MACsec terminology

The following table describes MACsec terminology.

Table: MACsec terminology

| MACsec term | Description |
|---|---|
| Connectivity Association (CA) | A security relationship, established and maintained by the MKA, that comprises a fully connected subset of the service access points in stations attached to a single LAN that are to be supported by MACsec. |
| MACsec Key Agreement Protocol (MKA) | Control protocol between MACsec peers, used for peer aliveness and encryption key distribution. MKA is responsible for discovering, authenticating, and authorizing the potential participants in a CA. |
| MAC Security Entity (SecY) | Operates the MAC security protocol within a system. Manages and identifies the SC and the corresponding active SA. |
| Port Access Entity (PAE) | The protocol entity associated with a port. May support the functionality of authenticator, supplicant, or both. |
| Security Channel (SC) | Provides a unidirectional point-to-point or point-to-multipoint communication. Each SC contains a succession of SAs, and each SC has a different SAK. |
| Security Association Key (SAK) | The key used to encrypt the MACsec datapath. |
| Security Association (SA) | A security relationship that provides security guarantees for frames transmitted from one member of a CA to the others. |

Where an SC has two SAs, each with a different SAK, the SC comprises a succession of those SAs. Each SA is identified by the SC identifier concatenated with a two-bit association number (AN). The resulting Secure Association Identifier (SAI) allows the receiving SecY to identify the SA and, consequently, the SAK used to decrypt and authenticate the received frame. The AN (and therefore the SAI) is unique only among the SAs that can be used or recorded by the participating SecYs at any given time.

The MKA creates and distributes SAKs to each of the SecYs in a CA. This key creation and distribution is independent of the cryptographic operation of each SecY. The decision to replace one SA with its successor is made by the SecY that transmits using the SC, after the MKA has informed it that all the other SecYs are prepared to receive using that SA. No notification, other than receipt of a secured frame carrying a different SAI, is sent to the receiver. A SecY must therefore always be capable of storing SAKs for two SAs for each inbound SC, and of swapping from one SA to the other without notice. Because certain LAN technologies can reorder frames of different priority, frames received on a single SC may arrive with interleaved SAs.
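The receive-side behaviour described above (SAI = SCI || AN, two stored SAKs per inbound SC, switching SAs without notice, interleaved ANs) can be made concrete with a small model. The following is an added example, not code from this document or from any vendor's MACsec implementation: it parses the SecTAG layout defined by IEEE 802.1AE (TCI/AN byte, SL, 32-bit PN, optional 8-byte SCI), keeps at most two SAs per SC keyed by AN, and applies a strict per-SA packet-number check. The eviction rule (retire the least recently used AN when a third SAK is installed), the `build_frame` helper and all sample MAC addresses and keys are constructed for illustration; a real SecY also verifies the ICV and supports a configurable replay window, which this model omits.

```python
"""Toy model of a receiving MACsec SecY's SA table (constructed example)."""
import struct
from typing import Dict, Optional, Tuple

MACSEC_ETHERTYPE = 0x88E5
# TCI bits of the TCI/AN byte (IEEE 802.1AE SecTAG); the low two bits are the AN.
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04
AN_MASK = 0x03


def parse_sectag(frame: bytes, implicit_sci: Optional[bytes] = None) -> Tuple[bytes, int, int]:
    """Return (sci, an, pn) for an Ethernet frame carrying a SecTAG.

    sci is the 8-byte Secure Channel Identifier, an the 2-bit association
    number and pn the 32-bit packet number. Together sci and an form the SAI.
    """
    src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    tci_an = frame[14]
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    pn = struct.unpack("!I", frame[16:20])[0]
    an = tci_an & AN_MASK
    if tci_an & TCI_SC:                  # SCI carried explicitly in the SecTAG
        sci = frame[20:28]
    elif tci_an & TCI_ES:                # end station: SCI = source MAC || port 00-01
        sci = src + b"\x00\x01"
    elif implicit_sci is not None:       # point-to-point: SCI known out of band
        sci = implicit_sci
    else:
        raise ValueError("no SCI in SecTAG and no implicit SCI configured")
    return sci, an, pn


def build_frame(dst: bytes, src: bytes, an: int, pn: int,
                sci: Optional[bytes] = None, es: bool = False, payload: bytes = b"") -> bytes:
    """Constructed helper: assemble a frame with a SecTAG (no real encryption/ICV)."""
    tci = TCI_E | TCI_C | (TCI_SC if sci else 0) | (TCI_ES if es else 0)
    sl = len(payload) if len(payload) < 48 else 0   # short length field
    tag = bytes([tci | (an & AN_MASK), sl]) + struct.pack("!I", pn) + (sci or b"")
    return dst + src + struct.pack("!H", MACSEC_ETHERTYPE) + tag + payload


class ReceiveSecY:
    """Holds at most two SAs (SAKs) per inbound SC, keyed by AN, so the
    transmitter may switch SA without notice; tracks the last accepted PN per SA."""

    def __init__(self, implicit_sci: Optional[bytes] = None) -> None:
        self.implicit_sci = implicit_sci
        self.sas: Dict[bytes, Dict[int, bytes]] = {}      # sci -> {an: sak}
        self.last_pn: Dict[Tuple[bytes, int], int] = {}   # (sci, an) -> highest accepted PN

    def install_sak(self, sci: bytes, an: int, sak: bytes) -> None:
        """Install a SAK distributed by MKA for the SA identified by (sci, an)."""
        if not 0 <= an <= 3:
            raise ValueError("AN must be a two-bit value")
        table = self.sas.setdefault(sci, {})
        if an not in table and len(table) >= 2:
            # Constructed eviction rule: retire the AN with the lowest accepted PN.
            stale = min(table, key=lambda a: self.last_pn.get((sci, a), -1))
            del table[stale]
            self.last_pn.pop((sci, stale), None)
        table[an] = sak
        self.last_pn[(sci, an)] = 0

    def lookup(self, frame: bytes) -> Optional[bytes]:
        """Return the SAK for the frame's SAI, or None if the frame must be dropped."""
        sci, an, pn = parse_sectag(frame, self.implicit_sci)
        sak = self.sas.get(sci, {}).get(an)
        if sak is None:
            return None                  # unknown SAI: no SA in use for this AN
        if pn == 0 or pn <= self.last_pn[(sci, an)]:
            return None                  # replayed or out-of-order PN (strict check)
        self.last_pn[(sci, an)] = pn
        return sak
```

A receiver built this way accepts a frame on AN 1 immediately after frames on AN 0 with no signalling, and still accepts a later AN 0 frame whose PN is higher than the last one seen on that SA, which is exactly the interleaving the text allows. Installing a third SAK for the same SC retires one of the two stored SAs, so a transmitter that switches back to a retired AN is dropped at lookup time rather than decrypted with a stale key.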