802.1AE: MAC Security (MACsec)
Full title: IEEE Standard for Local and metropolitan area networks–Media Access Control (MAC) Security
IEEE 802 Local Area Networks (LANs) are deployed in networks that support mission-critical applications and a wide variety of devices, implemented and administered by different organizations, and serving customers with different economic interests. The protocols that configure, manage, and regulate access to these networks typically run over the networks themselves. Preventing disruption and data loss arising from transmission and reception by unauthorized devices is a required network capability, as it is usually not practical to secure an entire network against physical access.
This standard (MACsec) specifies provision of connectionless user data confidentiality, data integrity, and data origin authenticity by media access independent protocols and entities that operate transparently to MAC Clients. The MACsec Key Agreement Protocol (MKA) specified in IEEE Std 802.1X discovers mutually authenticated MACsec peers, and elects one as a Key Server that distributes the symmetric Secure Association Keys (SAKs) used by MACsec to protect frames.
The first edition of IEEE Std 802.1AE was published in 2006. IEEE Std 802.1AEbn-2011 added the GCM-AES-256 Cipher Suite as a option. IEEE Std 802.1AEbw-2013 added extended packet numbering Cipher Suites, allowing more than 232 frames to be protected with a single Secure Association Key (SAK). IEEE-Std 802.1AEcg-2017 specified Ethernet Data Encryption devices (EDEs) that provide transparent secure connectivity while supporting provider network service selection and provider backbone network selection as specified in IEEE Std 802.1Q. IEEE-Std 802.1AEcg-2017 also specified transmission using multiple secure channels (SCs) for strict replay protection when frames of different priorities can be disordered, e.g. by a Provider Bridged Network (PBN) or IEEE Std 802.3 frame preemption, and described how MKA supports those multiple transmit SCs.
The present standard, IEEE Std 802.1AE-2018, incorporates and supersedes the text of the first edition and its subsequent amendments.
IEEE 802.1 Security Task Group projects and related standards.
Current Status
| Standard | IEEE Std 802.1AE-2018 |
| Status | Available free from the IEEE Get Program. |
| Maintenance | IEEE Std 802.1AE-2018-Cor1: Tag Control Information Figure Fig 9-4 error, should be as IEEE Std 802.1AE-2006 Fig 9-4 |
| Editor | Mick Seaman |
Project History
| Project | Revision of IEEE Std 802.1AE-2006 and amendments |
| PAR | PAR approved September 28th, 2017. |
| CSD | Roll-up revision, no new functionality, no CSD required. |
| Editor | Mick Seaman |
| Supersedes | 802.1AE-2006: Media Access Control (MAC) Security 802.1AEbn-2011: GCM–AES–256 Cipher Suite 802.1AEbw-2013: Extended Packet Numbering 802.1AEcg-2017: Ethernet Data Encryption devices |
| Archive | Drafts and dispositions of comments |