The MAC security entity (SecY) MIB module. A SecY is a protocol
shim providing MAC Security (MACsec) in an interface stack.
Each SecY transmits MACsec-protected frames on one or more
Secure Channels (SCs) to each of the other SecYs attached to the
same LAN and participating in the same Secure Connectivity
Association (CA). The CA is a security relationship that is
established and maintained by key agreement protocols and supported
by MACsec to provide full connectivity between its participants.
Each SC provides unidirectional point-to-multipoint connectivity
from one participant to all the others and is supported by a
succession of similarly point-to-multipoint Secure Associations
(SAs). The Secure Association Key (SAK) used to protect frames is
changed as an SA is replaced by its (overlapping) successor so
fresh keys can be used without disrupting a long-lived SC and CA.
Two different upper interfaces, a Controlled Port (for frames
protected by MACsec, providing an instance of the secure MAC
service) and an Uncontrolled Port (for frames not requiring
protection, like the key agreement frames used to establish the
CA and distribute keys) are associated with a SecY shim. For each
instance of a SecY, two ifTable rows (one for each interface) run on
top of an ifTable row representing the 'Common Port' interface,
such as a row with ifType = 'ethernetCsmacd(6)'.
 ________________________________________________________________
|                                |                               |
|   Controlled Port Interface    |  Uncontrolled Port Interface  |
|   (ifEntry = j, ifType =       |  (ifEntry = k, ifType =       |
|    macSecControlledIF(231))    |   macSecUncontrolledIF(232))  |
|________________________________|_______________________________|
|                                                                |
|                       Physical Interface                       |
|                       (ifEntry = i)                            |
|                  (ifType = ethernetCsmacd(6))                  |
|________________________________________________________________|
Example MACsec Interface Stack. i, j, k are ifIndexes each
indicating a row in the ifTable.
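
The interface stack above can be checked from polled data. The following is an added example, not part of the MIB module: it rebuilds the stack from ifType values and flags Common Ports that lack one or both SecY port rows. It assumes the layering is read from the IF-MIB ifStackTable (ifStackStatus), which the description does not name; the sample walk is constructed and the result labels are hypothetical.

```python
import re
from collections import defaultdict
ETHERNET_CSMACD, CONTROLLED, UNCONTROLLED = 6, 231, 232  # ifType values from the text
IF_TYPE = "1.3.6.1.2.1.2.2.1.3"             # IF-MIB ifType.<ifIndex>
IF_STACK_STATUS = "1.3.6.1.2.1.31.1.2.1.3"  # IF-MIB ifStackStatus.<higher>.<lower>

# Constructed sample in numeric snmpwalk-style form, not captured from a device.
SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.3.1 = INTEGER: 6
.1.3.6.1.2.1.2.2.1.3.2 = INTEGER: 6
.1.3.6.1.2.1.2.2.1.3.3 = INTEGER: ethernetCsmacd(6)
.1.3.6.1.2.1.2.2.1.3.10 = INTEGER: 231
.1.3.6.1.2.1.2.2.1.3.11 = INTEGER: 232
.1.3.6.1.2.1.2.2.1.3.13 = INTEGER: 232
.1.3.6.1.2.1.31.1.2.1.3.0.10 = INTEGER: active(1)
.1.3.6.1.2.1.31.1.2.1.3.10.1 = INTEGER: active(1)
.1.3.6.1.2.1.31.1.2.1.3.11.1 = INTEGER: 1
.1.3.6.1.2.1.31.1.2.1.3.13.3 = INTEGER: 1
"""

def parse_walk(text):
    """Return ({ifIndex: ifType}, [(higher, lower), ...]) for active stack rows."""
    if_type, stack = {}, []
    for line in text.splitlines():
        m = re.match(r"\.?([\d.]+) = INTEGER: (?:\w+\()?(\d+)", line.strip())
        if not m:
            continue
        oid, value = m.group(1), int(m.group(2))
        if oid.startswith(IF_TYPE + "."):
            if_type[int(oid[len(IF_TYPE) + 1:])] = value
        elif oid.startswith(IF_STACK_STATUS + ".") and value == 1:  # RowStatus active
            higher, lower = oid[len(IF_STACK_STATUS) + 1:].split(".")
            stack.append((int(higher), int(lower)))
    return if_type, stack

def audit(if_type, stack):
    """Classify each Common Port by the SecY port rows stacked on top of it."""
    upper = defaultdict(set)  # Common Port ifIndex -> SecY ifTypes stacked on it
    for higher, lower in stack:
        if if_type.get(higher) in (CONTROLLED, UNCONTROLLED):
            upper[lower].add(if_type[higher])
    result = {}
    for idx, kind in sorted(if_type.items()):
        if kind == ETHERNET_CSMACD:
            seen = upper[idx]
            result[idx] = ("secy-complete" if seen == {CONTROLLED, UNCONTROLLED}
                           else "secy-incomplete" if seen else "no-secy")
    return result
print(audit(*parse_walk(SAMPLE_WALK)))
```

A "secy-complete" result only shows that both port rows exist above the Common Port; it says nothing about whether frames on that port are actually being protected.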