标准摘要
[中文适用范围]: 规定了无连接用户数据保密性、帧数据完整性以及数据来源真实性的提供要求,这些是由介质访问无关协议和透明操作的实体实现的。 指定了满足本标准符合性声明的设备应满足的要求。 规定了MACsec在MAC服务提供的方面以及保护服务请求和服务指示语义方面的具体要求。 描述了对正确服务提供的威胁,包括故意和非故意的威胁。 指定了防止或限制通过利用这些威胁进行攻击的安全服务。 分析了威胁以及使用MACsec对服务质量(QoS)的潜在影响,规定了对MAC安全实体和协议设计及操作的约束。 描述了在介质访问控制方法无关的MAC子层中支持安全MAC服务的操作模型。 规定了用于提供安全服务的MACsec协议数据单元(MPDU)的格式。 指定了每个安全机制(SecY)的功能,并提供了其实现内部操作的架构模型。 描述了SecY与相关联且位于同一端口的接入实体(PAE,IEEE Std 802.1 X)配合使用以发现和验证MACsec协议对等体的方式,并指定了其使用该PAE的密钥协商实体(KaY)来协商和更新加密密钥。 规定了SecY的性能要求,并推荐了默认值及其操作参数的适用范围。 说明了在端站、桥接设备和双端口以太网数据加密设备(EDEs)架构中纳入SecY的方式。 建立了MAC安全管理的要求,指定了受管对象并定义了对SecY的操作管理。 规定了用于管理和控制TCP/IP网络中MAC安全操作的MIB模块。 指定了密钥套件的选择标准和使用要求。 [外文原描述]: This document specifies provision of connectionless user data confidentiality, frame data integrity, and data origin authenticity by media access independent protocols and entities that operate transparently to MAC Clients. NOTE—The MAC Clients are as specified in IEEE Std 802®, IEEE Std 802.1Q?, and IEEE Std 802.1X.2 To this end, it a) Specifies the requirements to be satisfied by equipment claiming conformance to this standard. b) Specifies the requirements for MACsec in terms of provision of the MAC Service and the preservation of the semantics and parameters of service requests and indications. c) Describes the threats, both intentional and accidental, to correct provision of the service. d) Specifies security services that prevent, or restrict, the effect of attacks that exploit these threats. e) Examines the potential impact of both the threats and the use of MACsec on the Quality of Service (QoS), specifying constraints on the design and operation of MAC Security entities and protocols. f) Models support of the secure MAC Service in terms of the operation of media access control method independent MAC Security Entities (SecYs) within the MAC Sublayer. g) Specifies the format of the MACsec Protocol Data Unit (MPDUs) used to provide secure service. h) Identifies the functions to be performed by each SecY, and provides an architectural model of its internal operation in terms of Processes and Entities that provide those functions. i) Specifies each SecY's use of an associated and collocated Port Access Entity (PAE, IEEE Std 802.1X) to discover and authenticate MACsec protocol peers and its use of that PAE's Key Agreement Entity (KaY) to agree and update cryptographic keys. j) Specifies performance requirements and recommends default values and applicable ranges for the operational parameters of a SecY. k) Specifies how SecYs are incorporated within the architecture of end stations, bridges, and two-port Ethernet Data Encryption devices (EDEs). l) Establishes the requirements for management of MAC Security, identifying the managed objects and defining the management operations for SecYs. m) Specifies the Management Information Base (MIB) module for managing the operation of MAC Security in TCP/IP networks. n) Specifies requirements, criteria, and choices of Cipher Suites for use with this standard.
英文名称Telecommunications and exchange between information technology systems - Requirements for local and metropolitan area networks - Part 1AE: Media access control (MAC) security