AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

Keychain Configuration Commands

algorithm

Function

The algorithm command configures a key authentication algorithm.

The undo algorithm command deletes a key authentication algorithm.

By default, no algorithm is configured.

Format

algorithm { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 | simple }

undo algorithm

Parameters

Parameter Description Value
hmac-md5 Indicates that HMAC (Keyed-Hashing for Message Authentication)-Message Digest 5 (MD5) is used for packet encryption and authentication.
NOTE:

HMAC-MD5 has potential security risks. HMAC-SHA-256 or SHA-256 is recommended.

-
hmac-sha-256 Indicates that HMAC-Secure Hash Algorithm 256 (SHA-256) is used for packet encryption and authentication. -
hmac-sha1-12 Indicates that HMAC-Secure Hash Algorithm 1-12 (SHA1-12) is used for packet encryption and authentication. -
hmac-sha1-20 Indicates that HMAC-SHA1-20 is used for packet encryption and authentication. -
md5 Indicates that MD5 is used for packet encryption and authentication.
NOTE:

MD5 has potential security risks. HMAC-SHA-256 or SHA-256 is recommended.

-
sha-1 Indicates that SHA-1 is used for packet encryption and authentication.
NOTE:

To ensure high security, do not use the SHA-1 algorithm.

-
sha-256 Indicates that SHA-256 is used for packet encryption and authentication. -
simple Indicates that the configured key is used for packet authentication.
NOTE:

The authentication algorithm specified by simple is not secure. HMAC-SHA-256 or SHA-256 is recommended.

-

Views

Key-ID view

Default Level

2: Configuration Level

Usage Guidelines

Usage Scenario

A keychain ensures secure protocol packet transmission by dynamically changing the authentication algorithm and key string. A keychain consists of multiple keys, each of which needs to be configured with an authentication algorithm. Different keys are valid within different time periods, ensuring dynamic change of keychain authentication algorithms.

Packets are authenticated and encrypted based on the authentication algorithm and key string associated with a specified key. This improves the packet transmission security.

The characteristics of each authentication algorithm are as follows:
  • MD5: The 128-bit MD5 message digest is calculated based on the entered message of any length.

  • SHA-1: The 160-bit SHA-1 message digest is calculated based on the entered message with the length shorter than the 64th power of 2.

  • HMAC-MD5: The 128-bit HMAC-MD5 message digest is calculated based on the 512-bit message that is converted from the entered message of any length.

    NOTE:

    If the length of an entered message is less than 512 bits, 0s are added to make up a 512-bit message. If the length of an entered message is greater than 512 bits, the message is converted into a 128-bit message based on the MD5 algorithm. After that, 0s are added to make up a 512-bit message.

  • HMAC-SHA-256: The 128-bit SHA-1 message digest.
  • HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. The leftmost 96 bits (12 x 8) are used as the authentication code.

  • HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 160 bits are used as the authentication code.

  • SHA-256: The 128-bit SHA-1 message digest.
The MD5 algorithm provides faster calculation speed than the SHA-1 algorithm; the SHA-1 algorithm is more secure than the MD5 algorithm. Compared with MD5 and SHA-1, HMAC is more secure, but slower in calculation speed. The HMAC algorithm is recommended to improve data transmission security.
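The truncation described above for HMAC-SHA1-12 (leftmost 96 bits of the 160-bit HMAC-SHA1 output) and the sender/receiver agreement required in the Precautions, as an added Python example that is not part of this reference or of the device software. The packet bytes and key string are constructed sample values; rejecting hmac-md5 by default is a policy choice of the example, not device behaviour.

```python
import hmac

# Digest name and authentication-code length in bytes for each HMAC option of
# the algorithm command. HMAC-SHA1-12 keeps only the leftmost 96 bits (12 x 8)
# of the 160-bit HMAC-SHA1 output; HMAC-SHA1-20 keeps all 160 bits.
ALGORITHMS = {
    "hmac-md5": ("md5", 16),
    "hmac-sha1-12": ("sha1", 12),
    "hmac-sha1-20": ("sha1", 20),
    "hmac-sha-256": ("sha256", 32),
}

# Option the command reference flags as carrying security risks.
WEAK_ALGORITHMS = {"hmac-md5"}


def authentication_code(algorithm: str, key_string: bytes, packet: bytes) -> bytes:
    """Sender side: compute the code attached to a protocol packet.

    The HMAC is keyed with the key string of the active send key, computed
    over the packet bytes, and truncated to the length the option defines.
    """
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported keychain algorithm: {algorithm}")
    digest_name, code_len = ALGORITHMS[algorithm]
    return hmac.new(key_string, packet, digest_name).digest()[:code_len]


def verify_authentication_code(algorithm: str, key_string: bytes, packet: bytes,
                               received: bytes, allow_weak: bool = False) -> bool:
    """Receiver side: recompute with the receive key and compare in constant time.

    Sender and receiver must agree on both the algorithm and the key string;
    a mismatch in either makes verification fail. Weak options are rejected
    unless the caller explicitly allows them (an assumption of this example).
    """
    if algorithm in WEAK_ALGORITHMS and not allow_weak:
        return False
    expected = authentication_code(algorithm, key_string, packet)
    return len(received) == len(expected) and hmac.compare_digest(expected, received)


# Constructed sample input: a made-up protocol payload and key string.
SAMPLE_PACKET = b"\x02\x01\x00\x2c" + b"constructed protocol payload"
SAMPLE_KEY = b"Huawei@1234"

if __name__ == "__main__":
    for option in ALGORITHMS:
        code = authentication_code(option, SAMPLE_KEY, SAMPLE_PACKET)
        print(f"{option:13s} {len(code) * 8:3d}-bit code {code.hex()}")
```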

Precautions

Keys configured on the sender and receiver of packets must use the same authentication and encryption algorithms. Otherwise, the packets fail authentication and packet transmission fails.

If no algorithm is configured, the key never becomes active.

Example

# Configure algorithm sha-256 on key-id 1.

<Huawei> system-view
[Huawei] keychain huawei mode absolute
[Huawei-keychain-huawei] key-id 1
[Huawei-keychain-huawei-keyid-1] algorithm sha-256

default send-key-id

Function

The default send-key-id command configures a particular key as the default send key for its keychain.

The undo default send-key-id command deletes the default send key.

By default, no key is configured as the default send key.

Format

default send-key-id

undo default send-key-id

Parameters

None

Views

Key-ID view

Default Level

2: Configuration Level

Usage Guidelines

Usage Scenario

In keychain authentication mode, secure protocol packet transmission is provided by changing the authentication algorithm and key string dynamically. This reduces the workload of changing the algorithm and key manually. A keychain consists of multiple authentication keys, each of which is valid within a different time period. When a key becomes valid, the authentication algorithm corresponding to the key is used, and packets that pass authentication are sent or received.

If a key for packet sending is not configured in a keychain or no key for packet sending is valid within a certain period, protocol packets cannot be authenticated and encrypted. As a result, protocol packet transmission fails. To address such a problem, configure a default key for packet sending. If no key is valid, the default key for packet sending is used.

Precautions

Each keychain can have only one default key for packet sending.

  • If the default key for packet sending is an existing key, the authentication and encryption algorithms, and key corresponding to the key are used.

  • If the default key for packet sending is a newly created key, configure the authentication and encryption algorithms.

Example

# Configure key-id 1 as the default send key in keychain huawei.

<Huawei> system-view
[Huawei] keychain huawei mode absolute
[Huawei-keychain-huawei] key-id 1
[Huawei-keychain-huawei-keyid-1] default send-key-id

display keychain

Function

The display keychain command displays the configuration of a specified keychain.

Format

display keychain keychain-name [ key-id key-id ]

Parameters

Parameter Description Value
keychain-name Displays the configuration of a keychain with a specified name. The keychain must already exist.
key-id key-id Displays the configuration of a specified key in the keychain. The key must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To troubleshoot a keychain authentication failure or collect required information before configuration, run the display keychain command to view configurations of a specified keychain.

Example

# Display the configuration of the keychain huawei.

<Huawei> display keychain huawei
 Keychain Information:
 ---------------------
 Keychain Name             : huawei
   Timer Mode              : Absolute
   Receive Tolerance(min)  : 100
   TCP Kind                : 182
   TCP Algorithm IDs       :
     HMAC-MD5              : 5
     HMAC-SHA1-12          : 2
     HMAC-SHA1-20          : 6
     HMAC-SHA-256          : 7
     SHA-256               : 8
     MD5                   : 3
     SHA1                  : 4
 Number of Key IDs         : 1
 Active Send Key ID        : 1
 Active Receive Key IDs    : 01
 Default send Key ID       : 1
 Default send Key Status   : Inactive

 Key ID Information:
 -------------------
 Key ID                    : 1
   Key string              : ******
   Algorithm               : MD5
   SEND TIMER              :
     Start time            : 2012-03-14 00:00
     End time              : 2012-08-08 23:59
     Status                : Active
   RECEIVE TIMER           :
     Start time            : 2012-03-14 00:00
     End time              : 2012-08-08 23:59
     Status                : Active

 Key ID                    : 2
   Key string              : -
   Algorithm               : -
   SEND TIMER              :
     Status                : Inactive
   RECEIVE TIMER           :
     Status                : Inactive

# Display the configuration of key-id 1 in the keychain huawei.

<Huawei> display keychain huawei key-id 1
 Keychain Information:
 ---------------------
 Keychain Name             : huawei
   Timer Mode              : Absolute
   Receive Tolerance(min)  : 100
   TCP Kind                : 182
   TCP Algorithm IDs       :
     HMAC-MD5              : 5
     HMAC-SHA1-12          : 2
     HMAC-SHA1-20          : 6
     HMAC-SHA-256          : 7
     SHA-256               : 8
     MD5                   : 3
     SHA1                  : 4

 Key ID Information:
 -------------------
 Key ID                    : 1
   Key string              : ******
   Algorithm               : MD5
   SEND TIMER              :
     Start time            : 2012-03-14 00:00
     End time              : 2012-08-08 23:59
     Status                : Active
   RECEIVE TIMER           :
     Start time            : 2012-03-14 00:00
     End time              : 2012-08-08 23:59
     Status                : Active
   DEFAULT SEND KEY ID INFORMATION
     Default               : Configured
     Status                : Inactive
Table 14-112  Description of the display keychain command output

Item

Description

Keychain Name

Name of a keychain.

To set the keychain name, run the keychain command.

Timer Mode

Time mode of a keychain.

  • Absolute: The keychain takes effect in an absolute time range.
  • Daily periodic: The keychain is valid on a daily basis.
  • Weekly periodic: The keychain is valid on a weekly basis.
  • Monthly periodic: The keychain is valid on a monthly basis.
  • Yearly periodic: The keychain is valid on a yearly basis.

To set the time mode, run the keychain command.

Receive Tolerance(min)

Receive tolerance time configured for a keychain.

To set the receive tolerance time, run the receive-tolerance command.

TCP Kind

TCP kind value configured for a keychain.

To set the TCP kind value, run the tcp-kind command.

TCP Algorithm IDs

TCP algorithm ID configured for a keychain.

The characteristics of each authentication algorithm are as follows:
  • MD5: The 128-bit MD5 message digest is calculated based on the entered message of any length.

  • SHA-1: The 160-bit SHA-1 message digest is calculated based on the entered message with the length shorter than the 64th power of 2.

  • HMAC-MD5: The 128-bit HMAC-MD5 message digest is calculated based on the 512-bit message that is converted from the entered message of any length.

    NOTE:

    If the length of an entered message is less than 512 bits, 0s are added to make up a 512-bit message. If the length of an entered message is greater than 512 bits, the message is converted into a 128-bit message based on the MD5 algorithm. After that, 0s are added to make up a 512-bit message.

  • HMAC-SHA-256: The 128-bit SHA-1 message digest.
  • HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. The leftmost 96 bits (12 x 8) are used as the authentication code.

  • HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 160 bits are used as the authentication code.

  • SHA-256: The 128-bit SHA-1 message digest.
The MD5 algorithm provides faster calculation speed than the SHA-1 algorithm; the SHA-1 algorithm is more secure than the MD5 algorithm. Compared with MD5 and SHA-1, HMAC is more secure, but slower in calculation speed. The HMAC algorithm is recommended to improve data transmission security.

To set the TCP algorithm ID, run the tcp-algorithm-id command.

Number of Key IDs

Number of key IDs.

Active Send Key ID

ID of the active send key.

Active Receive Key IDs

IDs of the active receive keys.

Default send Key ID

ID of the default send key.

Default send Key Status

Status of the default send key:
  • Active
  • Inactive

Key ID

Key configured in a keychain.

To set the key ID, run the key-id command.

Key string

Key string configured for the key.

To set the key string, run the key-string command.

Algorithm

Algorithm configured for the key.

The characteristics of each authentication algorithm are as follows:
  • MD5: The 128-bit MD5 message digest is calculated based on the entered message of any length.

  • SHA-1: The 160-bit SHA-1 message digest is calculated based on the entered message with the length shorter than the 64th power of 2.

  • HMAC-MD5: The 128-bit HMAC-MD5 message digest is calculated based on the 512-bit message that is converted from the entered message of any length.

    NOTE:

    If the length of an entered message is less than 512 bits, 0s are added to make up a 512-bit message. If the length of an entered message is greater than 512 bits, the message is converted into a 128-bit message based on the MD5 algorithm. After that, 0s are added to make up a 512-bit message.

  • HMAC-SHA-256: The 128-bit SHA-1 message digest.
  • HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. The leftmost 96 bits (12 x 8) are used as the authentication code.

  • HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 160 bits are used as the authentication code.

  • SHA-256: The 128-bit SHA-1 message digest.
The MD5 algorithm provides faster calculation speed than the SHA-1 algorithm; the SHA-1 algorithm is more secure than the MD5 algorithm. Compared with MD5 and SHA-1, HMAC is more secure, but slower in calculation speed. The HMAC algorithm is recommended to improve data transmission security.

SEND TIMER

Send time of a key.

To set the send time of a key, run the send-time command.

Start time

Time when a key becomes valid.

End time

Time when a key becomes invalid.

Status

Status of send/receive keys:

  • Active
  • Inactive

RECEIVE TIMER

Receive time of a key.

To set the receive time of a key, run the receive-time command.

DEFAULT SEND KEY ID INFORMATION

Information about the default send key.

Default

Configuration of the default send key:

  • Not configured
  • Configured

Status

Status of the default send key:

  • Active
  • Inactive
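A parser for the display keychain output format shown above, with an audit pass that flags keys the reference says can never become active (no algorithm or no key string) and keys on algorithms the reference warns about. This is an added Python example, not a Huawei tool; the embedded output is a constructed copy of the sample above, and the field names it relies on are exactly those in Table 14-112.

```python
import re
from typing import Dict, List

# Algorithms the command reference flags as risky (MD5, HMAC-MD5, SHA-1) or
# insecure (simple), spelled as they appear in display keychain output.
WEAK_ALGORITHMS = {"MD5", "HMAC-MD5", "SHA1", "SHA-1", "SIMPLE"}

# Sub-sections of a key entry that carry their own Start time/End time/Status.
TIMER_SECTIONS = {
    "SEND TIMER": "send",
    "RECEIVE TIMER": "receive",
    "DEFAULT SEND KEY ID INFORMATION": "default_send",
}

# "  Field name   : value" lines; separators ("----") and blank lines do not match.
FIELD = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z0-9 ()/-]*?)\s*:\s*(?P<value>.*?)\s*$")


def parse_display_keychain(text: str) -> Dict:
    """Parse display keychain output into {'keychain': {...}, 'keys': [...]}.

    Header fields (Timer Mode, Receive Tolerance(min), ...) go under 'keychain';
    each 'Key ID' line opens a new key whose timers become nested dicts.
    """
    parsed = {"keychain": {}, "keys": []}
    current = None   # key entry being filled
    section = None   # timer sub-section of the current key
    for line in text.splitlines():
        heading = line.strip().rstrip(":").strip()
        if heading in TIMER_SECTIONS:
            section = TIMER_SECTIONS[heading]
            continue
        match = FIELD.match(line)
        if not match or not match.group("value"):
            continue   # banners such as "Keychain Information:" carry no value
        name, value = match.group("name"), match.group("value")
        if name == "Key ID":
            current = {"id": int(value), "send": {}, "receive": {}, "default_send": {}}
            parsed["keys"].append(current)
            section = None
        elif current is None:
            parsed["keychain"][name] = value
        elif section and name in ("Start time", "End time", "Status", "Default"):
            current[section][name] = value
        else:
            current[name] = value
    return parsed


def audit_keychain(parsed: Dict) -> List[str]:
    """Flag keys that can never be active and keys on algorithms the reference warns about."""
    name = parsed["keychain"].get("Keychain Name", "<unnamed>")
    findings = []
    for key in parsed["keys"]:
        alg = key.get("Algorithm", "-").upper()
        if alg == "-":
            findings.append(f"{name}: key-id {key['id']} has no algorithm configured; it will never be active")
        elif alg in WEAK_ALGORITHMS:
            findings.append(f"{name}: key-id {key['id']} uses {alg}; HMAC-SHA-256 or SHA-256 is recommended")
        if key.get("Key string", "-") == "-":
            findings.append(f"{name}: key-id {key['id']} has no key string; it stays inactive")
    if parsed["keychain"].get("Default send Key ID", "-") == "-":
        findings.append(f"{name}: no default send key; packets sent between key validity periods cannot be authenticated")
    return findings


# Constructed sample, modelled on the display keychain huawei output above.
SAMPLE_OUTPUT = """\
 Keychain Information:
 ---------------------
 Keychain Name             : huawei
   Timer Mode              : Absolute
   Receive Tolerance(min)  : 100
   TCP Kind                : 182
 Number of Key IDs         : 2
 Active Send Key ID        : 1
 Active Receive Key IDs    : 01
 Default send Key ID       : 1
 Default send Key Status   : Inactive

 Key ID Information:
 -------------------
 Key ID                    : 1
   Key string              : ******
   Algorithm               : MD5
   SEND TIMER              :
     Start time            : 2012-03-14 00:00
     End time              : 2012-08-08 23:59
     Status                : Active
   RECEIVE TIMER           :
     Start time            : 2012-03-14 00:00
     End time              : 2012-08-08 23:59
     Status                : Active

 Key ID                    : 2
   Key string              : -
   Algorithm               : -
   SEND TIMER              :
     Status                : Inactive
   RECEIVE TIMER           :
     Status                : Inactive
"""

if __name__ == "__main__":
    for finding in audit_keychain(parse_display_keychain(SAMPLE_OUTPUT)):
        print(finding)
```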

keychain

Function

The keychain command creates a new set of keychain rules or displays the keychain view.

The undo keychain command deletes the keychain configuration.

By default, no keychain is configured.

Format

keychain keychain-name mode { absolute | periodic { daily | weekly | monthly | yearly } }

undo keychain keychain-name

Parameters

Parameter Description Value
keychain-name Specifies the keychain name. All applications identify the set of keychain rules by keychain name. The value is a string of 1 to 47 case-insensitive characters, excluding the question mark (?) and space. However, when double quotation marks (") are used around the string, spaces are allowed in the string.
mode Indicates the time mode of a keychain.
NOTE:
  • The time mode of a keychain must be specified when a keychain is created.
  • The time mode does not need to be specified when entering the view of an existing keychain.
-
absolute Indicates that the given keychain is non-periodic. -
periodic Indicates that the given keychain is periodic. -
daily Indicates that the given keychain is day-periodic. -
weekly Indicates that the given keychain is week-periodic. -
monthly Indicates that the given keychain is month-periodic. -
yearly Indicates that the given keychain is year-periodic. -

Views

System view

Default Level

2: Configuration Level

Usage Guidelines

Usage Scenario

In keychain authentication mode, secure protocol packet transmission is provided by dynamically changing the authentication algorithm and key string. This can prevent unauthorized users from obtaining the key string, and authentication and encryption algorithms, and reduce the workload of manually changing the algorithm and key string.

Each keychain consists of multiple keys that are valid within different time periods and each key is configured with an authentication algorithm. When a key becomes valid, the corresponding authentication algorithm is used.

There are two keychain time modes:
  • Absolute time range: In this mode, keychains are valid within a certain period.

  • Periodic time range: In this mode, keychains are valid periodically.

Follow-up Procedure

Run the key-id command to configure a key. If the key is not configured, the keychain cannot authenticate and encrypt protocol packets.

The time mode of a key must be the same as the time mode of the keychain.

Precautions

A keychain supports a maximum of 64 keys.

The keychain keychain-name command displays a specific keychain view. If the keychain specified by keychain-name does not exist, the keychain keychain-name command cannot be executed. To create a keychain, run the keychain keychain-name mode { absolute | periodic { daily | weekly | monthly | yearly } } command.

Example

# Configure the keychain huawei and enter keychain view.

<Huawei> system-view
[Huawei] keychain huawei mode absolute 
[Huawei-keychain-huawei] 

key-id

Function

The key-id command creates a key ID or displays the key-id view.

The undo key-id command deletes the key-id configuration.

By default, no key-id is configured.

Format

key-id key-id

undo key-id key-id

Parameters

Parameter Description Value
key-id Specifies the key identification number of a keychain. The integer value ranges from 0 to 63.

Views

Keychain view

Default Level

2: Configuration Level

Usage Guidelines

Usage Scenario

In keychain authentication mode, secure protocol packet transmission is provided by changing the authentication algorithm and key dynamically. This can reduce the workload of manually changing the algorithm and key.

The dynamic change of the keychain authentication algorithm is implemented based on the keys. Each keychain consists of multiple keys that are valid within different time periods and each key is configured with an authentication algorithm. When a key becomes valid, the corresponding authentication algorithm is used.

Follow-up Procedure

After key-id is specified, perform the following operations:
  • Run the algorithm command to configure an algorithm used by the key.
  • Run the key-string command to specify a key string.
  • Run the send-time command to specify the send time of the key.
  • Run the receive-time command to specify the receive time of the key.

Precautions

A key-id represents a key on the device.

A keychain supports 64 keys, but only one key takes effect during one period.

In the intervals between key validity periods, no active key is available to authenticate and encrypt protocol packets. Therefore, run the default send-key-id command to specify a default key.

The time mode of the key must be the same as the time mode of the keychain.

Example

# Configure key-id 1.

<Huawei> system-view
[Huawei] keychain huawei mode absolute 
[Huawei-keychain-huawei] key-id 1
[Huawei-keychain-huawei-keyid-1]

key-string

Function

The key-string command specifies a key used for keychain authentication.

The undo key-string command deletes a key used for keychain authentication.

By default, no key is configured for keychain authentication.

Format

key-string { plain plain-text | [ cipher ] cipher-text }

undo key-string

Parameters

Parameter Description Value
plain plain-text Indicates the plain text used for authentication. The configured text will be stored as unencrypted text and displayed as unencrypted text.
NOTE:

When configuring an authentication password, select the ciphertext mode: if you select the plaintext mode, the password is saved in the configuration file as plain text, which is a high risk. To ensure device security, change the password periodically.

The value is a string of 1 to 255 case-sensitive characters, which can be letters or digits.
NOTE:

If a password contains a space, the password must be placed in a pair of double quotation marks. Only one pair of double quotation marks can be used for each password.

cipher Specifies the cipher key string used for encryption and decryption. -
cipher-text Indicates the cipher text used for authentication.
The value is a string of case-sensitive characters that can be letters or digits. The authentication password can be a string of 1 to 255 characters in plaintext or a string of 20 to 392 characters in ciphertext.
NOTE:

If a password contains a space, the password must be placed in a pair of double quotation marks. Only one pair of double quotation marks can be used for each password.

Views

Key-ID view

Default Level

2: Configuration Level

Usage Guidelines

Usage Scenario

In keychain authentication mode, secure protocol packet transmission is provided by dynamically changing the authentication algorithm and key string. This can prevent unauthorized users from obtaining the key string, and authentication and encryption algorithms, and reduce the workload of manually changing the algorithm and key string.

Each keychain consists of multiple keys that are valid within different time periods and each key is configured with an authentication algorithm. When a key becomes valid, the corresponding authentication algorithm is used.

Precautions

An authentication key configured in cipher text mode is also displayed in cipher text mode. Therefore, remember the plaintext key string when configuring the key in cipher text mode.

If the authentication key is not configured, the corresponding key remains in inactive state.

Example

# Configure the key string Huawei@1234.

<Huawei> system-view
[Huawei] keychain huawei mode absolute 
[Huawei-keychain-huawei] key-id 1
[Huawei-keychain-huawei-keyid-1] key-string cipher Huawei@1234

receive-time

Function

The receive-time command configures a key as a receive key for the specified interval of time.

The undo receive-time command deletes the receive time configuration.

By default, no receive time is configured.

Format

receive-time utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }

receive-time daily start-time to end-time

receive-time day { start-day-name to end-day-name | day-name &<1-7> }

receive-time date { start-date-value to end-date-value | date-value &<1-31> }

receive-time month { start-month-name to end-month-name | month-name &<1-12> }

undo receive-time

Parameters

Parameter Description Value
utc Indicates that the given time is in UTC format. -
start-time Specifies the start receive time. In HH:MM format. The value ranges from 00:00 to 23:59.
start-date Specifies the start date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
duration duration-value Specifies the duration of the receive time in minutes. The value ranges from 1 to 26280000.
infinite Indicates that the key will be acting as an active receive key forever from the configured start time. -
to Indicates a separator. -
end-time Specifies the end receive time. In HH:MM format. The value ranges from 00:00 to 23:59. The end time must be later than the start time.
end-date Specifies the end date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
daily Specifies the daily receive time for the given key. -
day Specifies the days of the week. -
start-day-name Specifies the day of the week to be configured as the start receive day for the given key. It can be Mon, Tue, Wed, Thur, Fri, Sat, and Sun.
end-day-name Specifies the end receive day for the given key. It can be Tue, Wed, Thur, Fri, Sat, and Sun. The end day must be later than the start day.
day-name &<1-7> Specifies the day of the week to be configured as the receive day for the given key.

It can be Mon, Tue, Wed, Thur, Fri, Sat, and Sun.

One or more days can be configured.

date Specifies the date of the month. -
start-date-value Specifies the start date of the month to be configured as the receive date for the given key. The value ranges from 1 to 31.
end-date-value Specifies the end receive date of the month. The value ranges from 2 to 31. The end date must be later than the start date.
date-value &<1-31> Specifies the date of the month to be configured as the receive date for the given key.

The value ranges from 1 to 31. One or more dates can be configured.

month Specifies the months of the year. -
start-month-name Specifies the month of the year to be configured as the start receive month for the given key. It can be Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.
end-month-name Specifies the end receive month. The end month must be later than the start month.

It can be Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.

month-name &<1-12> Specifies the month of the year to be configured as the receive month for the given key.

It can be Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.

One or more months can be configured.

Views

Key-ID view

Default Level

2: Configuration Level

Usage Guidelines

Usage Scenario

Each keychain consists of multiple keys that are valid within different time periods and each key is configured with an authentication algorithm and key string. When a key becomes valid, the corresponding authentication algorithm and the key string are used. Configure different keys for packet sending and receiving to be valid within different time periods.

When the system time is within the specified interval, the receive key is in active state.

There are two keychain validity modes:
  • Absolute time range: In this mode, keychains are valid within a certain period.

  • Periodic time range: In this mode, keychains are valid periodically.

The mode in which receive keys become valid must be the same as that configured for the keychain.

Precautions

Multiple receive keys can be active at the same time. The device will select a key for decryption based on the received packet.

Example

# Configure the receive time with the time mode as absolute and range as infinite.

<Huawei> system-view
[Huawei] keychain huawei1 mode absolute
[Huawei-keychain-huawei1] key-id 1 
[Huawei-keychain-huawei1-keyid-1] receive-time utc 14:52 2008-10-1 duration infinite 

# Configure the receive time with the time mode as daily.

<Huawei> system-view
[Huawei] keychain huawei2 mode periodic daily
[Huawei-keychain-huawei2] key-id 1 
[Huawei-keychain-huawei2-keyid-1] receive-time daily 14:52 to 18:10 

receive-tolerance

Function

The receive-tolerance command sets receive tolerance for all the receive keys in the keychain.

The undo receive-tolerance command deletes the receive tolerance configuration.

By default, no receive tolerance is configured.

Format

receive-tolerance { value | infinite }

undo receive-tolerance

Parameters

Parameter Description Value
value Specifies the receive tolerance value for a keychain. The integer value ranges from 1 to 14400 in minutes.
infinite Indicates that the receive tolerance is infinite. That is, the receive key is always valid. -

Views

Keychain view

Default Level

2: Configuration Level

Usage Guidelines

Usage Scenario

In keychain authentication mode, secure protocol packet transmission is provided by changing the authentication algorithm and key string dynamically. Each key is configured with an authentication algorithm and a key string. When a key becomes valid, the corresponding authentication algorithm is used.

Due to the networking environment or clock asynchronization on the packet sender and receiver, packets may be delayed. The receiver may receive a packet sent from the sender after its key for packet receiving becomes invalid. As a result, the receiver discards the packet and packet transmission is interrupted. To address this problem, set a tolerance time to ensure that the validity period of the receive key on the receiver expires after all packets sent from the sender reach the receiver.

Precautions

A tolerance time is required for each keychain. The configured tolerance time takes effect for all keys in the keychain.
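The key activation rules spread across the key-id, default send-key-id, receive-time and receive-tolerance sections (one send key per period with the default send key filling gaps, several receive keys active at once, a key without an algorithm or key string never active, and tolerance letting late packets still match an expiring receive key), brought together in an added Python model that is not Huawei code. Assumptions labelled in the comments: tolerance is modelled as extending the end of each receive window, and the first configured key whose send window contains the current time wins when send windows overlap. Key 1 reuses the times from the display keychain sample; keys 2 and 3 and the key strings are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

INFINITE = "infinite"   # receive-tolerance infinite

Window = Tuple[datetime, Optional[datetime]]   # (start, end); end None = duration infinite


@dataclass
class Key:
    key_id: int
    algorithm: Optional[str] = None    # None: algorithm not configured
    key_string: Optional[str] = None   # None: key-string not configured
    send: Optional[Window] = None      # send-time utc ... window
    receive: Optional[Window] = None   # receive-time utc ... window

    def configured(self) -> bool:
        # Per the reference, a key without an algorithm or key string never becomes active.
        return self.algorithm is not None and self.key_string is not None


@dataclass
class Keychain:
    name: str
    keys: List[Key] = field(default_factory=list)
    receive_tolerance: object = None   # timedelta, INFINITE, or None (not configured)
    default_send_key_id: Optional[int] = None


def _in_window(window: Optional[Window], now: datetime,
               extension: timedelta = timedelta(0)) -> bool:
    if window is None:
        return False
    start, end = window
    if now < start:
        return False
    return end is None or now <= end + extension


def active_send_key(chain: Keychain, now: datetime) -> Optional[Key]:
    """Only one send key takes effect in a period; the default send key fills gaps.

    Assumption: when send windows overlap, the first configured key in
    key-id order wins (the reference does not state the tie-break).
    """
    for key in chain.keys:
        if key.configured() and _in_window(key.send, now):
            return key
    for key in chain.keys:
        if key.key_id == chain.default_send_key_id and key.configured():
            return key
    return None


def active_receive_keys(chain: Keychain, now: datetime) -> List[Key]:
    """Several receive keys may be active at once.

    Assumption: receive tolerance extends the end of each receive window, so
    delayed packets still match a key that has just expired; an infinite
    tolerance makes every configured receive key always valid.
    """
    if chain.receive_tolerance == INFINITE:
        return [k for k in chain.keys if k.configured() and k.receive is not None]
    extension = chain.receive_tolerance or timedelta(0)
    return [k for k in chain.keys if k.configured() and _in_window(k.receive, now, extension)]


def key_state(chain: Keychain, now: datetime) -> Tuple[Optional[int], List[int]]:
    """Return (active send key-id, sorted active receive key-ids) at time now."""
    send = active_send_key(chain, now)
    return (send.key_id if send else None,
            sorted(k.key_id for k in active_receive_keys(chain, now)))


def sample_keychain() -> Keychain:
    """Constructed absolute-mode keychain: key 2 starts an hour after key 1 ends;
    key 3 covers the gap but has no algorithm, so it can never be active."""
    k1_window = (datetime(2012, 3, 14, 0, 0), datetime(2012, 8, 8, 23, 59))
    k2_window = (datetime(2012, 8, 9, 1, 0), None)   # duration infinite
    gap_window = (datetime(2012, 8, 8, 0, 0), datetime(2012, 8, 10, 0, 0))
    return Keychain(
        name="huawei",
        keys=[
            Key(1, "hmac-sha-256", "Huawei@1234", send=k1_window, receive=k1_window),
            Key(2, "hmac-sha-256", "Huawei@5678", send=k2_window, receive=k2_window),
            Key(3, None, "Huawei@9999", send=gap_window, receive=gap_window),
        ],
        receive_tolerance=timedelta(minutes=100),   # receive-tolerance 100, as on the page
        default_send_key_id=1,
    )


def sample_state(iso_now: str, tolerance: str = "100") -> Tuple[Optional[int], List[int]]:
    """Evaluate the sample keychain at iso_now; tolerance is minutes, 'infinite' or 'none'."""
    chain = sample_keychain()
    if tolerance == "none":
        chain.receive_tolerance = None
    elif tolerance == INFINITE:
        chain.receive_tolerance = INFINITE
    else:
        chain.receive_tolerance = timedelta(minutes=int(tolerance))
    return key_state(chain, datetime.fromisoformat(iso_now))


if __name__ == "__main__":
    for when in ("2012-06-01T12:00", "2012-08-09T00:30", "2012-08-09T01:20", "2012-08-09T02:00"):
        print(when, sample_state(when))
```

At 2012-08-09 00:30 the model shows the gap case from the key-id Precautions: no send window is active, so the default send key is used, while the 100-minute tolerance keeps key 1 receivable until 01:39.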

Example

# Configure the receive tolerance time as 570 minutes.

<Huawei> system-view
[Huawei] keychain huawei mode absolute 
[Huawei-keychain-huawei] receive-tolerance 570 

send-time

Function

The send-time command configures a key as a send key at a specified interval.

The undo send-time command deletes the send time configuration.

By default, no send-time is configured.

Format

send-time utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }

send-time daily start-time to end-time

send-time day { start-day-name to end-day-name | day-name &<1-7> }

send-time date { start-date-value to end-date-value | date-value &<1-31> }

send-time month { start-month-name to end-month-name | month-name &<1-12> }

undo send-time

Parameters

Parameter Description Value
utc Indicates that the given time is in UTC format. -
start-time Specifies the start send time. The value is in HH:MM format. The value ranges from 00:00 to 23:59.
start-date Specify the start date. The value is in YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
duration duration-value Specifies the duration of the send time, in minutes. The value ranges from 1 to 26280000.
infinite Indicates that the key will act as a send key forever from the configured start time. -
to Indicates a separator. -
end-time Specifies the end send time. The value is in HH:MM format. The value ranges from 00:00 to 23:59. The end time must be later than the start time.
end-date Specifies the end date. The value is in YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
daily Specifies the daily send time for the given key. -
day Specifies the days of the week. -
start-day-name Specifies the day of the week to be configured as the start send day for the given key. It can be Mon, Tue, Wed, Thur, Fri, Sat, and Sun.
end-day-name Specifies the end send day for the given key. It can be Tue, Wed, Thur, Fri, Sat, and Sun. The end day must be later than the start day.
day-name &<1-7> Specifies the day of the week to be configured as the send day for the given key.

It can be Mon, Tue, Wed, Thur, Fri, Sat, and Sun.

One or more days can be configured.

date Specifies the date of the month. -
start-date-value Specifies the start date of the month to be configured as the send date for the given key. The value ranges from 1 to 31.
end-date-value Specifies the end date of the month to be configured as the send date for the given key. The value ranges from 2 to 31. The end date must be later than the start date.
date-value &<1-31> Specifies the date of the month to be configured as the send date for the given key.

The value ranges from 1 to 31. One or more dates can be configured.

month Specifies the months of the year. -
start-month-name Specifies the month of the year to be configured as the start send month for the given key. It can be Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.
end-month-name Specifies the end send month for the given key.

It can be Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.

The end month must be later than the start month.

month-name &<1-12> Specifies the month of the year to be configured as the send month for the given key.

It can be Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.

One or more months can be configured.

Views

Key-ID view

Default Level

2: Configuration Level

Usage Guidelines

Usage Scenario

Each keychain consists of multiple keys that are valid within different time periods and each key is configured with an authentication algorithm and a key string. When a key becomes valid, the corresponding authentication algorithm and the key string are used. Configure different send and receive keys to be valid within different time periods.

When the system is within the send time range of the key, the device will use the algorithm and key of the configured key to encrypt the packet.

There are two keychain validity modes:
  • Absolute time range: In this mode, keychains are valid within a certain period.

  • Periodic time range: In this mode, keychains are valid periodically.

The mode in which send keys become valid must be the same as that configured for the keychain.

Precautions

Multiple receive keys cannot be active at the same time. Only one key takes effect during a period in a keychain.
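The following added example (not Huawei's code) evaluates the send-time rules above against constructed keys: it checks that every key's send-time mode matches the keychain mode, evaluates absolute (end, duration or infinite), daily, day, date and month rules, and rejects overlapping send keys. A "Mon to Fri" style range is represented as the expanded list of names.

```python
from datetime import datetime, timedelta

# Added example (not Huawei's code): evaluates the send-time rules described above
# against constructed keys. Rule kinds mirror the command forms: absolute (start with
# end, duration or infinite), daily, day, date and month; a "Mon to Fri" style range
# is represented as the expanded list of names.
DAYS = ["Mon", "Tue", "Wed", "Thur", "Fri", "Sat", "Sun"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

def hhmm(text):  # 'HH:MM' -> minutes since midnight
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)

def key_is_sending(rule, now):
    """True if a key with this send-time rule is the send key at datetime 'now'."""
    kind = rule["kind"]
    if kind == "absolute":
        start = datetime.strptime(rule["start"], "%H:%M %Y-%m-%d")
        if now < start:
            return False
        if rule.get("infinite"):
            return True
        if "duration" in rule:  # duration is given in minutes
            return now < start + timedelta(minutes=rule["duration"])
        return now <= datetime.strptime(rule["end"], "%H:%M %Y-%m-%d")
    if kind == "daily":
        return hhmm(rule["start"]) <= now.hour * 60 + now.minute <= hhmm(rule["end"])
    if kind == "day":
        return DAYS[now.weekday()] in rule["days"]
    if kind == "date":
        return now.day in rule["dates"]
    if kind == "month":
        return MONTHS[now.month - 1] in rule["months"]
    raise ValueError(f"unknown send-time kind {kind}")

def active_send_key(keychain, now_iso):
    """keychain = {'mode': 'absolute'|'periodic', 'keys': {key_id: rule}}; every rule
    must match the keychain mode and at most one key may be active at now_iso."""
    now = datetime.fromisoformat(now_iso)
    active = []
    for key_id, rule in keychain["keys"].items():
        rule_mode = "absolute" if rule["kind"] == "absolute" else "periodic"
        if rule_mode != keychain["mode"]:
            raise ValueError(f"key-id {key_id}: send-time mode differs from keychain mode")
        if key_is_sending(rule, now):
            active.append(key_id)
    if len(active) > 1:
        raise ValueError(f"send keys {active} overlap; only one key may be active")
    return active[0] if active else None
```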

Example

# Configure the send time with the time mode as absolute.

<Huawei> system-view
[Huawei] keychain huawei1 mode absolute
[Huawei-keychain-huawei1] key-id 1 
[Huawei-keychain-huawei1-keyid-1] send-time utc 14:52 2008-10-1 to 14:52 2040-10-1 

# Configure the send time with the time mode as daily.

<Huawei> system-view
[Huawei] keychain huawei2 mode periodic daily
[Huawei-keychain-huawei2] key-id 1 
[Huawei-keychain-huawei2-keyid-1] send-time daily 14:52 to 18:10 

tcp-algorithm-id

Function

The tcp-algorithm-id command specifies a TCP algorithm ID to represent an algorithm supported by the keychain.

The undo tcp-algorithm-id command restores the default settings.

By default, mapping between the TCP algorithm and algorithm ID supported by IANA is used.

Format

tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 } algorithm-id

undo tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 }

Parameters

Parameter Description Value
hmac-md5 Specifies that the message authentication algorithm used is HMAC-MD5.
NOTE:

HMAC-MD5 has potential security risks. HMAC-SHA-256 or SHA-256 is recommended.

-
hmac-sha-256 Specifies that the message authentication algorithm used is HMAC-SHA-256. -
hmac-sha1-12 Specifies that the message authentication algorithm used is HMAC-SHA1-12. -
hmac-sha1-20 Specifies that the message authentication algorithm used is HMAC-SHA1-20. -
md5 Specifies that the message authentication algorithm used is MD5.
NOTE:

MD5 has potential security risks. HMAC-SHA-256 or SHA-256 is recommended.

-
sha-1 Specifies that the message authentication algorithm used is SHA-1.
NOTE:

To ensure high security, do not use the SHA-1 algorithm.

-
sha-256 Specifies that the message authentication algorithm used is SHA-256. -
algorithm-id Specifies the TCP algorithm ID that represents the algorithm. The value ranges from 1 to 63. The default algorithm IDs are: hmac-sha1-12 is 2, md5 is 3, sha-1 is 4, hmac-md5 is 5, hmac-sha1-20 is 6, hmac-sha-256 is 7, and sha-256 is 8.

Views

Keychain view

Default Level

2: Configuration Level

Usage Guidelines

Usage Scenario

A keychain ensures secure protocol packet transmission by dynamically changing the authentication algorithm and key string. Packets transmitted over non-TCP and TCP connections are authenticated using the authentication and encryption algorithms and the key string that correspond to a key. The TCP connection needs to be authenticated to enhance security.

The TCP connection is authenticated using the authentication algorithm specified by the algorithm ID. The algorithm ID is not defined by IANA. Different vendors use different algorithm IDs to identify authentication algorithms. When two devices of different vendors are connected, ensure that algorithm IDs configured on the two devices are the same.

The characteristics of each authentication algorithm are as follows:
  • MD5: The 128-bit MD5 message digest is calculated based on the entered message of any length.

  • SHA-1: The 160-bit SHA-1 message digest is calculated based on the entered message, whose length must be shorter than 2^64 bits.

  • HMAC-MD5: The 128-bit HMAC-MD5 message digest is calculated based on the 512-bit message that is converted from the entered message of any length.

    NOTE:

    If the length of an entered message is less than 512 bits, 0s are added to make up a 512-bit message. If the length of an entered message is greater than 512 bits, the message is converted into a 128-bit message based on the MD5 algorithm. After that, 0s are added to make up a 512-bit message.

  • HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. Only the leftmost 96 bits (12 bytes x 8 bits) are used as the authentication code.

  • HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 160 bits are used as the authentication code.

Follow-up Procedure

After configuring algorithm IDs for the communicating parties, run the tcp-kind command to configure TCP types for the communicating parties.

Precautions

Each algorithm has a unique algorithm ID.

Example

# Configure the TCP algorithm ID of hmac-sha-256 as 1.

<Huawei> system-view
[Huawei] keychain huawei mode absolute
[Huawei-keychain-huawei] tcp-algorithm-id hmac-sha-256 1

tcp-kind

Function

The tcp-kind command specifies the option type in the TCP enhanced authentication option.

The undo tcp-kind command restores the default TCP kind value.

By default, the kind value is 254.

Format

tcp-kind kind-value

undo tcp-kind

Parameters

Parameter Description Value
kind-value Specifies the TCP kind value to be used for that keychain. The value ranges from 28 to 255.

Views

Keychain view

Default Level

2: Configuration Level

Usage Guidelines

Usage Scenario

A keychain ensures secure protocol packet transmission by dynamically changing the authentication algorithm and key string. Packets transmitted over non-TCP and TCP connections are authenticated using the authentication and encryption algorithms and the key string that correspond to a key. The TCP connection needs to be authenticated to enhance security.

TCP connection request packets carry enhanced authentication options and are authenticated by a specified authentication algorithm. Different vendors use different kind values to specify the enhanced authentication option. Kind values configured for the communicating parties must be the same.

Follow-up Procedure

After configuring the same TCP kind value for the communicating parties, run the tcp-algorithm-id command to specify TCP algorithm IDs for the communicating parties.

Precautions

Communicating parties using the keychain authentication must establish a TCP connection when configuring the kind value. Otherwise, the TCP authentication does not take effect.
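The following added example (not Huawei's code) pulls together the tcp-algorithm-id and tcp-kind requirements above: it computes the HMAC authentication codes as described for the tcp-algorithm-id command (with HMAC-SHA1-12 keeping only the leftmost 96 bits of the HMAC-SHA1 digest), verifies a received code in constant time, and checks that two peers agree on the kind value and on the algorithm ID for the chosen algorithm. The default IDs and kind value are those listed on this page; the key and segment bytes are constructed, and the peer dictionaries are an assumed representation.

```python
import hashlib
import hmac

# Added example (not Huawei's code). Default IDs are those listed for the
# tcp-algorithm-id command; the sample key and segment bytes are constructed.
DEFAULT_ALGORITHM_ID = {"hmac-sha1-12": 2, "md5": 3, "sha-1": 4, "hmac-md5": 5,
                        "hmac-sha1-20": 6, "hmac-sha-256": 7, "sha-256": 8}
DEFAULT_TCP_KIND = 254
# (hashlib digest name, number of bytes kept) for the HMAC variants described above
HMAC_DIGEST = {"hmac-md5": ("md5", 16), "hmac-sha1-12": ("sha1", 12),
               "hmac-sha1-20": ("sha1", 20), "hmac-sha-256": ("sha256", 32)}

def hmac_auth_code(algorithm, key, data):
    """Authentication code for the HMAC algorithms the keychain supports.
    hmac-sha1-12 keeps only the leftmost 96 bits (12 bytes) of the 160-bit digest."""
    digest_name, length = HMAC_DIGEST[algorithm]
    return hmac.new(key, data, digest_name).digest()[:length]

def verify_auth_code(algorithm, key, data, received):
    """Constant-time comparison of a received code against the locally computed one."""
    return hmac.compare_digest(hmac_auth_code(algorithm, key, data), received)

def tcp_auth_compatible(local, peer, algorithm):
    """Both ends must use the same kind value (28-255) and the same ID for the chosen
    algorithm, and each side's IDs must be unique; returns the list of problems found.
    'local' and 'peer' are {'kind': int, 'ids': {algorithm_name: id}} (assumed layout)."""
    problems = []
    for side in (local, peer):
        if not 28 <= side["kind"] <= 255:
            problems.append(f"kind {side['kind']} outside 28-255")
        if len(set(side["ids"].values())) != len(side["ids"]):
            problems.append("algorithm IDs must be unique")
    if local["kind"] != peer["kind"]:
        problems.append(f"kind mismatch {local['kind']} vs {peer['kind']}")
    if local["ids"].get(algorithm) != peer["ids"].get(algorithm):
        problems.append(f"algorithm-id mismatch for {algorithm}")
    return problems
```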

Example

# Configure the TCP kind value as 252 for the keychain huawei.

<Huawei> system-view
[Huawei] keychain huawei mode absolute
[Huawei-keychain-huawei] tcp-kind 252
Updated: 2019-05-29

Document ID: EDOC1000097293