
IEEE 8802-1X-2021

$109.42

IEEE/ISO/IEC International Standard – Telecommunications and exchange between information technology systems – Requirements for local and metropolitan area networks – Part 1X: Port-based network access control

Published by: IEEE
Publication date: 2021

Status: Adoption Standard – Active.

Port-based network access control allows a network administrator to restrict the use of IEEE 802(R) LAN service access points (ports) to secure communication between authenticated and authorized devices. This standard specifies a common architecture, functional elements, and protocols that support mutual authentication between the clients of ports attached to the same LAN and that secure communication between the ports, including the media access method independent protocols that are used to discover and establish the security associations used by IEEE 802.1AE(TM) MAC Security.

PDF Catalog (table of contents)

PDF page  PDF title
4 Blank Page
5 Title page
7 Important Notices and Disclaimers Concerning IEEE Standards Documents
10 Participants
12 Introduction
13 Contents
17 Figures
19 Tables
20 1. Overview
1.1 Scope
1.2 Purpose
1.3 Introduction
21 1.4 Provisions of this standard
23 2. Normative references
25 3. Definitions
30 4. Acronyms and abbreviations
32 5. Conformance
5.1 Requirements terminology
5.2 Protocol Implementation Conformance Statement
33 5.3 Conformant systems and system components
5.4 PAE requirements
34 5.5 PAE options
5.6 Supplicant requirements
5.7 Supplicant options
5.7.1 Integration with IEEE Std 802.1AR
5.8 Authenticator requirements
5.9 Authenticator options
35 5.9.1 Integration with IEEE Std 802.1AR
5.10 MKA requirements
5.11 MKA options
5.11.1 Support for PSKs
5.11.2 Key Server support for Group CAs
36 5.11.3 CAK Cache
5.11.4 In-service upgrades
5.12 Virtual port requirements
37 5.13 Virtual port options
5.14 Announcement transmission requirements
5.15 Announcement transmission options
5.16 Announcement reception requirements
5.17 Announcement reception options
38 5.18 Requirements for SNMP access to the PAE MIB
5.19 Options for SNMP access to the PAE MIB
5.20 PAC requirements
5.21 System recommendations
5.22 Prohibitions
5.23 Requirement for YANG data model of a PAE
5.24 Options for YANG data model of a PAE
40 6. Principles of port-based network access control operation
41 6.1 Port-based network access control architecture
42 6.2 Key hierarchy
44 6.2.1 Key derivation function (KDF)
45 6.2.2 Using EAP for CAK key derivation
46 6.2.3 CAK caching and scope
6.2.4 Algorithm agility
47 6.3 Port Access Entity (PAE)
6.3.1 Authentication exchanges
48 6.3.2 Key agreement
6.3.3 Pre-shared keys
6.3.4 Interoperability and connectivity
49 6.3.5 Network announcements, identity, authentication requirements, and status
50 6.3.6 Multi-access LANs
6.4 Port Access Controller (PAC)
51 6.4.1 Uncontrolled Port transmission and reception
6.4.2 Controlled Port transmission and reception
52 6.4.3 PAC management
6.5 Link aggregation
53 6.6 Use of this standard by IEEE Std 802.11
54 7. Port-based network access control applications
7.1 Host access with physically secure LANs
55 7.1.1 Assumptions and requirements
7.1.2 System configuration and operation
56 7.1.3 Connectivity to unauthenticated systems
57 7.2 Infrastructure support with physically secure LANs
58 7.2.1 Assumptions and requirements
59 7.2.2 System configuration and operation
7.3 Host access with MACsec and point-to-point LANs
7.3.1 Assumptions and requirements
60 7.3.2 System configuration and operation
7.3.3 Connectivity to unauthenticated systems
7.4 Use with MACsec to support infrastructure LANs
61 7.4.1 Assumptions and requirements
62 7.4.2 System configuration and operation
7.4.3 Connectivity to unauthenticated systems
7.5 Host access with MACsec and a multi-access LAN
63 7.5.1 Assumptions and requirements
7.5.2 System configuration and operation
64 7.5.3 Connectivity to unauthenticated systems
65 7.6 Group host access with MACsec
66 7.6.1 Assumptions and requirements
7.6.2 System configuration and operation
7.7 Use with MACsec to support virtual shared media infrastructure LANs
7.7.1 Assumptions and requirements
67 7.7.2 System configuration and operation
69 8. Authentication using EAP
70 8.1 PACP Overview
71 8.2 Example EAP exchanges
72 8.3 PAE higher layer interface
73 8.4 PAE Client interface
75 8.5 EAPOL transmit and receive
8.6 Supplicant and Authenticator PAE timers
76 8.7 Supplicant PACP state machine, variables, and procedures
8.8 Supplicant PAE counters
77 8.9 Authenticator PACP state machine, variables, and procedures
78 8.10 Authenticator PAE counters
79 8.11 EAP methods
8.11.1 MKA and EAP methods
80 8.11.2 Integration with IEEE Std 802.1AR and EAP methods
81 9. MACsec Key Agreement protocol (MKA)
82 9.1 Protocol design requirements
83 9.2 Protocol support requirements
9.2.1 Random number generation
9.2.2 SC identification
9.3 MKA key hierarchy
84 9.3.1 CAK identification
9.3.2 CAK Independence
9.3.3 Derived keys
86 9.4 MKA transport
9.4.1 Message authentication
87 9.4.2 Member identification and message numbers
9.4.3 Determining liveness
88 9.4.4 MKPDU information elements and application data
9.4.5 Addressing
9.4.6 Active and passive participants
89 9.5 Key server election
90 9.5.1 MKPDU application data
9.6 Use of MACsec
91 9.6.1 MKPDU application data
9.7 Cipher suite selection
9.7.1 MKPDU application data
92 9.8 SAK generation, distribution, and selection
93 9.8.1 SAK generation
9.8.2 Use of AES Key Wrap
94 9.8.3 MKPDU application data
9.9 SA assignment
9.9.1 MKPDU application data
9.10 SAK installation and use
95 9.10.1 MKPDU application data
96 9.11 Connectivity change detection
9.12 CA formation and group CAK distribution
9.12.1 Use of AES Key Wrap
9.12.2 MKPDU application data
97 9.13 Secure announcements
9.13.1 MKPDU application data
9.14 MKA participant creation and deletion
98 9.15 MKA participant timer values
99 9.16 MKA management
101 9.17 MKA SAK distribution examples
9.17.1 Two participants
9.17.2 Another participant joins
102 9.18 In-service upgrades
9.18.1 Initiating suspension
103 9.18.2 Suspending
9.18.3 Suspended members
104 9.18.4 Resuming operation
9.18.5 XPN support
105 9.18.6 Managing in-service upgrades
106 9.18.7 MKPDU application data
9.19 In-service upgrade examples
9.19.1 Requested by end station in point-to-point CA
107 9.19.2 Initiated by Key Server in point-to-point CA
108 9.19.3 Intermediate systems suspending multiple CAs
9.19.4 Key Server suspends in a group CA
109 10. Network announcements
10.1 Announcement information
112 10.2 Making and requesting announcements
114 10.3 Receiving announcements
10.4 Managing announcements
116 11. EAPOL PDUs
11.1 EAPOL PDU transmission, addressing, and protocol identification
11.1.1 Destination MAC address
118 11.1.2 Source MAC address
11.1.3 Priority
11.1.4 Ethertype use and encoding
119 11.2 Representation and encoding of octets
11.3 Common EAPOL PDU structure
11.3.1 Protocol Version
11.3.2 Packet Type
120 11.3.3 Packet Body Length
11.3.4 Packet Body
11.4 Validation of received EAPOL PDUs
121 11.5 EAPOL protocol version handling
122 11.6 EAPOL-Start
123 11.7 EAPOL-Logoff
11.8 EAPOL-EAP
11.9 EAPOL-Key
124 11.10 EAPOL-Encapsulated-ASF-Alert
11.11 EAPOL-MKA
126 11.11.1 MKA parameter encoding
133 11.11.2 Validation of MKPDUs
11.11.3 Encoding MKPDUs
134 11.11.4 Decoding MKPDUs
11.12 EAPOL-Announcement
136 11.12.1 Network Identity (NID) Set TLV
11.12.2 Access Information TLV
137 11.12.3 MACsec Cipher Suites TLV
138 11.12.4 Key Management Domain TLV
11.12.5 Organizationally Specific and Organizationally Specific Set TLVs
139 11.12.6 Validation of EAPOL-Announcements
11.12.7 Encoding EAPOL-Announcements
11.12.8 Decoding EAPOL-Announcements
140 11.13 EAPOL-Announcement-Req
141 12. PAE operation
12.1 Model of operation
143 12.2 KaY interfaces
145 12.3 CP state machine interfaces
146 12.4 CP state machine
12.4.1 CP state machine variables and timers
12.5 Logon Process
148 12.5.1 Controlling connectivity
12.5.2 Active and passive participation
149 12.5.3 Network Identities
12.5.4 Session statistics
150 12.6 CAK cache
151 12.7 Virtual port creation and deletion
152 12.8 EAPOL Transmit and Receive Process
12.8.1 EAPOL frame reception statistics
153 12.8.2 EAPOL frame reception diagnostics
12.8.3 EAPOL frame transmission statistics
154 12.9 PAE management
12.9.1 System level PAE management
155 12.9.2 Identifying PAEs and their capabilities
12.9.3 Initialization
157 13. PAE MIB
13.1 The Internet Standard Management Framework
13.2 Structure of the MIB
13.3 Relationship to other MIBs
13.3.1 System MIB Group
13.3.2 Relationship to the Interfaces MIB
159 13.3.3 Relationship to the MAC Security MIB
166 13.4 Security considerations
13.5 Definitions for PAE MIB
216 14. YANG Data Model
14.1 PAE management using YANG
217 14.2 Security considerations
218 14.3 802.1X YANG model structure
219 14.4 Relationship to other YANG data models
14.4.1 General
220 14.4.2 Relationship to the System Management YANG model
221 14.4.3 Relationship to the Interface Management YANG model
228 14.4.4 The Interface Stack Models
233 14.5 Definition of the IEEE 802.1X YANG data model
14.5.1 ieee802-dot1x YANG tree schema
236 14.5.2 ieee802-dot1x-types YANG module
240 14.5.3 ieee802-dot1x YANG module definition
265 14.6 YANG data model use in network access control applications
14.6.1 General
14.6.2 Host access with a physically secure point-to-point LAN (7.1)
266 14.6.3 Network access point supporting a physically secure point-to-point LAN (7.1)
14.6.4 Network access point supporting MACsec on a point-to-point LAN (7.3)
268 14.6.5 Network access point supporting MACsec on a multi-access LAN (7.5)
14.6.6 Network access point supporting MACsec over LAG (11.5 of IEEE Std 802.1AE-2018)
270 Annex A (normative) PICS proforma
A.1 Introduction
A.2 Abbreviations and special symbols
271 A.3 Instructions for completing the PICS proforma
273 A.4 PICS proforma for IEEE 802.1X
274 A.5 Major capabilities and options
A.6 PAE requirements and options
275 A.7 Supplicant requirements and options
A.8 Authenticator requirements and options
A.9 MKA requirements and options
277 A.10 Announcement transmission requirements
A.11 Announcement reception requirements
A.12 Management and remote management
A.13 Virtual ports
278 A.14 PAC
A.15 YANG requirements and options
279 Annex B (informative) Bibliography
282 Annex C (normative) State diagram notation
284 Annex D (informative) IEEE 802.1X EAP and RADIUS usage guidelines
D.1 EAP Session-Id
D.2 RADIUS Attributes for IEEE 802 Networks
285 Annex E (informative) Support for ‘Wake-on-LAN’ protocols
286 Annex F (informative) Unsecured multi-access LANs
288 Annex G (informative) Test vectors
G.1 KDF
289 G.2 CAK Key Derivation
G.3 CKN Derivation
290 G.4 KEK Derivation
G.5 ICK Derivation
291 G.6 SAK Derivation