Configuring keychains
Overview
A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication
by periodically changing the key and authentication algorithm without service interruption.
Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving
lifetime. These settings can be different for the keys. When the system time is within the lifetime of a
key in a keychain, an application uses the key to authenticate incoming and outgoing packets. The
keys in the keychain take effect one by one according to the sequence of the configured lifetimes. In
this way, the authentication algorithms and keys are dynamically changed to implement dynamic
authentication.
A keychain operates in absolute time mode. In this mode, each time point during a key's lifetime is
the UTC time and is not affected by the system's time zone or daylight saving time.
Configuration procedure
Follow these guidelines when you configure a keychain:
• To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set non-overlapping sending lifetimes for the keys in the keychain.
• The keys used by the local device and the peer device must have the same authentication algorithm and key string.
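The key-selection behaviour described in the overview and the two guidelines above, as an added example that is not part of the guide and not the switch's own implementation: a small model of a keychain in absolute time mode that picks the sending key and the acceptable receiving keys for a UTC time point, flags overlapping sending lifetimes, and compares a local key with its peer. The key IDs, key strings and dates are constructed sample values.

```python
# Added example (not from the HPE guide): model of keychain key selection
# in absolute time mode, plus the checks the configuration guidelines call for.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: str        # shared secret; must match the peer's key string
    algorithm: str         # e.g. "hmac-md5"; must match the peer's algorithm
    send_start: datetime   # sending lifetime, UTC (absolute mode ignores local TZ/DST)
    send_end: datetime
    accept_start: datetime  # receiving lifetime, UTC
    accept_end: datetime


def utc(y: int, mo: int, d: int, h: int = 0, mi: int = 0) -> datetime:
    """Build a UTC time point; absolute time mode is not affected by time zone or DST."""
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


def send_key(keys: List[Key], now: datetime) -> Optional[Key]:
    """Return the key whose sending lifetime covers `now` (lowest ID wins if misconfigured)."""
    now = now.astimezone(timezone.utc)
    active = [k for k in keys if k.send_start <= now < k.send_end]
    return min(active, key=lambda k: k.key_id) if active else None


def accept_keys(keys: List[Key], now: datetime) -> List[Key]:
    """All keys whose receiving lifetime covers `now`; these may legitimately overlap."""
    now = now.astimezone(timezone.utc)
    return [k for k in keys if k.accept_start <= now < k.accept_end]


def overlapping_send_lifetimes(keys: List[Key]) -> List[Tuple[int, int]]:
    """Pairs of key IDs whose sending lifetimes overlap, which the guideline forbids."""
    s = sorted(keys, key=lambda k: k.send_start)
    return [(a.key_id, b.key_id) for i, a in enumerate(s) for b in s[i + 1:]
            if b.send_start < a.send_end]


def peer_mismatch(local: Key, peer: Key) -> bool:
    """True if the local and peer keys differ in key string or authentication algorithm."""
    return local.key_string != peer.key_string or local.algorithm != peer.algorithm


# Constructed sample keychain: key 1 is sent until 2024-02-01 and key 2 from then on;
# receiving lifetimes overlap by a day so packets in flight at the rollover still verify.
KEYCHAIN = [
    Key(1, "secret-one", "hmac-md5", utc(2024, 1, 1), utc(2024, 2, 1), utc(2024, 1, 1), utc(2024, 2, 2)),
    Key(2, "secret-two", "hmac-md5", utc(2024, 2, 1), utc(2024, 3, 1), utc(2024, 1, 31), utc(2024, 3, 1)),
]
```

Receiving lifetimes are allowed to overlap around the rollover so that the peer's packets sent with the previous key are still accepted; only the sending lifetimes must be disjoint.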
To configure a keychain:
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Create a keychain and enter keychain view.
Command: keychain keychain-name [ mode absolute ]
Remarks: By default, no keychains exist.

Step 3. (Optional.) Set the kind value in the TCP Enhanced Authentication Option.
Command: tcp-kind kind-value
Remarks: By default, the kind value is 254. When the local device uses TCP to communicate with a peer device from another vendor, make sure both devices have the same kind value setting. If they do not have the same value, use this command to modify the kind value on the local device.

Step 4. (Optional.) Set an algorithm ID for a TCP authentication algorithm.
Command: tcp-algorithm-id { hmac-md5 | md5 } algorithm-id
Remarks: By default, the algorithm ID is 3 for the MD5 authentication algorithm, and is 5 for the HMAC-MD5 authentication algorithm. When the local device uses TCP to communicate with a peer device from another vendor, make sure both devices have the same algorithm ID setting. If they do not have the same algorithm ID, use this command to modify the algorithm ID on the local