2018 IEEE 802.1AE v1.2：MAC安全标准更新概述

IEEE

802.1AE

需积分: 1 79 浏览量更新于2024-06-28 3 收藏 1.51MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

IEEE 802.1AE 2018版本1.2是针对局域网（LAN）和城域网（MAN）的媒体访问控制（MAC）安全标准。这个标准于2018年4月17日发布，是对2006年版IEEE 802.1AE标准的修订，包含了后续三个标准的更新：IEEE 802.1AEbn-2011、IEEE 802.1AEbw-2013和IEEE 802.1AEcg-2017。这个修订版旨在提供更加先进和全面的网络安全性，确保在多样的网络环境中，特别是无线和有线网络的接入点（AP）、交换机和其他设备之间的MAC层数据传输得到保护。 IEEE 802.1AE关注的核心是MAC层的安全性，这是网络通信的基础层次，负责管理数据帧的发送和接收。该标准定义了一系列的机制，如基于密钥的访问控制、加密技术、认证协议以及对恶意行为的检测和防御措施。它适用于各种网络架构，包括企业内部网络、公共Wi-Fi热点和云计算环境，旨在保护网络免受未经授权的访问、数据篡改或窃听。在技术细节上，IEEE 802.1AE 1.2可能涵盖了以下内容： 1. **MAC安全框架**：建立了一套统一的框架，用于实现和管理MAC层的安全特性，包括安全模式的定义和切换、安全协议栈的设计等。 2. **加密**：可能提供了对数据包进行加密的方法，如TKIP（Temporal Key Integrity Protocol）和CCMP（Counter Mode with CBC-MAC Padding），确保即使在网络被截获时，数据也保持私密性。 3. **身份验证**：规定了如何验证发送者和接收者的身份，例如采用EAP（Extensible Authentication Protocol）进行用户接入认证。 4. **访问控制**：通过802.1x协议实现准入控制，限制只有授权用户才能访问网络资源。 5. **完整性保护**：防止数据在传输过程中被篡改，通过使用消息完整性校验码（MIC）来确保数据的完整性和来源的真实性。 6. **报文封装与解封装**：处理安全数据包的封装和解封装过程，确保安全机制能在不同类型的网络接口之间无缝协同。 7. **动态密钥管理**：支持密钥的生成、分发、存储和更新，以应对不断变化的安全威胁。 8. **安全事件报告与监控**：定义了安全事件的检测和报告机制，帮助网络管理员及时发现并响应潜在的安全问题。作为一项未批准的草案，IEEE 802.1AE 1.2标准仍处于不断修改和完善的过程中。用户在实施时应意识到可能存在变动，并且仅适用于非正式的测试或研发环境。对于实际生产环境，需要等待正式标准发布后根据其稳定版本进行应用。这个标准是保障现代网络环境中数据安全的重要工具，对于网络管理员、安全工程师和技术决策者来说，理解和掌握它是必不可少的。

资源详情

资源推荐

P802.1AE™–Rev/D1.2 April 17, 2018

Draft Revision of IEEE Standard for Local and metropolitan area networks—Media Access Control (MAC) Security

This is an unapproved IEEE Standards draft, subject to change.

Draft Standard for

Local and metropolitan area networks—

Media Access Control (MAC) Security

IMPORTANT NOTICE

IMPORTANT NOTICE: IEEE Standards documents are not intended to ensure safety, security, health, or

environmental protection, or ensure against interference with or from other devices or networks.

Implementers of IEEE Standards documents are responsible for determining and complying with all

appropriate safety, security, environmental, health, and interference protection practices and all applicable

laws and regulations.

This IEEE document is made available for use subject to important notices and legal disclaimers. These

notices and disclaimers appear in all publications containing this document and may be found under the

heading “Important Notice” or “Important Notices and Disclaimers Concerning IEEE Documents”. They

can also be obtained on request from IEEE or viewed at http://standards.ieee.org/IPR/disclaimers.html

1. Overview

1.1 Introduction

IEEE 802® Local Area Networks (LANs) are often deployed in networks that support mission-critical

applications. These include corporate networks of considerable extent, and public networks that support

many customers with different economic interests. The protocols that configure, manage, and regulate

access to these networks typically run over the networks themselves. Preventing disruption and data loss

arising from transmission and reception by unauthorized parties is highly desirable, since it is not practical

to secure the entire network against physical access by determined attackers.

MAC Security (MACsec), as defined by this standard, allows authorized systems that attach to and

interconnect LANs in a network to maintain confidentiality of transmitted data and to take measures against

frames transmitted or modified by unauthorized devices.

MACsec facilitates

a) Maintenance of correct network connectivity and services

b) Isolation of denial of service attacks

c) Localization of any source of network communication to the LAN of origin

d) The construction of public networks, offering service to unrelated or possibly mutually suspicious

customers, using shared LAN infrastructures

e) Secure communication between organizations, using a LAN for transmission

f) Incremental and non-disruptive deployment, protecting the most vulnerable network components.

Authorized licensed use limited to: University of Illinois. Downloaded on July 03,2018 at 18:40:40 UTC from IEEE Xplore. Restrictions apply.

P802.1AE™–Rev/D1.2 April 17, 2018

Draft Revision of IEEE Standard for Local and metropolitan area networks—Media Access Control (MAC) Security

This is an unapproved IEEE Standards draft, subject to change.

To deliver these benefits, MACsec has to be used in conjunction with appropriate policies for higher-level

protocol operation in networked systems, an authentication and authorization framework, and network

management. IEEE Std 802.1X™ provides authentication and cryptographic key distribution.

MACsec protects communication between trusted components of the network infrastructure, thus protecting

the network operation. MACsec cannot protect against attacks facilitated by the trusted components

themselves, and is complementary to, rather than a replacement for, end-to-end application-to-application

security protocols. The latter can secure application data independent of network operation, but cannot

necessarily defend the operation of network components, or prevent attacks using unauthorized

communication from reaching the systems that operate the applications.

1.2 Scope

The scope of this standard is to specify provision of connectionless user data confidentiality, frame data

integrity, and data origin authenticity by media access independent protocols and entities that operate

transparently to MAC Clients.

NOTE—The MAC Clients are as specified in IEEE Std 802, IEEE Std 802.1Q

™

, and IEEE Std 802.1X

™

To this end it

a) Specifies the requirements to be satisfied by equipment claiming conformance to this standard.

b) Specifies the requirements for MAC Security in terms of provision of the MAC Service and the

preservation of the semantics and parameters of service requests and indications.

c) Describes the threats, both intentional and accidental, to correct provision of the service.

d) Specifies security services that prevent, or restrict, the effect of attacks that exploit these threats.

e) Examines the potential impact of both the threats and the use of MAC Security on the Quality of

Service (QoS), specifying constraints on the design and operation of MAC Security entities and

protocols.

f) Models support of the secure MAC Service in terms of the operation of media access control method

independent MAC Security Entities (SecYs) within the MAC Sublayer.

g) Specifies the format of the MACsec Protocol Data Unit (MPDUs) used to provide secure service.

h) Identifies the functions to be performed by each SecY, and provides an architectural model of its

internal operation in terms of Processes and Entities that provide those functions.

i) Specifies each SecY’s use of an associated and collocated Port Access Entity (PAE, IEEE Std

802.1X™) to discover and authenticate MACsec protocol peers, and its use of that PAE’s Key

Agreement Entity (KaY) to agree and update cryptographic keys.

j) Specifies performance requirements and recommends default values and applicable ranges for the

operational parameters of a SecY.

k) Specifies how SecYs are incorporated within the architecture of end stations, bridges, and two-port

Ethernet Data Encryption devices (EDEs).

l) Establishes the requirements for management of MAC Security, identifying the managed objects

and defining the management operations for SecYs.

m) Specifies the Management Information Base (MIB) module for managing the operation of MAC

Security in TCP/IP networks.

n) Specifies requirements, criteria, and choices of Cipher Suites for use with this standard.

Notes in text, tables, and figures are given for information only, and do not contain requirements needed to implement the standard.

Authorized licensed use limited to: University of Illinois. Downloaded on July 03,2018 at 18:40:40 UTC from IEEE Xplore. Restrictions apply.

P802.1AE™–Rev/D1.2 April 17, 2018

Draft Revision of IEEE Standard for Local and metropolitan area networks—Media Access Control (MAC) Security

This is an unapproved IEEE Standards draft, subject to change.

2. Normative references

The following referenced documents are indispensable for the application of this document (i.e., they must

be understood and used, so each referenced document is cited in text and its relationship to this document is

explained). For dated references, only the edition cited applies. For undated references, the latest edition of

the referenced document (including any amendments or corrigenda) applies.

IEEE Std 802®, IEEE Standards for Local and Metropolitan Area Networks: Overview and Architecture.

IEEE Std 802.1Q

™

, IEEE Standards for Local and Metropolitan Area Networks: Bridges and Bridged

Networks.

IEEE Std 802.1X-2010

™

, IEEE Standards for Local and Metropolitan Area Networks: Port-Based Network

Access Control.

IEEE Std 802.1Xbx-2014

™

, IEEE Standards for Local and Metropolitan Area Networks: Port-Based

Network Access Control—Amendment 1: MAC Security Key Agreement Protocol (MKA) Extensions.

IEEE Std 802.1AB

™

, IEEE Standards for Local and Metropolitan Area Networks: Station and Media Access

Control Connectivity and Discovery.

IEEE Std 802.1AC

™

, IEEE Standard for Local and metropolitan area networks—Media Access Control

(MAC) Service Definition.

IEEE Std 802.3™, IEEE Standard for Ethernet.

IETF RFC 1213: Management Information Base for Network Management of TCP/IP-based internets: MIB-

II, K. McCloghrie, M.T. Rose, March 1991.

IETF RFC 2578, STD 58, Structure of Management Information for Version 2 of the Simple Network

Management Protocol (SNMPv2), McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.,

Waldbusser, S., April 1999.

IETF RFC 2579, STD 58, Textual Conventions for Version 2 of the Simple Network Management Protocol

(SNMPv2), McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., Waldbusser, S., April 1999.

IETF RFC 2580, STD 58, Conformance Statements for SMIv2, McCloghrie, K., Perkins, D.,

Schoenwaelder, J., Case, J., Rose, M., Waldbusser, S., April 1999.

IETF RFC 2863, The Interfaces Group MIB using SMIv2, McCloghrie, K. and Kastenholz, F., June 2000.

IETF RFC 3418, Management Information Base (MIB) for the Simple Network Management Protocol

(SNMP), Preshun, R., ED., December 2002.

ISO/IEC 14882, Information Technology—Programming languages—C++.

NIST SP 800-38D, Nov 2007, Recommendation for Block Cipher Modes of Operation: Galois/Counter

Mode (GCM) and GMAC.

IEEE publications are available from the Institute of Electrical and Electronics Engineers, 445 Hoes Lane, Piscataway, NJ 08854,

USA. IEEE publications can be ordered on-line from the IEEE Standards website: http://www.standards.ieee.org

. With support form

the IEEE-SA, industry sponsors, and government, select IEEE standards are available for download at no cost, see

http://ieeexplore.ieee.org/browse/standards/get-program/page/

The IEEE standards or products referred to in this clause are trademarks of the Institute of Electrical and Electronics Engineers, Inc.

ISO/IEC publications are available from the ISO Central Secretariat, Case Postale 56, 1 rue de Varembé, CH-1211, Genève 20,

Switzerland/Suisse (http://www.iso.ch/

). ISO/IEC publications are also available in the United States from Global Engineering

Documents, 15 Inverness Way East, Englewood, Colorado 80112, USA (http://global.ihs.com/

). Electronic copies are available in the

United States from the American National Standards Institute, 25 West 43rd Street, 4th Floor, New York, NY 10036, USA

(http://www.ansi.org/

This document is available at http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

Authorized licensed use limited to: University of Illinois. Downloaded on July 03,2018 at 18:40:40 UTC from IEEE Xplore. Restrictions apply.

P802.1AE™–Rev/D1.2 April 17, 2018

Draft Revision of IEEE Standard for Local and metropolitan area networks—Media Access Control (MAC) Security

This is an unapproved IEEE Standards draft, subject to change.

3. Definitions

For the purposes of this document, the following terms and definitions apply. The IEEE Standards

Dictionary Online should be consulted for terms not defined in this clause.

6,7

3.1 access priority: In this standard, the priority associated with a transmit request made by a SecY at its

Common Port. The priority associated with a transmit request made by a protocol entity, often a shim, in an

interface stack (see IEEE Std 802.1AC).

3.2 Association Number (AN): A number that is concatenated with the Secure Channel Identifier to

identify a Secure Association.

3.3 black-side: Identifies the EDE port that uses MACsec to protect transmitted frames and verify received

frames.

3.4 bounded receive delay: A guarantee that a frame will not be delivered after a known bounded time, in

the case of protocols designed to use the MAC Service this is typically assumed to be less than two seconds.

3.5 Bridged Local Area Network: A concatenation of individual IEEE 802 LANs interconnected by MAC

Bridges.

NOTE—Unless explicitly specified the use of the word network in this standard refers to a Bridged Local Area Network.

The term Bridged Local Area Network is not otherwise abbreviated. The term Local Area Network and the abbreviation

LAN are used exclusively to refer to an individual LAN specified by a MAC technology without the inclusion of

Bridges. This precise use of terminology within this specification allows a Bridged Local Area Network to be distin-

guished from an individual LAN that has been bridged to other LANs in the network. In more general usage such precise

terminology is not required, as it is an explicit goal of this standard that MAC Security is transparent to the users of the

MAC Service.

3.6 Cipher Suite: A set of one or more algorithms, designed to provide any number of the following: data

confidentiality, data authenticity, data integrity.

3.7 Common Port: An instance of the MAC Internal Sublayer Service used by the SecY to provide

transmission and reception of frames for both the controlled and uncontrolled ports.

3.8 Controlled Port: The access point used to provide the secure MAC Service to a client of a SecY.

3.9 cryptographic key: A parameter that determines the operation of a cryptographic function such as:

a) The transformation from plain text to cipher text and vice versa

b) Synchronized generation of keying material

c) Digital signature computation or validation.

3.10 cryptographic mode of operation: Also referred to as mode. An algorithm for the cryptographic

transformation of data that features a symmetric key block cipher algorithm.

3.11 Customer Edge Port: The red-side port of an EDE-CS, EDE-CC, or EDE-SS.

IEEE Standards Dictionary Online subscription is available at

https://www.ieee.org/publications_standards/publications/subscriptions/prod/standards_dictionary.html

Information on other references can be found in Clause 2.

This and some other definitions in this clause have been drawn from ASC TR1/X9, Technical Report for ABA ASC/X9 Standards

Definitions, Acronyms, and Symbols, 2002.

This and some other definitions in this clause have been drawn from NIST Special Publication 800-38A, Recommendation for Block

Cipher Modes of Operation: Methods and Techniques, 2001.

Authorized licensed use limited to: University of Illinois. Downloaded on July 03,2018 at 18:40:40 UTC from IEEE Xplore. Restrictions apply.

P802.1AE™–Rev/D1.2 April 17, 2018

Draft Revision of IEEE Standard for Local and metropolitan area networks—Media Access Control (MAC) Security

This is an unapproved IEEE Standards draft, subject to change.

NOTE—The terms customer and provider applied to the external and internal ports of an EDE-CS are those used by

IEEE Std 802.1Q in its description of Provider Edge Bridges and reflect the role of those ports in the layered network

architecture. They do not indicate control or ownership of the equipment. In this standard it is convenient to extend the

use of those terms to ports that have the same relative relationship to the edge and network components of an EDE-CC or

EDE-SS. This is not a suggestion that further variants of PEBs and BEBs be specified, as the existence of additional

variants would complicate interoperability, service provision, and the task of this standard.

3.12 Customer Network Port: A port on the network component of an EDE-CS, EDE-CC, or EDE-SS that

provides internal connectivity to the edge component of that EDE.

3.13 data integrity: A property whereby data has not been altered in an unauthorized manner since it was

created, transmitted or stored.

3.14 edge component: The bridge component in an EDE-CS, EDE-CC, or EDE-SS that is attached to the

red-side port.

3.15 Ethernet Data Encryption device (EDE): A two-port bridge that transmits and receives frames that

are assumed to be unprotected to and from one red-side port, and conditionally relays those frames to and

from its other black-side port, protecting and verifying frames transmitted and received on the black-side

port using MACsec.

3.16 IEEE 802 Local Area Network (LAN): IEEE 802 LANs (also referred to in the text simply as LANs)

are LAN technologies that provide a MAC Service equivalent to the MAC Service defined in IEEE Std

802.1AC. IEEE 802 LANs include IEEE Std 802.3 (CSMA/CD) and IEEE Std 802.11 (Wireless) [B1].

3.17 initialization vector (IV): A vector used in defining the starting point of an encryption process within

a cryptographic algorithm.

3.18 integrity: See data integrity.

3.19 integrity check value (ICV): A value that is derived by performing an algorithmic transformation on

the data unit for which data integrity services are provided. The ICV is sent with the protected data unit and

is recalculated and compared by the receiver to detect data modification.

3.20 key: See cryptographic key.

3.21 key management: The generation, storage, distribution, deletion, archiving, and application of keys in

accordance with a security policy.

3.22 Layer Management Interface (LMI): The interface between a protocol entity in a system and the

system management, providing for the exchange of parameters with other system entities that are not

attached to the service access points used and provided by the protocol entity.

3.23 Local Area Network (LAN): See IEEE 802 Local Area Network (LAN).

3.24 MAC Security Entity (SecY): The entity that operates the MAC Security protocol within a system.

3.25 MAC Security TAG (SecTAG): A protocol header, comprising a number of octets and beginning

with an EtherType, that is prepended to the service data unit supplied by the client of the protocol, and is

used to provide security guarantees.

This and some other definitions in this clause have been drawn from NIST Special Publication 800-57, Recommendation for Key

Management, 2005.

This and some other definitions in this clause have been drawn from Federal Information Processing Standard (FIPS) 140-2, Security

Requirements for Cryptographic Modules, 2001.

Authorized licensed use limited to: University of Illinois. Downloaded on July 03,2018 at 18:40:40 UTC from IEEE Xplore. Restrictions apply.

剩余236页未读，继续阅读

孙悟空CN

粉丝: 16
资源: 21

会员权益专享

2018 IEEE 802.1AE v1.2：MAC安全标准更新概述

IEEE Std 802.1AE-2018 局域网和城域网-媒体访问控制（MAC）安全 - 完整英文电子版（239页）

IEEE Std 802.1AR-2018 局域网和城域网-确保设备身份安全 - 完整英文电子版（73页）

IEEE802.3-2012

简述IEEE 802.11a、IEEE 802.11b和IEEE 802.11i

ieee 802.3-2018中文

ieee 802.1是什么

ieee802.1q 最新版本

IEEE 802.11 协议

ieee 802.3 2018

ieee std 802.3 -2018

ieee802.3ae

IEEE 802.11标准协议下载

ieee 802.1q 2018标准下载

ieee std 802.3-2018 pdf 下载

阐述WEP协议、IEEE 802.1x协议、WAPI协议、IEEE 802.11i、IEEE 802.11r协议的认证技术特点。

ieee标准802.1q-2018

ieee 802.1q-2014

ieee std 802.3 -2018中文版

ieee 802.11-2020 下载

ieee 802.11 tutorial

会员权益专享

最新资源