The MIB module for managing the Port Access Entity (PAE)
functions of IEEE 802.1X (Revision of 802.1X-2004).
The PAE functions managed are summarized in Figure 12-3 of
IEEE 802.1X and include EAPOL PACP support for authentication
(EAP Supplicant and/or Authenticator), MACsec Key Agreement
(MKA), EAPOL, and transmission and reception of network
announcements.
The following acronyms and definitions are used in this MIB.
AN : Association Number, a number that is concatenated with a
MACsec Secure Channel Identifier to identify a Secure
Association (SA).
Announcer : EAPOL-Announcement transmission functionality.
Authenticator : An entity that facilitates authentication of
other entities attached to the same LAN.
CA : secure Connectivity Association, a security relationship,
established and maintained by key agreement protocols, that
comprises a fully connected subset of the service access
points in stations attached to a single LAN that are to be
supported by MACsec.
CAK : secure Connectivity Association Key, a secret key
possessed by members of a given CA.
CKN : secure Connectivity Association Key Name (CKN), a text
that identifies a CAK.
Common Port : An instance of the MAC Internal Sublayer Service
used by the SecY or PAC to provide transmission and
reception of frames for both the Controlled and
Uncontrolled Ports.
Controlled Port : The access point used to provide the secure
MAC Service to a client of a PAC or SecY.
CP state machine : The Controlled Port state machine, which is
capable of controlling a SecY or a PAC. The CP supports
interoperability with unauthenticated systems that are not
port-based network access control capable, or that lack
MKA. When the access-controlled port is supported by a
SecY, the CP is capable of controlling the SecY so as to
provide unsecured connectivity to systems that implement a
PAC.
EAP : Extensible Authentication Protocol, RFC3748.
EAPOL : EAP over LANs.
KaY : Key Agreement Entity, a PAE entity responsible for MKA.
Key Server : Elected by MKA, to transport a succession of SAKs,
for use by MACsec, to the other member(s) of a CA.
KMD : Key Management Domain, a string identifying systems that
share cached CAKs.
Listener : The role is to receive the network announcement
parameters in the authentication process.
Logon Process : The Logon Process is responsible for
managing the use of authentication credentials, for
initiating use of the PAE's Supplicant and/or Authenticator
functionality, for deriving CAK, CKN tuples from PAE
results, for maintaining PSKs (Pre-Shared Keys), and for
managing MKA instances. In the absence of successful
authentication, key agreement, or support for MAC Security,
the Logon Process determines whether the CP state machine
should provide unauthenticated connectivity or
authenticated but unsecured connectivity.
MKA : MACsec Key Agreement protocol allows PAEs, each
associated with a port that is an authenticated member of a
secure connectivity association (CA) or a potential CA, to
discover other PAEs attached to the same LAN, to confirm
mutual possession of a CAK and hence to prove a past mutual
authentication, to agree the secret keys (SAKs) used by
MACsec for symmetric shared key cryptography, and to ensure
that the data protected by MACsec has not been delayed.
MKPDU : MACsec Key Agreement Protocol Data Unit.
MPDU : MAC Protocol Data Unit.
NID : Network Identity, a UTF-8 string identifying a network
or network service.
PAE : Port Access Entity, the protocol entity associated with a
Port. It can support the protocol functionality
associated with the Authenticator, the Supplicant, or
both.
PAC : Port Access Controller, a protocol-less shim that
provides control over frame transmission and reception by
clients attached to its Controlled Port, and uses the MAC
Service provided by a Common Port. The access control
decision is made by the PAE, typically taking into
account the success or failure of mutual authentication
and authorization of the PAE's peer(s), and is
communicated by the PAE using the LMI to set the PAC's
Controlled Port enabled/disabled. Two different interfaces,
'Controlled Port' and 'Uncontrolled Port', are associated
with a PAC, and for each instance of a PAC two
ifTable rows (one for each interface) run on top of an
ifTable row representing the 'Common Port' interface,
such as a row with ifType = 'ethernetCsmacd(6)'.
For example :
-----------------------------------------------------------
|                           |                             |
|   Controlled Port         |   Uncontrolled Port         |
|   Interface               |   Interface                 |
|   (ifEntry = j)           |   (ifEntry = k)             |
|   (ifType =               |   (ifType =                 |
|   macSecControlledIF(231))|   macSecUncontrolledIF(232))|
|                           |                             |
|---------------------------------------------------------|
|                                                         |
|              Physical Interface                         |
|              (ifEntry = i)                              |
|              (ifType = ethernetCsmacd(6))               |
|_________________________________________________________|
i, j, and k are ifIndex values that indicate
an interface stack in the ifTable.
Figure : PAC Interface Stack
The 'Controlled Port' is the service point to provide one
instance of the secure MAC service in a PAC. The
'Uncontrolled Port' is the service point to provide one
instance of the insecure MAC service in a PAC.
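The interface stack in the figure can be checked against what an agent actually reports in its ifTable and ifStackTable (IF-MIB, RFC 2863). The following is an added example, not part of the MIB text: the ifTable and ifStackTable rows are constructed, and the function flags any Common Port that does not carry exactly one Controlled Port row and one Uncontrolled Port row, as well as MACsec port rows that are not stacked on anything.

```python
from collections import defaultdict

# ifType values named in the PAC Interface Stack figure.
ETHERNET_CSMACD = 6
MACSEC_CONTROLLED_IF = 231
MACSEC_UNCONTROLLED_IF = 232

# Constructed sample data (not from a real agent):
# ifTable rows as ifIndex -> ifType. ifIndex 1 is a complete PAC
# (rows 2 and 3 stacked on it); ifIndex 4 is missing its
# Uncontrolled Port; ifIndex 6 is a MACsec row stacked on nothing.
IF_TABLE = {1: ETHERNET_CSMACD, 2: MACSEC_CONTROLLED_IF, 3: MACSEC_UNCONTROLLED_IF,
            4: ETHERNET_CSMACD, 5: MACSEC_CONTROLLED_IF, 6: MACSEC_UNCONTROLLED_IF}

# Constructed ifStackTable rows as (ifStackHigherLayer, ifStackLowerLayer).
IF_STACK = [(2, 1), (3, 1), (5, 4)]


def check_pac_stacks(if_table, if_stack):
    """Return (pacs, problems).

    pacs maps each Common Port ifIndex i to (j, k), the Controlled and
    Uncontrolled Port ifIndex values stacked on it, exactly as in the
    figure. problems lists deviations from that expected stack.
    """
    uppers = defaultdict(list)          # lower ifIndex -> [higher ifIndex]
    for higher, lower in if_stack:
        uppers[lower].append(higher)
    stacked = {higher for higher, _ in if_stack}

    pacs, problems = {}, []
    for i in sorted(uppers):
        ctrl = [h for h in uppers[i] if if_table.get(h) == MACSEC_CONTROLLED_IF]
        unctrl = [h for h in uppers[i] if if_table.get(h) == MACSEC_UNCONTROLLED_IF]
        if not ctrl and not unctrl:
            continue                    # some other stacking, not a PAC
        if len(ctrl) == 1 and len(unctrl) == 1:
            pacs[i] = (ctrl[0], unctrl[0])
        else:
            problems.append(f"ifIndex {i}: expected one Controlled and one "
                            f"Uncontrolled Port row, found controlled={ctrl} "
                            f"uncontrolled={unctrl}")
    # A MACsec port row with no lower layer cannot be a PAC interface.
    for idx, itype in if_table.items():
        if itype in (MACSEC_CONTROLLED_IF, MACSEC_UNCONTROLLED_IF) and idx not in stacked:
            problems.append(f"ifIndex {idx}: MACsec port row has no lower layer "
                            f"in ifStackTable")
    return pacs, problems


if __name__ == "__main__":
    found, issues = check_pac_stacks(IF_TABLE, IF_STACK)
    print("complete PACs:", found)
    for line in issues:
        print("problem:", line)
```

On a live device the two dictionaries would be filled from an SNMP walk of ifType and ifStackTable rather than the constructed values above.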
PACP : Port Access Controller Protocol.
Port Identifier : A 16-bit number that is unique within the
scope of the address of the port.
Real Port : Indicates the PAE is for a real port. A port that
is not created on demand by the mechanisms specified in
this standard, but that can transmit and receive frames for
one or more virtual ports.
SC : Secure Channel, a security relationship used to provide
security guarantees for frames transmitted from one member
of a CA to the others. An SC is supported by a sequence of
SAs thus allowing the periodic use of fresh keys without
terminating the relationship.
SA : Secure Association, a security relationship that provides
security guarantees for frames transmitted from one member
of a CA to the others. Each SA is supported by a single
secret key, or a single set of keys where the cryptographic
operations used to protect one frame require more than one
key.
SAK : Secure Association key, the secret key used by an SA.
SCI : Secure Channel Identifier, a globally unique identifier
for a secure channel, comprising a globally unique MAC
Address and a Port Identifier, unique within the system
allocated that address.
secured connectivity : Data transfer between two or more 'Controlled
Ports' that is protected by MACsec.
SecY : MAC Security Entity, the entity that operates the MAC
Security protocol within a system.
Supplicant : An entity at one end of a point-to-point LAN
segment that seeks to be authenticated by an Authenticator
attached to the other end of that link.
Suspension : Temporary suspension of MKA operation to facilitate
in-service control plane software upgrades without
disrupting existing secure connectivity.
Uncontrolled Port : The access point used to provide the
insecure MAC Service to a client of a SecY or PAC.
Virtual Port : Indicates the PAE is for a virtual port. A MAC
Service or Internal Sublayer service access point that is
created on demand. Virtual ports can be used to provide
separate secure connectivity associations over the same
LAN.