802.1AE: MAC Security (MACsec)

Full title: IEEE Standard for Local and metropolitan area networks–Media Access Control (MAC) Security

IEEE 802 Local Area Networks (LANs) are deployed in networks that support mission-critical applications and a wide variety of devices, implemented and administered by different organizations, and serving customers with different economic interests. The protocols that configure, manage, and regulate access to these networks typically run over the networks themselves. Preventing disruption and data loss arising from transmission and reception by unauthorized devices is a required network capability, as it is usually not practical to secure an entire network against physical access.

This standard (MACsec) specifies provision of connectionless user data confidentiality, data integrity, and data origin authenticity by media access independent protocols and entities that operate transparently to MAC Clients.

The MACsec Key Agreement Protocol (MKA) specified in IEEE Std 802.1X discovers mutually authenticated MACsec peers, and elects one as a Key Server that distributes the symmetric Secure Association Keys (SAKs) used by MACsec to protect frames. The 802.1AEcg amendment allows a MACsec participant to transmit using multiple secure channels (SCs), each using its own packet number (PN) sequence, to support strict replay protection when frames of different priorities can be disordered (e.g. by a Provider Bridged Network (PBN) or IEEE Std 802.3 frame preemption). 802.1AEcg Annex E describes how MKA supports the multiple transmit SCs.
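To make the replay-protection point concrete, here is an added Go example (not code from the standard or from any MACsec implementation) that models one transmit/receive secure channel: each frame is sealed with GCM-AES-128 under the SAK, using the 12-byte IV formed as SCI || PN, and the receiver applies a replay window of zero, so a frame whose PN has fallen behind is discarded. It assumes that layout for 32-bit PNs and uses a constructed SAK, SCI and AAD; running two ReceiveSC instances with independent PN sequences shows why a disordered frame is dropped on a single strict SC but accepted when priorities use separate SCs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

var ErrReplay = errors.New("macsec: PN below lowest acceptable PN, frame discarded")

// NewAEAD wraps a SAK in GCM-AES; a 16-byte SAK gives GCM-AES-128.
func NewAEAD(sak []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmIV builds the 12-byte IV used with 32-bit PNs: SCI || PN (assumed layout).
func gcmIV(sci [8]byte, pn uint32) []byte {
	iv := make([]byte, 12)
	copy(iv, sci[:])
	binary.BigEndian.PutUint32(iv[8:], pn)
	return iv
}

// Protect seals one frame's user data for secure channel sci at packet
// number pn; aad stands in for the cleartext DA, SA and SecTAG.
func Protect(aead cipher.AEAD, sci [8]byte, pn uint32, aad, data []byte) []byte {
	return aead.Seal(nil, gcmIV(sci, pn), data, aad)
}

// ReceiveSC is the replay state of one receive secure channel.
type ReceiveSC struct {
	SCI    [8]byte
	nextPN uint32 // lowest acceptable PN (replay window of zero)
}

// Receive discards frames whose PN has fallen behind, then checks the ICV
// and decrypts. nextPN advances only after a successful Open, so a forged
// or corrupted frame cannot move the window forward.
func (sc *ReceiveSC) Receive(aead cipher.AEAD, pn uint32, aad, ct []byte) ([]byte, error) {
	if pn < sc.nextPN {
		return nil, ErrReplay
	}
	pt, err := aead.Open(nil, gcmIV(sc.SCI, pn), ct, aad)
	if err != nil {
		return nil, err
	}
	sc.nextPN = pn + 1
	return pt, nil
}
```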

Current Status

Standard: Available free from the IEEE Get Program.
Status: Approved June 8th 2006, published 18th August 2006.
Amendments:
  802.1AEbn–2011: GCM–AES–256 Cipher Suite
  802.1AEbw–2013: Extended Packet Numbering
  802.1AEcg–2017: Ethernet Data Encryption devices
Editors: Allyn Romanow, Mick Seaman