BS ISO/IEC/IEEE 8802-1X:2021 (2022 Edition)
$215.11
Telecommunications and exchange between information technology systems. Requirements for local and metropolitan area networks – Port-based network access control
Published By | Publication Date | Number of Pages |
---|---|---|
BSI | 2022 | 294 |
PDF Catalog
PDF Pages | PDF Title |
---|---|
7 | Title page |
9 | Important Notices and Disclaimers Concerning IEEE Standards Documents |
12 | Participants |
14 | Introduction |
15 | Contents |
19 | Figures |
21 | Tables |
22 | 1. Overview; 1.1 Scope; 1.2 Purpose; 1.3 Introduction |
23 | 1.4 Provisions of this standard |
25 | 2. Normative references |
27 | 3. Definitions |
32 | 4. Acronyms and abbreviations |
34 | 5. Conformance; 5.1 Requirements terminology; 5.2 Protocol Implementation Conformance Statement |
35 | 5.3 Conformant systems and system components; 5.4 PAE requirements |
36 | 5.5 PAE options; 5.6 Supplicant requirements; 5.7 Supplicant options; 5.7.1 Integration with IEEE Std 802.1AR; 5.8 Authenticator requirements; 5.9 Authenticator options |
37 | 5.9.1 Integration with IEEE Std 802.1AR; 5.10 MKA requirements; 5.11 MKA options; 5.11.1 Support for PSKs; 5.11.2 Key Server support for Group CAs |
38 | 5.11.3 CAK Cache; 5.11.4 In-service upgrades; 5.12 Virtual port requirements |
39 | 5.13 Virtual port options; 5.14 Announcement transmission requirements; 5.15 Announcement transmission options; 5.16 Announcement reception requirements; 5.17 Announcement reception options |
40 | 5.18 Requirements for SNMP access to the PAE MIB; 5.19 Options for SNMP access to the PAE MIB; 5.20 PAC requirements; 5.21 System recommendations; 5.22 Prohibitions; 5.23 Requirement for YANG data model of a PAE; 5.24 Options for YANG data model of a PAE |
42 | 6. Principles of port-based network access control operation |
43 | 6.1 Port-based network access control architecture |
44 | 6.2 Key hierarchy |
46 | 6.2.1 Key derivation function (KDF) |
47 | 6.2.2 Using EAP for CAK key derivation |
48 | 6.2.3 CAK caching and scope; 6.2.4 Algorithm agility |
49 | 6.3 Port Access Entity (PAE); 6.3.1 Authentication exchanges |
50 | 6.3.2 Key agreement; 6.3.3 Pre-shared keys; 6.3.4 Interoperability and connectivity |
51 | 6.3.5 Network announcements, identity, authentication requirements, and status |
52 | 6.3.6 Multi-access LANs; 6.4 Port Access Controller (PAC) |
53 | 6.4.1 Uncontrolled Port transmission and reception; 6.4.2 Controlled Port transmission and reception |
54 | 6.4.3 PAC management; 6.5 Link aggregation |
55 | 6.6 Use of this standard by IEEE Std 802.11 |
56 | 7. Port-based network access control applications; 7.1 Host access with physically secure LANs |
57 | 7.1.1 Assumptions and requirements; 7.1.2 System configuration and operation |
58 | 7.1.3 Connectivity to unauthenticated systems |
59 | 7.2 Infrastructure support with physically secure LANs |
60 | 7.2.1 Assumptions and requirements |
61 | 7.2.2 System configuration and operation; 7.3 Host access with MACsec and point-to-point LANs; 7.3.1 Assumptions and requirements |
62 | 7.3.2 System configuration and operation; 7.3.3 Connectivity to unauthenticated systems; 7.4 Use with MACsec to support infrastructure LANs |
63 | 7.4.1 Assumptions and requirements |
64 | 7.4.2 System configuration and operation; 7.4.3 Connectivity to unauthenticated systems; 7.5 Host access with MACsec and a multi-access LAN |
65 | 7.5.1 Assumptions and requirements; 7.5.2 System configuration and operation |
66 | 7.5.3 Connectivity to unauthenticated systems |
67 | 7.6 Group host access with MACsec |
68 | 7.6.1 Assumptions and requirements; 7.6.2 System configuration and operation; 7.7 Use with MACsec to support virtual shared media infrastructure LANs; 7.7.1 Assumptions and requirements |
69 | 7.7.2 System configuration and operation |
71 | 8. Authentication using EAP |
72 | 8.1 PACP Overview |
73 | 8.2 Example EAP exchanges |
74 | 8.3 PAE higher layer interface |
75 | 8.4 PAE Client interface |
77 | 8.5 EAPOL transmit and receive; 8.6 Supplicant and Authenticator PAE timers |
78 | 8.7 Supplicant PACP state machine, variables, and procedures; 8.8 Supplicant PAE counters |
79 | 8.9 Authenticator PACP state machine, variables, and procedures |
80 | 8.10 Authenticator PAE counters |
81 | 8.11 EAP methods; 8.11.1 MKA and EAP methods |
82 | 8.11.2 Integration with IEEE Std 802.1AR and EAP methods |
83 | 9. MACsec Key Agreement protocol (MKA) |
84 | 9.1 Protocol design requirements |
85 | 9.2 Protocol support requirements; 9.2.1 Random number generation; 9.2.2 SC identification; 9.3 MKA key hierarchy |
86 | 9.3.1 CAK identification; 9.3.2 CAK Independence; 9.3.3 Derived keys |
88 | 9.4 MKA transport; 9.4.1 Message authentication |
89 | 9.4.2 Member identification and message numbers; 9.4.3 Determining liveness |
90 | 9.4.4 MKPDU information elements and application data; 9.4.5 Addressing; 9.4.6 Active and passive participants |
91 | 9.5 Key server election |
92 | 9.5.1 MKPDU application data; 9.6 Use of MACsec |
93 | 9.6.1 MKPDU application data; 9.7 Cipher suite selection; 9.7.1 MKPDU application data |
94 | 9.8 SAK generation, distribution, and selection |
95 | 9.8.1 SAK generation; 9.8.2 Use of AES Key Wrap |
96 | 9.8.3 MKPDU application data; 9.9 SA assignment; 9.9.1 MKPDU application data; 9.10 SAK installation and use |
97 | 9.10.1 MKPDU application data |
98 | 9.11 Connectivity change detection; 9.12 CA formation and group CAK distribution; 9.12.1 Use of AES Key Wrap; 9.12.2 MKPDU application data |
99 | 9.13 Secure announcements; 9.13.1 MKPDU application data; 9.14 MKA participant creation and deletion |
100 | 9.15 MKA participant timer values |
101 | 9.16 MKA management |
103 | 9.17 MKA SAK distribution examples; 9.17.1 Two participants; 9.17.2 Another participant joins |
104 | 9.18 In-service upgrades; 9.18.1 Initiating suspension |
105 | 9.18.2 Suspending; 9.18.3 Suspended members |
106 | 9.18.4 Resuming operation; 9.18.5 XPN support |
107 | 9.18.6 Managing in-service upgrades |
108 | 9.18.7 MKPDU application data; 9.19 In-service upgrade examples; 9.19.1 Requested by end station in point-to-point CA |
109 | 9.19.2 Initiated by Key Server in point-to-point CA |
110 | 9.19.3 Intermediate systems suspending multiple CAs; 9.19.4 Key Server suspends in a group CA |
111 | 10. Network announcements; 10.1 Announcement information |
114 | 10.2 Making and requesting announcements |
116 | 10.3 Receiving announcements; 10.4 Managing announcements |
118 | 11. EAPOL PDUs; 11.1 EAPOL PDU transmission, addressing, and protocol identification; 11.1.1 Destination MAC address |
120 | 11.1.2 Source MAC address; 11.1.3 Priority; 11.1.4 Ethertype use and encoding |
121 | 11.2 Representation and encoding of octets; 11.3 Common EAPOL PDU structure; 11.3.1 Protocol Version; 11.3.2 Packet Type |
122 | 11.3.3 Packet Body Length; 11.3.4 Packet Body; 11.4 Validation of received EAPOL PDUs |
123 | 11.5 EAPOL protocol version handling |
124 | 11.6 EAPOL-Start |
125 | 11.7 EAPOL-Logoff; 11.8 EAPOL-EAP; 11.9 EAPOL-Key |
126 | 11.10 EAPOL-Encapsulated-ASF-Alert; 11.11 EAPOL-MKA |
128 | 11.11.1 MKA parameter encoding |
135 | 11.11.2 Validation of MKPDUs; 11.11.3 Encoding MKPDUs |
136 | 11.11.4 Decoding MKPDUs; 11.12 EAPOL-Announcement |
138 | 11.12.1 Network Identity (NID) Set TLV; 11.12.2 Access Information TLV |
139 | 11.12.3 MACsec Cipher Suites TLV |
140 | 11.12.4 Key Management Domain TLV; 11.12.5 Organizationally Specific and Organizationally Specific Set TLVs |
141 | 11.12.6 Validation of EAPOL-Announcements; 11.12.7 Encoding EAPOL-Announcements; 11.12.8 Decoding EAPOL-Announcements |
142 | 11.13 EAPOL-Announcement-Req |
143 | 12. PAE operation; 12.1 Model of operation |
145 | 12.2 KaY interfaces |
147 | 12.3 CP state machine interfaces |
148 | 12.4 CP state machine; 12.4.1 CP state machine variables and timers; 12.5 Logon Process |
150 | 12.5.1 Controlling connectivity; 12.5.2 Active and passive participation |
151 | 12.5.3 Network Identities; 12.5.4 Session statistics |
152 | 12.6 CAK cache |
153 | 12.7 Virtual port creation and deletion |
154 | 12.8 EAPOL Transmit and Receive Process; 12.8.1 EAPOL frame reception statistics |
155 | 12.8.2 EAPOL frame reception diagnostics; 12.8.3 EAPOL frame transmission statistics |
156 | 12.9 PAE management; 12.9.1 System level PAE management |
157 | 12.9.2 Identifying PAEs and their capabilities; 12.9.3 Initialization |
159 | 13. PAE MIB; 13.1 The Internet Standard Management Framework; 13.2 Structure of the MIB; 13.3 Relationship to other MIBs; 13.3.1 System MIB Group; 13.3.2 Relationship to the Interfaces MIB |
161 | 13.3.3 Relationship to the MAC Security MIB |
168 | 13.4 Security considerations; 13.5 Definitions for PAE MIB |
218 | 14. YANG Data Model; 14.1 PAE management using YANG |
219 | 14.2 Security considerations |
220 | 14.3 802.1X YANG model structure |
221 | 14.4 Relationship to other YANG data models; 14.4.1 General |
222 | 14.4.2 Relationship to the System Management YANG model |
223 | 14.4.3 Relationship to the Interface Management YANG model |
230 | 14.4.4 The Interface Stack Models |
235 | 14.5 Definition of the IEEE 802.1X YANG data model; 14.5.1 ieee802-dot1x YANG tree schema |
238 | 14.5.2 ieee802-dot1x-types YANG module |
242 | 14.5.3 ieee802-dot1x YANG module definition |
267 | 14.6 YANG data model use in network access control applications; 14.6.1 General; 14.6.2 Host access with a physically secure point-to-point LAN (7.1) |
268 | 14.6.3 Network access point supporting a physically secure point-to-point LAN (7.1); 14.6.4 Network access point supporting MACsec on a point-to-point LAN (7.3) |
270 | 14.6.5 Network access point supporting MACsec on a multi-access LAN (7.5); 14.6.6 Network access point supporting MACsec over LAG (11.5 of IEEE Std 802.1AE-2018) |
272 | Annex A (normative) PICS proforma; A.1 Introduction; A.2 Abbreviations and special symbols |
273 | A.3 Instructions for completing the PICS proforma |
275 | A.4 PICS proforma for IEEE 802.1X |
276 | A.5 Major capabilities and options; A.6 PAE requirements and options |
277 | A.7 Supplicant requirements and options; A.8 Authenticator requirements and options; A.9 MKA requirements and options |
279 | A.10 Announcement transmission requirements; A.11 Announcement reception requirements; A.12 Management and remote management; A.13 Virtual ports |
280 | A.14 PAC; A.15 YANG requirements and options |
281 | Annex B (informative) Bibliography |
284 | Annex C (normative) State diagram notation |
286 | Annex D (informative) IEEE 802.1X EAP and RADIUS usage guidelines; D.1 EAP Session-Id; D.2 RADIUS Attributes for IEEE 802 Networks |
287 | Annex E (informative) Support for ‘Wake-on-LAN’ protocols |
288 | Annex F (informative) Unsecured multi-access LANs |
290 | Annex G (informative) Test vectors; G.1 KDF |
291 | G.2 CAK Key Derivation; G.3 CKN Derivation |
292 | G.4 KEK Derivation; G.5 ICK Derivation |
293 | G.6 SAK Derivation |