Implementing Keychain Management onCisco IOS XR Software
Prerequisites for Configuring Keychain Management
SC-154
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
Prerequisites for Configuring Keychain Management
• You must be in a user group associated with a task group that includes the proper task IDs. The
command reference guides include the task IDs required for each command.
• If you suspect user group assignment is preventing you from using a command, contact your AAA
administrator for assistance.
Restrictions for Implementing Keychain Management
You must be aware that changing the system clock impacts the validity of the keys in the existing
configuration.
Information About Implementing Keychain Management
The keychain by itself has no relevance; therefore, it must be used by an application that needs to
communicate by using the keys (for authentication) with its peers. The keychain provides a secure
mechanism to handle the keys and rollover based on the lifetime. Border Gateway Protocol (BGP), Open
Shortest Path First (OSPF), and Intermediate System-to-Intermediate System (IS-IS) use the keychain
to implement a hitless key rollover for authentication. BGP uses TCP authentication, which enables the
authentication option and sends the Message Authentication Code (MAC) based on the cryptographic
algorithm configured for the keychain. For information about BGP, OSPF, and IS-IS keychain
configurations, see Cisco
IOS XR Routing Configuration GuideTo implement keychain management,
you must understand the concept of key lifetime, which is explained in the next section.
Lifetime of a Key
If you are using keys as the security method, you must specify the lifetime for the keys and change the
keys on a regular basis when they expire. To maintain stability, each party must be able to store and use
more than one key for an application at the same time. A keychain is a sequence of keys that are
collectively managed for authenticating the same peer, peer group, or both.
Keychain management groups a sequence of keys together under a keychain and associates each key in
the keychain with a lifetime.
Note Any key that is configured without a lifetime is considered invalid; therefore, the key is rejected during
configuration.
The lifetime of a key is defined by the following options:
• Start-time—Specifies the absolute time.
• End-time—Specifies the absolute time that is relative to the start-time or infinite time.
Each key definition within the keychain must specify a time interval for which that key is activated; for
example, lifetime. Then, during a given key's lifetime, routing update packets are sent with this activated
key. Keys cannot be used during time periods for which they are not activated. Therefore, we recommend
that for a given keychain, key activation times overlap to avoid any period of time for which no key is
activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur;
therefore, routing updates can fail.
To Next Page
Loading...
Need help?
General
