The current description of the leaf is "Use updated ethernet header for ICV calculation. In case the Ethernet frame headers change, use the updated headers to calculate the ICV."
This description of the leaf should be updated to clearly state that only the updated Source MAC (SMAC), Destination MAC (DMAC), and EtherType fields from the header may be considered when calculating the ICV. Any VLAN tags added prior to the transmission of the MKPDU must not be included in the ICV calculation.
This behaviour is as per the requirement defined in IEEE 802.1X-2020, Section 9.4.1:
NOTE—M comprises the whole of what is often referred to as ‘the frame’ considered from the point of view of the MAC Service provided by Common Port of the SecY (Figure 6-2) or PAC (Figure 6-6) supporting MKPDU transmission. The description does not use the term ‘frame’, because that Common Port could be supported by additional VLAN tags or other tags (consider the upper SecY shown in Figure 7-17) prior to transmission of a MAC frame by a system. Any such additional tags would not be covered by the ICV, and would be removed prior to MKPDU reception by a peer PAE.
New Description : Indicates whether updated Ethernet header fields are used for ICV calculation. When enabled, only the updated Source MAC (SMAC), Destination MAC (DMAC), and EtherType fields of the Ethernet header are considered along with payload for calculating the ICV. Any VLAN tags inserted before transmission of the MKPDU must not be included in the ICV calculation.
The current description of the leaf is "Use updated ethernet header for ICV calculation. In case the Ethernet frame headers change, use the updated headers to calculate the ICV."
This description of the leaf should be updated to clearly state that only the updated Source MAC (SMAC), Destination MAC (DMAC), and EtherType fields from the header may be considered when calculating the ICV. Any VLAN tags added prior to the transmission of the MKPDU must not be included in the ICV calculation.
This behaviour is as per the requirement defined in IEEE 802.1X-2020, Section 9.4.1:
NOTE—M comprises the whole of what is often referred to as ‘the frame’ considered from the point of view of the MAC Service provided by Common Port of the SecY (Figure 6-2) or PAC (Figure 6-6) supporting MKPDU transmission. The description does not use the term ‘frame’, because that Common Port could be supported by additional VLAN tags or other tags (consider the upper SecY shown in Figure 7-17) prior to transmission of a MAC frame by a system. Any such additional tags would not be covered by the ICV, and would be removed prior to MKPDU reception by a peer PAE.
New Description : Indicates whether updated Ethernet header fields are used for ICV calculation. When enabled, only the updated Source MAC (SMAC), Destination MAC (DMAC), and EtherType fields of the Ethernet header are considered along with payload for calculating the ICV. Any VLAN tags inserted before transmission of the MKPDU must not be included in the ICV calculation.