES-128)
Annex A (normative) PICS Proforma
  A.1 Introduction
  A.2 Abbreviations and special symbols
  A.3 Instructions for completing the PICS proforma
  A.4 PICS proforma for IEEE Std 802.1AE
  A.5 Major capabilities
  A.6 Support and use of Service Access Points
  A.7 MAC status and point-to-point parameters
  A.8 Secure Frame Generation
  A.9 Secure Frame Verification
  A.10 MACsec PDU encoding and decoding
  A.11 Key Agreement Entity LMI
  A.12 Additional fully conformant Cipher Suite capabilities
  A.13 Additional variant Cipher Suite capabilities
Annex B (informative) Bibliography
Annex

passive wiretapping only attempts to observe the flow and gain knowledge of information it contains.

14 FIPS 140-2.
15 FIPS 140-2.

4. Abbreviations and acronyms

The following abbreviations and acronyms are used in this standard.

AES: Advanced Encryption Standard
AN: Association Number
CA: secure Connectivity Association
CRC: Cyclic Redundancy Check
CTR: Counter mode
DA: Destination Address
EPON: Ethernet Passive Optical Network
ES: end station
FCS: frame check sequence
FIPS: Federal Information Processing Standard
GCM: Galois Counter Mode
Gb/s: Gigabit per second (1 Gb/s is equivalent to 1 000 000 000 bits per second)
ICV: integrity check value
ISS: Internal Sublayer Service
IV: Initialization Vector
KaY: MAC Security Key Agreement Entity
LACP: Link Aggregation Control Protocol
LAN: IEEE 802 Local Area Network
LLC: Logical Link Control (IEEE Std 802.2)
LLDP: Link Layer Discovery Protocol
LMI: Layer Management Interface
MAC: Media Access Control
Mb/s: Megabit per second (1 Mb/s is equivalent to 1 000 000 bits per second)
MIB: Management Information Base
MPDU: MACsec Protocol Data Unit
MSDU: MAC Service Data Unit
MSTP: Multiple Spanning Tree Protocol
NESSIE: New European Schemes for Signatures, Integrity, and Encryption
NIST: National Institute of Standards and Technology
OLT: Optical Line Terminator
ONU: Optical Network Unit
PAE: Port Access Entity
PDU: Protocol Data Unit
PN: Packet Number
QoS: quality of service
RADIUS: Remote Authe
