1. IEEE 802.21 MEDIA INDEPENDENT HANDOVER
DCN: sec-802_1af_overview
Title: 802.1af Overview
Date Submitted: January 16, 2008
Presented at IEEE session #24 in Taipei
Authors or Source(s):
 Yoshihiro Ohba (Toshiba)
Abstract: This document provides an overview of IEEE 802.1af - Media Access Control (MAC) Key Security
sec

2. IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE
The contributor is familiar with IEEE patent policy, as stated in Section 6 of the IEEE-SA Standards Board bylaws < and in Understanding Patent Issues During IEEE Standards Development
IEEE presentation release statements
This document has been prepared to assist the IEEE Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE
The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual < and in Understanding Patent Issues During IEEE Standards Development
sec

3. What is 802.1af?
802.1af is an amendment to IEEE std 802.1X to establish security associations for 802.1ae MAC Security, and provide media access method independent association discovery
802.1af will facilitate secure communication over publicly accessible LAN/MAN media for which security has not otherwise been defined
It is not the purpose of this standard to provide alternatives for the IEEE Std specified functionality in wireless networks.
Latest 802.1af draft revision (as of 2008-Jan-7): 1.7
sec

4. What is defined in 802.1af
The principles of port-based access control operation and functional components
The key hierarchy used by the functional components
An encapsulation format for EAP carried directly by a LAN MAC service
A MAC Security Key Agreement protocol (MKA)
MIBs
sec

5. Security Relationships
secure Connectivity Association (CA): A security relationship, established and maintained by key agreement protocols, that comprises a fully connected subset of the service access points in stations attached to a single LAN that are to be supported by MACsec.
Secure Association (SA): A security relationship that provides security guarantees for frames transmitted from one member of a CA to the others. Each SA is supported by a single secret key, or a single set of keys where the cryptographic operations used to protect one frame require more than one key.
Secure Channel (SC): A security relationship used to provide security guarantees for frames transmitted from one member of a CA to the others. An SC is supported by a sequence of SAs thus allowing the periodic use of fresh keys without terminating the relationship.
sec

6. Functional Components
Port Access Entity (PAE)
Support EAP as a Supplicant or as an Authenticator, or both
Support PACP (Port Access Control Protocol) to carry EAP
Port Access Controller (PAC)
Support operation of the controlled Port
MACsec Key Agreement Entity (KaY)
A part of PAE
Support the configuration and use of pre-shared keys
Support MKA (MACsec Key Agreement) protocol
MAC Security Entities (SecY)
Secure each port using 802.1AE
Management Entity
Support the system configuration and monitoring functions
Without further qualifications, PAE, PAC and Management Entity must be supported, and KaY and SecY may be supported (e.g., does not support KaY and SecY)
sec

7. Architecture ( ) ( ) ( ) ( ) LLC LLC LLC LLC (U) (C) (U) (C)
Authentication exchange using EAPoL
Authz using RADIUS
PAE
PAE
Peer discovery and key agreement
Auth using EAP/RADIUS
MAC
Clients
MAC
Clients
Secured access controlled communication
( )
( )
( )
( )
LLC
LLC
LLC
LLC
(U)
(C)
(U)
(C)
PAC or SecY
Cryptographically secured communication (w/SecY only)
PAC or SecY
(M)
(M)
MAC specific
functions
MAC specific
functions
-()- Port, -(U)- Uncontrolled Port, -(C)- Uncontrolled Port
sec

8. Architecture for shared LAN
Network Access Point
Host
Host
PAE
PAE
PAE
MAC
Clients
MAC
Clients
PAC or SecY
LLC
(U)
(C)
( )
MAC
Clients
MAC
Clients
( )
( )
( )
( )
( )
( )
LLC
LLC
LLC
LLC
LLC
LLC
(U)
(C)
(U)
(C)
(U)
(C)
PAC or SecY
PAC or SecY
PAC or SecY
(M)
(M)
MAC specific
functions
MAC specific
functions
(M)
MAC specific functions
-()- Port, -(U)- Uncontrolled Port, -(C)- Uncontrolled Port, -(M)- Common Port
sec

9. Use Cases
[Simple] Host access using individual, physically secure LANs
[Infrastructure] Infrastructure support with physically secure LANs
[Secure] Host access using MACsec
[Secure Infrastructure] Infrastructure LANs using MACsec
Group host access using MACsec
sec

10. “Simple” Use Case Secured network Physically secure Access LAN AS Host
Point
sec

11. “Infrastructure” Use Case
Physically secure LAN
Secured network
Secured network AS
Intermediate Systems
Secured network
sec

12. “Secure” Use Case AS Host Network Access Point Secured network AS
P-P access LAN
with MACsec AS
Pair-wise CA
Host
Network
Access
Point
Secured network
Shared-access LAN
with MACsec AS
Pair-wise CAs
Hosts
sec

13. “Secure Infrastructure” Use Case
P-P LAN with MACsec
Secured network
Secured network AS
Intermediate Systems
Secured network
Secured network
Shared-access LAN with MACsec
Secured network
Secured network AS
Pair-wise CAs
sec

14. “Group host access” Use Case
Network
Access
Point
Secured network
Shared access LAN
with MACsec AS
Hosts
Group CA
sec

15. System conformance claim
Conformance claim (use case)
PAE
PAC
KaY
SecY
Management
Simple
(unqualified)
Required
Infrastructure
Secure
Secure infrastructure
PSK required
PAC and SecY are exclusively used for a given CA
Each CA may support different use case
sec

16. Key Management Overview
Key hierarchy
A root key, or a CAK (Connection Association Key), is shared between stations in a CA
Pair-wise CAK for pair-wise CA
Group CAK for group CA (for “group host access” use case)
Keys for protecting key distribution are derived from a CAK
ICK (ICV Key)
KEK (Key Encrypting Key)
A pair-wise CAK may be a pre-shared key (PSK)
By default, MKA gives precedence to the use of CAKs generated by EAP and then to PSKs
Key distribution
The following keys can be distributed using a CAK:
SAK (Security Association Key)
Group CAK
Key distribution protocol: MKA (MACsec Key Agreement) protocol
MKA is carried in EAPOL-MKA packet
Key caching
A CAK may be cached for later use
Cached CAKs are shared among systems in the same Key Management Domain
While a Key Management Domain can comprise more than one system, how a number of systems hold a CAK in common or convey it to the particular system that requires it to support roaming is outside the scope of 802.1af
sec

17. MKA Key Hierarchy CAK ICK KEK + ECB Key Wrap MKA Integrity
Key Server rng()
SAK
Distributed SAK
CAK: Connectivity Association Key
ICK: ICV Key
KEK: Key Encrypting Key
SAK: Secure Association Key
ECB: Electronic Code Book
rng: random number generator
sec

18. Use of Pair-Wise CAKs to distribute Group SAKs (for “Group host access” Use Case)
ICK
KEK +
ECB
Key Wrap
MKA
Integrity
Key Server rng()
ECB
ECB
ICK
MKA
Key Wrap
KEK
Integrity
Group CAK +
Distributed Group CAK
ECB
ECB
Key Server rng()
ICK
KEK
MKA
Key Wrap
Integrity +
SAK
Distributed SAK
sec

19. Network Discovery and Selection
A PAE may advertise information about the network(s) for which it controls access
A PAE may solicit advertisements from the PAEs of other systems attached to the same LAN
Advertisements and solicitations are conveyed in EAOPL PDUs
Information about the network(s):
NID (Network Identity)
Whether the advertising PAE supports PACP and/or MKA
Whether fallback, unauthenticated, unsecured, and limited connectivity is provided
Whether authentication is supported by a higher layer protocol (such as WebAuth)
Key Management Domain identifier
Network selection
A Supplicant PAE may select the network to be accessed, by choosing to send unicast PACP PDUs over the port advertising the preferred network
If a single port has advertised access to several networks, where each network is associated with a VLAN, the Supplicant can make its choice by using the appropriate VLAN for the PACP PDUs
A given system can be attached to one of many LANs, with its potential peer or peers providing access to many different networks.
sec

20. Roaming
“A given system can also be moved (roam) from one network to another before being reconnected (roaming) to the first”
“In that case communication can be re-established quickly if both communicating PAEs have cached the results of a prior mutual authentication”
“Peer discovery and key agreement can be used to confirm the authentication and use it to agree fresh keys to protect data transfer, while a fresh authentication exchange with the AAA server is in progress”
A cached CAK cannot be used across multiple Key Management Domains
sec

21. Requirements on EAP methods for 802.1af
Mutual authentication must be supported
When 802.1AR Secure Device Identifier is used:
EAP-TLS with TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite must be supported
When MKA is used:
Additional mandatory features:
Support key derivation. The strength of the derived keys should be at least equivalent to 128 bits
Generate a session identifier
Recommended features:
Integrity/Replay protection, Dictionary attack protection, cryptographic binding, session independence, fragmentation, Ciphersuite negotiation, Confidentiality, Fast reconnect, Channel binding
When the EAP Supplicant represents a human user, identity protection should be provided
sec

22. PACP (Port Access Control Protocol)
Support EAP Peer and/or EAP Authenticator functionality
Transmission and reception of EAPOL PDUs, including the dynamic creation of virtual ports, between Supplicant and Authenticator PAEs
Encoding, decoding, and validation of EAPOL PDUs
sec

23. EAPOL PDU
Transmitted and received using the service provided by an LLC entity that uses, in turn, a single instance of the MAC Service provided at an MSAP, using Ehertype 88-8E
Each EAPOL PDU is transmitted as a single MAC service request, and received as a single MAC service indication
Source address: individual address
Destination address : individual address or group address
Where a group destination address is used, the choice of address depends on the potential scope of the CA
A scope can be:
a single LAN segment
the whole of a bridged LAN
sec

24. EAPOL Packet Types Determined by the Descriptor Type Packet Type Value
Recipient Entity
EAP-Packet
PAE/PACP
EAPOL-Start
EAPOL-Logoff
EAPOL-Key
Determined by the Descriptor Type
EAPOL-Encapsulated-ASF-Alert
ASF-Helper
EAPOL-MKA
PAE/MKA
sec

25. Relationship with
SSOH (security signaling optimization during handovers) being studied in Security SG is applicable to support secure seamless handovers:
between network and 802.1af-enabled network
between network and 802.1af-enabled network
between 802.1af-enabled networks across 802.1af Key Management Domains
These use cases need to work across multiple LANs while architecture is defined within a single LAN
sec