MACsec terminology

The following figure illustrates some of the main concepts used in MACsec for the static CAK scenario.

Figure 1. MACsec concepts for static CAK

The following table describes MACsec terminology.

Table 1. MACsec terminology
MACsec term Description

CA: connectivity association

Provides a security relationship, established and maintained by key agreement protocols (MKA), that comprises a fully connected subset of the SAPs in stations attached to a single LAN that are to be supported by MACsec.

MKA: MACsec key agreement protocol

Provides a control protocol between MACsec peers, which is used for peer aliveness and encryption key distribution. MACsec key agreement is responsible for discovering, authenticating, and authorizing the potential participants in a CA.

SecY: MAC security entity

Operates the MAC security protocol within a system and manages and identifies the SC and corresponding active SA.

SC: security channel

Provides a unidirectional point-to-point or point-to-multipoint communication. Each SC contains a succession of SAs, and each SC has a different SAK.

SA: security association

The 7705 SAR has two SAs per SC, each with a different SAK, and each SC comprises a succession of SAs. Each SA is identified by the SC identifier, concatenated with a two-bit association number. The secure association identifier (SAI) that is created allows the receiving SecY to identify the SA and the SAK used to decrypt and authenticate the received frame. The AN, and consequently the SAI, is only unique for the SAs that can be used or recorded by participating SecYs at any time.

The MACsec key agreement creates and distributes SAKs to each of the SecYs in a CA. This key creation and distribution is independent of the cryptographic operation of each of the SecYs. The decision to replace one SA with its successor is made by the SecY that transmits using the SC, after the MKA has informed it that all the other SecYs are prepared to receive using that SA. No notification, other than receipt of a secured frame with a different SAI, is sent to the receiver. A SecY must always be capable of storing SAKs for two SAs for each inbound SC and of swapping from one SA to another without notice. Certain LAN technologies can reorder frames of different priority, so reception of frames on a single SC can use interleaved SAs.

SAK: security association key

The encryption key used to encrypt the datapath of MACsec.
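
The SA entry above says the receiving SecY finds the SAK from the SAI (SC identifier plus two-bit AN) of each frame, holds SAKs for two SAs per inbound SC, and swaps without notice. The following sketch is an added example, not code from the 7705 SAR or its documentation, and it covers key selection only, not decryption or authentication. The SecTAG offsets follow IEEE 802.1AE, which this page does not describe; the `ReceiveSC` class, the `build_frame` helper, and the sample SCI and key bytes are constructed for illustration.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5  # SecTAG EtherType (IEEE 802.1AE, not from the page)
TCI_SC = 0x20              # TCI bit: SecTAG carries an explicit 8-octet SCI
AN_MASK = 0x03             # two-bit association number in the TCI/AN octet

def parse_sai(frame: bytes):
    """Return the SAI as (SCI, AN) from a frame whose SecTAG includes the SCI."""
    if len(frame) < 28:  # 12 MAC addrs + 2 EtherType + TCI/AN + SL + 4 PN + 8 SCI
        raise ValueError("too short for a SecTAG with SCI")
    ethertype, tci_an = struct.unpack_from("!HB", frame, 12)
    if ethertype != MACSEC_ETHERTYPE or not tci_an & TCI_SC:
        raise ValueError("not a MACsec frame with explicit SCI")
    return frame[20:28], tci_an & AN_MASK

class ReceiveSC:
    """Hypothetical model of one inbound SC that stores SAKs for two SAs."""
    MAX_SAS = 2

    def __init__(self, sci: bytes):
        self.sci = sci
        self.saks = {}  # AN -> SAK, oldest first (dicts keep insertion order)

    def install(self, an: int, sak: bytes):
        """Store the SAK that MKA distributed for the next SA; drop the oldest."""
        if an & ~AN_MASK:
            raise ValueError("AN is two bits")
        self.saks.pop(an, None)  # an AN may be reused once its old SA is gone
        if len(self.saks) == self.MAX_SAS:
            del self.saks[next(iter(self.saks))]
        self.saks[an] = sak

    def select_sak(self, frame: bytes) -> bytes:
        """Choose the SAK from the received SAI alone; nothing announces a swap."""
        sci, an = parse_sai(frame)
        if sci != self.sci or an not in self.saks:
            raise LookupError(f"no SA installed for AN {an} on this SC")
        return self.saks[an]

def build_frame(sci: bytes, an: int, pn: int) -> bytes:
    """Constructed sample: zeroed MAC addresses, SecTAG only, no payload or ICV."""
    return bytes(12) + struct.pack("!HBBI", MACSEC_ETHERTYPE, TCI_SC | an, 0, pn) + sci

if __name__ == "__main__":
    sci = bytes.fromhex("020000000001" "0001")  # constructed MAC + port id
    rx = ReceiveSC(sci)
    rx.install(0, b"\xa0" * 16)
    rx.install(1, b"\xa1" * 16)
    for an in (0, 1, 0):  # interleaved SAs after a reordering LAN
        print(an, rx.select_sak(build_frame(sci, an, 1)).hex())
```

A frame whose AN has no installed SAK raises `LookupError`, which is the point at which a receiver would count and drop the frame instead of trying another key.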