---------------------------P802.1Xbu Preliminary Draft PAR and 5 Criteria, omitting some boiler-plate fields ------------

P802.1Xbu
Type of Project: Amendment to IEEE Standard 802.1X-2010
Status: Unapproved PAR, PAR for an Amendment to an existing IEEE Standard

1.1 Project Number: P802.1Xbu
1.2 Type of Document: Standard
1.3 Life Cycle: Full Use

2.1 Title: Standard for Local and Metropolitan Area Networks---Port-Based Network Access Control Amendment: MAC Security Key Agreement protocol (MKA) extensions

4.1 Type of Ballot: Individual
4.2 Expected Date of submission of draft to the IEEE-SA for Initial Sponsor Ballot: 07/2013
4.3 Projected Completion Date for Submittal to RevCom: 10/2013

5.1 Approximate number of people expected to be actively involved in the development of this project: 10

5.2 Scope: This standard adds MACsec Key Agreement protocol (MKA) data elements and procedures that provide additional security and manageability capabilities, including the ability to maintain secure communication while the operation of MKA is suspended, when used in conjunction with MAC Security (MACsec) Cipher Suites that support Extended Packet Numbering.

5.3 Is the completion of this standard dependent upon the completion of another standard: Yes
If yes please explain: the project makes use of the proposed P802.1AEbt amendment.

5.4 Purpose: This project will extend MKA to realize additional security and manageability capabilities made possible by the P802.1AEbt amendment that adds extended packet numbering Cipher Suites to IEEE Std 802.1AE-2006. These additional capabilities will include MKA data elements and procedures that allow secure connectivity association (CA) members to temporarily suspend MKA operation without causing protocol timeouts that would disrupt secure data transfer, thus allowing in-service control plane software upgrades.

5.5 Need for the Project: MKA already allows secure data transfer to continue without disruption as fresh keys are distributed and re-authentication and authorization take place, potentially allowing any secured link or LAN to provide continuous connectivity for many years. One environmental factor likely to limit the longevity of this uninterrupted communication is the need to perform a control plane software upgrade. This fact has been recognized in the design of other networking protocols that include explicit support for continuing operation and state recovery when monitoring protocol actions need to be suspended and resumed. This project will allow such in-service upgrade capability when communication is being protected by 802.1AE MACsec in conjunction with 802.1X. The IEEE Std 802.1AEbt extended packet numbering amendment will ensure that the interval between the need for fresh keys (even in very high speed operation) is greater than the time required for control plane upgrades, and this project is needed to realize the potential benefit.

5.6 Stakeholders for the Standard: Developers and users of networking equipment.

Intellectual Property
6.1.a. Is the Sponsor aware of any copyright permissions needed for this project?: No
6.1.b. Is the Sponsor aware of possible registration activity related to this project?: No

7.1 Are there other standards or projects with a similar scope?: No
If Yes please explain:

7.2 Joint Development
Is it the intent to develop this document jointly with another organization?: No


Five Criteria for 802.1Xbu - Port-Based Network Access Control Amendment: MAC Security Key Agreement protocol (MKA) extensions

1. Broad Market Potential

a. Broad sets of applicability
This amendment is applicable to all networks that are currently using or planning to use MACsec. The addition of this capability will further broaden the appeal and applicability of IEEE 802.1AE.

b. Multiple vendors and numerous users
A number of major equipment providers have indicated support for this amendment.

c. Balanced costs (LAN versus attached stations)
There is no imbalance of cost created by this amendment.

2. Compatibility

This amendment fits within the framework of IEEE 802.1X-2010, and in particular within the design and specification of the MACsec Key Agreement protocol (MKA) without reducing the use and applicability of existing data elements and procedures, and without changing existing interoperability provisions. Implementations that conform to the existing standard will remain conformant.

3. Distinct Identity

a. Substantially different from other IEEE 802 standards
IEEE 802.1X is already a recognized and established standard.

b. One unique solution per problem (not two solutions to a problem)
This project enhances IEEE 802.1X to meet emerging and additional needs; it does not duplicate existing capabilities.

c. Easy for the document reader to select the relevant specification
IEEE Std 802.1X is already an established reference for LAN security.

4. Technical Feasibility

a. Demonstrated system feasibility
The protocol extensions required for this amendment are modest within the existing context of 802.1X, and similar capabilities are routinely designed and deployed with other protocols. In particular, the design of MKA is such that the simple addition of new data elements does not require redesign or reevaluation of its security properties.

b. Proven technology, reasonable testing
Technology for testing similar capabilities has been in widespread use for a number of decades.

c. Confidence in reliability
This project is expected to pose no new reliability challenges. The effects of suspending control plane operation are simply quantifiable.

d. Coexistence of 802 wireless standards specifying devices for unlicensed operation
Not applicable.

5. Economic Feasibility

a. Known cost factors, reliable data
The fractional implementation costs involved are trivial.

b. Reasonable cost for performance
Data transfer performance would not be affected by the provisions of the proposed amendment.

c. Consideration of installation costs
Deployment would occur as a control plane software upgrade with typical associated cost. Deployment would typically be arranged to coincide with other reasons for performing such an upgrade and would only represent a fraction of the associated cost.