The MAC Security Entity (SecY) module for managing IEEE
802.1AE. A SecY is the entity that operates the MAC Security
protocol within the system.
Each SecY transmits frames conveying secure MAC Service
requests on a single Secure Channel (SC), and receives frames
conveying secure service indications on separate SCs (one for
each of the other SecYs participating in the Secure
Connectivity Association (CA)). A CA is a security
relationship, established and maintained by key agreement
protocols, that comprises a fully connected subset of the
service access points in stations attached to a single
MACsec-supported LAN. An SC is a security relationship used to
provide security guarantees for frames transmitted from one
member of a CA to the others. It is a unidirectional
point-to-multipoint communication, and can be long lived, persisting
through Secure Association Key (SAK) changes. Each SC is
supported by a sequence of Secure Associations (SAs) thus
allowing the periodic use of fresh keys without terminating
the relationship. Each SA is supported by a single secret
key, or a set of keys where the cryptographic operations used
to protect one frame require more than one key.
Two interfaces, the 'Controlled Port' and the 'Uncontrolled
Port', are associated with each SecY. For each instance of a
SecY, two ifTable rows (one for each of these interfaces) are
stacked on top of the ifTable row representing the 'Common
Port' interface, for example a row with ifType =
'ethernetCsmacd(6)'.
For example:

-----------------------------------------------------------
|                            |                            |
|   Controlled Port          |   Uncontrolled Port        |
|   Interface                |   Interface                |
|   (ifEntry = j)            |   (ifEntry = k)            |
|   (ifType =                |   (ifType =                |
|  macSecControlledIF(231))  |  macSecUncontrolledIF(232))|
|                            |                            |
|---------------------------------------------------------|
|                                                         |
|                   Physical Interface                    |
|                      (ifEntry = i)                      |
|              (ifType = ethernetCsmacd(6))               |
|_________________________________________________________|

i, j, k are ifIndex values identifying interface rows in the ifTable.

Figure: MACsec Interface Stack
The 'Controlled Port' is the service access point that provides
one instance of the secure MAC service in a SecY. The
'Uncontrolled Port' is the service access point that provides
one instance of the insecure MAC service in a SecY; frames
passing through it receive no MACsec protection.
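As an added example, not part of the MIB text itself: the Python below
checks that an interface stack, as read from IF-MIB's ifTable and
ifStackTable (RFC 2863), has the shape of the figure above, namely one
Controlled Port row and one Uncontrolled Port row stacked over a single
Common Port row per SecY. The ifType values are the IANA ifType numbers
quoted above; the table rows are constructed sample data, including one
deliberately broken stack, not output from a real device.

```python
"""Validate a MACsec (SecY) interface stack exposed through IF-MIB.

Added example for the MACsec Interface Stack figure; the row data
below is constructed, not taken from a device.
"""
from collections import defaultdict

# IANAifType values used in the figure.
ETHERNET_CSMACD = 6
MACSEC_CONTROLLED_IF = 231
MACSEC_UNCONTROLLED_IF = 232
MACSEC_TYPES = (MACSEC_CONTROLLED_IF, MACSEC_UNCONTROLLED_IF)

# Constructed ifTable: ifIndex -> ifType.
IF_TABLE = {
    1: ETHERNET_CSMACD,         # Common Port (physical interface)
    2: MACSEC_CONTROLLED_IF,    # Controlled Port of the SecY over ifIndex 1
    3: MACSEC_UNCONTROLLED_IF,  # Uncontrolled Port of the SecY over ifIndex 1
    4: ETHERNET_CSMACD,         # second physical interface
    5: MACSEC_CONTROLLED_IF,    # Controlled Port over ifIndex 4, but no
                                # Uncontrolled Port row: a broken stack
}

# Constructed ifStackTable rows as (ifStackHigherLayer, ifStackLowerLayer).
# RFC 2863 uses 0 to mean "no higher/lower layer"; such rows are skipped.
IF_STACK_TABLE = [
    (2, 1),
    (3, 1),
    (5, 4),
    (0, 2),
    (1, 0),
]


def secy_stacks(if_table, if_stack_table):
    """Group MACsec port rows by the Common Port row they are stacked on.

    Returns {common_ifindex: {"controlled": [...], "uncontrolled": [...]}}.
    """
    stacks = defaultdict(lambda: {"controlled": [], "uncontrolled": []})
    for higher, lower in if_stack_table:
        if higher == 0 or lower == 0:
            continue  # top or bottom of a stack, not a real stacking relation
        htype = if_table.get(higher)
        if htype == MACSEC_CONTROLLED_IF:
            stacks[lower]["controlled"].append(higher)
        elif htype == MACSEC_UNCONTROLLED_IF:
            stacks[lower]["uncontrolled"].append(higher)
    return dict(stacks)


def check_secy_stack(if_table, if_stack_table):
    """Return a list of problems; an empty list means every SecY is well formed."""
    problems = []
    for common, ports in secy_stacks(if_table, if_stack_table).items():
        ctype = if_table.get(common)
        if ctype is None:
            problems.append(f"ifIndex {common}: Common Port has no ifTable row")
        elif ctype in MACSEC_TYPES:
            problems.append(f"ifIndex {common}: a MACsec port cannot be a Common Port")
        n_ctl, n_unctl = len(ports["controlled"]), len(ports["uncontrolled"])
        if n_ctl != 1:
            problems.append(f"ifIndex {common}: expected 1 Controlled Port row, found {n_ctl}")
        if n_unctl != 1:
            problems.append(f"ifIndex {common}: expected 1 Uncontrolled Port row, found {n_unctl}")
    # A MACsec port row that is stacked on nothing is also malformed.
    stacked = {h for h, l in if_stack_table if h != 0 and l != 0}
    for idx, itype in if_table.items():
        if itype in MACSEC_TYPES and idx not in stacked:
            problems.append(f"ifIndex {idx}: MACsec port row is not stacked on a Common Port")
    return problems


if __name__ == "__main__":
    for p in check_secy_stack(IF_TABLE, IF_STACK_TABLE):
        print(p)
```

On a live device the same check would be fed from an SNMP walk of
ifTable (ifIndex, ifType) and ifStackTable; the logic does not change.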