IEEE 802.1AE
802.1AE is the IEEE MAC Security standard (also known as MACsec), which defines connectionless data confidentiality and integrity for media-access-independent protocols. It is standardized by the IEEE 802.1 working group.

Key management and the establishment of secure associations is outside the scope of 802.1AE, but is specified by 802.1X-2010.

The 802.1AE standard specifies the implementation of a MAC Security Entity (SecY) that can be thought of as part of each station attached to the same LAN, providing a secure MAC service to its client. The standard defines
  • MACsec frame format, which is similar to the Ethernet frame, but includes additional fields:
    • Security Tag, which is an extension of the EtherType
    • Message authentication code (ICV)
  • Secure Connectivity Associations that represent groups of stations connected via unidirectional Secure Channels
  • Security Associations within each secure channel. Each association uses its own key (SAK). More than one association is permitted within the channel for the purpose of key change without traffic interruption (the standard requires devices to support at least two)
  • Default cipher suite (Galois/Counter Mode of the Advanced Encryption Standard cipher with a 128-bit key)
    • Galois/Counter Mode of the Advanced Encryption Standard cipher with a 256-bit key is being added to the standard.


The security tag inside each frame, in addition to the EtherType, includes:
  • association number within the channel
  • packet number, which provides a unique initialization vector for the encryption and authentication algorithms as well as protection against replay attacks
  • optional LAN-wide secure channel identifier (not required on point-to-point links).
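The frame format and security-tag fields listed above, worked through as an added example; this is not code from the page or from any MACsec implementation. The byte-level layout is assumed from IEEE 802.1AE because the page names the fields without giving values: EtherType 0x88E5, a one-octet TCI/AN carrying the SC, E and C flag bits and the two-bit association number, a one-octet Short Length, a 32-bit packet number, an 8-octet secure channel identifier, and for the default GCM-AES-128 suite a 12-octet nonce formed from SCI || PN with the destination address, source address and SecTAG authenticated as associated data and a 16-octet ICV. The `SecY`, `Protect` and `Validate` names and the SAK and SCI values are constructed for the example. It shows why the PN makes each nonce unique under one SAK, how the AN selects among installed SAKs so a key can change without stopping traffic, and why a receiver advances its replay window only after the ICV verifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// SecTAG layout assumed from IEEE 802.1AE (the page names fields, not byte values).
const (
	macsecEtherType uint16 = 0x88E5
	tciSC           byte   = 0x20 // SC: SCI explicitly carried in the SecTAG
	tciE            byte   = 0x08 // E: secure data is encrypted
	tciC            byte   = 0x04 // C: secure data differs from user data
	anMask          byte   = 0x03 // AN: two-bit association number
	icvLen                 = 16      // GCM-AES-128 ICV
	hdrLen                 = 12 + 16 // DA, SA and a SecTAG with explicit SCI
)

// SecY models one direction of a MAC Security Entity: a secure channel named by
// an SCI, up to four SAs selected by AN (each with its own SAK) and PN state.
type SecY struct {
	SCI      [8]byte
	SAKs     map[byte][]byte // AN -> 16-octet SAK
	NextPN   uint32          // transmit side: next PN to use
	LowestPN uint32          // receive side: lowest acceptable PN (window 0)
}

// aeadFor selects the SA by AN and returns GCM-AES-128 keyed with its SAK.
func (s *SecY) aeadFor(an byte) (cipher.AEAD, error) {
	sak, ok := s.SAKs[an&anMask]
	if !ok {
		return nil, errors.New("no SAK installed for this AN")
	}
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-octet nonce = SCI || PN
}

// Protect builds DA||SA||SecTAG||ciphertext||ICV for one user payload.
func (s *SecY) Protect(da, sa [6]byte, an byte, payload []byte) ([]byte, error) {
	aead, err := s.aeadFor(an)
	if err != nil {
		return nil, err
	}
	if s.NextPN == 0 { // counter wrapped: a PN must never repeat under one SAK
		return nil, errors.New("PN exhausted; switch AN to a fresh SAK")
	}
	pn := s.NextPN
	s.NextPN++
	hdr := make([]byte, hdrLen)
	copy(hdr[0:6], da[:])
	copy(hdr[6:12], sa[:])
	binary.BigEndian.PutUint16(hdr[12:14], macsecEtherType)
	hdr[14] = tciSC | tciE | tciC | (an & anMask)
	if len(payload) < 48 { // Short Length is set only for user data under 48 octets
		hdr[15] = byte(len(payload))
	}
	binary.BigEndian.PutUint32(hdr[16:20], pn)
	copy(hdr[20:28], s.SCI[:])
	nonce := append(append([]byte{}, s.SCI[:]...), hdr[16:20]...)
	ct := aead.Seal(nil, nonce, payload, hdr) // hdr is authenticated, not encrypted
	return append(hdr, ct...), nil
}

// Validate parses a frame, enforces replay protection on the PN and verifies
// the ICV before returning the user data; any failure drops the frame.
func (s *SecY) Validate(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+icvLen || binary.BigEndian.Uint16(frame[12:14]) != macsecEtherType {
		return nil, errors.New("not a complete MACsec frame")
	}
	tci := frame[14] // reject version bit set, implicit SCI, or a foreign SCI
	if tci&0x80 != 0 || tci&tciSC == 0 || !bytes.Equal(frame[20:28], s.SCI[:]) {
		return nil, errors.New("unsupported SecTAG or unknown secure channel")
	}
	pn := binary.BigEndian.Uint32(frame[16:20])
	if pn < s.LowestPN {
		return nil, errors.New("replay: PN below the acceptable window")
	}
	aead, err := s.aeadFor(tci)
	if err != nil {
		return nil, err
	}
	nonce := append(append([]byte{}, s.SCI[:]...), frame[16:20]...)
	plain, err := aead.Open(nil, nonce, frame[hdrLen:], frame[:hdrLen])
	if err != nil {
		return nil, errors.New("ICV check failed; frame discarded")
	}
	s.LowestPN = pn + 1 // advance only after the ICV verified, never on forged PNs
	return plain, nil
}
```

To exercise it, build a transmitting `SecY` with `NextPN: 1` and a receiving one with the same SCI and SAK map and `LowestPN: 1`, call `Protect` for a payload, then `Validate` the result twice: the first call returns the payload, the second is rejected as a replay because the PN now sits below the window. Protecting a second frame under AN 1 (a different SAK) is still accepted, which is the key change without traffic interruption described above. A replay window of 0 is used here for clarity; real deployments that tolerate reordering configure a larger window.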


The IEEE 802.1AE (MACsec) standard specifies a set of protocols to meet the security requirements for protecting data traversing Ethernet LANs. The standard protects network operations by identifying unauthorized actions on a LAN and preventing communication from their sources.

MACsec allows unauthorised LAN connections to be identified and excluded from communication within the network. In common with IPsec and SSL, MACsec defines a security infrastructure to provide data confidentiality, data integrity and data origin authentication.
By assuring that a frame comes from the station that claimed to send it, MACsec can mitigate attacks on Layer 2 protocols.

Publishing history:
  • 2006 - Original publication (802.1AE-2006)
  • 2011 - 802.1AEbn workgroup was formed to add GCM-AES-256 to the standard.


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.