Telecommunications and exchange between information technology systems — Requirements for local and metropolitan area networks — Part 1AE: Media access control (MAC) security — Amendment 4: MAC Privacy Protection


General Information

Status
Published
Publication Date
06-Nov-2024
Current Stage
6060 - International Standard published
Start Date
07-Nov-2024
Due Date
11-Dec-2025
Completion Date
07-Nov-2024
Relations

Standard
ISO/IEC/IEEE 8802-1AE:2020/Amd 4:2024 - Telecommunications and exchange between information technology systems — Requirements for local and metropolitan area networks — Part 1AE: Media access control (MAC) security — Amendment 4: MAC Privacy Protection. Released: 11/7/2024
English language
190 pages

Standards Content (Sample)


International Standard
ISO/IEC/IEEE 8802-1AE
Second edition 2020-08
AMENDMENT 4 2024-11
Telecommunications and exchange between information technology systems — Requirements for local and metropolitan area networks — Part 1AE: Media access control (MAC) security — AMENDMENT 4: MAC Privacy Protection
Reference number: ISO/IEC/IEEE 8802-1AE:2020/Amd.4:2024(en)
© IEEE 2024
© IEEE 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from IEEE at the address below.
Institute of Electrical and Electronics Engineers, Inc
3 Park Avenue, New York
NY 10016-5997, USA
Email: stds.ipr@ieee.org
Website: www.ieee.org
Published in Switzerland
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members
of ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of
document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC
Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
IEEE Standards documents are developed within the IEEE Societies and the Standards Coordinating
Committees of the IEEE Standards Association (IEEE-SA) Standards Board. The IEEE develops its standards
through a consensus development process, approved by the American National Standards Institute, which
brings together volunteers representing varied viewpoints and interests to achieve the final product.
Volunteers are not necessarily members of the Institute and serve without compensation. While the IEEE
administers the process and establishes rules to promote fairness in the consensus development process, the
IEEE does not independently evaluate, test, or verify the accuracy of any of the information contained in its
standards.
ISO and IEC draw attention to the possibility that the implementation of this document may involve the use of
(a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any claimed
patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had received notice
of (a) patent(s) which may be required to implement this document. However, implementers are cautioned
that this may not represent the latest information, which may be obtained from the patent database available
at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held responsible for identifying
any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
ISO/IEC/IEEE 8802-1AE:2020/Amd.4 was prepared by the LAN/MAN Standards Committee of the IEEE Computer Society (as IEEE Std 802.1AEdk-2023) and drafted in accordance with its editorial rules. It was adopted, under the "fast-track procedure" defined in the Partner Standards Development Organization cooperation agreement between ISO and IEEE, by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 6, Telecommunications and information exchange between systems.
A list of all parts in the ISO/IEC/IEEE 8802 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
Contents
1. Overview. 16
1.1 Introduction. 16
1.2 Scope. 17
2. Normative references. 19
3. Definitions . 21
4. Abbreviations and acronyms . 22
5. Conformance. 23
5.1 Requirements terminology . 23
5.2 Protocol Implementation Conformance Statements (PICS) . 24
5.5 EDE Conformance. 24
5.8 EDE-CC conformance . 25
5.10 MAC Privacy protection Entity requirements . 25
5.11 MAC Privacy protection Entity options . 26
10. Principles of MAC Security Entity (SecY) operation . 27
10.7 SecY management . 27
13. MAC Security Entity MIB. 30
13.1 Introduction. 30
13.6 MAC Security Entity (SecY) MIB definition . 31
15. Ethernet Data Encryption devices. 69
15.6 Securing PBN connectivity with an EDE-CC . 69
16. Using MIB modules to manage EDEs. 70
16.4 EDE-CC and EDE-SS Management. 70
17. MAC Privacy protection. 71
17.1 Need for MAC Privacy protection. 71
17.2 Protecting user data frames. 72
17.3 Quality of Service impact and mitigation . 74
17.4 Configuring MAC Privacy protection . 76
18. MAC Privacy protection protocol. 81
18.1 Addressing . 81
18.2 Data origin authenticity, frame data integrity and confidentiality. 82
18.3 Applicability . 82
18.4 Bandwidth utilization, fragmentation, and transit delay. 83
18.5 Coexistence and use. 84
19. Encoding of MAC Privacy protection Protocol Data Units . 85
19.1 Structure, representation, and encoding. 85
19.2 MPPDU Format . 85
19.3 MAC Privacy protection EtherType . 86
19.4 Protocol Version strategy. 87
19.5 MPPDU component encoding . 87
19.6 MPPDU generation. 90
19.7 MPPDU validation. 91
20. MAC Privacy protection Entity (PrY) operation. 93
20.1 PrY overview . 93
20.2 Model of operation. 94
20.3 PrY architecture . 94
20.4 MAC status and point-to-point parameters. 95
20.5 Privacy Selection . 95
20.6 Unprotected frame transmission . 96
20.7 Privacy Frame transmission. 96
20.8 Privacy Channel transmission . 97
20.9 Privacy Channel MPPDU Generation . 97
20.10 Privacy Channel Encapsulation . 100
20.11 MPPDU reception and demultiplexing. 101
20.12 MPPDU component validation and extraction . 103
20.13 Protected frame reception and reassembly . 103
20.14 PrY management. 106
20.15 PrY performance requirements. 109
21. MAC Privacy protection in Systems . 110
21.1 MAC Privacy protection interface stacks . 110
21.2 Privacy protection for end station interfaces . 112
21.3 MAC Privacy protection for bridge interfaces . 112
21.4 Privacy protection for Link Aggregation. 113
21.5 EDEs with MAC Privacy protection . 114
21.6 Privacy protection with shared media. 115
21.7 Privacy protection and multi-access LANs . 116
21.8 Separate privacy protection devices . 116
22. MAC Privacy protection Entity (PrY) MIB . 117
22.1 Introduction. 117
22.2 The Internet-Standard Management Framework. 117
22.3 Relationship to other MIBs . 117
22.4 Security considerations . 119
22.5 Structure of the MIB module . 120
23. YANG Data Models . 139
23.1 YANG Framework . 140
23.2 MAC Security Entity (SecY) model. 141
23.3 Security considerations for the SecY model. 145
23.4 MAC Privacy protection (PrY) model. 146
23.5 Security considerations for the PrY model . 148
23.6 Interface stack models . 149
23.7 Security considerations for interface stack models. 151
23.8 System models . 151
23.9 Security considerations for system models. 152
23.10 YANG module schema. 153
23.11 YANG modules . 157
Annex B (informative) Bibliography . 186
Annex D (normative) PICS Proforma for an Ethernet Data Encryption device . 188
D.5 EDE type and common requirements . 188
D.8 EDE-CC Configuration. 189
Annex G (informative) SecY Management and MIB revisions . 190
Annex H (normative) PICS proforma for MAC Privacy protection . 191
H.1 Introduction. 191
H.2 Abbreviations and special symbols. 191
H.3 Instructions for completing the PICS proforma. 192
H.4 PICS proforma for IEEE Std 802.1AE MAC Privacy protection . 194
H.5 Mandatory capabilities. 195
H.6 Optional capabilities . 196
Annex I (informative) Privacy considerations in bridged networks . 197
I.1 Personal devices. 197
I.2 Goals of adversaries. 197
I.3 Network operation . 198
I.4 Network security and privacy . 199
I.5 Privacy exposures . 199
I.6 Standard specific considerations. 201
Figures
Figure 10-5 SecY managed objects . 28
Figure 13-1 MACsec Interface Stack . 30
Figure 17-1 Privacy-protected communication between bridges . 73
Figure 17-2 A privacy protected user data frame . 73
Figure 17-3 Privacy selection, priority and traffic class mapping. 80
Figure 19-1 MACsec protected MPPDU. 85
Figure 19-2 MPPDU Examples . 86
Figure 19-3 MAC Privacy protection EtherType encoding. 87
Figure 19-4 MPPDU component format . 87
Figure 19-5 MPPDU component encoding . 88
Figure 19-6 Frame Fragments. 89
Figure 20-1 PrY and SecY. 93
Figure 20-2 PrY architecture . 94
Figure 20-3 Privacy Channel Encapsulation state machine. 102
Figure 20-4 Protected frame reception and reassembly. 104
Figure 20-5 Reassembly state machine . 105
Figure 20-6 PrY Managed objects . 107
Figure 21-1 A Privacy-protecting interface stack. 110
Figure 21-2 Privacy-protected Bridge Ports . 112
Figure 21-3 Privacy protection and Link Aggregation. 113
Figure 21-4 EDE-CC with privacy-protection. 114
Figure 21-5 EDE-CCs communicating over a PBN . 114
Figure 21-6 Privacy-protection using existing EDEs . 116
Figure 22-1 PrY Interfaces . 117
Figure 22-2 PrY MIB structure. 121
Figure 23-1 YANG hierarchy, models and objects . 140
Figure 23-2 SecY model system nodes and references . 142
Figure 23-3 SecY model system nodes and references . 143
Figure 23-4 PrY model interface nodes. 147
Figure 23-5 Explicit and augmented interface stack models for an end station . 149
Figure 23-6 Two further interface stack modeling choices . 149
Figure 23-7 An interface stack model for link aggregation and MACsec. 150
Figure 23-8 An interface stack with LLDP instances. 150
Tables
Table 19-1 MAC Privacy protection EtherType allocation . 86
Table 22-1 Use of ifGeneralInformationGroup Objects . 118
Table 22-2 Use of ifCounterDiscontinuityGroup Object. 119
Editing instructions
IEEE Standard for
Local and Metropolitan Area Networks —
Media Access Control (MAC) Security
Amendment 4:
MAC Privacy Protection
[This amendment is based on IEEE Std 802.1AE™-2018.]
NOTE—The editing instructions contained in this amendment define how to merge the material contained therein into
the existing base standard and its amendments to form the comprehensive standard.
The editing instructions are shown in bold italics. Four editing instructions are used: change, delete, insert,
and replace. Change is used to make corrections in existing text or tables. The editing instruction specifies
the location of the change and describes what is being changed by using strikethrough (to remove old
material) and underscore (to add new material). Delete removes existing material. Insert adds new material
without disturbing the existing material. Deletions and insertions may require renumbering. If so,
renumbering instructions are given in the editing instruction. Replace is used to make changes in figures or
equations by removing the existing figure or equation and replacing it with a new one. Editing instructions,
change markings, and this note will not be carried over into future editions because the changes will be
incorporated into the base standard.
ISO/IEC/IEEE 8802-1AE:2020/Amd.4:2024(en)
IEEE Std 802.1AEdk-2023
IEEE Standard for Local and Metropolitan Area Networks—Media Access Control (MAC) Security—Amendment 4: MAC Privacy Protection
1. Overview
1.1 Introduction
Change 1.1 as follows:
IEEE 802® Local Area Networks (LANs) are often deployed in networks that support mission-critical
applications. These include corporate networks of considerable extent, and public networks that support
many customers with different economic interests. The protocols that configure, manage, and regulate
access to these networks typically run over the networks themselves. Preventing disruption and data loss
arising from transmission and reception by unauthorized parties is highly desirable, since it is not practical
to secure the entire network against physical access by determined attackers.
The MAC Security protocol (MACsec), as defined by this standard, allows authorized systems that attach to
and interconnect LANs in a network to maintain confidentiality of transmitted data and to take measures
against frames transmitted or modified by unauthorized devices.
MACsec facilitates
a) Maintenance of correct network connectivity and services
b) Isolation of denial of service attacks
c) Localization of any source of network communication to the LAN of origin
d) The construction of public networks, offering service to unrelated or possibly mutually suspicious
customers, using shared LAN infrastructures
e) Secure communication between organizations, using a LAN for transmission
f) Incremental and non-disruptive deployment, protecting the most vulnerable network components
To deliver these benefits, MACsec has to be used in conjunction with appropriate policies for higher-level
protocol operation in networked systems, an authentication and authorization framework, and network
management. IEEE Std 802.1X™ provides authentication and cryptographic key distribution.
MACsec protects communication between trusted components of the network infrastructure, thus protecting
the network operation. MACsec cannot protect against attacks facilitated by the trusted components
themselves, and is complementary to, rather than a replacement for, end-to-end application-to-application
security protocols. The latter can secure application data independent of network operation, but cannot
necessarily defend the operation of network components, or prevent attacks using unauthorized
communication from reaching the systems that operate the applications.
MAC Privacy protection protocol, as defined by this standard, can be used in conjunction with MACsec to
reduce the ability of adversaries to correlate the MAC addresses, sizes, and transmission timing of user data
frames with individual persons, network applications, details of those applications, and levels of application
activity.
Information on other references can be found in Clause 2.
1.2 Scope
Change 1.2 as follows:
The scope of this standard is to specify provision of connectionless user data confidentiality, frame data
integrity, and data origin authenticity by media access independent protocols and entities that operate
transparently to MAC Clients.
NOTE—The MAC Clients are as specified in IEEE Std 802, IEEE Std 802.1Q™, and IEEE Std 802.1X™.
To this end it
a) Specifies the requirements to be satisfied by equipment claiming conformance to this standard.
b) Specifies the requirements for MACsec in terms of provision of the MAC Service and the preservation of the semantics and parameters of service requests and indications.
c) Describes the threats, both intentional and accidental, to correct provision of the service.
d) Specifies security services that prevent, or restrict, the effect of attacks that exploit these threats.
e) Examines the potential impact of both the threats and the use of MACsec on the Quality of Service
(QoS), specifying constraints on the design and operation of MAC Security entities and protocols.
f) Models support of the secure MAC Service in terms of the operation of media access control method
independent MAC Security Entities (SecYs) within the MAC Sublayer.
g) Specifies the format of the MACsec Protocol Data Unit (MPDUs) used to provide secure service.
h) Identifies the functions to be performed by each SecY, and provides an architectural model of its
internal operation in terms of Processes and Entities that provide those functions.
i) Specifies each SecY’s use of an associated and collocated Port Access Entity (PAE,
IEEE Std 802.1X) to discover and authenticate MACsec protocol peers, and its use of that PAE’s
Key Agreement Entity (KaY) to agree and update cryptographic keys.
j) Specifies performance requirements and recommends default values and applicable ranges for the
operational parameters of a SecY.
k) Specifies how SecYs are incorporated within the architecture of end stations, bridges, and two-port
Ethernet Data Encryption devices (EDEs).
l) Establishes the requirements for management of MAC Security, identifying the managed objects
and defining the management operations for SecYs.
m) Specifies a Management Information Base (MIB) module for SecY management.
n) Specifies a YANG configuration and operational state model for SecY management.
o) Specifies requirements, criteria, and choices of Cipher Suites for use with this standard.
p) Describes threats to individual privacy that can result from an adversary’s observation of individual
frames, even if those frames are integrity protected and their data confidentiality protected.
q) Models support of a privacy protected secure MAC Service in terms of the operation of MAC
Privacy protection Entities (PrYs) that encapsulate user data frames in MAC Privacy protection
Protocol Data Units (MPPDUs) to hide the user source and destination MAC addresses and to
reduce any correlation of the sizes and transmission timing of frames with user identities and
communication purposes, applications, or content.
r) Specifies the addressing, encoding, and decoding of MPPDUs.
s) Identifies the functions to be performed by each PrY, and provides an architectural model of its
internal operation in terms of Processes and Entities that provide those functions.
Notes in text, tables, and figures are given for information only and do not contain requirements needed to implement the standard.
t) Specifies performance requirements and recommends default values and applicable ranges for the
operational parameters of a PrY.
u) Specifies how PrYs can be incorporated within the architecture of end stations, bridges, two-port
Ethernet Data Encryption devices (EDEs), and bridged networks.
v) Describes the requirements for management of MAC Privacy protection, identifying the managed objects and defining the management operations for PrYs.
w) Specifies a Management Information Base (MIB) module for PrY management.
x) Specifies a YANG configuration and operational state model for PrY management.
2. Normative references
Change the list of normative references in Clause 2 as follows:
The following referenced documents are indispensable for the application of this document (i.e., they must
be understood and used, so each referenced document is cited in text and its relationship to this document is
explained). For dated references, only the edition cited applies. For undated references, the latest edition of
the referenced document (including any amendments or corrigenda) applies.
IEEE Std 802®, IEEE Standard for Local and Metropolitan Area Networks: Overview and Architecture.
IEEE Std 802.1Q™, IEEE Standard for Local and Metropolitan Area Networks: Bridges and Bridged
Networks.
IEEE Std 802.1X™, IEEE Standard for Local and Metropolitan Area Networks: Port-Based Network
Access Control.
IEEE Std 802.1Xbx™-2014, IEEE Standard for Local and Metropolitan Area Networks: Port-Based
Network Access Control—Amendment 1: MAC Security Key Agreement Protocol (MKA) Extensions.
IEEE Std 802.1AB™, IEEE Standard for Local and Metropolitan Area Networks: Station and Media Access
Control Connectivity and Discovery.
IEEE Std 802.1AC™, IEEE Standard for Local and metropolitan area networks—Media Access Control
(MAC) Service Definition.
IEEE Std 802.3™, IEEE Standard for Ethernet.
IETF RFC 1213: Management Information Base for Network Management of TCP/IP-based internets:
MIB-II, McCloghrie, K., and Rose, M. T., March 1991.
IETF RFC 2578, STD 58, Structure of Management Information for Version 2 of the Simple Network
Management Protocol (SNMPv2), McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and
Waldbusser, S., April 1999.
IETF RFC 2579, STD 58, Textual Conventions for Version 2 of the Simple Network Management Protocol
(SNMPv2), McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M., and Waldbusser, S.,
April 1999.
IETF RFC 2580, STD 58, Conformance Statements for SMIv2, McCloghrie, K., Perkins, D.,
Schoenwaelder, J., Case, J., Rose, M., and Waldbusser, S., April 1999.
IETF RFC 2863, The Interfaces Group MIB using SMIv2, McCloghrie, K., and Kastenholz, F., June 2000.
IETF RFC 3418, Management Information Base (MIB) for the Simple Network Management Protocol (SNMP), Presuhn, R., editor, December 2002.
IETF RFC 7317, A YANG Data Model for System Management, Bierman, A., Bjorklund, M., August 2014.
IETF RFC 7950, The YANG 1.1 Data Modeling Language, Bjorklund, M., August 2016.
IEEE publications are available from The Institute of Electrical and Electronics Engineers (https://www.standards.ieee.org).
The IEEE standards or products referred to in this clause are trademarks of The Institute of Electrical and Electronics Engineers, Inc.
IETF RFCs are available from the Internet Engineering Task Force (https://www.ietf.org/rfc.html).
IETF RFC 8343, A YANG Data Model for Interface Management, Bjorklund, M., March 2018.
ISO/IEC 14882, Information Technology—Programming languages—C++.
NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/
Counter Mode (GCM) and GMAC, November 2007.
ISO/IEC documents are available from the International Organization of Standardization (https://www.iso.org/) and from the International Electrotechnical Commission (http://www.iec.ch). These documents are also available from the American National Standards Institute (https://www.ansi.org/).
NIST Special Publications are available from the National Institute of Standards and Technology (https://csrc.nist.gov/).
3. Definitions
Change the following definitions in Clause 3 as shown:
access priority: The priority that a client of the MAC Service or MAC Internal Sublayer Service (ISS) associates with a given transmit request.
NOTE—In this standard a MAC Security Entity (SecY) is a shim that can be a client of a service access point supported
(at its lower interface) by a specific media access method, e.g., IEEE Std 802.3, and can provide (at its upper interface) a
service access point that is used by its own client. From the point of view of the SecY, the priority associated with each
transmit request received from its client is the user priority for that request and the priority associated with the
corresponding transmit request that it makes of the underlying service is the access priority.
Customer Network Port (CNP): A port on the network component of an Ethernet Data Encryption device
(EDE-CS, EDE-CC, or EDE-SS) that provides internal connectivity to the edge component of that EDE.
Provider Network Port (PNP): The black-side port of an Ethernet Data Encryption device (EDE-CS,
EDE-CC, or EDE-SS).
user priority: The priority associated with a transmit request accepted by an entity that provides the MAC Service or MAC Internal Sublayer Service (ISS).
Insert the following terms and definitions in Clause 3 in alphabetical order:
express frame: A frame that a protocol entity identifies as a candidate for early transmission using
preemption capabilities.
NOTE—Not all protocol entities that forward a given frame need identify that frame as an express frame or a
preemptable frame. In this standard that identification uses the priority of the frame.
preemptable frame: A frame that a protocol entity identifies as a candidate for suspension by preemption
capabilities, so as to allow the earlier transmission of an express frame.
preemption: The temporary suspension of the transmission (or encoding for transmission) of a
preemptable frame to allow the earlier transmission of an express frame.
NOTE—The preemption capabilities specified by IEEE Std 802.3 can be used in conjunction with the MAC Security
protocol (MACsec) to expedite the transmission of an express frame that becomes available for transmission after
transmission of a preemptable frame has begun. The MAC Privacy protection protocol also supports preemption,
allowing the encoding of an express frame prior to the encoding of the remaining fragment(s) of a preemptable frame.
Privacy Channel: A sequence of frames with the same MAC source and destination addresses each
conveying a single MAC Privacy Protocol Data Unit (MPPDU), with the sequence conveying a sequence of
entire or fragmented user data frames and padding.
NOTE—In this standard all unqualified references to “fragments” and “fragmentation” are to MPPDU encoding.
Privacy Frame: A frame that conveys a single MAC Privacy Protocol Data Unit (MPPDU) that includes a
single, unfragmented, user data frame followed by zero or more octets of padding.
Private Port: The access point used to provide the privacy protected secure MAC Service to a client of a
MAC Privacy protection Entity (PrY).
shim: A protocol entity that uses the same service as it provides.
NOTE—Shims specified or referenced in this standard secure the ISS, enhance privacy, or provide multiplexing over separate instances of the ISS.
traffic: A sequence of frames forwarded in a network.
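The Privacy Frame, Privacy Channel and preemption definitions above, together with item q) of the Scope, describe the mechanism only in words: user frames are carried inside MPPDUs that are sent between the PrYs' own addresses, padded so that their sizes no longer track the user's traffic, fragmented when they do not fit, and reordered so that an express frame can be encoded before the remaining fragments of a preemptable frame. The Python model below is an added example, not code from IEEE Std 802.1AEdk or from any implementation of it. Its component tags, the fixed MPPDU size, the PAD rule, the constructed addresses and the EtherType (0x88B5, the IEEE 802 local experimental value, used as a stand-in) are all hypothetical; the real MPPDU encoding is specified in Clause 19 and is not reproduced here, and the MACsec protection that would cover every MPPDU is not modelled.

```python
from dataclasses import dataclass
import struct

# Constructed constants for this model only; none of them are values from the standard.
MPPDU_SIZE = 64                          # every MPPDU is padded to this length
MPP_ETHERTYPE = 0x88B5                   # local experimental EtherType as a stand-in
PEER_A = bytes.fromhex("02000000000a")   # outer (PrY) addresses seen on the wire
PEER_B = bytes.fromhex("02000000000b")
PAD, WHOLE, FRAG_FIRST, FRAG_MID, FRAG_LAST = range(5)   # hypothetical component tags
HDR = 3                                  # tag (1 octet) + length (2 octets)

@dataclass(frozen=True)
class Frame:
    """A user data frame: the addresses and size the PrY hides from an observer."""
    da: bytes
    sa: bytes
    ethertype: int
    payload: bytes

    def encode(self) -> bytes:
        return self.da + self.sa + struct.pack("!H", self.ethertype) + self.payload

    @classmethod
    def decode(cls, raw: bytes) -> "Frame":
        return cls(raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0], raw[14:])

def _component(tag: int, chunk: bytes) -> bytes:
    return bytes([tag]) + struct.pack("!H", len(chunk)) + chunk

def _padded(body: bytearray, size: int) -> bytes:
    """Fill the rest of an MPPDU with a PAD component so every MPPDU has the same size."""
    if len(body) < size:
        body.extend(bytes([PAD]) + b"\0" * (size - len(body) - 1))
    return bytes(body)

def privacy_frame(user: Frame, size: int = MPPDU_SIZE) -> bytes:
    """Privacy Frame: one unfragmented user frame followed by padding."""
    body = bytearray(_component(WHOLE, user.encode()))
    if len(body) > size:
        raise ValueError("user frame does not fit in a single Privacy Frame")
    return _padded(body, size)

def privacy_channel(frames, size: int = MPPDU_SIZE) -> list:
    """Privacy Channel: pack (Frame, express) pairs, in arrival order, into fixed-size
    MPPDUs; fragment a frame that does not fit, and encode a waiting express frame
    before the remaining fragments of the preemptable frame it interrupts."""
    mppdus, cur = [], bytearray()
    queue = [(f.encode(), express) for f, express in frames]

    def flush():
        if cur:
            mppdus.append(_padded(cur, size))
            cur.clear()

    while queue:
        data, _ = queue.pop(0)
        first = True
        while data:
            if size - len(cur) <= HDR:             # no room for another component
                flush()
            room = size - len(cur) - HDR
            chunk, data = data[:room], data[room:]
            tag = (WHOLE if not data else FRAG_FIRST) if first else (FRAG_MID if data else FRAG_LAST)
            cur.extend(_component(tag, chunk))
            first = False
            if data and queue and queue[0][1]:     # preemption by an express frame
                express, _ = queue.pop(0)
                if HDR + len(express) > size:
                    raise ValueError("express frame must fit in one MPPDU in this model")
                if size - len(cur) < HDR + len(express):
                    flush()
                cur.extend(_component(WHOLE, express))
    flush()
    return mppdus

def reassemble(mppdus) -> list:
    """Receiving PrY: deliver whole frames at once, reassemble fragments in order,
    and reject a fragment that arrives out of sequence."""
    delivered, partial = [], None
    for m in mppdus:
        i = 0
        while i < len(m):
            tag = m[i]
            if tag == PAD:                         # padding runs to the end of the MPPDU
                break
            length = struct.unpack("!H", m[i + 1:i + HDR])[0]
            chunk, i = m[i + HDR:i + HDR + length], i + HDR + length
            if tag == WHOLE:
                delivered.append(Frame.decode(chunk))
            elif tag == FRAG_FIRST and partial is None:
                partial = bytearray(chunk)
            elif tag in (FRAG_MID, FRAG_LAST) and partial is not None:
                partial.extend(chunk)
                if tag == FRAG_LAST:
                    delivered.append(Frame.decode(bytes(partial)))
                    partial = None
            else:
                raise ValueError("fragment sequence error or unknown component")
    return delivered

def observer_view(mppdus, da: bytes = PEER_B, sa: bytes = PEER_A) -> set:
    """Outer frames reduced to what MACsec leaves in the clear: PrY addresses and length."""
    wire = [da + sa + struct.pack("!H", MPP_ETHERTYPE) + m for m in mppdus]
    return {(w[:6], w[6:12], len(w)) for w in wire}
```

With a 114-octet user frame followed by a 34-octet express frame, `privacy_channel` emits three 64-octet MPPDUs: the first fragment, then the whole express frame ahead of the second fragment, then the last fragment plus padding; `reassemble` delivers the express frame first and the reassembled frame second, and `observer_view` collapses the whole exchange to a single (da, sa, length) tuple. The padding is bandwidth spent for privacy, which is the trade-off that 17.3 and 18.4 in the contents list address.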
4. Abbreviations and acronyms
Insert the following abbreviations and acronyms in Clause 4 in alphabetical order:
ATS Asynchronous Traffic Shaping
C-TAG C-VLAN tag
C-VID Customer VLAN Identifier
C-VLAN Customer Virtual Local Area Network
CNP Customer Network Port
MPP MAC Privacy protection
MPPDU MAC Privacy protection Protocol Data Unit
MPPCI MAC Privacy protection Protocol Component Identifier
PBN Provider Bridged Network
PCI Personal Correlatable Information
PII Personally Identifiable Information
PNP Provider Network Port
PrY MAC Privacy protection Entity
PSFP Per-Stream Filtering and Policing
PVID port VLAN Identifier
S-VLAN Service Virtual Local Area Network
TPMR Two-Port MAC Relay
VID VLAN Identifier
VLAN Virtual Local Area Network
YANG Yet Another Next Generation
The acronym MPP is used in figures.
YANG is best viewed as a name, not an acronym.
5. Conformance
Change the introductory text of Clause 5 as follows:
A claim of conformance to this standard for the implementation of MAC Security is a claim that the
behavior of an implementation of a MAC Security Entity (SecY) meets the requirements of this standard
(5.3, 5.4) as they apply to the operation of the MACsec protocol, management of its operation, and provision
of service to the protocol clients of the SecY, as revealed through externally observable behavior of the
system of which the SecY forms a part.
A claim of conformance for the implementation of MAC Security may be a claim of full conformance, or a
claim of conformance with Cipher Suite variance, as specified in 5.4.
Conformance to this standard does not ensure that the system of which a MAC Security implementation forms a part is secure, or that the operation of other protocols used to support MAC Security, such as key management and network management, does not provide a way for an attacker to breach that security.
Conformance to this standard does not require any restriction as to the nature of the system of which a SecY
forms part other than as constrained by the SecY’s required and optional capabilities (5.3, 5.4). Clause 11
describes the use of SecYs within a number of different types of systems. These include, but are not limited
to, systems specified in IEEE Std 802.1Q and those that make use of IEEE Std 802.1X. Successful
interoperable use of MACsec in those systems also requires conformance to those standards. In addition
Clause 15 of this standard makes use of components specified in IEEE Std 802.1Q to define further systems,
Ethernet Data Encryption devices (EDEs), whose purpose is to secure the MAC Service within networks
comprising bridging systems specified by IEEE Std 802.1Q in a way that is transparent to the operation of
those bridging systems. Additional claims of conformance can be made to this standard in respect of EDEs
(5.5–5.7).
A claim of conformance to this standard for the implementation of MAC Privacy protection is a claim that
the b
...
