Overview MACsec D2.0
IEEE 802.1 Interim May 2004
Allyn Romanow

Outline
  Disposition of comments for D1.2
  Changes in D2.0 – Re-org of material
  Cipher Suite changes – no null C.S., E bit
  Keys
  EPON
  Parameter enhancements
  Deployment, Debugging, Other Management
  SecY Operation, Interface with KaY
9/21/2018 IEEE802.1 LinkSec May 2004 Allyn Romanow, Cisco Systems

Re-organization of Material (Intro notes to current draft)
  Cl 8 SecY Operation <-> cl 10 MACsec protocol
  State machine – cl 15
  EPON support in cl 8.4
  Cl 7 -> cl 11 MACsec in Systems (ES & B), cl 16 Securing Networks (LAN & PB)

Keys
  Master Key – pre-shared or established by authentication, longer lived
  Secure Association Key (SAK)
    Key for the SA, short lived
    Sometimes called transient key
    Shared, private key
    Get a new one from Master Key when PN wraps, or timer expires
    Need to store 3 SAKs

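The SAK lifecycle from the Keys slide (a new SAK from the Master Key when the PN wraps or a timer expires, with three SAKs stored), as an added example that is not code from the presentation or the draft. The class and method names, the 32-bit PN starting at 1, and the HMAC-SHA256 derivation are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import deque

PN_MAX = 2**32 - 1  # assumption: 32-bit packet number (PN)
SAK_SLOTS = 3       # from the slide: "Need to store 3 SAKs"


class SakManager:
    """Transmit-side SAK lifecycle: a new SAK on PN wrap or timer expiry."""

    def __init__(self, master_key, lifetime_s, now=0.0):
        self._master = master_key
        self._lifetime = lifetime_s
        self._generation = 0
        self.saks = deque(maxlen=SAK_SLOTS)  # newest last, oldest evicted
        self._install(now)

    def _derive(self):
        # Assumed KDF (not from the draft): HMAC-SHA256 over a generation
        # counter, truncated to a 128-bit key.
        label = b"SAK" + self._generation.to_bytes(4, "big")
        return hmac.new(self._master, label, hashlib.sha256).digest()[:16]

    def _install(self, now):
        self.saks.append(self._derive())
        self._generation += 1
        self.next_pn = 1  # PN restarts under the new SAK (assumed start value)
        self._expires = now + self._lifetime

    def next_frame(self, now):
        """Return (sak, pn, rotation_reason) for the next frame to send."""
        reason = None
        if self.next_pn > PN_MAX:
            reason = "pn_wrap"   # PN space exhausted for the current SAK
        elif now >= self._expires:
            reason = "timer"     # SAK lifetime elapsed
        if reason:
            self._install(now)
        pn = self.next_pn
        self.next_pn += 1
        return self.saks[-1], pn, reason


if __name__ == "__main__":
    mgr = SakManager(b"\x01" * 32, lifetime_s=10.0)  # constructed master key
    for t in (1.0, 5.0, 10.0, 11.0):
        sak, pn, why = mgr.next_frame(t)
        print(t, sak.hex()[:8], pn, why)
```
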
Interoperability, Migration
  Previously, Null Cipher Suite
  Now, through management controls, E bit saying whether there is encryption, cl 10.1
  SecY Overview, E bit is bit 3 in TCI
  Got rid of Null Cipher Suite and Include Tag - reduces unnecessary complexity

EPON
  Single Copy Broadcast (SCB)

Management
  Controls, monitors, reports
  Maintains and uses info for
    The SecY
    The CA
    Each SC in the CA
    Each SA that supports an SC
  Operational parameters include
    MAC status (cl 6.4) -- MAC_Enabled, MAC_Operational
    Point to point (cl 6.5) -- operPointToPointMAC, AdminPointToPointMAC

SecY Management Parameters
  SecY Parameters
    List of Cipher Suites
    C.S. selected
  Cipher Suite Parameters
    Confidentiality Provided - E bit
    C.S. identifier
    Secure data length - user data length
    ICV length

SecY Management Parameters
  CA Parameters
    Transmit SC
    List of Receiver SCs
    SCI
    EncodingSA
    EncipheringSA

SecY Management Parameters
  Receiver SC
    SCI
    Transmit or Receive SAs (set of 4)
    Statistics
  Transmit SA
    SCI
    AN
    InUse?
    SAK
    Next PN

SecY Management Parameters
  Receive SA
    SCI
    AN
    In use?
    SAK
    LastValidatedPN?

Deployment & Debugging
MACsec Operation
SecY Overview
KaY Direct Use of SecY Uncontrolled
KaY Use of SecY Uncontrolled and Controlled
SecY Operation