Requested revision
Standard: | 802.1X | Clause: | 3 |
Clause title: | Definitions |
Rationale for revision
The definition for SCI does not align with the use of the SCI and the required guarantees for uniqueness as used in Clause 9 (MACsec Key Agreement protocol (MKA)) of this standard. It also does not align with the recently approved P802.1AE-Rev which specifies the use of the SCI in MKA frames. In the context of security it is most important that uniqueness is stated in the way that it is used and verified.
Proposed text
Delete the first occurrence of "globally", the following occurrence of "globally unique" and the remainder of the sentence following "unique within". Add a note to explain that "Key agreement protocols" are responsible for ensuring uniqueness as required for nonce construction. The entire text to read (as already included in the successfully balloted 802.1Xck - this maintenance request has been submitted to complete the audit trail):
Secure Channel Identifier (SCI): A unique identifier for a secure channel, comprising a MAC Address and a Port Identifier.
NOTE--Key agreement protocols such as MKA are responsible for ensuring that each SCI used with a given SAK is unique where a Cipher Suite requires that for nonce construction, as does the Default Cipher Suite (14.5). SCI uniqueness does not rely on MAC Address allocation procedures.
Impact on existing networks
None. The checks applied to SCI fields and their use remain unchanged. The changed text aligns with that for IEEE Std 802.1AE-2018. The change does make apparent the (existing) freedom to use locally assigned addresses as the basis of the SCI, provided they are unique within a CA.
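The following is an added example, not part of the maintenance request or of the standard's text. It sketches why SCI uniqueness within a CA matters for nonce construction, assuming the GCM-AES-128 IV layout of IEEE 802.1AE (64-bit SCI followed by 32-bit PN); the function names and the sample CA are constructed for illustration.

```python
from collections import defaultdict

def make_sci(mac: str, port_id: int) -> bytes:
    """64-bit SCI: 48-bit MAC Address followed by 16-bit Port Identifier."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    if not 0 <= port_id <= 0xFFFF:
        raise ValueError(f"port identifier out of range: {port_id}")
    return mac_bytes + port_id.to_bytes(2, "big")

def is_locally_assigned(sci: bytes) -> bool:
    """True when the U/L bit of the MAC Address part of the SCI is set."""
    return bool(sci[0] & 0x02)

def gcm_iv(sci: bytes, pn: int) -> bytes:
    """96-bit IV assumed for the Default Cipher Suite: SCI followed by 32-bit PN."""
    if len(sci) != 8:
        raise ValueError("SCI must be 8 octets")
    return sci + pn.to_bytes(4, "big")

def duplicate_scis(participants):
    """Map each SCI claimed by more than one CA participant to its claimants."""
    seen = defaultdict(list)
    for name, mac, port_id in participants:
        seen[make_sci(mac, port_id)].append(name)
    return {sci: names for sci, names in seen.items() if len(names) > 1}

# Constructed sample CA: (participant name, MAC Address, Port Identifier).
CA = [
    ("switch-a-p1", "00:1b:21:aa:bb:01", 1),
    ("switch-a-p2", "00:1b:21:aa:bb:01", 2),  # same MAC, other port: distinct SCI
    ("vm-host", "02:00:00:00:00:10", 1),      # locally assigned address
    ("vm-clone", "02:00:00:00:00:10", 1),     # cloned address: SCI collides
]

if __name__ == "__main__":
    for sci, names in duplicate_scis(CA).items():
        local = "locally assigned" if is_locally_assigned(sci) else "universal"
        # With one SAK, equal SCI and equal PN give the same IV for two senders.
        print(f"SCI {sci.hex()} ({local}) claimed by {names}; "
              f"IV at PN=1 would be {gcm_iv(sci, 1).hex()} for both")
```

A locally assigned address is acceptable as the basis of an SCI only while no second participant in the same CA presents the same SCI; the collision, not the address type, is what the check reports.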
Originator
Name: | Mick Seaman | Email: | mickseaman@gmail.com |
Affiliation: | Mick Seaman |
Submitted: | 2018-06-22 |