Security
36
System Management Guide
3HE 11018 AAAC TQZZA Edition: 01
3.4.6.2 Keychain Configuration Guidelines and Behavior
• Either the existing authentication-key command or the new auth-keychain
command can be used by the protocols, but both cannot be supported at the
same time. If both commands are configured, the auth-keychain configuration
will be applied and the authentication-key command will be ignored.
• A keychain cannot be referenced by a protocol until it has been configured.
• If a keychain is referenced by a protocol, the keychain cannot be deleted.
• If multiple keys in a keychain are valid at the same time, the newest key (key with
the most current start time) is used.
• If a protocol sends a packet that is configured to use a keychain, the most
current key from that keychain is used.
• If a protocol receives a packet that is configured to use a keychain, the current
key set is returned to authenticate the received packet.
− The key set includes the currently active keys (based on the current system
time) and the begin/end time associated with each key in the specified
keychain.
− If a tolerance value is set for a key, the key is returned as part of the key set
if the current time is within the key’s begin time, plus or minus the tolerance
value. For example, if the begin time is 12:00 p.m. and the tolerance is 600
seconds, the new key should be included from 11:55 a.m. and the key to be
replaced should be included until 12:05 p.m.
• The end time and tolerance attributes apply only to received packets.
Transmitted packets always use the newest key, regardless of the tolerance
value.
Table 3 Security Algorithm Support Per Protocol
Protocol Clear Text MD5
(message
digest)
HMAC-
MD5
HMAC-
SHA-1-96
HMAC-
SHA-1
HMAC-
SHA-256
AES-128-
CMAC-96
OSPF Yes Yes No Yes Yes Yes No
IS-IS Yes No Yes No Yes Yes No
RSVP-TE No No Yes Yes Yes Yes No
BGP No No No Yes No No Yes
LDP No No No Yes No No Yes
To Next Page
Loading...
