CSA ISO/IEC/IEEE 8802-1X:22

CSA Preface Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the SCC Mirror Committee (SMC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. For brevity, this Standard will be referred to as \"CSA ISO/IEC/IEEE 8802-1X\" throughout. This Standard supersedes CAN/CSA-ISO/IEC/IEEE 8802-1X:18 (adopted ISO/IEC/IEEE 8802-1X:2013). The International Standard was reviewed by the CSA TCIT under the jurisdiction of the CSA Strategic Steering Committee on Information and Communications Technology and deemed acceptable for use in Canada. This Standard has been formally approved, without modification, by the Technical Committee and has been developed in compliance with Standards Council of Canada requirements for National Standards of Canada. It has been published as a National Standard of Canada by CSA Group. Scope For the purpose of providing compatible authentication, authorization, and cryptographic key agreement mechanisms to support secure communication between devices connected by IEEE 802® Local Area Networks (LANs), this standard a) Specifies a general method for provision of port-based network access control. b) Specifies protocols that establish secure associations for IEEE Std 802.1AE™ MAC Security. c) Facilitates the use of industry standard authentication and authorization protocols. 1.2 Purpose IEEE 802 LANs are deployed in networks that convey or provide access to critical data, that support mission critical applications, or that charge for service. Protocols that configure, manage, and regulate access to these networks and network-based services and applications typically run over the networks themselves. Port-based network access control regulates access to the network, guarding against transmission and reception by unidentified or unauthorized parties, and consequent network disruption, theft of service, or data loss. 1.3 Introduction The stations attached to an IEEE 802 LAN transmit and receive data frames using the service provided by the IEEE 802 LAN MAC at a service access point, often referred to as a port, within each end station or bridge. Port-based network access control specifies a common architecture comprising cooperative functional elements and protocols that a) Use the service provided by the LAN MAC, at a common service access point, to support a Controlled Port that provides secure access-controlled communication and an Uncontrolled Port that supports protocols that initiate the secure communication or do not require protection. b) Support mutual authentication between a Port Access Entity (PAE) associated with a Controlled Port, and a peer PAE associated with a peer port in a LAN attached station that desires to communicate through the Controlled Port. c) Secure the communication between the Controlled Port and the authenticated peer port, excluding other devices attached to or eavesdropping on the LAN. d) Provide the Controlled Port with attributes that specify access controls appropriate to the authorization accorded to the peer station or its user. This standard specifies the use of EAP, the Extensible Authentication Protocol (IETF RFC 3748 [B14]1), to support authentication using a centrally administered Authentication Server and defines EAP encapsulation over LANs (EAPOL, Clause 11) to convey the necessary exchanges between peer PAEs attached to a LAN. Where communication over the LAN connecting a Controlled Port to its peer(s) is physically secure, no additional protocol is required to protect their communication. This mode of operation is supported by this standard. More commonly intrusion into the LAN communication is a principal security threat, and the result of mutual authentication is not simply Controlled Port authorization to transmit and receive data, but secure distribution of master keys and associated data to the communicating peers. Proof of possession of master keys subsequently serves as proof of mutual authentication in key agreement protocols. These protocols generate keys that are used to cryptographically protect data frames transmitted and received by the Controlled Port. IEEE Std 802.11™ Wireless LANs specifies protocols that associate wireless stations with access points and initiate mutual authentication using the procedures specified in this standard, the subsequent generation of keys to protect data transfer, and the cryptographic methods that protect data frames using those keys. IEEE Std 802.1AE MAC Security (MACsec) specifies cryptographic support of the Controlled Port for other media access methods. Authenticated key agreement for MAC Security, as specified in this standard, specifies the generation of the Secure Association Keys (SAKs) used by MACsec. Use of the Controlled Port can be restricted by access controls bound to the results of authentication and distributed via AAA protocols such as Diameter (IETF RFC 6733 [B25]) or RADIUS (IETF RFC 2865 [B6]). Attributes supporting certain port-based network access control scenarios are described in IETF RFC 3580 [B13], IETF RFC 4675 [B17], IETF RFC 4849 [B18], IETF RFC 7268 [B28], and IETF RFC 8044 [B29]. Clause 7 illustrates use of the above components and protocols in typical network access control scenarios. 1.4 Provisions of this standard The scope (1.1) of this standard is addressed by detailed specification of the following: a) The principles of port-based network access control operation, identifying the protocol components that compose a port-based network access control implementation (Clause 6). b) A PAE component, that supports authentication, authorization, and the key agreement functionality required by IEEE Std 802.1AE to allow a MAC Security Entity (SecY) to protect communication through a port (6.3, Clause 12). c) A Port Access Controller (PAC) component, that controls communication where the attached LAN is deemed to be physically secure and provides point-to-point connectivity (6.4). d) The key hierarchy used by the PAE and SecY (6.2). e) The use of EAP by PAEs to support authentication and authorization using a centrally administered Authentication or AAA Server (Clause 8). f) An encapsulation format, EAPOL, that allows EAP Messages and other protocol exchanges to support authentication and key agreement to be carried directly by a LAN MAC service (Clause 11). g) A MAC Security Key Agreement protocol (MKA) that the PAE uses to discover associations and agree the keys used by a SecY (Clause 9). h) An EAPOL Announcement protocol that allows a PAE to indicate the availability of network services, helping other PAEs to choose appropriate credentials and parameters for authentication and network access (Clause 10). i) Requirements for management of port-based access control, identifying the managed objects and defining the management operations for PAEs (12.9). j) SMIv2 MIB objects that can be used with SNMPv3 to manage PAEs (Clause 13). k) YANG configuration and operational state models for PAE and PAE System components (Clause 14). The use of port-based network access control in a number of applications is described (Clause 7) to illustrate the use of these components and the requirements taken into account in their specification. To facilitate migration to this standard, Annex F (informative) uses the same concepts to describe the architectural modeling of unsecured multi-access LANs, a widely deployed form of authenticated port-based network access control that does not meet the security requirements of this standard. Administrative connectivity to unauthenticated devices, as required for use of industry standard ‘Wake-on-LAN’ (WoL) protocols, is described for the scenarios of Clause 7; Annex E (informative) provides background information on WoL. This standard defines conformance requirements (Clause 5) for the implementation of the following: l) Port Access Entities (PAEs) m) Port Access Controllers (PACs) Annex A provides PICS (Protocol Implementation Conformance Statement) Proformas for completion by suppliers of implementations that are claimed to conform to this standard. The basic architectural concepts, such as ‘port’, on which this standard relies are reviewed in IEEE Std 802.1AC. This standard uses and selects options provided by EAP and AAA protocol specifications, but does not modify those specifications (see Clause 2 for references). Annex D (informative) provides EAP and RADIUS usage guidelines. The specification and conformance requirements for association discovery and key agreement for IEEE 802.11 Wireless LANs are outside the scope of this standard (see IEEE Std 802.11). That standard makes use of the PAE specified by this standard.