802.1AE: MAC Security (MACsec)

Full title: IEEE Standard for Local and metropolitan area networks–Media Access Control (MAC) Security

IEEE 802 Local Area Networks (LANs) are deployed in networks that support mission-critical applications and a wide variety of devices, implemented and administered by different organizations, and serving customers with different economic interests. The protocols that configure, manage, and regulate access to these networks typically run over the networks themselves. Preventing disruption and data loss arising from transmission and reception by unauthorized devices is a required network capability, as it is usually not practical to secure an entire network against physical access.

This standard (MACsec) specifies provision of connectionless user data confidentiality, data integrity, and data origin authenticity by media access independent protocols and entities that operate transparently to MAC Clients. The MACsec Key Agreement Protocol (MKA) specified in IEEE Std 802.1X discovers mutually authenticated MACsec peers, and elects one as a Key Server that distributes the symmetric Secure Association Keys (SAKs) used by MACsec to protect frames.

The first edition of IEEE Std 802.1AE was published in 2006. IEEE Std 802.1AEbn-2011 added the GCM-AES-256 Cipher Suite as an option. IEEE Std 802.1AEbw-2013 added extended packet numbering Cipher Suites, allowing more than 2^32 frames to be protected with a single Secure Association Key (SAK). IEEE Std 802.1AEcg-2017 specified Ethernet Data Encryption devices (EDEs) that provide transparent secure connectivity while supporting provider network service selection and provider backbone network selection as specified in IEEE Std 802.1Q. IEEE Std 802.1AEcg-2017 also specified transmission using multiple secure channels (SCs) for strict replay protection when frames of different priorities can be disordered, e.g. by a Provider Bridged Network (PBN) or IEEE Std 802.3 frame preemption, and described how MKA supports those multiple transmit SCs. IEEE Std 802.1AE-2018 incorporated and superseded the text of the first edition and its subsequent amendments.

IEEE Std 802.1AE comprises IEEE Std 802.1AE-2018 and its approved corrigenda and amendments.

IEEE 802.1 Security Task Group projects and related standards.

Current Status

Base Standard
IEEE Std 802.1AE-2018
Available free from the IEEE Get Program.
IEEE Std 802.1AEdk-2023
Published 18th August, 2023
IEEE Std 802.1AE-2018-Cor1: Tag Control Information Figure
Available free from the IEEE Get Program.
Editor Mick Seaman

Project History

802.1AE-2006: Media Access Control (MAC) Security
802.1AEbn-2011: GCM-AES-256 Cipher Suite
802.1AEbw-2013: Extended Packet Numbering
802.1AEcg-2017: Ethernet Data Encryption devices