03-Security Configuration Guide: 27-Keychain configuration
Contents
Restrictions and guidelines: Keychain configuration
Configuring a keychain in absolute time mode
Configuring a keychain in periodic time mode
Display and maintenance commands for keychain
Keychain configuration examples
Example: Configuring keychains
Configuring keychains
About keychains
A keychain is a sequence of keys. It provides dynamic authentication: the key and authentication algorithm in use are changed periodically, without service interruption, so that communication between the peers stays secure.
Operating mechanism
Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving lifetime. When the system time is within the lifetime of a key in a keychain, an application uses the key to authenticate incoming and outgoing packets. The keys in the keychain take effect one by one according to the sequence of the configured lifetimes. In this way, the authentication algorithms and keys are dynamically changed to implement dynamic authentication.
Time modes
A keychain operates in absolute time mode or periodic time mode. The lifetime for a key varies by time mode.
· Absolute time mode—Each time point in a key's lifetime is in UTC and is not affected by the system's time zone or daylight saving time.
· Periodic time mode—A key's lifetime is calculated based on the local time and is affected by the system's time zone and daylight saving time.
- daily—The lifetime for a key is from the specified start time to the specified end time of each day.
- weekly—The lifetime for a key is from the specified start day to the specified end day of each week.
- monthly—The lifetime for a key is from the specified start date to the specified end date of each month.
- yearly—The lifetime for a key is from the specified start month to the specified end month of each year.
Restrictions and guidelines: Keychain configuration
To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set non-overlapping sending lifetimes for the keys in the keychain.
The keys used by the local device and the peer device must have the same authentication algorithm and key string.
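To make the operating mechanism and the non-overlap guideline above concrete, the following added Python model (not device code from this guide) computes which key a keychain sends with and which keys it accepts at a given UTC time, and checks for overlapping send lifetimes. Keychain abc from the configuration example later on this page is used as constructed input; modelling accept-tolerance as a number of minutes that widens each accept lifetime at both ends is an assumption.

```python
from datetime import datetime, timedelta, timezone

def utc(s):
    """Parse 'HH:MM:SS YYYY/MM/DD', the format used by send-lifetime utc / accept-lifetime utc."""
    return datetime.strptime(s, "%H:%M:%S %Y/%m/%d").replace(tzinfo=timezone.utc)

# Constructed model of keychain abc (absolute time mode) from the configuration example.
KEYCHAIN_ABC = {
    "accept_tolerance": 0,      # minutes; assumption: widens every accept lifetime at both ends
    "default_send_key": None,   # 'default-send-key' is not configured in the example
    "keys": [
        {"id": 1, "algorithm": "md5",
         "send": (utc("10:00:00 2015/02/06"), utc("11:00:00 2015/02/06")),
         "accept": (utc("10:00:00 2015/02/06"), utc("11:00:00 2015/02/06"))},
        {"id": 2, "algorithm": "hmac-md5",
         "send": (utc("11:00:00 2015/02/06"), utc("12:00:00 2015/02/06")),
         "accept": (utc("11:00:00 2015/02/06"), utc("12:00:00 2015/02/06"))},
    ],
}

def overlapping_send_lifetimes(keychain):
    """Pairs of key IDs whose send lifetimes overlap; the guideline requires this list to be empty."""
    keys = keychain["keys"]
    return [(a["id"], b["id"]) for i, a in enumerate(keys) for b in keys[i + 1:]
            if a["send"][0] < b["send"][1] and b["send"][0] < a["send"][1]]

def active_keys(keychain, now):
    """Return (active send key ID, active accept key IDs) as 'display keychain' reports them."""
    pad = timedelta(minutes=keychain["accept_tolerance"])
    send_id, accept_ids = None, []
    for k in keychain["keys"]:           # keys are tried in configured order
        s0, s1 = k["send"]
        if send_id is None and s0 <= now < s1:
            send_id = k["id"]
        a0, a1 = k["accept"]
        if a0 - pad <= now < a1 + pad:   # tolerance keeps the old key acceptable across rollover
            accept_ids.append(k["id"])
    if send_id is None:                  # no key in its send lifetime: fall back to the default send key
        send_id = keychain["default_send_key"]
    return send_id, accept_ids

def with_tolerance(keychain, minutes):
    """Copy of a keychain with a different accept-tolerance, to compare rollover behaviour."""
    return {**keychain, "accept_tolerance": minutes}

def with_send_start(keychain, key_id, start):
    """Copy of a keychain in which one key's send lifetime starts at a different time."""
    keys = [{**k, "send": (start, k["send"][1])} if k["id"] == key_id else k for k in keychain["keys"]]
    return {**keychain, "keys": keys}
```

At 11:05 with a 10-minute tolerance the model still accepts key 1 while already sending with key 2, which is the continuity the accept-tolerance command is for.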
Configuring a keychain in absolute time mode
1. Enter system view.
system-view
2. Create a keychain and enter keychain view.
keychain keychain-name mode absolute
3. (Optional.) Configure TCP authentication.
- Set the kind value in the TCP Enhanced Authentication Option.
tcp-kind kind-value
By default, the kind value is 254.
- Set an algorithm ID for a TCP authentication algorithm.
tcp-algorithm-id { hmac-md5 | hmac-sha-256 | md5 } algorithm-id
By default, the algorithm ID is 3 for the MD5 authentication algorithm, 5 for the HMAC-MD5 authentication algorithm, and 7 for the HMAC-SHA-256 authentication algorithm.
When the local device uses TCP to communicate with a peer device from another vendor, make sure both devices have the same kind value and algorithm ID settings. If they do not, modify the settings on the local device.
4. (Optional.) Set a tolerance time for accept keys in the keychain.
accept-tolerance { value | infinite }
By default, no tolerance time is configured for accept keys in a keychain.
When the keys change, the local and peer devices might not switch to the new key at exactly the same moment. The resulting authentication mismatch can interrupt the service. Set a tolerance time so that packets continue to be authenticated across the key change.
5. Create a key and enter key view.
key key-id
6. Configure the key.
- Specify an authentication algorithm for the key.
authentication-algorithm { hmac-md5 | hmac-sha-1 | hmac-sha-256 | md5 }
By default, no authentication algorithm is specified for a key.
- Configure a key string for the key.
key-string { cipher | plain } string
By default, no key string is configured.
- Set the sending lifetime in UTC mode for the key.
send-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
By default, the sending lifetime is not configured for a key.
- Set the receiving lifetime in UTC mode for the key.
accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
By default, the receiving lifetime is not configured for a key.
- (Optional.) Specify the key as the default send key.
default-send-key
By default, a keychain does not have a default send key.
You can specify only one key as the default send key in a keychain.
Configuring a keychain in periodic time mode
1. Enter system view.
system-view
2. Create a keychain and enter keychain view.
keychain keychain-name mode periodic { daily | monthly | weekly | yearly }
3. (Optional.) Configure TCP authentication.
- Set the kind value in the TCP Enhanced Authentication Option.
tcp-kind kind-value
By default, the kind value is 254.
- Set an algorithm ID for a TCP authentication algorithm.
tcp-algorithm-id { hmac-md5 | hmac-sha-256 | md5 } algorithm-id
By default, the algorithm ID is 3 for the MD5 authentication algorithm, 5 for the HMAC-MD5 authentication algorithm, and 7 for the HMAC-SHA-256 authentication algorithm.
When the local device uses TCP to communicate with a peer device from another vendor, make sure both devices have the same kind value and algorithm ID settings. If they do not, modify the settings on the local device.
4. (Optional.) Set a tolerance time for accept keys in the keychain.
accept-tolerance { value | infinite }
By default, no tolerance time is configured for accept keys in a keychain.
When the keys change, the local and peer devices might not switch to the new key at exactly the same moment. The resulting authentication mismatch can interrupt the service. Set a tolerance time so that packets continue to be authenticated across the key change.
5. Create a key and enter key view.
key key-id
6. Configure the key.
- Specify an authentication algorithm for the key.
authentication-algorithm { hmac-md5 | hmac-sha-1 | hmac-sha-256 | md5 }
By default, no authentication algorithm is specified for a key.
- Configure a key string for the key.
key-string { cipher | plain } string
By default, no key string is configured.
- Set the daily, weekly, monthly, or yearly sending lifetime in periodic time mode for the key.
send-lifetime daily start-day-time to end-day-time
send-lifetime date { month-day&<1-31> | start-month-day to end-month-day }
send-lifetime day { week-day | start-week-day to end-week-day }
send-lifetime month { month | start-month to end-month }
By default, the sending lifetime is not configured for a key.
- Set the daily, weekly, monthly, or yearly receiving lifetime in periodic time mode for the key.
accept-lifetime daily start-day-time to end-day-time
accept-lifetime date { month-day&<1-31> | start-month-day to end-month-day }
accept-lifetime day { week-day | start-week-day to end-week-day }
accept-lifetime month { month | start-month to end-month }
By default, the receiving lifetime is not configured for a key.
- (Optional.) Specify the key as the default send key.
default-send-key
By default, a keychain does not have a default send key.
You can specify only one key as the default send key in a keychain.
Display and maintenance commands for keychain
Execute display commands in any view.
Task | Command
---|---
Display keychain information. | display keychain [ name keychain-name [ key key-id ] ]
Keychain configuration examples
Example: Configuring keychains
Network configuration
As shown in Figure 1, establish an OSPF neighbor relationship between Device A and Device B, and use a keychain to authenticate packets between the devices. Configure key 1 and key 2 for the keychain and make sure key 2 is used immediately when key 1 expires.
Procedure
1. Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)
2. Configure Device A:
# Configure OSPF.
<DeviceA> system-view
[DeviceA] ospf 1 router-id 1.1.1.1
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[DeviceA] keychain abc mode absolute
# Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[DeviceA-keychain-abc] key 1
[DeviceA-keychain-abc-key-1] authentication-algorithm md5
[DeviceA-keychain-abc-key-1] key-string plain 123456
[DeviceA-keychain-abc-key-1] send-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
[DeviceA-keychain-abc-key-1] accept-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
[DeviceA-keychain-abc-key-1] quit
# Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[DeviceA-keychain-abc] key 2
[DeviceA-keychain-abc-key-2] authentication-algorithm hmac-md5
[DeviceA-keychain-abc-key-2] key-string plain pwd123
[DeviceA-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[DeviceA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[DeviceA-keychain-abc-key-2] quit
[DeviceA-keychain-abc] quit
# Configure GigabitEthernet 1/2/5/1 to use keychain abc for authentication.
[DeviceA] interface gigabitethernet 1/2/5/1
[DeviceA-GigabitEthernet1/2/5/1] ospf authentication-mode keychain abc
[DeviceA-GigabitEthernet1/2/5/1] quit
3. Configure Device B:
# Configure OSPF.
<DeviceB> system-view
[DeviceB] ospf 1 router-id 2.2.2.2
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
# Create a keychain named abc, and specify the absolute time mode for it.
[DeviceB] keychain abc mode absolute
# Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[DeviceB-keychain-abc] key 1
[DeviceB-keychain-abc-key-1] authentication-algorithm md5
[DeviceB-keychain-abc-key-1] key-string plain 123456
[DeviceB-keychain-abc-key-1] send-lifetime utc 10:00:00 2015/02/06 to 11:00:00 2015/02/06
[DeviceB-keychain-abc-key-1] accept-lifetime utc 10:00:00 2015/02/06 to 11:10:00 2015/02/06
[DeviceB-keychain-abc-key-1] quit
# Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string and the sending and receiving lifetimes for the key.
[DeviceB-keychain-abc] key 2
[DeviceB-keychain-abc-key-2] key-string plain pwd123
[DeviceB-keychain-abc-key-2] authentication-algorithm hmac-md5
[DeviceB-keychain-abc-key-2] send-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[DeviceB-keychain-abc-key-2] accept-lifetime utc 11:00:00 2015/02/06 to 12:00:00 2015/02/06
[DeviceB-keychain-abc-key-2] quit
[DeviceB-keychain-abc] quit
# Configure GigabitEthernet 1/2/5/1 to use keychain abc for authentication.
[DeviceB] interface gigabitethernet 1/2/5/1
[DeviceB-GigabitEthernet1/2/5/1] ospf authentication-mode keychain abc
[DeviceB-GigabitEthernet1/2/5/1] quit
Verifying the configuration
1. When the system time is within the lifetime from 10:00:00 to 11:00:00 on the day 2015/02/06, verify the status of the keys in keychain abc.
# Display keychain information on Device A. The output shows that key 1 is the valid key.
[DeviceA] display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
HMAC-SHA-256 : 7
MD5 : 3
Default send key ID : None
Active send key ID : 1
Active accept key IDs: 1
Key ID : 1
Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Active
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Active
Key ID : 2
Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Inactive
# Display keychain information on Device B. The output shows that key 1 is the valid key.
[DeviceB] display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
HMAC-SHA-256 : 7
MD5 : 3
Default send key ID : None
Active send key ID : 1
Active accept key IDs: 1
Key ID : 1
Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Active
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Active
Key ID : 2
Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Inactive
2. When the system time is within the lifetime from 11:00:00 to 12:00:00 on the day 2015/02/06, verify the status of the keys in keychain abc.
# Display keychain information on Device A. The output shows that key 2 becomes the valid key.
[DeviceA] display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
HMAC-SHA-256 : 7
MD5 : 3
Default send key ID : None
Active send key ID : 2
Active accept key IDs: 2
Key ID : 1
Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Inactive
Key ID : 2
Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Active
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Active
# Display keychain information on Device B. The output shows that key 2 becomes the valid key.
[DeviceB] display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
HMAC-SHA-256 : 7
MD5 : 3
Default send key ID : None
Active send key ID : 2
Active accept key IDs: 2
Key ID : 1
Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==
Algorithm : md5
Send lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Send status : Inactive
Accept lifetime : 10:00:00 2015/02/06 to 11:00:00 2015/02/06
Accept status : Inactive
Key ID : 2
Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==
Algorithm : hmac-md5
Send lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Send status : Active
Accept lifetime : 11:00:00 2015/02/06 to 12:00:00 2015/02/06
Accept status : Active