ISO/IEC/IEEE 8802-1AE:2013

INTERNATIONAL ISO/IEC/
STANDARD IEEE
8802-1AE
First edition
2013-12-01
Information technology —
Telecommunications and information
exchange between systems — Local and
metropolitan area networks —
Part 1AE:
Media access control (MAC) security
Technologies de l'information — Télécommunications et échange
d'information entre systèmes — Réseaux locaux et métropolitains —
Partie 1AE: Sécurité du contrôle d'accès aux supports (MAC)

Reference number
©
IEEE 2006
©  IEEE 2006
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any
means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without permission in writing from ISO,
IEC or IEEE at the respective address below.
ISO copyright office IEC Central Office Institute of Electrical and Electronics Engineers, Inc.
Case postale 56 3, rue de Varembé 3 Park Avenue, New York
CH-1211 Geneva 20 CH-1211 Geneva 20 NY 10016-5997, USA
Tel. + 41 22 749 01 11 Switzerland E-mail stds.ipr@ieee.org
Fax + 41 22 749 09 47 E-mail inmail@iec.ch Web www.ieee.org
E-mail copyright@iso.org Web www.iec.ch
Web www.iso.org
Published in Switzerland
ii © IEEE 2006 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees established
by the respective organization to deal with particular fields of technical activity. ISO and IEC technical
committees collaborate in fields of mutual interest. Other international organizations, governmental and non-
governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO
and IEC have established a joint technical committee, ISO/IEC JTC 1.
IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating
Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its standards
through a consensus development process, approved by the American National Standards Institute, which
brings together volunteers representing varied viewpoints and interests to achieve the final product. Volunteers
are not necessarily members of the Institute and serve without compensation. While the IEEE administers the
process and establishes rules to promote fairness in the consensus development process, the IEEE does not
independently evaluate, test, or verify the accuracy of any of the information contained in its standards.
The main task of ISO/IEC JTC 1 is to prepare International Standards. Draft International Standards adopted
by the joint technical committee are circulated to national bodies for voting. Publication as an International
Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is called to the possibility that implementation of this standard may require the use of subject matter
covered by patent rights. By publication of this standard, no position is taken with respect to the existence or
validity of any patent rights in connection therewith. ISO/IEEE is not responsible for identifying essential
patents or patent claims for which a license may be required, for conducting inquiries into the legal validity or
scope of patents or patent claims or determining whether any licensing terms or conditions provided in
connection with submission of a Letter of Assurance or a Patent Statement and Licensing Declaration Form, if
any, or in any licensing agreements are reasonable or non-discriminatory. Users of this standard are expressly
advised that determination of the validity of any patent rights, and the risk of infringement of such rights, is
entirely their own responsibility. Further information may be obtained from ISO or the IEEE Standards
Association.
ISO/IEC/IEEE 8802-1AE was prepared by the LAN/MAN Standards Committee of the IEEE Computer Society
(as IEEE Std 802.1AE-2006). It was adopted by Joint Technical Committee ISO/IEC JTC 1, Information
technology, Subcommittee SC 6, Telecommunications and information exchange between systems, in parallel
with its approval by the ISO/IEC national bodies, under the “fast-track procedure” defined in the Partner
Standards Development Organization cooperation agreement between ISO and IEEE. IEEE is responsible for
the maintenance of this document with participation and input from ISO/IEC national bodies.
ISO/IEC/IEEE 8802 consists of the following parts, under the general title Information technology —
Telecommunications and information exchange between systems — Local and metropolitan area networks:
— Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications
— Part 1X: Port-based network access control
— Part 1AE: Media access control (MAC) security
— Part 15-4: Wireless medium access control (MAC) and physical layer (PHY) specifications for low-rate
wireless personal area networks (WPANs)

© IEEE 2006 – All rights reserved iii

(blank page)
iv © IEEE 2006 – All rights reserved

I E E E Standard for
Local and metropolitan area networks
Media Access Control (MAC) Security
IEEE Computer Society
Sponsored by the
LAN/MAN Standards Committee
I E E E
™
3 Park Avenue IEEE Std 802.1AE -2006
New York, NY 10016-5997, USA
18 August 2006
(blank page)
vi Copyright © 2006 IEEE. All rights reserved.

™
IEEE Std 802.1AE -2006
IEEE Standard for
Local and metropolitan area networks:
Media Access Control (MAC) Security
Sponsor
LAN/MAN Standards Committee
of the
IEEE Computer Society
Approved 8 June 2006
IEEE-SA Standards Board
Abstract: This standard specifies how all or part of a network can be secured transparently to peer ®
protocol entities that use the MAC Service provided by IEEE 802 LANs to communicate. MAC
security (MACsec) provides connectionless user data confidentiality, frame data integrity, and data
origin authenticity.
Keywords: authorized port, data origin authenticity, integrity/confidentiality, LANs, local area
networks, MAC Bridges, MAC security and tack, MAC Service, MANs, metropolitan area
networks, MSAP, port-based network access control, secure association, security, service access
point, transparent bridging
The Institute of Electrical and Electronics Engineers, Inc.
3 Park Avenue, New York, NY 10016-5997, USA
All rights reserved. Published 18 August 2006. Printed in the United States of America.
IEEE and 802 are both registered trademarks in the U.S. Patent & Trademark Office, owned by the Institute of Electrical
and Electronics Engineers, Incorporated.
Print: ISBN 0-7381-4990-X SH95549
PDF: ISBN 0-7381-4991-8 SS95549
No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without the prior
written permission of the publisher.
viii Copyright © 2006 IEEE. All rights reserved.

IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating
Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its standards
through a consensus development process, approved by the American National Standards Institute, which brings
together volunteers representing varied viewpoints and interests to achieve the final product. Volunteers are not
necessarily members of the Institute and serve without compensation. While the IEEE administers the process
and establishes rules to promote fairness in the consensus development process, the IEEE does not independently
evaluate, test, or verify the accuracy of any of the information contained in its standards.
Use of an IEEE Standard is wholly voluntary. The IEEE disclaims liability for any personal injury, property or
other damage, of any nature whatsoever, whether special, indirect, consequential, or compensatory, directly or
indirectly resulting from the publication, use of, or reliance upon this, or any other IEEE Standard document.
The IEEE does not warrant or represent the accuracy or content of the material contained herein, and expressly
disclaims any express or implied warranty, including any implied warranty of merchantability or fitness for a spe-
cific purpose, or that the use of the material contained herein is free from patent infringement. IEEE Standards
documents are supplied “AS IS.”
The existence of an IEEE Standard does not imply that there are no other ways to produce, test, measure,
purchase, market, or provide other goods and services related to the scope of the IEEE Standard. Furthermore, the
viewpoint expressed at the time a standard is approved and issued is subject to change brought about through
developments in the state of the art and comments received from users of the standard. Every IEEE Standard is
subjected to review at least every five years for revision or reaffirmation. When a document is more than five
years old and has not been reaffirmed, it is reasonable to conclude that its contents, although still of some value,
do not wholly reflect the present state of the art. Users are cautioned to check to determine that they have the
latest edition of any IEEE Standard.
In publishing and making this document available, the IEEE is not suggesting or rendering professional or other
services for, or on behalf of, any person or entity. Nor is the IEEE undertaking to perform any duty owed by any
other person or entity to another. Any person utilizing this, and any other IEEE Standards document, should rely
upon the advice of a competent professional in determining the exercise of reasonable care in any given
circumstances.
Interpretations: Occasionally questions may arise regarding the meaning of portions of standards as they relate to
specific applications. When the need for interpretations is brought to the attention of IEEE, the Institute will initiate
action to prepare appropriate responses. Since IEEE Standards represent a consensus of concerned interests, it is
important to ensure that any interpretation has also received the concurrence of a balance of interests. For this
reason, IEEE and the members of its societies and Standards Coordinating Committees are not able to provide an
instant response to interpretation requests except in those cases where the matter has previously received formal
consideration. At lectures, symposia, seminars, or educational courses, an individual presenting information on
IEEE standards shall make it clear that his or her views should be considered the personal views of that individual
rather than the formal position, explanation, or interpretation of the IEEE.
Comments for revision of IEEE Standards are welcome from any interested party, regardless of membership affil-
iation with IEEE. Suggestions for changes in documents should be in the form of a proposed change of text,
together with appropriate supporting comments. Comments on standards and requests for interpretations should
be addressed to:
Secretary, IEEE-SA Standards Board
445 Hoes Lane
Piscataway, NJ 08854
USA
Authorization to photocopy portions of any individual standard for internal or personal use is granted by the
Institute of Electrical and Electronics Engineers, Inc., provided that the appropriate fee is paid to Copyright
Clearance Center. To arrange for payment of licensing fee, please contact Copyright Clearance Center, Customer
Service, 222 Rosewood Drive, Danvers, MA 01923 USA; +1 978 750 8400. Permission to photocopy portions of
any individual standard for educational classroom use can also be obtained through the Copyright Clearance
Center.
Introduction
This introduction is not part of IEEE Std 802.1AE-2006, IEEE Standard for Local and Metropolitan Area Net-
works: Media Access Control (MAC) Security.
This is the first edition of this standard.
Relationship between IEEE Std 802.1AE and other IEEE 802 standards
™
Another IEEE standard, IEEE Std 802.1X -2004, specifies Port-based Network Access Control, and
provides a means of authenticating and authorizing devices attached to a LAN. Use of this standard in
conjunction with architecture and protocols of IEEE Std 802.1X-2004 extends the applicability of the latter
to publicly accessible LAN/MAN media for which security has not already been defined. A proposed
™
amendment, IEEE P802.1af , to IEEE Std 802.1X-2004 is being developed to specify the additional
protocols and interfaces necessary.
™
This standard is not intended for use with IEEE Std 802.11 , Wireless LAN Medium Access Control. An
™
amendment to that standard, IEEE Std 802.11i -2004, also makes use of IEEE Std 802.1X-2004, thus
facilitating the use of a common authentication and authorization framework for LAN media to which this
standard applies and for Wireless LANs.
™
A previous security standard, IEEE Std 802.10 , IEEE Standard for Interoperable LAN/MAN Security, has
been withdrawn.
Notice to users
Errata
Errata, if any, for this and all other standards can be accessed at the following URL: http://
standards.ieee.org/reading/ieee/updates/errata/index.html. Users are encouraged to check this URL for
errata periodically.
Interpretations
Current interpretations can be accessed at the following URL: http://standards.ieee.org/reading/ieee/interp/
index.html.
Patents
Attention is called to the possibility that implementation of this standard may require use of subject matter
covered by patent rights. By publication of this standard, no position is taken with respect to the existence or
validity of any patent rights in connection therewith. The IEEE shall not be responsible for identifying
patents or patent applications for which a license may be required to implement an IEEE standard or for
conducting inquiries into the legal validity or scope of those patents that are brought to its attention.
x Copyright © 2006 IEEE. All rights reserved.

Contents
1. Overview. 1
1.1 Introduction. 1
1.2 Scope. 2
2. Normative references. 3
3. Definitions . 5
4. Abbreviations and acronyms . 8
5. Conformance. 10
5.1 Requirements terminology.10
5.2 Protocol Implementation Conformance Statement (PICS). 10
5.3 Required capabilities. 10
5.4 Optional capabilities . 11
6. Secure provision of the MAC Service . 13
6.1 MAC Service primitives and parameters. 13
6.2 MAC Service connectivity.15
6.3 Point-to-multipoint LANs. 16
6.4 MAC status parameters. 16
6.5 MAC point-to-point parameters. 16
6.6 Security threats . 17
6.7 MACsec connectivity . 18
6.8 MACsec guarantees . 19
6.9 Security services . 19
6.10 Quality of service maintenance.20
7. Principles of secure network operation. 22
7.1 Support of the secure MAC Service by an individual LAN . 22
7.2 Multiple instances of the secure MAC Service on a single LAN. 27
7.3 Use of the secure MAC Service. 28
8. MAC Security Protocol (MACsec). 31
8.1 Protocol design requirements.32
8.2 Protocol support requirements . 34
8.3 MACsec operation . 36
9. Encoding of MACsec protocol data units. 38
9.1 Structure, representation, and encoding. 38
9.2 Major components . 38
9.3 Security TAG. 39
9.4 MACsec EtherType . 39
9.5 TAG Control Information (TCI). 40
9.6 Association Number (AN) . 41
9.7 Short Length (SL) . 41
9.8 Packet Number (PN). 41
9.9 Secure Channel Identifier (SCI) . 41
9.10 Secure Data . 42
9.11 Integrity Check Value (ICV) .42
9.12 PDU validation . 43
10. Principles of MAC Security Entity (SecY) operation . 44
10.1 SecY overview. 44
10.2 SecY functions. 46
10.3 Model of operation. 47
10.4 SecY architecture. 47
10.5 Secure frame generation . 50
10.6 Secure frame verification. 51
10.7 SecY management . 53
10.8 Addressing . 63
10.9 Priority . 63
10.10 SecY performance requirements. 63
11. MAC Security in Systems. 65
11.1 MAC Service interface stacks.65
11.2 MACsec in end stations . 66
11.3 MACsec in MAC Bridges. 66
11.4 MACsec in VLAN-aware Bridges. 67
11.5 MACsec and Link Aggregation. 68
11.6 Link Layer Discovery Protocol (LLDP). 69
11.7 MACsec in Provider Bridged Networks. 70
11.8 MACsec and multi-access LANs. 72
12. MACsec and EPON . 74
13. Management protocol . 76
13.1 Introduction. 76
13.2 The Internet-Standard Management Framework. 76
13.3 Relationship to other MIBs. 76
13.4 Security considerations . 78
13.5 Structure of the MIB . 80
13.6 Definitions for MAC Security MIB. 84
14. Cipher Suites. 121
14.1 Cipher Suite use . 121
14.2 Cipher Suite capabilities . 122
14.3 Cipher Suite specification. 123
14.4 Cipher Suite conformance . 123
14.5 Default Cipher Suite (GCM–AES–128) . 124
Annex A (normative) PICS Proforma . 126
A.1 Introduction. 126
A.2 Abbreviations and special symbols. 126
A.3 Instructions for completing the PICS proforma. 127
A.4 PICS proforma for IEEE Std 802.1AE . 129
A.5 Major capabilities . 130
A.6 Support and use of Service Access Points . 131
A.7 MAC status and point-to-point parameters. 132
A.8 Secure Frame Generation. 133
xii Copyright © 2006 IEEE. All rights reserved.

A.9 Secure Frame Verification . 134
A.10 MACsec PDU encoding and decoding . 135
A.11 Key Agreement Entity LMI. 135
A.12 Additional fully conformant Cipher Suite capabilities . 139
A.13 Additional variant Cipher Suite capabilities. 140
Annex B (informative) Bibliography. 142
Annex & (informative) ,(((OLVWRISDUWLFLSDQWV. 14
IEEE Standard for
Local and metropolitan area networks:
Media Access Control (MAC) Security
1. Overview
1.1 Introduction ®
IEEE 802 Local Area Networks (LANs) are often deployed in networks that support mission-critical
applications. These include corporate networks of considerable extent, and public networks that support
many customers with different economic interests. The protocols that configure, manage, and regulate
access to these networks typically run over the networks themselves. Preventing disruption and data loss
arising from transmission and reception by unauthorized parties is highly desirable, since it is not practical
to secure the entire network against physical access by determined attackers.
MAC Security (MACsec), as defined by this standard, allows authorized systems that attach to and
interconnect LANs in a network to maintain confidentiality of transmitted data and to take measures against
frames transmitted or modified by unauthorized devices.
MACsec facilitates
a) Maintenance of correct network connectivity and services
b) Isolation of denial of service attacks
c) Localization of any source of network communication to the LAN of origin
d) The construction of public networks, offering service to unrelated or possibly mutually suspicious
customers, using shared LAN infrastructures
e) Secure communication between organizations, using a LAN for transmission
f) Incremental and non-disruptive deployment, protecting the most vulnerable network components.
To deliver these benefits, MACsec has to be used in conjunction with appropriate policies for higher-level
protocol operation in networked systems, an authentication and authorization framework, and network
™ 1
management. IEEE P802.1af [B2] provides authentication and cryptographic key distribution.
MACsec protects communication between trusted components of the network infrastructure, thus protecting
the network operation. MACsec cannot protect against attacks facilitated by the trusted components
The numbers in brackets correspond to those of the bibliography in Annex B.
IEEE Std 802.1AE-2006 LOCAL AND METROPOLITAN AREA NETWORKS
themselves, and is complementary to, rather than a replacement for, end-to-end application-to-application
security protocols. The latter can secure application data independent of network operation, but cannot
necessarily defend the operation of network components, or prevent attacks using unauthorized
communication from reaching the systems that operate the applications.
1.2 Scope
The scope of this standard is to specify provision of connectionless user data confidentiality, frame data
integrity, and data origin authenticity by media access independent protocols and entities that operate
transparently to MAC Clients.
™ ™ ™
NOTE—The MAC Clients are as specified in IEEE Std 802, IEEE Std 802.2 , IEEE Std 802.1D , IEEE Std 802.1Q ,
™ 2
and IEEE Std 802.1X .
To this end it
a) Specifies the requirements to be satisfied by equipment claiming conformance to this standard.
b) Specifies the requirements for MAC Security in terms of provision of the MAC Service and the
preservation of the semantics and parameters of service requests and indications.
c) Describes the threats, both intentional and accidental, to correct provision of the service.
d) Specifies security services that prevent, or restrict, the effect of attacks that exploit these threats.
e) Examines the potential impact of both the threats and the use of MAC Security on the Quality of
Service (QoS), specifying constraints on the design and operation of MAC Security entities and
protocols.
f) Models support of the secure MAC Service in terms of the operation of media access control method
independent MAC Security Entities (SecYs) within the MAC Sublayer.
g) Specifies the format of the MACsec Protocol Data Unit (MPDUs) used to provide secure service.
h) Identifies the functions to be performed by each SecY, and provides an architectural model of its
internal operation in terms of Processes and Entities that provide those functions.
i) Specifies the interface/exchanges between a SecY and its associated and collocated MAC Security
Key Agreement Entity (KaY, IEEE P802.1af [B2]) that provides and updates cryptographic keys.
j) Specifies performance requirements and recommends default values and applicable ranges for the
operational parameters of a SecY.
k) Specifies how SecYs are incorporated within the architectural structure within end stations and
bridges.
l) Establishes the requirements for management of MAC Security, identifying the managed objects
and defining the management operations for SecYs.
m) Specifies the Management Information Base (MIB) module for managing the operation of MAC
Security in TCP/IP networks.
n) Specifies requirements, criteria and choices of Cipher Suites for use with this standard.
This standard does not
o) Specify how the relationships between MACsec protocol peers are discovered and authenticated, as
supported by key management or key distribution protocols, but makes use of IEEE P802.1af Key
Agreement for MAC security to achieve these functions.
Notes in text, tables, and figures are given for information only, and do not contain requirements needed to implement the standard.
2 Copyright © 2006 IEEE. All rights reserved.

MEDIA ACCESS CONTROL (MAC) SECURITY IEEE Std 802.1AE-2006
2. Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments or corrigenda) applies.
Federal Information Processing Standards FIPS 197, Advanced Encryption Standard, 2001, Advanced
Encryption Standard Cyclic Block Chaining (AES-CBC).
Galois Counter Mode of Operation (GCM), David A. McGrew, John Viega.
5, 6
IEEE Std 802, IEEE Standards for Local and Metropolitan Area Networks: Overview and Architecture.
IEEE Std 802.1D-2003, IEEE Standards for Local and Metropolitan Area Networks: Media Access Control
(MAC) Bridges.
IEEE Std 802.1Q-2005, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local
Area Networks.
IEEE Std 802.1X-2004, IEEE Standards for Local and Metropolitan Area Networks: Port Based Network
Access Control.
™
IEEE Std 802.1ad -2005, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged
Local Area Networks—Amendment 4: Provider Bridges.
™
IEEE Std 802.1AB -2005, IEEE Standards for Local and Metropolitan Area Networks: Station and Media
Access Control Connectivity and Discovery.
™
IEEE Std 802.2 , IEEE Standard for Information technology—Telecommunications and information
exchange between systems—Local and metropolitan area networks—Specific requirements—Part 2:
Logical link control.
™
IEEE Std 802.3 , IEEE Standard for Information technology—Part 3: Carrier Sense Multiple Access with
Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications.
™
IEEE Std 802.11 , IEEE Standard for Information technology—Telecommunications and information
exchange between systems—Local and metropolitan area networks—Specific requirements—Part 11:
Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications.
™
IEEE Std 802.11i , IEEE Standard for Information technology—Telecommunications and information
exchange between systems—Local and metropolitan area networks—Specific requirements—Part 11:
Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications—Media Access
Control (MAC) Security Enhancements.
™
IEEE Std 802.17 , IEEE Standard for Information technology—Telecommunications and information
exchange between systems—Local and metropolitan area networks—Specific requirements—Part 17:
Resilient packet ring (RPR) access method & physical layer specifications.
FIPS publications are available from the National Technical Information Service (NTIS), U. S. Dept. of Commerce, 5285 Port Royal
Rd., Springfield, VA 22161 (http://www.ntis.org/).
This document can be downloaded from http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/gcm-spec.pdf.
IEEE publications are available from the Institute of Electrical and Electronics Engineers, 445 Hoes Lane, P.O. Box 1331, Piscataway,
NJ 08855-1331, USA. IEEE publications can be ordered on-line from the IEEE Standards Website: http://www.standards.ieee.org
The IEEE standards or products referred to in this clause are trademarks of the Institute of Electrical and Electronics Engineers, Inc.
IEEE Std 802.1AE-2006 LOCAL AND METROPOLITAN AREA NETWORKS
IETF RFC 1213: Management Information Base for Network Management of TCP/IP-based internets: MIB-
II, K. McCloghrie, M.T. Rose, March 1991.
IETF RFC 2578, STD 58, Structure of Management Information for Version 2 of the Simple Network
Management Protocol (SNMPv2), McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M.,
Waldbusser, S., April 1999.
IETF RFC 2579, STD 58, Textual Conventions for Version 2 of the Simple Network Management Protocol
(SNMPv2), McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., Waldbusser, S., April 1999.
IETF RFC 2580, STD 58, Conformance Statements for SMIv2, McCloghrie, K., Perkins, D.,
Schoenwaelder, J., Case, J., Rose, M., Waldbusser, S., April 1999.
IETF RFC 2863, The Interfaces Group MIB using SMIv2, McCloghrie, K. and Kastenholz, F., June 2000.
IETF RFC 3418, Management Information Base (MIB) for the Simple Network Management Protocol
(SNMP), Preshun, R., ED., December 2002.
ISO/IEC 7498-1, Information processing systems—Open Systems Interconnection—Basic Reference
Model—Part 1: The Basic Model.
ISO/IEC 7498-2, Information processing systems—Open Systems Interconnection—Basic Reference
Model—Part 2: Security architecture.
ISO/IEC 14882, Information Technology—Programming languages—C++.
ISO/IEC 15802-1, Information technology—Telecommunications and information exchange between
systems—Local and metropolitan area networks—Common specifications—Part 1: Medium Access
Control (MAC) service definition.
ISO/IEC publications are available from the ISO Central Secretariat, Case Postale 56, 1 rue de Varembé, CH-1211, Genève 20, Swit-
zerland/Suisse (http://www.iso.ch/). ISO/IEC publications are also available in the United States from Global Engineering Documents,
15 Inverness Way East, Englewood, Colorado 80112, USA (http://global.ihs.com/). Electronic copies are available in the United States
from the American National Standards Institute, 25 West 43rd Street, 4th Floor, New York, NY 10036, USA (http://www.ansi.org/).
4 Copyright © 2006 IEEE. All rights reserved.

MEDIA ACCESS CONTROL (MAC) SECURITY IEEE Std 802.1AE-2006
3. Definitions
For the purposes of this standard, the following terms and definitions apply. The Authoritative Dictionary of
IEEE Standards Terms, Seventh Edition [B3], should be referenced for terms not defined in this clause.
3.1 Association Number (AN): A number that is concatenated with the Secure Channel Identifier to iden-
tify a Secure Association.
3.2 bounded receive delay: A guarantee that a frame will not be delivered after a known bounded time, in
the case of protocols designed to use the MAC Service this is typically assumed to be less than two seconds.
3.3 Bridged Local Area Network: A concatenation of individual IEEE 802 LANs interconnected by MAC
Bridges.
NOTE—Unless explicitly specified the use of the word network in this standard refers to a Bridged Local Area Network.
The term Bridged Local Area Network is not otherwise abbreviated. The term Local Area Network and the abbreviation
LAN are used exclusively to refer to an individual LAN specified by a MAC technology without the inclusion of
Bridges. This precise use of terminology within this specification allows a Bridged Local Area Network to be distin-
guished from an individual LAN that has been bridged to other LANs in the network. In more general usage such precise
terminology is not required, as it is an explicit goal of this standard that MAC Security is transparent to the users of the
MAC Service.
3.4 Cipher Suite: A set of one or more algorithms, designed to provide any number of the following: data
confidentiality, data authenticity, data integrity.
3.5 Common Port: An instance of the MAC Internal Sublayer Service used by the SecY to provide trans-
mission and reception of frames for both the controlled and uncontrolled ports.
3.6 Controlled Port: The access point used to provide the secure MAC Service to a client of a SecY.
3.7 cryptographic key: A parameter that determines the operation of a cryptographic function such as:
a) The transformation from plain text to cipher text and vice versa
b) Synchronized generation of keying material
c) Digital signature computation or validation.
3.8 cryptographic mode of operation: Also referred to as mode. An algorithm for the cryptographic trans-
formation of data that features a symmetric key block cipher algorithm.
3.9 data integrity: A property whereby data has not been altered in an unauthorized manner since it was
created, transmitted or stored.
3.10 IEEE 802 Local Area Network (LAN): IEEE 802 LANs (also referred to in the text simply as LANs)
are LAN technologies that provide a MAC Service equivalent to the MAC Service defined in ISO/IEC
15802-1. IEEE 802 LANs include IEEE Std 802.3 (CSMA/CD), IEEE Std 802.11 (Wireless), IEEE Std
802.17 (Resilient Packet Ring).
3.11 initialization vector (IV): A vector used in defining the starting point of an encryption process within
a cryptographic algorithm.
This and some other definitions in this clause have been drawn from ASC TR1/X9, Technical Report for ABA ASC/X9 Standards
Definitions, Acronyms, and Symbols, 2002.
This and some other definitions in this clause have been drawn from NIST Special Publication 800-38A, Recommendation for Block
Cipher Modes of Operation: Methods and Techniques, 2001.
This and some other definitions in this clause have been drawn from NIST Special Publication 800-57, Recommendation for Key
Management, 2005.
IEEE Std 802.1AE-2006 LOCAL AND METROPOLITAN AREA NETWORKS
3.12 integrity: See data integrity.
3.13 integrity check value (ICV): A value that is derived by performing an algorithmic transformation on
the data unit for which data integrity services are provided. The ICV is sent with the protected data unit and
is recalculated and compared by the receiver to detect data modification.
3.14 key: See cryptographic key.
3.15 key management: The generation, storage, distribution, deletion, archiving, and application of keys in
accordance with a security policy.
3.16 Layer Management Interface (LMI): The interface between a protocol entity in a system and the sys-
tem management, providing for the exchange of parameters with other system entities that are not attached
to the service access points used and provided by the protocol entity.
3.17 Local Area Network (LAN): See IEEE 802 Local Area Network (LAN).
3.18 MAC Security Entity (SecY): The entity that operates the MAC Security protocol within a system.
3.19 MAC Security TAG (SecTAG): A protocol header, comprising a number of octets and beginning with
an EtherType, that is prepended to the service data unit supplied by the client of the protocol, and is used to
provide security guarantees.
3.20 MAC service data unit (MSDU): A sequence of zero or more octets that compose the data to be com-
municated with a single MAC Service request or indication.
3.21 man-in-the-middle attack: An attack on the authentication protocol run in which the attacker posi-
tions himself between the claimant and verifier so that he can intercept and alter data traveling between
them.
3.22 master key: A secret key that is used to derive one or more cryptographic keys that are used directly to
protect data transfer.
3.23 message authentication: If the message arrives authenticated, the cryptographic guarantee is that the
message was not modified in
...