CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 13

This document describes the configuration of the various services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers function configurations and configuration examples.
Principles

Basic Concepts

A keychain is a set of encryption rules, called keys. A key includes an algorithm, a key string, and a send/receive time. The algorithm and key string are used to encrypt and decrypt packets. The send time and receive time define the period during which packets are sent and received using that algorithm and key string.

Key

A key includes an algorithm, a key string, and a send/receive time. The keychain supports algorithms such as MD5, SHA-1, SHA-256, HMAC-MD5, HMAC-SHA1-12, and HMAC-SHA1-20. If a keychain is applied to an application, the application must support the algorithm configured in the keychain. The key string is a string configured by the user.

The active time includes the active send time and the active receive time. By setting the send and receive times, the device changes keys dynamically. Keys are classified into the following types:

  • Active send key: When the system time is within the send time range, the key is the active send key. When the application sends a packet, the sending end uses the algorithm and key string configured for this key to generate a Message Authentication Code (MAC).

  • Active receive key: When the system time is within the receive time range, the key is the active receive key. When the application receives a packet, the receiving end uses the algorithm and key string configured for this key to generate a MAC for verification.

Message Authentication Code

A MAC is a character string calculated from the packet data and the key string using the configured algorithm.

Keychain Time Mode

Keychain time has an absolute time mode and a periodic time mode.

Absolute time mode uses the Coordinated Universal Time (UTC) format.

Periodic time mode sets a specific time period during which a keychain functions. Periodic time mode includes the following types:
  • Daily: The key in a keychain takes effect at a specified time each day.
  • Weekly: The key in a keychain takes effect on a specified day or days each week.
  • Monthly: The key in a keychain takes effect on a specified day or days each month.
  • Yearly: The key in a keychain takes effect in a specified month or months each year.
Only one time mode can be specified in a keychain. The time mode must be specified when the keychain is created. The send time and receive time of the key are configured based on the time mode of the keychain.

Default Send Key

If no key is configured in a period, no send key is active in that period. Therefore, applications do not send authentication packets to each other. A default send key can be configured to prevent this situation. When no other send keys are active, the default send key takes effect.

Receive Tolerance Time

When the send key on the sending device changes, the receive key on the receiving end must change as well. Because the clocks of the two devices may not be synchronized, the key change can be delayed, and packets may be lost during this period. To prevent this, the receive key change needs a smooth transition. The transition time is called the receive tolerance time.

The receive tolerance time only takes effect on the receive key and can be configured on each keychain. As shown in Figure 12-65, when the receive tolerance time is configured, the start receive time is advanced and the end receive time is delayed.

Figure 12-65 Valid Time Range of Tolerance Time
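The time-window rules described above (active send key, default send key, and receive tolerance), as an added example in Python that is not part of the Huawei document. It assumes the absolute (UTC) time mode; the key IDs, windows, and 5-minute tolerance are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass
class Key:
    key_id: int
    algorithm: str
    key_string: str
    send_start: datetime      # active send window is [send_start, send_end)
    send_end: datetime
    recv_start: datetime      # active receive window is [recv_start, recv_end)
    recv_end: datetime

class Keychain:
    """Absolute-time-mode keychain: every window is a UTC datetime."""
    def __init__(self, keys, default_send_key=None, receive_tolerance=timedelta(0)):
        self.keys: Dict[int, Key] = {k.key_id: k for k in keys}
        self.default_send_key = default_send_key        # key ID or None
        self.tolerance = receive_tolerance

    def active_send_key(self, now: datetime) -> Optional[Key]:
        for k in self.keys.values():
            if k.send_start <= now < k.send_end:
                return k
        # No send key covers this period: the default send key (if configured) takes effect.
        return self.keys.get(self.default_send_key)

    def active_receive_keys(self, now: datetime) -> List[int]:
        # Tolerance advances each receive start and delays each receive end, so the old
        # and new keys overlap while the two peers' clocks may still disagree.
        return sorted(k.key_id for k in self.keys.values()
                      if k.recv_start - self.tolerance <= now < k.recv_end + self.tolerance)

def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed example: key 1 covers the morning, key 2 the afternoon, and key 3 is the
# default send key whose own window expired earlier in the month.
KEYCHAIN = Keychain(
    [Key(1, "hmac-sha256", "k1", _utc(2019, 12, 13, 0), _utc(2019, 12, 13, 12),
         _utc(2019, 12, 13, 0), _utc(2019, 12, 13, 12)),
     Key(2, "hmac-sha256", "k2", _utc(2019, 12, 13, 12), _utc(2019, 12, 14, 0),
         _utc(2019, 12, 13, 12), _utc(2019, 12, 14, 0)),
     Key(3, "hmac-sha256", "k3", _utc(2019, 12, 1, 0), _utc(2019, 12, 2, 0),
         _utc(2019, 12, 1, 0), _utc(2019, 12, 2, 0))],
    default_send_key=3, receive_tolerance=timedelta(minutes=5))
```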

TCP kind-value and TCP algorithm-id

TCP applications establish connections using TCP authentication. TCP uses the enhanced TCP authentication option to send TCP authentication packets.

  • Vendors use different kind-values to represent the enhanced TCP authentication option. To enable devices from different vendors to communicate with each other, the kind-value can be configured to match the TCP kind value of the peer device.

  • The enhanced TCP authentication option contains an algorithm-id field that indicates the type of algorithm. Because the algorithm-id is not defined by the Internet Assigned Numbers Authority (IANA), different vendors use different algorithm-ids to represent the same algorithms. The mapping between the algorithm-id and the algorithm can be configured to enable devices from different vendors to communicate with each other.

Principles of Applying Keychain to a Non-TCP Application

The keychain provides authentication for application-layer protocols. A keychain takes effect only after it is applied to an application. Based on their processing procedures, the applications a keychain can be applied to are divided into non-TCP applications and TCP applications.

A Non-TCP Application Sends Packets Using the Keychain

A non-TCP application sends packets using the keychain in the procedure shown in Figure 12-66.
  1. The application requests the ID of the active send key and the algorithm of the keychain.

  2. If an active send key exists, the keychain module provides the ID and algorithm of the active send key. If no active send key exists, the application sends the packet without encryption.

  3. After receiving the ID and algorithm of the active send key, the application converts the algorithm into the protocol's algorithm ID and encapsulates the algorithm ID and the key ID in the packet.

  4. The application provides data for MAC calculation.

  5. The keychain module calculates the MAC using the algorithm and key defined by the active send key and returns the MAC to the application.

  6. The application generates a packet carrying authentication information and sends the packet.

Figure 12-66 A non-TCP application sends packets using the keychain

A Non-TCP Application Receives Packets Using the Keychain

A non-TCP application receives packets using the keychain in the procedure shown in Figure 12-67.
  1. The receiving end receives a packet carrying authentication information.

  2. The application on the receiving end converts the received algorithm ID into the keychain algorithm.

  3. The application on the receiving end provides data packets, key ID, algorithm, and the MAC to be verified.

  4. The keychain module checks whether the receive key with the key ID carried in the received packet is active. If the receive key is not active, the keychain sends a Reject packet.

  5. If the receive key is active, the keychain module uses the algorithm and key string configured on the key to recalculate the MAC and checks whether the new MAC and the received MAC are the same.

  6. A message indicating authentication success or failure is returned.

  7. The application receives or discards the packets based on the authentication result.

Figure 12-67 A non-TCP application receives packets using the keychain
IS-IS uses keychain authentication, but IS-IS packets do not carry a key ID. When the receiving end receives an IS-IS packet carrying authentication information, the device checks all active receive keys and uses the one with the same algorithm for verification.
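The non-TCP send and receive procedures above (including the IS-IS case without a key ID), as an added example in Python that is not part of the Huawei document. The key table, key strings, and protocol algorithm IDs are constructed, and the keychain is assumed to have already applied the time windows, so keys simply carry send-active and receive-active flags.

```python
import hashlib
import hmac
# Constructed key table. The keychain module is assumed to have already applied the
# time windows, so each key just carries its send-active and receive-active flags.
KEYS = {
    1: {"algorithm": "hmac-sha256", "key_string": b"constructed-key-1", "send": False, "recv": True},
    2: {"algorithm": "hmac-sha256", "key_string": b"constructed-key-2", "send": True, "recv": True},
    3: {"algorithm": "hmac-md5", "key_string": b"constructed-key-3", "send": False, "recv": False},
}
DIGESTS = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1, "hmac-sha256": hashlib.sha256}
# Sending step 3 converts the keychain algorithm into a protocol algorithm ID (constructed values).
PROTO_ALG_ID = {"hmac-md5": 1, "hmac-sha1": 2, "hmac-sha256": 3}
ALG_BY_PROTO_ID = {v: k for k, v in PROTO_ALG_ID.items()}

def compute_mac(algorithm, key_string, data):
    return hmac.new(key_string, data, DIGESTS[algorithm]).digest()

def send(data):
    """Sending steps 1-6: ask for the active send key, tag the packet with the
    protocol algorithm ID and key ID, then append the MAC the keychain computed."""
    active = [(kid, k) for kid, k in KEYS.items() if k["send"]]
    if not active:
        return {"data": data, "auth": None}  # step 2: no active send key, packet is sent unauthenticated
    kid, key = active[0]
    mac = compute_mac(key["algorithm"], key["key_string"], data)
    return {"data": data, "auth": {"alg_id": PROTO_ALG_ID[key["algorithm"]], "key_id": kid, "mac": mac}}

def receive(packet):
    """Receiving steps 1-7: map the algorithm ID back, find the key by ID, reject if it is
    not an active receive key, otherwise recompute the MAC and compare in constant time."""
    auth = packet["auth"]
    if auth is None:
        return "reject"
    algorithm = ALG_BY_PROTO_ID.get(auth["alg_id"])
    key = KEYS.get(auth["key_id"])
    if key is None or not key["recv"] or key["algorithm"] != algorithm:
        return "reject"  # step 4: receive key missing or not active
    expected = compute_mac(algorithm, key["key_string"], packet["data"])
    return "accept" if hmac.compare_digest(expected, auth["mac"]) else "reject"

def receive_isis(packet):
    """IS-IS variant: no key ID on the wire, so try every active receive key with the same algorithm."""
    auth = packet["auth"]
    algorithm = ALG_BY_PROTO_ID.get(auth["alg_id"])
    for key in KEYS.values():
        if key["recv"] and key["algorithm"] == algorithm:
            if hmac.compare_digest(compute_mac(algorithm, key["key_string"], packet["data"]), auth["mac"]):
                return "accept"
    return "reject"
```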

Principles of Applying Keychain to TCP Applications

TCP Applications Send Packets Using the Keychain

In the donica draft, TCP uses the enhanced TCP authentication option to send TCP authentication packets. Figure 12-68 shows the format of the enhanced TCP authentication option.

Figure 12-68 Format of enhanced TCP authentication option

The donica draft has not been standardized, and IANA has not defined the kind value and algorithm ID, so vendors use different kind values and algorithm IDs. To enable devices from different vendors to communicate with each other, you can configure the TCP kind value and the mapping between the TCP algorithm and the algorithm ID.

A TCP application sends packets using the keychain in the procedure shown in Figure 12-69.
  1. The application requests the ID, TCP kind value, and TCP algorithm ID of the active send key.

  2. If the active send key exists, the keychain provides information about the request.

  3. The application fills the specified TCP kind value, TCP algorithm ID, and key ID entries in the enhanced TCP authentication options.

  4. The application provides data for MAC calculation.

  5. The keychain module calculates the MAC based on the algorithm and key string configured for the active send key and returns the MAC.

  6. The application fills the MAC entry in the enhanced TCP authentication options and sends the packet.

Figure 12-69 A TCP application sends packets using the keychain

A TCP Application Receives Packets Using the Keychain

A TCP application receives packets using the keychain in the procedure shown in Figure 12-70.
  1. The receiving end receives a TCP packet carrying authentication information.

  2. The receiving end provides the packet data, key ID, TCP algorithm ID, TCP kind value, and the MAC to be verified to the keychain.

  3. The keychain checks whether the TCP kind value and algorithm ID in the received packet are the same as those configured on the local end. If not, the keychain sends a Reject packet.

  4. The keychain module checks whether the receive key with the key ID carried in the received packet is active. If the receive key is not active, the keychain sends a Reject packet.

  5. If the receive key is active, the keychain module uses the algorithm and key string configured on the key to recalculate the MAC and checks whether the new MAC and the received MAC are the same.

  6. A message indicating authentication success or failure is returned.

  7. The application receives or discards the packets based on the authentication result.

Figure 12-70 A TCP application receives packets using the keychain
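The TCP send and receive procedures above, as an added example in Python that is not part of the Huawei document. The document names the fields of the enhanced TCP authentication option but not their widths or order, so the byte layout kind(1) length(1) algorithm-id(1) key-id(1) MAC is an assumption, as are the kind value 254, the algorithm-id mappings, and the key table; the example shows the vendor mapping mismatch from step 3 being rejected and then accepted once the local mapping is configured to match the peer.

```python
import hashlib
import hmac
import struct

# Per-device configuration (constructed values). Both the TCP kind value and the
# algorithm-to-algorithm-ID mapping are vendor-specific and must agree with the peer.
LOCAL = {"kind": 254, "alg_id": {"hmac-md5": 3, "hmac-sha1": 5}}
DIGESTS = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1}
# Constructed receive key table; the keychain is assumed to have applied the time windows already.
KEYS = {7: {"algorithm": "hmac-md5", "key_string": b"constructed-key-7", "recv_active": True}}

# Option layout assumed here: kind(1) length(1) algorithm-id(1) key-id(1) MAC(n).
def build_option(cfg, key_id, algorithm, key_string, data):
    """Sending steps 3-6: fill kind, algorithm ID and key ID, then append the MAC."""
    mac = hmac.new(key_string, data, DIGESTS[algorithm]).digest()
    body = struct.pack("!BB", cfg["alg_id"][algorithm], key_id) + mac
    return struct.pack("!BB", cfg["kind"], 2 + len(body)) + body

def verify_option(cfg, keys, option, data):
    """Receiving steps 3-6: kind and algorithm ID must match the local configuration,
    the key ID must name an active receive key, and the recomputed MAC must match."""
    if len(option) < 4:
        return "reject"
    kind, length = struct.unpack("!BB", option[:2])
    if kind != cfg["kind"] or length != len(option):
        return "reject"  # step 3: peer uses a different kind value
    alg_id, key_id = struct.unpack("!BB", option[2:4])
    algorithm = next((a for a, i in cfg["alg_id"].items() if i == alg_id), None)
    if algorithm is None:
        return "reject"  # step 3: algorithm ID not in the local mapping
    key = keys.get(key_id)
    if key is None or not key["recv_active"] or key["algorithm"] != algorithm:
        return "reject"  # step 4: receive key missing or inactive
    mac = hmac.new(key["key_string"], data, DIGESTS[algorithm]).digest()
    return "accept" if hmac.compare_digest(mac, option[4:]) else "reject"
```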
Updated: 2019-12-13

Document ID: EDOC1000041694