IEEE Std 802.1AE-2006 IEEE Standard for Local and Metropolitan Area Networks-Media Access Control (MAC) Security.pdf


IEEE Std 802.1AE-2006

IEEE Standard for Local and metropolitan area networks: Media Access Control (MAC) Security

IEEE, 3 Park Avenue, New York, NY 10016-5997, USA
18 August 2006
IEEE Computer Society
Sponsored by the LAN/MAN Standards Committee

Authorized licensed use limited to: Tsinghua University Library. Downloaded on December 25, 2010 at 11:59:41 UTC from IEEE Xplore. Restrictions apply.

Sponsor: LAN/MAN Standards Committee of the IEEE Computer Society
Approved 8 June 2006 by the IEEE-SA Standards Board

The Institute of Electrical and Electronics Engineers, Inc., 3 Park Avenue, New York, NY 10016-5997, USA
Copyright 2006 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved. Published 18 August 2006. Printed in the United States of America.
IEEE and 802 are both registered trademarks in the U.S. Patent +1 978 750 8400. Permission to photocopy portions of any individual standard for educational classroom use can also be obtained through the Copyright Clearance Center.

Copyright 2006 IEEE. All rights reserved.

Introduction

This is the first edition of this standard.

Relationship between IEEE Std 802.1AE and other IEEE 802 standards

Another IEEE standard, IEEE Std 802.1X-2004, specifies Port-based Network Access Control, and provides a means of authenticating and authorizing devices attached to a LAN. Use of this standard in conjunction with the architecture and protocols of IEEE Std 802.1X-2004 extends the applicability of the latter to publicly accessible LAN/MAN media for which security has not already been defined. A proposed amendment, IEEE P802.1af, to IEEE Std 802.1X-2004 is being developed to specify the additional protocols and interfaces necessary.

This standard is not intended for use with IEEE Std 802.11, Wireless LAN Medium Access Control. An amendment to that standard, IEEE Std 802.11i-2004, also makes use of IEEE Std 802.1X-2004, thus facilitating the use of a common authentication and authorization framework for LAN media to which this standard applies and for Wireless LANs.

A previous security standard, IEEE Std 802.10, IEEE Standard for Interoperable LAN/MAN Security, has been withdrawn.

Notice to users

Errata
Errata, if any, for this and all other standards can be accessed at the following URL: http://standards.ieee.org/reading/ieee/updates/errata/index.html. Users are encouraged to check this URL for errata periodically.

Interpretations
Current interpretations can be accessed at the following URL: http://standards.ieee.org/reading/ieee/interp/index.html.

Patents
Attention is called to the possibility that implementation of this standard may require use of subject matter covered by patent rights. By publication of this standard, no position is taken with respect to the existence or validity of any patent rights in connection therewith. The IEEE shall not be responsible for identifying patents or patent applications for which a license may be required to implement an IEEE standard or for conducting inquiries into the legal validity or scope of those patents that are brought to its attention.

This introduction is not part of IEEE Std 802.1AE-2006, IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security.

Participants

At the time this standard was completed, the working group had the following membership:

Tony Jeffree, Chair
Mick Seaman, Interworking and Security Task Group Chair
Allyn Romanow, Editor
Frank Chao, MIB Editor

The following members of the individual balloting committee voted on this standard. Balloters may have voted for approval, disapproval, or abstention.

Brandon Barry, Les Bell, Mike Borza, Paul Bottorff, Jim Burns, Dirceu Cavendish, Paul Congdon, Sharam Davari, Arjan de Heer, Craig Easley, Anush Elangovan, Hesham Elbakoury, David Elie-Dit-Cosaque, Norm Finn, David Frattura, Anoop Ghanwani, Ken Grewal, Steve Haddock, Ran Ish-Shalom, Tony Jeffree, Hal Keen, Yongbum Kim, Loren Larsen, Yannick Le Goff, David Melman, John Messenger, Dinesh Mohan, Bob Moskowitz, Don O'Connor, Glenn Parsons, Ken Patton, Karen T. Randall, Allyn Romanow, Dan Romascanu, Jessy V. Rouyer, Ali Sajassi, Dolors Sala, Sam Sambasivan, John Sauer, Mick Seaman, Koichiro Seto, Muneyoshi Suzuki, Geoff Thompson, John Viega, Dennis Volpano, Karl Weber, Ludwig Winkel, Michael D. Wright, Eng Ahmed Abdelhalim, Butch Anton, Pierrejean Arcos, Chris B. Bagge, John B. Barnett, Mark A. Beadles, Michael A. Beck, Rahul B. Bhushan, Gennaro Boggia, James T. Carlo, Juan C. Carreon, Jon S. Chambers, Danila Chernetsov, Keith Chow, John L. Cole, Paul Congdon, Tommy P. Cooper, Russell S. Dietz, Thomas J. Dineen, Sean Dougherty, Alistair P. Duffy, Sourav K. Dutta, David Elie-Dit-Cosaque, Michael A. Fischer, Yukihiro Fujimoto, James P. Gilb, Nikhil Goel, Sergiu R. Goma, Patrick S. Gonia, Karanvir Grewal, Randall C. Groves, C. G. Guy, Ronald D. Hochnadel, Andreas J. Holtmann, Dennis Horwitz, Russell D. Housley, David Hunter, C. R. Huntley, Atsushi Ito, Raj Jain, David V. James, Tony Jeffree, Peter G. Johansson, David Johnston, Joe Natharoj Juisai, Piotr Karocki, Lior Khermosh, Byoung-jo Kim, Yongbum Kim, Mark J. Knight, Hermann Koch, Thomas M. Kurihara, David J. Law, Shawn M. Leard, Kang Lee, Li Li, William Lumpkins, G. L. Luri, Jonathon C. Mclendon, Francisco J. Melendez, George J. Miao, Gary L. Michel, Mike Moreton, M. Narayanan, Michael S. Newman, Paul Nikolich, Robert Ohara, Glenn W. Parsons, Vikram Punj, Jose P. Puthenkulam, Karen T. Randall, John J. Roese, Allyn Romanow, Jessy V. Rouyer, Michael Scholles, Stephen C. Schwarm, Mick Seaman, William M. Shvodian, Thomas M. Siep, Manikantan Srinivasan, Thomas E. Starai, Guenter Steindl, Michael L. Takefman, Joseph J. Tardo, Michael D. Johas Teener, Thomas A. Tullia, Mark-rene Uchida, Timothy P. Walker, Derek T. Woo, Steven A. Wright, Takahito Yoshizawa, Oren Yuen

When the IEEE-SA Standards Board approved this standard on 8 June 2006, it had the following membership:

Steve M. Mills, Chair
Richard H. Hulett, Vice Chair
Don Wright, Past Chair
Judith Gorman, Secretary

Mark D. Bowman, Dennis B. Brophy, William R. Goldbach, Arnold M. Greenspan, Robert M. Grow, Joanna N. Guenin, Julian Forster*, Mark S. Halpin, Kenneth S. Hanus, William B. Hopf, Joseph L. Koepfinger*, David J. Law, Daleep C. Mohla, T. W. Olsen, Glenn Parsons, Ronald C. Petersen, Tom A. Prevost, Greg Ratta, Robby Robson, Anne-Marie Sahazizian, Virginia C. Sulzberger, Malcolm V. Thaden, Richard L. Townsend, Walter Weigel, Howard L. Wolfman

*Member Emeritus

Also included are the following nonvoting IEEE-SA Standards Board liaisons:

Satish K. Aggarwal, NRC Representative
Richard DeBlasio, DOE Representative
Alan H. Cookson, NIST Representative

Don Messina, IEEE Standards Program Manager, Document Development
Michael Kipness, IEEE Standards Program Manager, Technical Program Development

Contents

1. Overview
   1.1 Introduction
   1.2 Scope
2. Normative references
3. Definitions
4. Abbreviations and acronyms
5. Conformance
   5.1 Requirements terminology
   5.2 Protocol Implementation Conformance Statement (PICS)
   5.3 Required capabilities
   5.4 Optional capabilities
6. Secure provision of the MAC Service
   6.1 MAC Service primitives and parameters
   6.2 MAC Service connectivity
   6.3 Point-to-multipoint LANs
   6.4 MAC status parameters
   6.5 MAC point-to-point parameters
   6.6 Security threats
   6.7 MACsec connectivity
   6.8 MACsec guarantees
   6.9 Security services
   6.10 Quality of service maintenance
7. Principles of secure network operation
   7.1 Support of the secure MAC Service by an individual LAN
   7.2 Multiple instances of the secure MAC Service on a single LAN
   7.3 Use of the secure MAC Service
8. MAC Security Protocol (MACsec)
   8.1 Protocol design requirements
   8.2 Protocol support requirements
   8.3 MACsec operation
9. Encoding of MACsec protocol data units
   9.1 Structure, representation, and encoding
   9.2 Major components
   9.3 Security TAG
   9.4 MACsec EtherType
   9.5 TAG Control Information (TCI)
   9.6 Association Number (AN)
   9.7 Short Length (SL)
   9.8 Packet Number (PN)
   9.9 Secure Channel Identifier (SCI)
   9.10 Secure Data
   9.11 Integrity Check Value (ICV)
   9.12 PDU validation
10. Principles of MAC Security Entity (SecY) operation
   10.1 SecY overview
   10.2 SecY functions
   10.3 Model of operation
   10.4 SecY architecture
   10.5 Secure frame generation
   10.6 Secure frame verification
   10.7 SecY management
   10.8 Addressing
   10.9 Priority
   10.10 SecY performance requirements
11. MAC Security in Systems
   11.1 MAC Service interface stacks
   11.2 MACsec in end stations
   11.3 MACsec in MAC Bridges
   11.4 MACsec in VLAN-aware Bridges
   11.5 MACsec and Link Aggregation
   11.6 Link Layer Discovery Protocol (LLDP)
   11.7 MACsec in Provider Bridged Networks
   11.8 MACsec and multi-access LANs
12. MACsec and EPON
13. Management protocol
   13.1 Introduction
   13.2 The Internet-Standard Management Framework
   13.3 Relationship to other MIBs
   13.4 Security considerations
   13.5 Structure of the MIB
   13.6 Definitions for MAC Security MIB
14. Cipher Suites
   14.1 Cipher Suite use
   14.2 Cipher Suite capabilities
   14.3 Cipher Suite specification
   14.4 Cipher Suite conformance
   14.5 Default Cipher Suite (GCM-AES-128)
Annex A (normative) PICS Proforma
   A.1 Introduction
   A.2 Abbreviations and special symbols
   A.3 Instructions for completing the PICS proforma
   A.4 PICS proforma for IEEE Std 802.1AE
   A.5 Major capabilities
   A.6 Support and use of Service Access Points
   A.7 MAC status and point-to-point parameters
   A.8 Secure Frame Generation
   A.9 Secure Frame Verification
   A.10 MACsec PDU encoding and decoding
   A.11 Key Agreement Entity LMI
   A.12 Additional fully conformant Cipher Suite capabilities
   A.13 Additional variant Cipher Suite capabilities
Annex B (informative) Bibliography

IEEE Standard for Local and metropolitan area networks: Media Access Control (MAC) Security

1. Overview

1.1 Introduction

IEEE 802 Local Area Networks (LANs) are often deployed in networks that support mission-critical applications. These include corporate networks of considerable extent, and public networks that support many customers with different economic interests. The protocols that configure, manage, and regulate access to these networks typically run over the networks themselves. Preventing disruption and data loss arising from transmission and reception by unauthorized parties is highly desirable, since it is not practical to secure the entire network against physical access by determined attackers.

MAC Security (MACsec), as defined by this standard, allows authorized systems that attach to and interconnect LANs in a network to maintain confidentiality of transmitted data and to take measures against frames transmitted or modified by unauthorized devices. MACsec facilitates

a) Maintenance of correct network connectivity and services
b) Isolation of denial of service attacks
c) Localization of any source of network communication to the LAN of origin
d) The construction of public networks, offering service to unrelated or possibly mutually suspicious customers, using shared LAN infrastructures
e) Secure communication between organizations, using a LAN for transmission
f) Incremental and non-disruptive deployment, protecting the most vulnerable network components.

To deliver these benefits, MACsec has to be used in conjunction with appropriate policies for higher-level protocol operation in networked systems, an authentication and authorization framework, and network management. IEEE P802.1af [B2]¹ provides authentication and cryptographic key distribution.

MACsec protects communication between trusted components of the network infrastructure, thus protecting the network operation. MACsec cannot protect against attacks facilitated by the trusted components themselves, and is complementary to, rather than a replacement for, end-to-end application-to-application security protocols. The latter can secure application data independent of network operation, but cannot necessarily defend the operation of network components, or prevent attacks using unauthorized communication from reaching the systems that operate the applications.

¹ The numbers in brackets correspond to those of the bibliography in Annex B.

1.2 Scope

The scope of this standard is to specify provision of connectionless user data confidentiality, frame data integrity, and data origin authenticity by media access independent protocols and entities that operate transparently to MAC Clients.

NOTE: The MAC Clients are as specified in IEEE Std 802, IEEE Std 802.2, IEEE Std 802.1D, IEEE Std 802.1Q, and IEEE Std 802.1X.

To this end it

a) Specifies the requirements to be satisfied by equipment claiming conformance to this standard.
b) Specifies the requirements for MAC Security in terms of provision of the MAC Service and the preservation of
