Preemption and MACsec replay protection Preemption and MACsec replay protection

Mick Seaman Use of the proposed IEEE 802.3 Ethernet frame preemption capability could result in frame reordering. Without a change in the MACsec specification (IEEE Std 802.1AE) or in the way it is used it would not be possible to use MACsec to provide strict replay protection. This note has been revised to detail the use of multiple SCs1 per port, following the 802.1 Security Task Group discussions2 at the November 2014 meeting. This is the preferred approach to maintaining the current replay protection capabilities because it also addresses traffic class based reordering by Ethernet Virtual Circuits and similar provider network services3. The discussion of alternative approaches has been retained (somewhat reordered) for the record. The use of multiple SCs by a single MKA participant requires some changes to 802.1X4 and to existing MKA implementations. This note points out just how simple these can be. An existing and unchanged conformant implementation of MACsec/MKA should interoperate with one that uses traffic class grouping SCs. ________________________________________________________________________