802.1AE: MAC Security (MACsec)

Full title: IEEE Standard for Local and metropolitan area networks–Media Access Control (MAC) Security

IEEE 802 Local Area Networks (LANs) are deployed in networks that support mission-critical applications and a wide variety of devices, implemented and administered by different organizations, and serving customers with different economic interests. The protocols that configure, manage, and regulate access to these networks typically run over the networks themselves. Preventing disruption and data loss arising from transmission and reception by unauthorized devices is a required network capability, as it is usually not practical to secure an entire network against physical access.

This standard (MACsec) specifies provision of connectionless user data confidentiality, data integrity, and data origin authenticity by media access independent protocols and entities that operate transparently to MAC Clients. The MACsec Key Agreement Protocol (MKA) specified in IEEE Std 802.1X discovers mutually authenticated MACsec peers, and elects one as a Key Server that distributes the symmetric Secure Association Keys (SAKs) used by MACsec to protect frames.

The first edition of IEEE Std 802.1AE was published in 2006. IEEE Std 802.1AEbn-2011 added the GCM-AES-256 Cipher Suite as a option. IEEE Std 802.1AEbw-2013 added extended packet numbering Cipher Suites, allowing more than 232 frames to be protected with a single Secure Association Key (SAK). IEEE-Std 802.1AEcg-2017 specified Ethernet Data Encryption devices (EDEs) that provide transparent secure connectivity while supporting provider network service selection and provider backbone network selection as specified in IEEE Std 802.1Q. IEEE-Std 802.1AEcg-2017 also specified transmission using multiple secure channels (SCs) for strict replay protection when frames of different priorities can be disordered, e.g. by a Provider Bridged Network (PBN) or IEEE Std 802.3 frame preemption, and described how MKA supports those multiple transmit SCs.

The present standard, IEEE Std 802.1AE-2018, incorporates and supersedes the text of the first edition and its subsequent amendments.

IEEE 802.1 Security Task Group projects and related standards.

Current Status

Standard IEEE Std 802.1AE-2018
Status Available free from the IEEE Get Program.
Maintenance IEEE Std 802.1AE-2018-Cor1: Tag Control Information Figure
Fig 9-4 error, should be as IEEE Std 802.1AE-2006 Fig 9-4
Editor Mick Seaman

Project History

Project Revision of IEEE Std 802.1AE-2006 and amendments
PAR PAR approved September 28th, 2017.
CSD Roll-up revision, no new functionality, no CSD required.
Editor Mick Seaman
Supersedes 802.1AE-2006: Media Access Control (MAC) Security
802.1AEbn-2011: GCM–AES–256 Cipher Suite
802.1AEbw-2013: Extended Packet Numbering
802.1AEcg-2017: Ethernet Data Encryption devices
Archive Drafts and dispositions of comments