ISO/IEC/IEEE 8802-1X:2013/Amd 1:2016
Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Part 1X: Port-based network access control - Amendment 1: MAC security key agreement protocol (MKA) extensions
General Information
Relations
Frequently Asked Questions
ISO/IEC/IEEE 8802-1X:2013/Amd 1:2016 is a standard published by the International Organization for Standardization (ISO), jointly with IEC and IEEE. Its full title is "Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Part 1X: Port-based network access control - Amendment 1: MAC security key agreement protocol (MKA) extensions". It amends the port-based network access control standard (IEEE 802.1X) by extending the MACsec Key Agreement protocol (MKA).
ISO/IEC/IEEE 8802-1X:2013/Amd 1:2016 is classified under the following ICS (International Classification for Standards) categories: 35.110 - Networking. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC/IEEE 8802-1X:2013/Amd 1:2016 has the following relationships with other standards: it amends ISO/IEC/IEEE 8802-1X:2013, and it is linked to ISO/IEC/IEEE 8802-1X:2021, the later edition of the same standard. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase ISO/IEC/IEEE 8802-1X:2013/Amd 1:2016 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC/IEEE 8802-1X
First edition 2013-12-01
AMENDMENT 1 2016-02-15
Information technology — Telecommunications and information exchange between systems — Local and
metropolitan area networks — Part 1X: Port-based network access control
AMENDMENT 1: MAC security key agreement protocol (MKA) extensions
© IEEE 2014
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat,
the IEC Central Office and IEEE do not accept any liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies
and IEEE members. In the unlikely event that a problem relating to it is found, please inform the ISO Central Secretariat or IEEE at the
address given below.
© IEEE 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from ISO, IEC or IEEE at the respective
address below.
ISO copyright office, Case postale 56, CH-1211 Geneva 20, Switzerland. Tel. +41 22 749 01 11, Fax +41 22 749 09 47,
E-mail copyright@iso.org, Web www.iso.org
IEC Central Office, 3, rue de Varembé, CH-1211 Geneva 20, Switzerland. E-mail inmail@iec.ch, Web www.iec.ch
Institute of Electrical and Electronics Engineers, Inc., 3 Park Avenue, New York, NY 10016-5997, USA.
E-mail stds.ipr@ieee.org, Web www.ieee.org
Published in Switzerland
© IEEE 2014 – All rights reserved
ii
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees established
by the respective organization to deal with particular fields of technical activity. ISO and IEC technical
committees collaborate in fields of mutual interest. Other international organizations, governmental and non-
governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO
and IEC have established a joint technical committee, ISO/IEC JTC 1.
IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating
Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its standards
through a consensus development process, approved by the American National Standards Institute, which
brings together volunteers representing varied viewpoints and interests to achieve the final product. Volunteers
are not necessarily members of the Institute and serve without compensation. While the IEEE administers the
process and establishes rules to promote fairness in the consensus development process, the IEEE does not
independently evaluate, test, or verify the accuracy of any of the information contained in its standards.
The main task of ISO/IEC JTC 1 is to prepare International Standards. Draft International Standards adopted
by the joint technical committee are circulated to national bodies for voting. Publication as an International
Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is called to the possibility that implementation of this standard may require the use of subject matter
covered by patent rights. By publication of this standard, no position is taken with respect to the existence or
validity of any patent rights in connection therewith. ISO/IEEE is not responsible for identifying essential
patents or patent claims for which a license may be required, for conducting inquiries into the legal validity or
scope of patents or patent claims or determining whether any licensing terms or conditions provided in
connection with submission of a Letter of Assurance or a Patent Statement and Licensing Declaration Form, if
any, or in any licensing agreements are reasonable or non-discriminatory. Users of this standard are expressly
advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is
entirely their own responsibility. Further information may be obtained from ISO or the IEEE Standards
Association.
Amendment 1 to ISO/IEC/IEEE 8802-1X:2013 was prepared by the LAN/MAN Standards Committee of the IEEE
Computer Society (as IEEE 802.1Xbx-2014). It was adopted by Joint Technical Committee ISO/IEC JTC 1, Information
technology, Subcommittee SC 6, Telecommunications and information exchange between systems, in parallel
with its approval by the ISO/IEC national bodies, under the “fast-track procedure” defined in the Partner
Standards Development Organization cooperation agreement between ISO and IEEE. IEEE is responsible for
the maintenance of this document with participation and input from ISO/IEC national bodies.
IEEE Standard for Local and metropolitan area networks—Port-Based Network Access Control—Amendment 1:
MAC Security Key Agreement Protocol (MKA) Extensions
IEEE Computer Society, sponsored by the LAN/MAN Standards Committee
IEEE, 3 Park Avenue, New York, NY 10016-5997, USA
IEEE Std 802.1Xbx™-2014
(Amendment to
IEEE Std 802.1X™-2010)
IEEE Standard for
Local and metropolitan area networks—
Port-Based Network Access Control
Amendment 1: MAC Security Key Agreement
Protocol (MKA) Extensions
Sponsor
LAN/MAN Standards Committee
of the
IEEE Computer Society
Approved 10 December 2014
IEEE-SA Standards Board
Abstract: Media Access Control security (MACsec) Key Agreement protocol (MKA) data elements
and procedures that provide additional security and manageability capabilities, including the ability
to maintain secure communication while the operation of MKA is suspended, when used in
conjunction with MACsec Cipher Suites that support Extended Packet Numbering are added in this
amendment.
Keywords: authorized port, confidentiality, data origin authenticity, IEEE 802.1X™, IEEE
802.1Xbx™, integrity, LANs, local area networks, MAC Bridges, MAC security, MAC Service,
MANs, metropolitan area networks, port based network access control, secure association,
security, transparent bridging
The Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York, NY 10016-5997, USA
All rights reserved. Published 22 December 2014. Printed in the United States of America.
IEEE and 802 are registered trademarks in the U.S. Patent & Trademark Office, owned by The Institute of Electrical and Electronics
Engineers, Incorporated.
PDF: ISBN 978-0-7381-9435-6 STD20045
Print: ISBN 978-0-7381-9436-3 STDPD20045
IEEE prohibits discrimination, harassment and bullying. For more information, visit http://www.ieee.org/web/aboutus/whatis/policies/p9-26.html.
No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior written permission
of the publisher.
Important Notices and Disclaimers Concerning IEEE Standards Documents
IEEE documents are made available for use subject to important notices and legal disclaimers. These notices
and disclaimers, or a reference to this page, appear in all standards and may be found under the heading
“Important Notice” or “Important Notices and Disclaimers Concerning IEEE Standards Documents.”
Notice and Disclaimer of Liability Concerning the Use of IEEE Standards
Documents
IEEE Standards documents (standards, recommended practices, and guides), both full-use and trial-use, are
developed within IEEE Societies and the Standards Coordinating Committees of the IEEE Standards
Association (“IEEE-SA”) Standards Board. IEEE (“the Institute”) develops its standards through a
consensus development process, approved by the American National Standards Institute (“ANSI”), which
brings together volunteers representing varied viewpoints and interests to achieve the final product.
Volunteers are not necessarily members of the Institute and participate without compensation from IEEE.
While IEEE administers the process and establishes rules to promote fairness in the consensus development
process, IEEE does not independently evaluate, test, or verify the accuracy of any of the information or the
soundness of any judgments contained in its standards.
IEEE does not warrant or represent the accuracy or content of the material contained in its standards, and
expressly disclaims all warranties (express, implied and statutory) not included in this or any other
document relating to the standard, including, but not limited to, the warranties of: merchantability; fitness
for a particular purpose; non-infringement; and quality, accuracy, effectiveness, currency, or completeness of
material. In addition, IEEE disclaims any and all conditions relating to: results; and workmanlike effort.
IEEE standards documents are supplied “AS IS” and “WITH ALL FAULTS.”
Use of an IEEE standard is wholly voluntary. The existence of an IEEE standard does not imply that there
are no other ways to produce, test, measure, purchase, market, or provide other goods and services related to
the scope of the IEEE standard. Furthermore, the viewpoint expressed at the time a standard is approved and
issued is subject to change brought about through developments in the state of the art and comments
received from users of the standard.
In publishing and making its standards available, IEEE is not suggesting or rendering professional or other
services for, or on behalf of, any person or entity nor is IEEE undertaking to perform any duty owed by any
other person or entity to another. Any person utilizing any IEEE Standards document should rely upon his
or her own independent judgment in the exercise of reasonable care in any given circumstances or, as
appropriate, seek the advice of a competent professional in determining the appropriateness of a given IEEE
standard.
IN NO EVENT SHALL IEEE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO:
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE PUBLICATION, USE OF, OR RELIANCE UPON
ANY STANDARD, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND
REGARDLESS OF WHETHER SUCH DAMAGE WAS FORESEEABLE.
Translations
The IEEE consensus development process involves the review of documents in English only. In the event
that an IEEE standard is translated, only the English version published by IEEE should be considered the
approved IEEE standard.
Official statements
A statement, written or oral, that is not processed in accordance with the IEEE-SA Standards Board
Operations Manual shall not be considered or inferred to be the official position of IEEE or any of its
committees and shall not be considered to be, or be relied upon as, a formal position of IEEE. At lectures,
symposia, seminars, or educational courses, an individual presenting information on IEEE standards shall
make it clear that his or her views should be considered the personal views of that individual rather than the
formal position of IEEE.
Comments on standards
Comments for revision of IEEE Standards documents are welcome from any interested party, regardless of
membership affiliation with IEEE. However, IEEE does not provide consulting information or advice
pertaining to IEEE Standards documents. Suggestions for changes in documents should be in the form of a
proposed change of text, together with appropriate supporting comments. Since IEEE standards represent a
consensus of concerned interests, it is important that any responses to comments and questions also receive
the concurrence of a balance of interests. For this reason, IEEE and the members of its societies and
Standards Coordinating Committees are not able to provide an instant response to comments or questions
except in those cases where the matter has previously been addressed. For the same reason, IEEE does not
respond to interpretation requests. Any person who would like to participate in revisions to an IEEE
standard is welcome to join the relevant IEEE working group.
Comments on standards should be submitted to the following address:
Secretary, IEEE-SA Standards Board
445 Hoes Lane
Piscataway, NJ 08854 USA
Laws and regulations
Users of IEEE Standards documents should consult all applicable laws and regulations. Compliance with the
provisions of any IEEE Standards document does not imply compliance to any applicable regulatory
requirements. Implementers of the standard are responsible for observing or referring to the applicable
regulatory requirements. IEEE does not, by the publication of its standards, intend to urge action that is not
in compliance with applicable laws, and these documents may not be construed as doing so.
Copyrights
IEEE draft and approved standards are copyrighted by IEEE under U.S. and international copyright laws.
They are made available by IEEE and are adopted for a wide variety of both public and private uses. These
include both use, by reference, in laws and regulations, and use in private self-regulation, standardization,
and the promotion of engineering practices and methods. By making these documents available for use and
adoption by public authorities and private users, IEEE does not waive any rights in copyright to the
documents.
Photocopies
Subject to payment of the appropriate fee, IEEE will grant users a limited, non-exclusive license to
photocopy portions of any individual standard for company or organizational internal use or individual, non-
commercial use only. To arrange for payment of licensing fees, please contact Copyright Clearance Center,
Customer Service, 222 Rosewood Drive, Danvers, MA 01923 USA; +1 978 750 8400. Permission to
photocopy portions of any individual standard for educational classroom use can also be obtained through
the Copyright Clearance Center.
Updating of IEEE Standards documents
Users of IEEE Standards documents should be aware that these documents may be superseded at any time
by the issuance of new editions or may be amended from time to time through the issuance of amendments,
corrigenda, or errata. An official IEEE document at any point in time consists of the current edition of the
document together with any amendments, corrigenda, or errata then in effect.
Every IEEE standard is subjected to review at least every ten years. When a document is more than ten years
old and has not undergone a revision process, it is reasonable to conclude that its contents, although still of
some value, do not wholly reflect the present state of the art. Users are cautioned to check to determine that
they have the latest edition of any IEEE standard.
In order to determine whether a given document is the current edition and whether it has been amended
through the issuance of amendments, corrigenda, or errata, visit the IEEE-SA Website at http://
ieeexplore.ieee.org/xpl/standards.jsp or contact IEEE at the address listed previously. For more information
about the IEEE SA or IEEE’s standards development process, visit the IEEE-SA Website at http://
standards.ieee.org.
Errata
Errata, if any, for all IEEE standards can be accessed on the IEEE-SA Website at the following URL: http://
standards.ieee.org/findstds/errata/index.html. Users are encouraged to check this URL for errata
periodically.
Patents
Attention is called to the possibility that implementation of this standard may require use of subject matter
covered by patent rights. By publication of this standard, no position is taken by the IEEE with respect to the
existence or validity of any patent rights in connection therewith. If a patent holder or patent applicant has
filed a statement of assurance via an Accepted Letter of Assurance, then the statement is listed on the IEEE-
SA Website at http://standards.ieee.org/about/sasb/patcom/patents.html. Letters of Assurance may indicate
whether the Submitter is willing or unwilling to grant licenses under patent rights without compensation or
under reasonable rates, with reasonable terms and conditions that are demonstrably free of any unfair
discrimination to applicants desiring to obtain such licenses.
Essential Patent Claims may exist for which a Letter of Assurance has not been received. The IEEE is not
responsible for identifying Essential Patent Claims for which a license may be required, for conducting
inquiries into the legal validity or scope of Patents Claims, or determining whether any licensing terms or
conditions provided in connection with submission of a Letter of Assurance, if any, or in any licensing
agreements are reasonable or non-discriminatory. Users of this standard are expressly advised that
determination of the validity of any patent rights, and the risk of infringement of such rights, is entirely their
own responsibility. Further information may be obtained from the IEEE Standards Association.
Participants
At the time this amendment was submitted to the IEEE-SA Standards Board for approval, the IEEE 802.1
Working Group had the following membership:
Glenn Parsons, Chair
John Messenger, Vice Chair
Mick Seaman, Security Task Group Chair, Editor
Ting Ao, Christian Boiger, Paul Bottorff, David Chen, Feng Chen, Weiying Cheng, Diego Crupnicoff, Rodney Cummings,
Patrick Diamond, Aboubacar Kader Diarra, Janos Farkas, Norman Finn, Geoffrey Garner, Anoop Ghanwani, Mark Gravel,
Eric W. Gray, Craig Gunther, Stephen Haddock, Hitoshi Hayakawa, Jeremy Hitt, Rahil Hussain, Tony Jeffree,
Michael Johas Teener, Peter Jones, Hal Keen, Marcel Kiessling, Yongbum Kim, Philippe Klein, Jouni Korhonen,
Jeff Lynch, Ben Mack-Crane, Christophe Mangin, James McIntosh, Eric Multanen, Donald Pannell, Karen Randall,
Maximilian Riegel, Dan Romascanu, Jessy V. Rouyer, Panagiotis Saltsidis, Behcet Sarikaya, Daniel Sexton,
Johannes Specht, Kevin B. Stanton, Wilfried Steiner, Vahid Tabatabaee, Patricia Thaler, Jeremy Touve, Karl Weber,
Yuehua Wei, Brian Weis, Jordon Woods, Juan-Carlos Zuniga
The following members of the individual balloting committee voted on this standard. Balloters may have
voted for approval, disapproval, or abstention.
Thomas Alexander, Butch Anton, Olugbenga Ayinde, William Byrd, Juan Carreon, Keith Chow, Charles Cook,
Grazia Delia, Sourav Dutta, Richard Edgar, Yukihiro Fujimoto, Devon Gayle, Gregory Gillooly, Randall Groves,
Michael Gundlach, Werner Hoelzl, Atsushi Ito, Tony Jeffree, Peter Jones, Shinkyo Kaku, Piotr Karocki, Stuart Kerry,
Max Kicherer, Jeff Koftinoff, Bruce Kraemer, Yasushi Kudoh, Thomas Kurihara, Paul Lambert, Hyeong Ho Lee,
Shen Loh, Elvis Maculuba, Jouni Malinen, Michael Newman, Nick S.A. Nikjoo, Satoshi Obara, Satoshi Oyama,
Karen Randall, Maximilian Riegel, Jessy V. Rouyer, Mick Seaman, Kapil Sood, Thomas Starai, Rene Struik,
Walter Struppler, Joseph Tardo, William Taylor, Patricia Thaler, Dmitri Varsanofiev, Hung-Yu Wei, Brian Weis,
Oren Yuen, Daidi Zhong
When the IEEE-SA Standards Board approved this amendment on 10 December 2014, it had the following
membership:
John Kulick, Chair
Jon Walter Rosdahl, Vice Chair
Richard H. Hulett, Past Chair
Konstantinos Karachalios, Secretary
Peter Balma, Farooq Bari, Ted Burse, Clint Chaplain, Stephen Dukes, Jean-Phillippe Faure, Gary Hoffman,
Michael Janezic, Jeffrey Katz, Joseph L. Koepfinger*, David J. Law, Hung Ling, Oleg Logvinov, Ted Olsen,
Glenn Parsons, Ron Peterson, Adrian Stephens, Peter Sutherland, Yatin Trivedi, Phil Winston, Don Wright, Yu Yuan
*Member Emeritus
Also included are the following nonvoting IEEE-SA Standards Board liaisons:
Richard DeBlasio, DOE Representative
Michael Janezic, NIST Representative
Catherine Berger
IEEE-SA Content Production and Management
Kathryn Bennett
Program Manager, IEEE-SA Technical Program Operations
Introduction
This introduction is not part of IEEE Std 802.1Xbx™-2014, IEEE Standard for Local and metropolitan area
networks—Port-Based Network Access Control—Amendment 1: MAC Security Key Agreement Protocol
(MKA) Extensions.
This first amendment to IEEE Std 802.1X-2010 extends MKA to realize additional security and
manageability capabilities made possible by the IEEE Std 802.1AEbw™ amendment, which added extended
packet numbering Cipher Suites to IEEE Std 802.1AE™-2006. Secure connectivity association (CA)
members can now temporarily suspend MKA operation without causing protocol timeouts that would
disrupt secure data transfer, thus allowing in-service control plane software upgrades.
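To make the suspension mechanism concrete, here is an added example in Python (mine, not code from the standard or from any MACsec implementation): a toy MKA participant that times peers out after MKA Life Time, a Key Server peer that announces a suspension in its last MKPDU before going quiet for an upgrade, and the packet-number arithmetic that explains why suspension only works with an Extended Packet Numbering Cipher Suite. The Hello Time (2.0 s) and Life Time (6.0 s) are the IEEE Std 802.1X-2010 Table 9-3 values; the 120 s suspension limit, the constructed peer MI, the 10 GbE frame rate and every class and function name are assumptions or constructed inputs, and the rule that the life timer restarts from the end of the suspension window is a modelling simplification, not the amendment's state machine.

```python
"""Toy model of MKA peer liveness across an MKA suspension, plus the
packet-number arithmetic that motivates pairing suspension with XPN.

Added example for illustration only; not code from IEEE Std 802.1Xbx-2014
or from any MACsec implementation. MKA_HELLO_TIME (2.0 s) and MKA_LIFE_TIME
(6.0 s) are the IEEE Std 802.1X-2010 Table 9-3 values. MKA_SUSPENSION_LIMIT
is an assumption: verify it against Table 9-3 as amended. All class, field
and function names are invented for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

MKA_HELLO_TIME = 2.0           # s, IEEE Std 802.1X-2010 Table 9-3
MKA_LIFE_TIME = 6.0            # s, IEEE Std 802.1X-2010 Table 9-3
MKA_SUSPENSION_LIMIT = 120.0   # s, ASSUMPTION: check the amendment's Table 9-3


def within_suspension_limit(seconds: float) -> bool:
    """True if a requested suspension period is within the modelled limit."""
    return 0.0 < seconds <= MKA_SUSPENSION_LIMIT


@dataclass
class Peer:
    mi: bytes          # peer's Member Identifier (MI)
    last_mkpdu: float  # time at which the last MKPDU from this peer arrived


@dataclass
class KayParticipant:
    """Reduced MKA participant: tracks live peers and one suspension window."""
    peers: dict = field(default_factory=dict)
    suspended_until: float = 0.0  # end of the announced suspension (0 = none)

    def receive_mkpdu(self, mi: bytes, now: float,
                      suspend_for: Optional[float] = None) -> None:
        """Record a received MKPDU; if it announces a suspension, open the window."""
        self.peers[mi] = Peer(mi, now)
        if suspend_for is not None:
            if not within_suspension_limit(suspend_for):
                raise ValueError("suspension period outside the modelled limit")
            self.suspended_until = now + suspend_for

    def tick(self, now: float) -> list:
        """Expire peers whose MKA Life Time has elapsed; return their MIs.

        Modelling simplification: while suspended no peer is timed out, and
        the life timer is restarted from the end of the suspension window.
        """
        expired = [mi for mi, p in self.peers.items()
                   if now >= max(p.last_mkpdu, self.suspended_until) + MKA_LIFE_TIME]
        for mi in expired:
            del self.peers[mi]
        return expired


def simulate(gap_seconds: float, suspend_for: Optional[float],
             duration: float = 60.0, step: float = 0.5) -> dict:
    """Run one participant against a Key Server peer that goes silent.

    The peer sends one MKPDU per MKA Hello Time; its MKPDU at t = 10 s is the
    last before a control-plane outage of gap_seconds and optionally announces
    a suspension of suspend_for seconds. Returns when the participant first
    timed the peer out (None if never) and whether the peer is live at the end.
    """
    kay = KayParticipant()
    peer_mi = bytes(range(12))            # constructed 96-bit MI
    gap_start, gap_end = 10.0, 10.0 + gap_seconds
    expired_at = None
    for i in range(int(duration / step) + 1):
        t = i * step
        silent = gap_start < t <= gap_end
        if not silent and t % MKA_HELLO_TIME == 0:
            kay.receive_mkpdu(peer_mi, t, suspend_for if t == gap_start else None)
        if kay.tick(t) and expired_at is None:
            expired_at = t
    return {"expired_at": expired_at, "peer_live_at_end": peer_mi in kay.peers}


def seconds_until_pn_exhaustion(pn_bits: int, packets_per_second: float) -> float:
    """Seconds until a fresh SAK's packet-number space is used up at a given rate.

    No new SAK can be distributed while MKA is suspended, so the suspension
    must end (and MKA rekey) before the PN of the SAK in use runs out.
    """
    return (2 ** pn_bits - 1) / packets_per_second


if __name__ == "__main__":
    for gap, sus in [(30.0, None), (30.0, 30.0), (30.0, 10.0)]:
        print(f"gap={gap:>4}s suspend_for={sus}: {simulate(gap, sus)}")
    # 10GBASE minimum-size frames: roughly 14.88 million frames per second (assumed rate)
    for bits in (32, 64):
        print(f"{bits}-bit PN at 10 GbE line rate lasts "
              f"{seconds_until_pn_exhaustion(bits, 14_880_952):.3g} s")
```

Running it shows a 30 s control-plane outage timing the peer out at t = 16 s with no suspension announced, surviving with a 30 s suspension, and still failing at t = 26 s when the announced suspension (10 s) is shorter than the outage. The PN figures show a 32-bit packet number lasting under five minutes at 10 GbE line rate against an effectively unbounded life for the 64-bit XPN, which is why MKA cannot safely be suspended on a Cipher Suite whose 32-bit PN might need a rekey during the window.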
The first edition of IEEE Std 802.1X was published in 2001. The second edition, IEEE Std 802.1X-2004
clarified areas related to mutual authentication and the interface between IEEE 802.1X specified state
machine, and those specified by the Extensible Authentication Protocol (EAP), and by IEEE Std 802.11™ in
support of IEEE Std 802.1X.
The third edition, IEEE Std 802.1X-2010, added authenticated key agreement in support of IEEE Std
802.1AE™ MAC Security, clarifying and generalizing the relationship between the common architecture
specified for port-based network access control, and the functional elements and protocols that support that
architecture as specified in IEEE Std 802.1X, other IEEE 802 standards, and in IETF RFCs. Further
changes updated the standard to reflect best current practice, insisting, for example, upon mutual
authentication methods and using such methods in examples. A greater emphasis was placed on the security
of systems accessing the network, as well as upon the security of the network accessed, and some prior
provisions were replaced with a more comprehensive treatment of segregating and limiting connectivity to
unauthenticated systems. Applications of port-based network access control that use IEEE Std 802.1AE MAC
Security (MACsec) and/or MKA (MACsec Key Agreement protocol) are described.
Every effort was made to ensure that systems conformant to IEEE Std 802.1X-2010 will interoperate,
without prior configuration, with implementations conforming to IEEE Std 802.1X-2004 and IEEE Std
802.1X-2001. However it is anticipated that claims of conformance in respect of some existing
implementations, not needing to support IEEE Std 802.1AE and already conforming to best current practice
as of 2010, will continue to refer to IEEE Std 802.1X-2004. IEEE Std 802.1X-2010 includes a number of
improvements to the specification of the port access control protocol (PACP) state machines and their
relationship to EAP methods and state machines.
Contents
2. Normative references ... 2
3. Definitions ... 5
4. Abbreviations and acronyms ... 6
5. Conformance ... 7
5.11 MKA options ... 7
6. Principles of port-based network access control operation ... 8
6.2 Key hierarchy ... 8
7. Port-based network access control applications ... 9
9. MACsec Key Agreement protocol (MKA) ... 10
9.1 Protocol design requirements ... 10
9.5 Key server election ... 14
9.8 SAK generation, distribution, and selection ... 16
9.15 MKA participant timer values ... 17
9.16 MKA management ... 17
9.18 In-service upgrades ... 18
9.19 In-service upgrade examples ... 22
11. EAPOL PDUs ... 26
11.5 EAPOL protocol version handling ... 26
11.11 EAPOL-MKA ... 26
12. PAE operation ... 32
12.1 Model of operation ... 32
12.2 KaY interfaces ... 32
12.5 Logon Process ... 33
12.9 PAE management ... 34
13. PAE MIB ... 36
13.4 Security considerations ... 36
13.5 Definitions for PAE MIB ... 36
Annex A (normative) PICS Proforma ... 85
A.9 MKA requirements and options ... 85
Annex B (informative) Bibliography ... 86
Annex H (informative) Test vectors ... 88
H.1 KDF ... 88
H.2 CAK Key Derivation ... 89
H.3 CKN Derivation ... 89
H.4 KEK Derivation ... 90
H.5 ICK Derivation ... 90
H.6 SAK Derivation ... 91
Figures
Figure 11-10 MACsec SAK Use parameter set ... 29
Figure 11-12 Distributed SAK parameter set (other MACsec Cipher Suites) ... 29
Figure 11-13 Distributed CAK parameter set ... 30
Figure 11-16 XPN parameter set ... 30
Figure 12-3 PAE management information ... 35
Tables
Table 9-1 MKA Algorithm Agility parameter values ... 12
Table 9-3 MKA Participant timer values ... 17
Table 11-7 MKPDU parameter sets ... 27
Table 13-4 PAE managed object cross-reference table ... 36
IEEE Standard for
Local and metropolitan area networks—
Port Based Network Access Control
Amendment 1: MAC Security Key Agreement
Protocol (MKA) Extensions
[This amendment is based on IEEE Std 802.1X™-2010.]
NOTE—The editing instructions contained in this amendment define how to merge the material contained therein into
the existing base standard and its amendments to form the comprehensive standard.
The editing instructions are shown in bold italic. Four editing instructions are used: change, delete, insert, and replace.
Change is used to make corrections in existing text or tables. The editing instruction specifies the location of the change
and describes what is being changed by using strikethrough (to remove old material) and underscore (to add new
material). Delete removes existing material. Insert adds new material without disturbing the existing material. Deletions
and insertions may require renumbering. If so, renumbering instructions are given in the editing instruction. Replace is
used to make changes in figures or equations by removing the existing figure or equation and replacing it with a new
one. Editing instructions, change markings, and this NOTE will not be carried over into future editions because the
changes will be incorporated into the base standard.
IMPORTANT NOTICE: IEEE Standards documents are not intended to ensure safety, security, health,
or environmental protection, or ensure against interference with or from other devices or networks.
Implementers of IEEE Standards documents are responsible for determining and complying with all
appropriate safety, security, environmental, health, and interference protection practices and all applicable
laws and regulations.
This IEEE document is made available for use subject to important notices and legal disclaimers. These
notices and disclaimers appear in all publications containing this document and may be found under the
heading “Important Notice” or “Important Notices and Disclaimers Concerning IEEE Documents.”
They can also be obtained on request from IEEE or viewed at http://standards.ieee.org/IPR/disclaimers.html.
IEEE LOCAL AND METROPOLITAN AREA NETWORKS
Std 802.1Xbx-2014
2. Normative references
Change the Normative references clause as follows:
The following referenced documents are indispensable for the application of this document (i.e., they must
be understood and used, so each referenced document is cited in text and its relationship to this document is
explained). For dated references, only the edition cited applies. For undated references, the latest edition of
the referenced document (including any amendments or corrigenda) applies.
IEEE Std 802.1D™, IEEE Standard for Local and Metropolitan Area Networks: Media access control
(MAC) Bridges.
IEEE Std 802.1Q™, IEEE Standard for Local and Metropolitan Area Networks: Bridges and Bridged
Networks. (The former title, Virtual Bridged Local Area Networks, is struck by this amendment.)
IEEE Std 802.1AB™, IEEE Standard for Local and Metropolitan Area Networks: Station and Media Access
Control Connectivity and Discovery.
IEEE Std 802.1ad™-2005, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged
Local Area Networks—Amendment 4: Provider Bridges.
IEEE Std 802.1AE™, IEEE Standard for Local and Metropolitan Area Networks: Media Access Control
(MAC) Security.
IEEE Std 802.1AE™-2006, IEEE Standard for Local and Metropolitan Area Networks: Media Access
Control (MAC) Security.
IEEE Std 802.1AEbn™-2011, IEEE Standard for Local and Metropolitan Area Network — Media Access
Control (MAC) Security — Amendment 1: Galois Counter Mode—Advanced Encryption Standard—256
(GCM–AES–256) Cipher Suite.
IEEE Std 802.1AEbw™-2013, IEEE Standard for Local and Metropolitan Area Networks: Media Access
Control (MAC) Security — Amendment 2: Extended Packet Numbering.
IEEE Std 802.1AX™, IEEE Standard for Local and Metropolitan Area Networks: Link Aggregation.
IEEE Std 802.2™, 1998 Edition [ISO/IEC 8802-2: 1998], Information technology—Telecommunications
and information exchange between systems—Local and metropolitan area networks—Specific
requirements—Part 2: Logical link control.
IEEE Std 802.3™, IEEE Standard for Ethernet. (The former title, IEEE Standard for Information
technology—Local and metropolitan area networks—Part 3: Carrier sense multiple access with collision
detection (CSMA/CD) access method and physical layer specifications, is struck by this amendment.)
IEEE publications are available from the Institute of Electrical and Electronics Engineers, 445 Hoes Lane, Piscataway, NJ 08854,
USA. IEEE publications can be ordered on-line from the IEEE Standards Website: http://www.standards.ieee.org.
The IEEE standards or products referred to in this clause are trademarks of the Institute of Electrical and Electronics Engineers, Inc.
This standard refers to the latest edition of IEEE Std 802.1AE in addition to referencing specific revisions and amendments.
ISO [IEEE] and ISO/IEC [IEEE] documents are available from ISO Central Secretariat, 1 rue de Varembé, Case Postale 56, CH-1211,
Genève 20, Switzerland/Suisse; and from the Institute of Electrical and Electronics Engineers, 445 Hoes Lane, Piscataway, NJ 08854,
USA. ISO [IEEE] and ISO/IEC [IEEE] documents can be ordered on-line from the IEEE Standards Website:
http://www.standards.ieee.org.
2 Copyright © 2014 IEEE. All rights reserved.
AMENDMENT 1: MAC SECURITY KEY AGREEMENT PROTOCOL (MKA) EXTENSIONS IEEE
Std 802.1Xbx-2014
IEEE Std 802.11™, IEEE Standard for Information technology—Telecommunications and information
exchange between systems—Local and metropolitan area networks—Specific requirements—Part 11:
Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications.
IEEE Std 802.17™-2004 IEEE Standard for Information Technology—Telecommunications and
information exchange between systems—Local and metropolitan area networks—Specific
requirements—Part 17: Resilient packet ring (RPR) access method and physical layer specifications.
IEEE Std 802.1AR™, IEEE Standard for Local and Metropolitan Area Networks: Secure Device Identifier.
IETF RFC 2578, STD 58, Structure of Management Information for Version 2 of the Simple Network
Management Protocol (SNMPv2), McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.,
Waldbusser, S., April 1999.
IETF RFC 2579, STD 58, Textual Conventions for Version 2 of the Simple Network Management Protocol
(SNMPv2), McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., Waldbusser, S., April 1999.
IETF RFC 2580, STD 58, Conformance Statements for SMIv2, McCloghrie, K., Perkins, D.,
Schoenwaelder, J., Case, J., Rose, M., Waldbusser, S., April 1999.
IETF RFC 2863, The Interfaces Group MIB using SMIv2, McCloghrie, K. and Kastenholz, F., June 2000.
IETF RFC 2869, RADIUS Extensions, Rigney, C., Willats, W., and Calhoun, P., June 2000.
IETF RFC 3394, Advanced Encryption Standard (AES) Key Wrap Algorithm, J. Schaad, R. Housley,
September 2002.
IETF RFC 3410, Introduction and Applicability Statements for Internet Standard Management Framework,
J. Case, R. Mundy, D. Partain, B. Stewart, December 2002.
IETF RFC 3579, RADIUS (Remote Authentication Dial In User Service) Support For Extensible
Authentication Protocol (EAP), Aboba, B., Calhoun, P., September 2003.
IETF RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Guidelines,
Congdon, P., Aboba, B., Smith, A., Zorn, G., Roese, J., September 2003.
IETF RFC 3629, STD 63, UTF-8, a transformation format of ISO 10646, Yergeau, F., November 2003.
IETF RFC 4017, Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs,
Stanley, D., Walker, J., Aboba, B., March 2005.
IETF RFC 4346, The Transport Layer Security (TLS) Protocol Version 1.1, Dierks, T., Rescorla, E., April
2006.
IETF RFC 4493, The AES-CMAC Algorithm, Song, J.H., Lee, J., Iwata, T., June 2006.
IETF RFC 4675, RADIUS Attributes for Virtual LAN and Priority Support, Congdon, P., Sanchez, M.,
Aboba, B., September 2006.
IETF RFC 5216, The EAP-TLS Authentication Protocol, Simon, D., Aboba, B., Hurst, R., March 2008.
IETF RFCs are available from the Internet Engineering Task Force website at http://www.ietf.org/rfc.html.
IEEE LOCAL AND METROPOLITAN AREA NETWORKS
Std 802.1Xbx-2014
IETF RFC 5247, Extensible Authentication Protocol (EAP) Key Management Framework, Aboba, B.,
Simon, D., Eronen, P., October 2007.
FIPS Publication 197, The Advanced Encryption Standard (AES), U.S. DoC/NIST, November 26, 2001.
ISO/IEC 18033-3: 2010, Information technology—Security techniques—Encryption algorithms—Part 3:
Block ciphers.
NIST Federal Information Processing Standard 140-2, Security Requirements for Cryptographic Modules,
3 December 2002.
NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC
Mode for Authentication, Morris Dworkin, May 2005.
NIST Special Publication 800-90, Recommendation for Random Number Generation Using Deterministic
Random Bit Generators, E. Barker, J. Kelsey, revised March 2007.
NIST Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions,
Lily Chen, November 2008.
National Institute of Standards and Technology, FIPS 140-2 is available at http://www.nist.gov/cmvp.
NIST Special Publications (800 Series) are available at http://csrc.nist.gov/publications/PubsSPs.html.
3. Definitions
Change the definition of packet number as follows:
packet number (PN): A monotonically increasing value used to uniquely identify a MACsec frame in the
sequence of frames transmitted using an SA that is guaranteed unique for each MACsec frame transmitted
using a given SAK.
Insert the following definition(s), in the appropriate collating order:
extended packet number (XPN): A 64-bit packet number (PN) specified in IEEE Std 802.1AE.
Salt: A 96-bit secret value communicated by key agreement protocol for use by the protection and
verification operations of the IEEE Std 802.1AE GCM-AES-XPN Cipher Suites.
Short Secure Channel Identifier (SSCI): A 32-bit value that is unique for each SCI within the context of
all SecYs using a given SAK.
NOTE—IEEE Std 802.1AEbw-2013 specifies the calculation of SSCI and Salt values used by the IEEE Std
802.1AE GCM-AES-XPN Cipher Suites from other MKA values.
4. Abbreviations and acronyms
Insert the following abbreviation(s), in the appropriate collating sequence:
SSCI Short SCI
XPN Extended Packet Number
Delete the following abbreviation:
FDDI Fiber Distributed Data Interface
5. Conformance
5.11 MKA options
Insert new subclause 5.11.4 as follows:
5.11.4 In-service upgrades
A PAE that supports in-service upgrades shall be capable of
a) Suspending MKA operation as specified in 9.18.
b) Communicating the values of the most significant 32 bits of the Lowest Acceptable PN for the
Latest Key and the Old Key when any XPN capable Cipher Suite is being used, as specified in
9.18.5.
NOTE—Selection and use of Extended Packet Numbering depends on the implementation of an XPN capable Cipher
Suite by each SecY participating in a CA. See IEEE Std 802.1AE as amended by IEEE Std 802.1AEbw-2013.
A PAE that supports in-service upgrades may use additional protocol(s), outside the scope of this
specification, to coordinate in-service upgrades as specified in 9.18.6.
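The following Python is an added example, not text or code from IEEE Std 802.1Xbx-2014 or from any IEEE project. It illustrates the definitions in Clause 3 and item b) of 5.11.4: a 64-bit extended packet number (XPN) is split into the most significant 32 bits, which 5.11.4 b) requires a PAE to communicate for the Lowest Acceptable PN of the Latest Key and the Old Key, and the least significant 32 bits carried in the existing field; the receiver reassembles the two halves and applies a strict replay check. The 96-bit nonce form Salt XOR (SSCI || XPN) is the editor's recollection of IEEE Std 802.1AEbw-2013, which this clause cites but does not reproduce, and is labelled as an assumption in the code; the sample Salt, SSCI and PN values are constructed.

```python
"""Added example (not from IEEE Std 802.1Xbx-2014): XPN halves, reassembly,
strict replay checking, and the GCM-AES-XPN nonce from Salt, SSCI and XPN.
The nonce form Salt XOR (SSCI || XPN) is an ASSUMPTION about IEEE Std
802.1AEbw-2013, which the amendment references but does not reproduce here.
"""
from dataclasses import dataclass

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


def split_xpn(xpn: int) -> tuple:
    """Split a 64-bit XPN into (most significant 32 bits, least significant 32 bits).

    The MS half is the value 5.11.4 b) requires a PAE to communicate for the
    Lowest Acceptable PN of the Latest Key and the Old Key; the LS half is what
    the pre-existing 32-bit PN field can carry on its own.
    """
    if not 0 <= xpn <= MASK64:
        raise ValueError("XPN must fit in 64 bits")
    return xpn >> 32, xpn & MASK32


def join_xpn(ms32: int, ls32: int) -> int:
    """Reassemble a 64-bit XPN from the two 32-bit halves MKA delivered."""
    if not (0 <= ms32 <= MASK32 and 0 <= ls32 <= MASK32):
        raise ValueError("each half must fit in 32 bits")
    return (ms32 << 32) | ls32


def xpn_nonce(salt: bytes, ssci: int, xpn: int) -> bytes:
    """96-bit GCM nonce for an XPN Cipher Suite (ASSUMED form: Salt XOR (SSCI || XPN)).

    Salt is the 96-bit secret from key agreement (Clause 3), SSCI the 32-bit
    short SCI that is unique per SCI among all SecYs using the SAK, and XPN the
    64-bit packet number; distinct SSCIs therefore never collide on a nonce for
    the same SAK even when their XPNs coincide.
    """
    if len(salt) != 12:
        raise ValueError("Salt is a 96-bit (12-byte) value")
    if not 0 <= ssci <= MASK32:
        raise ValueError("SSCI must fit in 32 bits")
    if not 0 <= xpn <= MASK64:
        raise ValueError("XPN must fit in 64 bits")
    counter = ssci.to_bytes(4, "big") + xpn.to_bytes(8, "big")
    return bytes(a ^ b for a, b in zip(salt, counter))


@dataclass
class ReceiveSa:
    """Receive-side state for one SA under a given SAK.

    lowest_acceptable_pn is the 64-bit XPN reassembled from the halves MKA
    communicated; a strict (window of zero) replay check is applied.
    """
    lowest_acceptable_pn: int

    def accept(self, pn: int) -> bool:
        """Accept a frame only if its PN is not below the lowest acceptable PN,
        then advance so the same PN cannot be accepted twice under this SAK."""
        if pn < self.lowest_acceptable_pn:
            return False
        self.lowest_acceptable_pn = pn + 1
        return True


if __name__ == "__main__":
    # Constructed sample values, not taken from the standard.
    salt = bytes(range(12))
    lapn_ms, lapn_ls = split_xpn(0x00000001_00000000)  # PN just past the 32-bit range
    sa = ReceiveSa(join_xpn(lapn_ms, lapn_ls))
    print("MS32/LS32 of Lowest Acceptable PN:", hex(lapn_ms), hex(lapn_ls))
    print("accept PN 2^32 :", sa.accept(1 << 32))
    print("replay PN 2^32 :", sa.accept(1 << 32))
    print("nonce for SSCI 1:", xpn_nonce(salt, 1, 1 << 32).hex())
    print("nonce for SSCI 2:", xpn_nonce(salt, 2, 1 << 32).hex())
```

The replay check is deliberately strict; a real SecY applies its configured replay window on top of the same 64-bit comparison.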
6. Principles of port-based network access control operation
6.2 Key hierarchy
Change the first paragraph of 6.2 as
...