OID repository
http://oid-info.com
iso(1) identified-organization(3) ieee(111) standards-association-numbered-series-standards(2) lan-man-stds(802) ieee802dot1(1) ieee802dot1mibs(1)

ieee8021XPaeMIB(15)
child OIDs: ieee8021XPaeMIBNotifications(0), ieee8021XPaeMIBObjects(1), ieee8021XPaeMIBConformance(2)
OID description

   
OID: (ASN.1 notation)
(dot notation)
(OID-IRI notation)

Description:

ieee8021XPaeMIB MODULE-IDENTITY
LAST-UPDATED "202002181507Z"
ORGANIZATION "IEEE 802.1 Working Group"
CONTACT-INFO
"WG-URL: http://www.ieee802.org/1
WG-EMail: stds-802-1-L@ieee.org
Contact: IEEE 802.1 Working Group Chair
Postal: C/O IEEE 802.1 Working Group
IEEE Standards Association
445 Hoes Lane
Piscataway
NJ 08854
USA
E-mail: STDS-802-1-L@LISTSERV.IEEE.ORG"
DESCRIPTION
"The MIB module for managing the Port Access Entity (PAE) functions of IEEE 802.1X (Revision of 802.1X-2004).
The PAE functions managed are summarized in Figure 12-3 of IEEE 802.1X and include EAPOL PACP support for authentication (EAP Supplicant and/or Authenticator), MACsec Key Agreement (MKA), EAPOL, and transmission and reception of network announcements.
The following acronyms and definitions are used in this MIB.
AN : Association Number, a number that is concatenated with a MACsec Secure Channel Identifier to identify a Secure Association (SA).
Announcer : EAPOL-Announcement transmission functionality.
Authenticator : An entity that facilitates authentication of other entities attached to the same LAN.
CA : secure Connectivity Association: A security relationship, established and maintained by key agreement protocols, that comprises a fully connected subset of the service access points in stations attached to a single LAN that are to be supported by MACsec.
CAK : secure Connectivity Association Key, a secret key possessed by members of a given CA.
CKN : secure Connectivity Association Key Name (CKN), a text that identifies a CAK.
Common Port : An instance of the MAC Internal Sublayer Service used by the SecY or PAC to provide transmission and reception of frames for both the Controlled and Uncontrolled Ports.
Controlled Port : The access point used to provide the secure MAC Service to a client of a PAC or SecY.
CP state machine : Controlled Port state machine is capable of controlling a SecY or a PAC. The CP supports interoperability with unauthenticated systems that are not port-based network access control capable, or that lack MKA. When the access controlled port is supported by a SecY, the CP is capable of controlling the SecY so as to provide unsecured connectivity to systems that implement a PAC.
EAP : Extensible Authentication Protocol, RFC3748.
EAPOL : EAP over LANs.
KaY : Key Agreement Entity, a PAE entity responsible for MKA.
Key Server : Elected by MKA, to transport a succession of SAKs, for use by MACsec, to the other member(s) of a CA.
KMD : Key Management Domain, a string identifying systems that share cached CAKs.
Listener : The role is to receive the network announcement parameters in the authentication process.
Logon Process : The Logon Process is responsible for managing the use of authentication credentials, for initiating use of the PAE's Supplicant and/or Authenticator functionality, for deriving CAK, CKN tuples from PAE results, for maintaining PSKs (Pre-Sharing Keys), and for managing MKA instances. In the absence of successful authentication, key agreement, or support for MAC Security, the Logon Process determines whether the CP state machine should provide unauthenticated connectivity or authenticated but unsecured connectivity.
MKA : MACsec Key Agreement protocol allows PAEs, each associated with a port that is an authenticated member of a secure connectivity association (CA) or a potential CA, to discover other PAEs attached to the same LAN, to confirm mutual possession of a CAK and hence to prove a past mutual authentication, to agree the secret keys (SAKs) used by MACsec for symmetric shared key cryptography, and to ensure that the data protected by MACsec has not been delayed.
MKPDU : MACsec Key Agreement Protocol Data Unit.
MPDU : MAC Protocol Data Unit.
NID : Network Identity, a UTF-8 string identifying a network or network service.
PAE : Port Access Entity, the protocol entity associated with a Port. It can support the protocol functionality associated with the Authenticator, the Supplicant, or both.
PAC : Port Access Controller, a protocol-less shim that provides control over frame transmission and reception by clients attached to its Controlled Port, and uses the MAC Service provided by a Common Port. The access control decision is made by the PAE, typically taking into account the success or failure of mutual authentication and authorization of the PAE's peer(s), and is communicated by the PAE using the LMI to set the PAC's Controlled Port enabled/disable. Two different interfaces 'Controlled Port' and 'Uncontrolled Port', are associated with a PAC, and that for each instance of a PAC, two ifTable rows (one for each interface) run on top of an ifTable row representing the 'Common Port' interface, such as a row with ifType = 'ethernetCsmacd(6)'.
For example :
-----------------------------------------------------------
| Controlled Port             | Uncontrolled Port         |
| Interface                   | Interface                 |
| (ifEntry = j)               | (ifEntry = k)             |
| (ifType =                   | (ifType =                 |
| macSecControlledIF(231))    | macSecUncontrolledIF(232))|
|---------------------------------------------------------|
|                   Physical Interface                    |
|                      (ifEntry = i)                      |
|              (ifType = ethernetCsmacd(6))               |
|_________________________________________________________|
i, j, k are ifIndex to indicate an interface stack in the ifTable.
Figure : PAC Interface Stack
The 'Controlled Port' is the service point to provide one instance of the secure MAC service in a PAC. The 'Uncontrolled Port' is the service point to provide one instance of the insecure MAC service in a PAC.
PACP : Port Access Controller Protocol.
Port Identifier : A 16-bit identifier that uniquely identifies each of a system's transmit SCs that uses the same MAC address as a component of its SCI.
Real Port : Indicates the PAE is for a real port. A port that is not created on demand by the mechanisms specified in this standard, but that can transmit and receive frames for one or more virtual ports.
SC : Secure Channel, a security relationship used to provide security guarantees for frames transmitted from one member of a CA to the others. An SC is supported by a sequence of SAs thus allowing the periodic use of fresh keys without terminating the relationship.
SA : Secure Association, a security relationship that provides security guarantees for frames transmitted from one member of a CA to the others. Each SA is supported by a single secret key, or a single set of keys where the cryptographic operations used to protect one frame require more than one key.
SAK : Secure Association key, the secret key used by an SA.
SCI : Secure Channel Identifier, a unique identifier for a secure channel, comprising a MAC Address and a Port Identifier.
secured connectivity : Data transfer between two or more 'Controlled Ports' that is protected by MACsec.
SecY : MAC Security Entity, the entity that operates the MAC Security protocol within a system.
Supplicant : An entity at one end of a point-to-point LAN segment that seeks to be authenticated by an Authenticator attached to the other end of that link.
Suspension: Temporary suspension of MKA operation to facilitate in-service control plane software upgrades without disrupting existing secure connectivity.
Uncontrolled Port : The access point used to provide the insecure MAC Service to a client of a SecY or PAC.
Virtual Port : Indicates the PAE is for a virtual port. A MAC Service or Internal Sublayer service access point that is created on demand. Virtual ports can be used to provide separate secure connectivity associations over the same LAN."
REVISION "201202181507Z"
DESCRIPTION
"Published as part of IEEE Std 802.1X-2020.
Updated CONTACT-INFO. Corrected last REVISION DESCRIPTION."
REVISION "201904102040Z"
DESCRIPTION
"Edited ieee8021XSuppPaeHelloPeriod DESCRIPTION to refer to HeldPeriod.
Updated ieee8021XSuppPaeRetryMax DESCRIPTION to match."
REVISION "201710281457Z"
DESCRIPTION
"Published as part of IEEE 802.1Xck.
Minor DESCRIPTION clarifications as required by resolution of maintenance items 154, 155, 157 (see 802.1 maintenance process discussion). Added ieee8021XPaeEapolGroupMAC Address."
REVISION "201404101619Z"
DESCRIPTION
"Update published as part of IEEE 802.1Xbx (Amendment to IEEE 802.1X-2010)"
REVISION "200910011650Z"
DESCRIPTION
"Initial version of this MIB module. Published as part of IEEE P802.1X (Revision of IEEE Standard 802.1X-2009)"


 
All rights reserved, Orange © 2024
19 Nov 2021