IP Router Configuration
Router Configuration Guide 41
• The system was booted from a configuration file generated by a software version not
having persistent CGAs.
Key rollover
You can import a new RSA key pair for SeND with the key-rollover keyword. This will
result in the regeneration of all CGAs on all interfaces.
Exporting the SeND RSA key pair
Another method, which does not result in the regeneration of the CGAs, is to export the RSA
key pair that is currently in use by SeND to the system-pki directory via an admin command:
admin certificate secure-nd-export
This command writes the RSA key pair to the file cfx:\system-pki\secureNdKey in
encrypted DER format.
Booting from a saved configuration file
Configuration saved by a software version with persistent CGAs
The file cfx:\system-pki\secureNdKey should exist. This file will be automatically uploaded
by SeND during initialization.
The configuration file should contain a modifier for each address on a SeND enabled
interface.
Modifiers in the configuration file are checked against the current RSA key pair. If the check
fails, a new modifier and CGA are generated and a warning is given to the operator that a new
CGA has been generated.
If a modifier is missing in the configuration file for an IPv6 /64 prefix on a SeND enabled
interface, a new modifier and CGA will be generated based on the active RSA key pair.
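The modifier check described above, as an added example (not the router's own code), assuming the check is the CGA verification of RFC 3972 with SHA-1 and Sec = 0. The key bytes, the /64 prefix and the names cga_address, modifier_matches and boot_check are constructed for illustration; the example also shows why a key rollover invalidates every saved modifier.

```python
import hashlib
import ipaddress
import os

# Constructed stand-ins for the DER-encoded public keys of two RSA key pairs.
KEY_A = b"constructed-der-public-key-A"
KEY_B = b"constructed-der-public-key-B"
PREFIX = ipaddress.IPv6Address("2001:db8:0:1::").packed[:8]  # constructed /64


def cga_address(prefix, modifier, pubkey_der, sec=0, collisions=0):
    """RFC 3972 section 4: derive the interface identifier from Hash1."""
    params = modifier + prefix + bytes([collisions]) + pubkey_der
    iid = bytearray(hashlib.sha1(params).digest()[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # Sec in bits 0-2, u/g bits cleared
    return ipaddress.IPv6Address(prefix + bytes(iid))


def modifier_matches(addr, modifier, pubkey_der, collisions=0):
    """RFC 3972 section 5: does this modifier and key reproduce the address?"""
    prefix, iid = addr.packed[:8], addr.packed[8:]
    if len(modifier) != 16 or collisions not in (0, 1, 2):
        return False
    params = modifier + prefix + bytes([collisions]) + pubkey_der
    hash1 = hashlib.sha1(params).digest()[:8]
    mask = b"\x1c" + b"\xff" * 7  # ignore Sec, u and g bits
    if any((h ^ i) & m for h, i, m in zip(hash1, iid, mask)):
        return False
    sec = iid[0] >> 5
    hash2 = hashlib.sha1(modifier + bytes(9) + pubkey_der).digest()
    return hash2[:2 * sec] == bytes(2 * sec)  # 16*Sec leading zero bits


def boot_check(saved_addr, saved_modifier, active_key):
    """Hypothetical model of the boot-time check; Sec=0 when regenerating."""
    if saved_modifier and modifier_matches(saved_addr, saved_modifier, active_key):
        return saved_addr, saved_modifier, "kept"
    modifier = os.urandom(16)
    prefix = saved_addr.packed[:8]
    return cga_address(prefix, modifier, active_key), modifier, "regenerated"


if __name__ == "__main__":
    saved_mod = bytes(range(16))  # constructed modifier
    saved = cga_address(PREFIX, saved_mod, KEY_A)
    for label, mod, key in (("same key", saved_mod, KEY_A),
                            ("rolled key", saved_mod, KEY_B),
                            ("modifier missing", None, KEY_A)):
        print(label, *boot_check(saved, mod, key)[::2])
```

Because the public key is part of the hash input, a saved modifier only reproduces its address under the key pair it was generated with, which is why exporting the key pair preserves the CGAs and a rollover does not.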
Configuration saved by a software version having non-persistent CGAs
The file cfx:\system-pki\secureNdKey does not exist, nor does the configuration file contain
a modifier for any of the IPv6 /64 prefixes on secure-nd enabled interfaces.
New CGAs have to be generated (from the CLI context). Follow one of the procedures
described in section Making non-persistent CGAs persistent to make the non-persistent
CGAs persistent.