11-Security Configuration Guide: 05-Keychain configuration
Configuring keychains
Overview
A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication by periodically changing the key and authentication algorithm without service interruption.
Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving lifetime. When the system time is within the lifetime of a key in a keychain, an application uses the key to authenticate incoming and outgoing packets. The keys in the keychain take effect one by one according to the sequence of the configured lifetimes. In this way, the authentication algorithms and keys are dynamically changed to implement dynamic authentication.
A keychain operates in absolute time mode. In this mode, each time point during a key's lifetime is the UTC time and is not affected by the system's time zone or daylight saving time.
Configuration procedure
Follow these guidelines when you configure a keychain:
· To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set non-overlapping sending lifetimes for the keys in the keychain.
· The keys used by the local device and the peer device must have the same authentication algorithm and key string.
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a keychain and enter keychain view. | keychain keychain-name [ mode absolute ] | By default, no keychains exist. |
3. Create a key and enter key view. | key key-id | By default, no keys exist. |
4. Specify an authentication algorithm for the key. | authentication-algorithm { hmac-md5 | md5 } | By default, no authentication algorithm is specified for a key. |
5. Configure a key string for the key. | key-string { cipher | plain } string | By default, no key string is configured. |
6. Set the sending lifetime in UTC mode for the key. | send-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date } | By default, the sending lifetime is not configured for a key. |
7. Set the receiving lifetime in UTC mode for the key. | accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date } | By default, the receiving lifetime is not configured for a key. |
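The selection rules described in the overview and the two configuration guidelines, as an added Python model that is not H3C code: the class and function names, the treatment of the "to" end time as an exclusive bound, and the way the md5 algorithm's digest is computed (MD5 over message followed by key, a stand-in for the keyed MD5 OSPF uses rather than the exact wire computation) are this example's own assumptions. It builds keychain abc from the configuration example further down, picks the send key and accept keys for a given UTC time, checks that send lifetimes do not overlap, and checks that two peers' keys match in algorithm and key string.

```python
"""Keychain model in absolute (UTC) time mode: key selection by lifetime, the
non-overlap check for send lifetimes, and the keyed digest each key produces.
Added example, not H3C code; all names below are the author's own choice."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Lifetime boundaries use the CLI layout "HH:MM:SS YYYY/MM/DD" and are read as UTC,
# matching absolute time mode (no time zone or DST adjustment).
_FMT = "%H:%M:%S %Y/%m/%d"


def parse_utc(text: str) -> datetime:
    """'10:00:00 2015/02/06' -> timezone-aware UTC datetime."""
    return datetime.strptime(text, _FMT).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str            # "md5" or "hmac-md5", the two values on the page
    key_string: bytes
    send_start: datetime
    send_end: datetime
    accept_start: datetime
    accept_end: datetime

    def send_active(self, now: datetime) -> bool:
        # Assumption: the "to" end time is an exclusive bound, so 11:00:00 belongs
        # to the next key and the 10:00-11:00 / 11:00-12:00 pair does not overlap.
        return self.send_start <= now < self.send_end

    def accept_active(self, now: datetime) -> bool:
        return self.accept_start <= now < self.accept_end

    def digest(self, message: bytes) -> bytes:
        """hmac-md5 is RFC 2104 HMAC; "md5" is modelled as MD5(message || key),
        a stand-in for keyed MD5 (the real wire computation is not reproduced)."""
        if self.algorithm == "hmac-md5":
            return hmac.new(self.key_string, message, hashlib.md5).digest()
        if self.algorithm == "md5":
            return hashlib.md5(message + self.key_string).digest()
        raise ValueError(f"unsupported algorithm {self.algorithm!r}")


@dataclass
class Keychain:
    name: str
    keys: List[Key]

    def overlapping_send_lifetimes(self) -> List[str]:
        """Guideline check: one message per pair of keys whose send lifetimes overlap."""
        problems = []
        for i, a in enumerate(self.keys):
            for b in self.keys[i + 1:]:
                if a.send_start < b.send_end and b.send_start < a.send_end:
                    problems.append(f"keys {a.key_id} and {b.key_id} overlap")
        return problems

    def active_send_key(self, now: datetime) -> Optional[Key]:
        active = [k for k in self.keys if k.send_active(now)]
        return active[0] if active else None

    def active_accept_key_ids(self, now: datetime) -> List[int]:
        return [k.key_id for k in self.keys if k.accept_active(now)]

    def sign(self, message: bytes, now: datetime) -> Optional[bytes]:
        key = self.active_send_key(now)
        return key.digest(message) if key else None

    def verify(self, message: bytes, tag: bytes, now: datetime) -> bool:
        """Accept if any key whose accept lifetime covers `now` reproduces the tag."""
        return any(hmac.compare_digest(k.digest(message), tag)
                   for k in self.keys if k.accept_active(now))


def peers_compatible(local: Keychain, peer: Keychain) -> bool:
    """Guideline check: matching key IDs must use the same algorithm and key string."""
    peer_by_id = {k.key_id: k for k in peer.keys}
    return all(k.key_id in peer_by_id
               and peer_by_id[k.key_id].algorithm == k.algorithm
               and peer_by_id[k.key_id].key_string == k.key_string
               for k in local.keys)


def page_keychain() -> Keychain:
    """Keychain 'abc' as configured on Router A in the example (values from the page)."""
    d = "2015/02/06"
    return Keychain("abc", [
        Key(1, "md5", b"123456",
            parse_utc(f"10:00:00 {d}"), parse_utc(f"11:00:00 {d}"),
            parse_utc(f"10:00:00 {d}"), parse_utc(f"11:00:00 {d}")),
        Key(2, "hmac-md5", b"pwd123",
            parse_utc(f"11:00:00 {d}"), parse_utc(f"12:00:00 {d}"),
            parse_utc(f"11:00:00 {d}"), parse_utc(f"12:00:00 {d}")),
    ])


if __name__ == "__main__":
    kc = page_keychain()
    for t in ("10:30:00 2015/02/06", "11:00:00 2015/02/06", "11:30:00 2015/02/06"):
        now = parse_utc(t)
        key = kc.active_send_key(now)
        print(t, "send key:", key.key_id if key else None,
              "accept keys:", kc.active_accept_key_ids(now))
```

Running the block prints which key sends and which keys are accepted at 10:30, 11:00 and 11:30 UTC; a tag produced by key 1 at 10:30 no longer verifies at 11:30 because key 1's accept lifetime has ended, which is exactly why the accept lifetimes on both routers must line up.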
Displaying and maintaining keychain
Execute display commands in any view.
Task | Command |
---|---|
Display keychain information. | display keychain [ name keychain-name [ key key-id ] ] |
Keychain configuration example
Network requirements
As shown in Figure 1, establish an OSPF neighbor relationship between Router A and Router B, and use a keychain to authenticate packets between the routers. Configure key 1 and key 2 for the keychain and make sure key 2 is used immediately when key 1 expires.
Configuration procedure
Configuring Router A
# Configure IP addresses for interfaces. (Details not shown.)
# Configure OSPF.
<RouterA> system-view
[RouterA] ospf 1 router-id 1.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[RouterA] keychain abc mode absolute
# Create key 1 for the keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[RouterA-keychain-abc] key 1
[RouterA-keychain-abc-key-1] authentication-algorithm md5
[RouterA-keychain-abc-key-1] key-string plain 123456
[RouterA-keychain-abc-key-1] send-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
[RouterA-keychain-abc-key-1] accept-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
[RouterA-keychain-abc-key-1] quit
# Create key 2 for the keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[RouterA-keychain-abc] key 2
[RouterA-keychain-abc-key-2] authentication-algorithm hmac-md5
[RouterA-keychain-abc-key-2] key-string plain pwd123
[RouterA-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[RouterA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[RouterA-keychain-abc-key-2] quit
[RouterA-keychain-abc] quit
# Configure GigabitEthernet 2/1/1 to use the keychain abc for authentication.
[RouterA] interface GigabitEthernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ospf authentication-mode keychain abc
[RouterA-GigabitEthernet2/1/1] quit
Configuring Router B
# Configure IP addresses for interfaces. (Details not shown.)
# Configure OSPF.
<RouterB> system-view
[RouterB] ospf 1 router-id 2.2.2.2
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[RouterB] keychain abc mode absolute
# Create key 1 for the keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[RouterB-keychain-abc] key 1
[RouterB-keychain-abc-key-1] authentication-algorithm md5
[RouterB-keychain-abc-key-1] key-string plain 123456
[RouterB-keychain-abc-key-1] send-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
[RouterB-keychain-abc-key-1] accept-lifetime utc 10:00:00 2015/02/06 to 11:10:00 2015/02/06
[RouterB-keychain-abc-key-1] quit
# Create key 2 for the keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[RouterB-keychain-abc] key 2
[RouterB-keychain-abc-key-2] key-string plain pwd123
[RouterB-keychain-abc-key-2] authentication-algorithm hmac-md5
[RouterB-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[RouterB-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[RouterB-keychain-abc-key-2] quit
[RouterB-keychain-abc] quit
# Configure GigabitEthernet 2/1/1 to use the keychain abc for authentication.
[RouterB] interface GigabitEthernet 2/1/1
[RouterB-GigabitEthernet2/1/1] ospf authentication-mode keychain abc
[RouterB-GigabitEthernet2/1/1] quit
Verifying the configuration
1. When the system time is between 10:00:00 and 11:00:00 UTC on 2015/02/06, verify the status of the keys in the keychain abc.
# Display keychain information on Router A. The output shows that key 1 is the valid key.
[RouterA] display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
MD5 : 3
Default send key ID : None
Active send key ID : 1
Active accept key IDs: 1
Key ID : 1
Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Active
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Active
Key ID : 2
Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Inactive
# Display keychain information on Router B. The output shows that key 1 is the valid key.
[RouterB] display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
MD5 : 3
Default send key ID : None
Active send key ID : 1
Active accept key IDs: 1
Key ID : 1
Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Active
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Active
Key ID : 2
Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Inactive
2. When the system time is between 11:00:00 and 12:00:00 UTC on 2015/02/06, verify the status of the keys in the keychain abc.
# Display keychain information on Router A. The output shows that key 2 becomes the valid key.
[RouterA] display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
MD5 : 3
Default send key ID : None
Active send key ID : 2
Active accept key IDs: 2
Key ID : 1
Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Inactive
Key ID : 2
Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Active
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Active
# Display keychain information on Router B. The output shows that key 2 becomes the valid key.
[RouterB] display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
MD5 : 3
Default send key ID : None
Active send key ID : 2
Active accept key IDs: 2
Key ID : 1
Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Inactive
Key ID : 2
Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Active
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Active
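A parser for the display keychain output shown in the verification steps, added here as an example that is not H3C code (function names are this example's own). It separates the keychain-level summary lines from the per-key blocks and then performs the check an operator wants after the 11:00:00 rollover: the "Active send key ID" and "Active accept key IDs" summary must agree with the per-key Send status and Accept status, only one key may be sending, and both routers must report the same active send key and the same algorithm per key. The first sample is Router A's output from step 2; the second is constructed by altering its summary lines.

```python
"""Parser and consistency check for 'display keychain' output.
Added example, not H3C code; function names are this example's own."""
import re
from typing import Any, Dict, List

# Router A's output from step 2 of the verification (copied from the page).
ROUTER_A_OUTPUT = """\
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
MD5 : 3
Default send key ID : None
Active send key ID : 2
Active accept key IDs: 2
Key ID : 1
Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Inactive
Key ID : 2
Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Active
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Active
"""

# Constructed sample: the summary lines still name key 1 although key 2 is the
# active key, a stale summary an operator should not take at face value.
MISMATCHED_OUTPUT = (ROUTER_A_OUTPUT
                     .replace("Active send key ID : 2", "Active send key ID : 1")
                     .replace("Active accept key IDs: 2", "Active accept key IDs: 1"))


def parse_display_keychain(text: str) -> Dict[str, Any]:
    """Split the output into keychain-level fields plus one dict per 'Key ID' block.
    Lifetime values contain colons, so each line is split on its first ':' only."""
    info: Dict[str, Any] = {"keys": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:          # blank lines and the 'TCP algorithm value' header
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field == "Key ID":
            current = {"id": int(value)}
            info["keys"].append(current)
        elif current is None:
            info[field] = value      # keychain-level summary field
        else:
            current[field] = value   # field of the current key block
    return info


def _ids(value: str) -> List[int]:
    """'1', '1 2' or 'None' -> list of key IDs."""
    return [int(x) for x in re.findall(r"\d+", value)]


def status_problems(info: Dict[str, Any]) -> List[str]:
    """Compare the summary lines with the per-key statuses; an empty list means consistent."""
    problems = []
    send_active = [k["id"] for k in info["keys"] if k.get("Send status") == "Active"]
    accept_active = [k["id"] for k in info["keys"] if k.get("Accept status") == "Active"]
    if send_active != _ids(info.get("Active send key ID", "")):
        problems.append(f"summary send key {info.get('Active send key ID')!r} "
                        f"but per-key send status says {send_active}")
    if len(send_active) > 1:
        problems.append(f"more than one key is sending: {send_active}")
    if sorted(accept_active) != sorted(_ids(info.get("Active accept key IDs", ""))):
        problems.append(f"summary accept keys {info.get('Active accept key IDs')!r} "
                        f"but per-key accept status says {accept_active}")
    return problems


def peers_agree(local: Dict[str, Any], peer: Dict[str, Any]) -> bool:
    """Both routers should report the same active send key and the same algorithm per key."""
    if local.get("Active send key ID") != peer.get("Active send key ID"):
        return False
    peer_alg = {k["id"]: k.get("Algorithm") for k in peer["keys"]}
    return all(peer_alg.get(k["id"]) == k.get("Algorithm") for k in local["keys"])


if __name__ == "__main__":
    for label, text in (("router A", ROUTER_A_OUTPUT), ("constructed", MISMATCHED_OUTPUT)):
        parsed = parse_display_keychain(text)
        print(label, "active send key:", parsed["Active send key ID"],
              "problems:", status_problems(parsed) or "none")
```

Feed it the output captured from each router and compare the two parsed results with peers_agree; a non-empty list from status_problems on either side means the keychain should be re-checked before trusting the OSPF adjacency to survive the next key change.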