MACSec Server Test Suite Data Sheet
Test Suite: MACSec Server Test Suite
Direction: Server

MACsec (Media Access Control Security) is a Data Link Layer (Layer 2) protocol that allows systems connected to a LAN (Local Area Network) to maintain the confidentiality and integrity of transmitted data. MKA (MACsec Key Agreement) is a protocol that provides compatible authentication, authorization and cryptographic key agreement mechanisms to support secure communication between devices connected to a LAN. MKA is based on the 802.1X EAPoL (Extensible Authentication Protocol over LAN) specification and is implemented as an EAPoL message type extension. This test suite has been designed to act as a malicious MACsec peer that sends invalid requests to the tested MACsec peer. It can also act as a malicious MKA supplicant that sends invalid requests to the tested MKA authenticator. The test suite uses simple MACsec frames with an encapsulated payload and common MKA message sequences to test implementations.

Used specifications

Specification | Title | Notes
IEEE 802.1AE-2006 | Media Access Control (MAC) Security |
IEEE 802.1AEbn-2011 | Media Access Control (MAC) Security. Amendment 1: Galois Counter Mode - Advanced Encryption Standard - 256 (GCM-AES-256) Cipher Suite |
IEEE 802.1AEbw-2013 | Media Access Control (MAC) Security. Amendment 2: Extended Packet Numbering |
IEEE 802.1AEcg-2017 | Media Access Control (MAC) Security. Amendment 3: Ethernet Data Encryption devices |
IEEE 802.1X-2001 | Port-Based Network Access Control | Anomaly only
IEEE 802.1X-2004 | Port-Based Network Access Control | Anomaly only
IEEE 802.1X-2010 | Port-Based Network Access Control | MACsec Key Agreement (MKA) protocol specification
IEEE 802.1Xbx-2014 | Port-Based Network Access Control. Amendment 1: MAC Security Key Agreement Protocol (MKA) Extensions |
IEEE 802.11-2007 | Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications | Anomaly only (802.11 Key Descriptor Type according to 802.1X-2004)
rfc3629 | UTF-8, a transformation format of ISO 10646 |
rfc3748 | Extensible Authentication Protocol (EAP) |
rfc5216 | The EAP-TLS Authentication Protocol | MKA (authentication only)
rfc6696 | EAP Extensions for the EAP Re-authentication Protocol (ERP) | MKA (anomaly only)
rfc7542 | The Network Access Identifier | MKA (anomaly only)
rfc826 | An Ethernet Address Resolution Protocol | MACsec (valid case only)

Tool-specific information

Tested message | Specifications | Notes
MPDU | ieee-802.1AE-2006 | MACsec Protocol Data Unit
MKPDU | ieee-802.1X-2010, ieee-802.1Xbx-2014 | MACsec Key Agreement Protocol Data Unit
EAPOL-PDU | ieee-802.1X-2010 | EAP over LAN (EAPOL) Protocol Data Unit
EAP | rfc3748 | Extensible Authentication Protocol (EAP)

Supported features

Feature | Specification | Notes
GCM-AES-128 | IEEE-802.1AE-2006 | Integrity and Confidentiality
GCM-AES-256 | IEEE-802.1AEbn-2011 | Integrity and Confidentiality
GCM-AES-XPN-128 | IEEE-802.1AEbw-2014 | Integrity and Confidentiality
GCM-AES-XPN-256 | IEEE-802.1AEbw-2014 | Integrity and Confidentiality
Key Derivation Function | IEEE-802.1X-2010 | Integrity and Confidentiality
AES Cipher in CMAC mode | IEEE-802.1X-2010, NIST SP 800-38B | Integrity and Confidentiality
AES-CMAC-128 | IEEE-802.1X-2010, rfc4493 | The AES-CMAC Algorithm
AES-CMAC-256 | IEEE-802.1X-2010, rfc4493 | The AES-CMAC Algorithm
AES Key Wrap | IEEE-802.1X-2010, rfc3394 | Advanced Encryption Standard (AES) Key Wrap Algorithm
The EAP MD5-Challenge mechanism | rfc3748 | EAP authentication method
The EAP-TLS Authentication Protocol | rfc5216 | MKA (authentication only)
The TLS Protocol Version 1.0 | rfc2246 | MKA (authentication only, partially supported)
The TLS Protocol Version 1.1 | rfc4346 | MKA (authentication only, partially supported)
The TLS Protocol Version 1.2 | rfc5246 | MKA (authentication only, partially supported)

Unsupported features

Feature | Specification | Notes
Integrity validation for incoming data. | IEEE 802.1AE-2006 | Suite does not validate the integrity of incoming MACsec messages.
Integrity validation for incoming data. | IEEE 802.1X-2010 | Suite does not validate the integrity of incoming MKA messages.
Authenticator or Key server role. | IEEE 802.1X-2010 | This suite supports only the client role for the MACsec Key Agreement (MKA) Protocol.
Background service for MKA. | IEEE 802.1X-2010 | This suite doesn't support running MKA as a separate background service that persists across test cases while MACsec is used as a fuzz target.
Custom MKA Algorithm Agility parameter values. | IEEE 802.1X-2010 | Only the default value is supported.
Multiple MKA peer ACK. | IEEE 802.1X-2010 | Suite doesn't support sending individual ACK messages to network peers other than the system under test (SUT).
Alert Standard Format (ASF) Specification. | DSP0136 | Mentioned only in IEEE 802.1X-2010, but not relevant to the MACsec Key Agreement (MKA) protocol.
Authentication methods other than EAP-TLS and MD5-Challenge. | rfc3748 | Port-based authentication.
Full list of EAP-TLS features. | rfc5216 | This TLS feature is only partially supported, in order to pass the port-based authentication required for the MACsec Key Agreement (MKA) protocol. This suite doesn't support TLS protocol fuzzing or all of the cipher suites, extensions, or additional features addressed in this specification.
TLS 1.0 | rfc2246 | This TLS feature is only partially supported, in order to pass the port-based authentication required for the MACsec Key Agreement (MKA) protocol. This suite doesn't support TLS protocol fuzzing or the full list of cipher suites, extensions or additional features referred to in this specification.
TLS 1.1 | rfc4346 | This TLS feature is only partially supported, in order to pass the port-based authentication required for the MACsec Key Agreement (MKA) protocol. This suite doesn't support TLS protocol fuzzing or all of the cipher suites, extensions, or additional features addressed in this specification.
TLS 1.2 | rfc5246 | This TLS feature is only partially supported, in order to pass the port-based authentication required for the MACsec Key Agreement (MKA) protocol. This suite doesn't support TLS protocol fuzzing or the full list of cipher suites, extensions or additional features referred to in this specification.
Model based fuzzing for ARP. | rfc826 | ARP is only used for the default minimal sample payload under the Ethernet protocol. Suite does not support any other ARP features or fuzzing of the ARP protocol.

Test tool general features
  • Fully automated black-box negative testing
  • Ready-made test cases
  • Written in Java(tm)
  • GUI, command line and remote interface modes
  • Instrumentation (health-check) capability
  • Support and maintenance
  • Comprehensive user documentation
  • Results reporting and analysis