802.1AR: Secure Device Identity

Local Area Networks (LANs) are often deployed in networks that provide publicly accessible services or cannot be completely physically secured. Protocols that configure, manage, and regulate access to these networks typically run over the networks themselves. Secure and predictable network operation depends on authenticating each device attached to and participating in the network, so that the degree of trust and authorization to be accorded to that device by its communicating peers can be determined. Authentication of a human user, through a credential known to or possessed by that user, is often used to authenticate devices such as laptop personal computers, but many network devices are designed for unattended autonomous operation and do not support user authentication.

This standard specifies Secure Device Identifiers (DevIDs) designed to be used as interoperable secure device authentication credentials with Extensible Authentication Protocol (EAP [B4]) and other industry standard authentication and provisioning protocols. A standardized device identity facilitates interoperable secure device authentication and simplifies secure device deployment and management.

A device with DevID capability incorporates a globally unique manufacturer provided Initial Device Identifier (IDevID), stored in a way that protects it from modification. The device may support the creation of Locally Significant Device Identifiers (LDevIDs) by a network administrator. Each LDevID is bound to the device in a way that makes it infeasible for it to be forged or transferred to a device with a different IDevID without knowledge of the private key used to effect the cryptographic binding. LDevIDs can incorporate, and fully protect, additional information specified by the network administrator to support local authorization conventions.

Current Status

Standard Available free from the IEEE Get Program
Status Approved December 9th 2009, Published 22nd December 2009.
Revision in progress
Editor Max Pritikin