Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Keychain Configuration Commands

algorithm

Function

The algorithm command configures a key authentication algorithm.

The undo algorithm command deletes a key authentication algorithm.

By default, no algorithm is configured.

Format

algorithm { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 }

undo algorithm

Parameters

Parameter Description Value
hmac-md5 Indicates that Keyed-Hashing for Message Authentication-Message Digest 5 (HMAC-MD5) is used for packet encryption and authentication. NOTE: HMAC-MD5 has potential security risks. HMAC-SHA-256 or SHA-256 is recommended. -
hmac-sha-256 Indicates that HMAC-Secure Hash Algorithm 256 (SHA-256) is used for packet encryption and authentication. -
hmac-sha1-12 Indicates that HMAC-Secure Hash Algorithm 1-12 (SHA1-12) is used for packet encryption and authentication. -
hmac-sha1-20 Indicates that HMAC-SHA1-20 is used for packet encryption and authentication. -
md5 Indicates that MD5 is used for packet encryption and authentication. NOTE: MD5 has potential security risks. HMAC-SHA-256 or SHA-256 is recommended. -
sha-1 Indicates that SHA-1 is used for packet encryption and authentication. -
sha-256 Indicates that SHA-256 is used for packet encryption and authentication. -

Views

Key-ID view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A keychain ensures secure protocol packet transmission by dynamically changing the authentication algorithm and key string. A keychain consists of multiple keys, each of which needs to be configured with an authentication algorithm. Different keys are valid within different time periods, ensuring dynamic change of keychain authentication algorithms.

Packets are authenticated and encrypted based on the authentication algorithm and key string associated with a specified key. This improves the packet transmission security.

The characteristics of each authentication algorithm are as follows:
  • MD5 (Message Digest 5): The 128-bit MD5 message digest is calculated based on the entered message of any length.

  • SHA-1 (Secure Hash Algorithm): The 160-bit SHA-1 message digest is calculated based on the entered message, whose length must be shorter than 2^64 bits.

  • HMAC-MD5 (Keyed-Hashing for Message Authentication-md5): The 128-bit HMAC-MD5 message digest is calculated based on the 512-bit message that is converted from the entered message of any length.

    NOTE:

    If the length of an entered message is less than 512 bits, 0s are added to make up a 512-bit message. If the length of an entered message is greater than 512 bits, the message is converted into a 128-bit message based on the MD5 algorithm. After that, 0s are added to make up a 512-bit message.

  • HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. The leftmost 96 bits (12 x 8) are used as the authentication code.

  • HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 160 bits are used as the authentication code.

  • SHA-256: The 256-bit SHA-2 message digest is calculated based on the entered message, whose length must be shorter than 2^64 bits.

  • HMAC-SHA-256: The 256-bit HMAC-SHA-256 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 256 bits are used as the authentication code.

The calculation speed of the MD5 algorithm is faster than that of the SHA algorithm; the SHA algorithm is more secure than the MD5 algorithm. Compared with MD5 and SHA, HMAC is more secure, but slower in calculation speed. To ensure high security, do not use the MD5 algorithm.

Precautions

Keys configured on the sender and receiver of packets must correspond to the same authentication and encryption algorithms. Otherwise, packet transmission fails for not passing the authentication.

If no algorithm is configured for a key, the key never becomes active.

Different protocols support different algorithms.

  • RIP supports MD5.

  • BGP and BGP4+ support MD5.

  • IS-IS supports HMAC-MD5.

  • OSPF supports MD5 and HMAC-MD5.

  • MSDP supports MD5.

  • MPLS LDP supports MD5.

  • TRILL supports HMAC-MD5.

Example

# Configure algorithm sha-256 on key-id 1.

<HUAWEI> system-view
[~HUAWEI] keychain huawei mode absolute
[*HUAWEI-keychain-huawei] key-id 1
[*HUAWEI-keychain-huawei-keyid-1] algorithm sha-256
default send-key-id

Function

The default send-key-id command configures a particular key as the default send key for that keychain.

The undo default send-key-id command deletes the default send key.

By default, no key is configured as the default send key.

Format

default send-key-id

undo default send-key-id

Parameters

None

Views

Key-ID view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In keychain authentication mode, secure protocol packet transmission is provided by changing the authentication algorithm and key string dynamically. This reduces the workload of changing the algorithm and key manually. A keychain consists of multiple authentication keys, each of which is valid within a different time period. When a key becomes valid, the authentication algorithm corresponding to the key is used, and packets that pass authentication are sent or received.

If a key for packet sending is not configured in a keychain or no key for packet sending is valid within a certain period, protocol packets cannot be authenticated and encrypted. As a result, protocol packet transmission fails. To address such a problem, configure a default key for packet sending. If no key is valid, the default key for packet sending is used.

Precautions

Each keychain can have only one default key for packet sending.

  • If the default key for packet sending is an existing key, the authentication and encryption algorithm and the key string already configured for that key are used.

  • If the default key for packet sending is a newly created key, configure its authentication and encryption algorithm and key string.

Example

# Configure the key-1 as default send key in keychain huawei.

<HUAWEI> system-view
[~HUAWEI] keychain huawei mode absolute
[*HUAWEI-keychain-huawei] key-id 1
[*HUAWEI-keychain-huawei-keyid-1] default send-key-id
digest-length 16

Function

The digest-length 16 command sets the digest length of the HMAC-SHA-256 encryption algorithm to 16 bytes.

The undo digest-length 16 command restores the digest length of the HMAC-SHA-256 encryption algorithm to 32 bytes.

By default, the digest length of the HMAC-SHA-256 encryption algorithm is 32 bytes.

Format

digest-length 16

undo digest-length 16

Parameters

None

Views

Keychain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the algorithm command is run to configure the authentication algorithm for Key-id, the Keychain automatically generates digest information of a specific length to authenticate and encrypt Keychain protocol packets for security hardening.

When the authentication algorithm is set to HMAC-SHA-256 for Key-id, digest information of 16 bytes (128 bits) is generated in versions earlier than V200R002C50; digest information of 32 bytes (256 bits) is generated in V200R002C50 or later. To ensure version compatibility and uninterrupted OSPF and RSVP services bound to Keychain, run this command in V200R002C50 or later.
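As an added illustration (not Huawei code) of the truncation rules this page states for the keyed algorithms, and of the 16-byte versus 32-byte HMAC-SHA-256 digest that the digest-length 16 command exists to reconcile, the following Python computes each authentication code with the standard library hmac module; the key string and packet body are constructed sample values, and how the device frames the packet before hashing is not modelled.

```python
import hashlib
import hmac

# Added example, not Huawei code: the keyed keychain algorithms described on this
# page with the truncation rules it states. The plain md5/sha-1/sha-256 modes are
# left out because the page does not say how they combine key string and packet.

# Output length in bytes for each keyed algorithm, as described on this page.
FULL_LENGTH = {
    "hmac-md5": 16,       # 128 bits
    "hmac-sha1-12": 12,   # leftmost 96 bits (12 x 8) of the 160-bit digest
    "hmac-sha1-20": 20,   # all 160 bits
    "hmac-sha-256": 32,   # all 256 bits (default digest length)
}

HASH_FUNCTION = {
    "hmac-md5": hashlib.md5,
    "hmac-sha1-12": hashlib.sha1,
    "hmac-sha1-20": hashlib.sha1,
    "hmac-sha-256": hashlib.sha256,
}


def authentication_code(algorithm, key_string, packet, digest_length_16=False):
    """Compute the authentication code a key with this algorithm attaches to a packet.

    digest_length_16 models the keychain-view command digest-length 16, which only
    affects hmac-sha-256 (32 bytes by default, 16 bytes when the command is set).
    """
    if algorithm not in HASH_FUNCTION:
        raise ValueError(f"unsupported keyed algorithm: {algorithm}")
    length = FULL_LENGTH[algorithm]
    if algorithm == "hmac-sha-256" and digest_length_16:
        length = 16
    full = hmac.new(key_string, packet, HASH_FUNCTION[algorithm]).digest()
    return full[:length]  # truncation keeps the leftmost bytes


def verify(algorithm, key_string, packet, received_code, digest_length_16=False):
    """Receiver-side check: constant-time comparison; a length mismatch fails."""
    expected = authentication_code(algorithm, key_string, packet, digest_length_16)
    return hmac.compare_digest(expected, received_code)


# Constructed sample input (not from the page): the key string used in the
# key-string example on this page and an arbitrary packet body.
KEY = b"Huawei@1234"
PACKET = b"constructed protocol packet body for demonstration"


def compatibility_check():
    """Model the version mismatch the digest-length 16 command addresses.

    Returns (accepted_without_command, accepted_with_command) for a receiver on
    V200R002C50 or later (32-byte digest) that gets a 16-byte HMAC-SHA-256 code
    from a sender running an earlier version.
    """
    old_sender_code = authentication_code("hmac-sha-256", KEY, PACKET,
                                          digest_length_16=True)
    without_command = verify("hmac-sha-256", KEY, PACKET, old_sender_code)
    with_command = verify("hmac-sha-256", KEY, PACKET, old_sender_code,
                          digest_length_16=True)
    return without_command, with_command


if __name__ == "__main__":
    for name in FULL_LENGTH:
        print(name, authentication_code(name, KEY, PACKET).hex())
    print("old sender accepted without/with digest-length 16:", compatibility_check())
```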

Example

# Set the digest length of the HMAC-SHA-256 encryption algorithm to 16 bytes.

<HUAWEI> system-view
[~HUAWEI] keychain huawei mode absolute
[*HUAWEI-keychain-huawei] digest-length 16

display keychain

Function

The display keychain command displays the configuration of a specified keychain.

Format

display keychain keychain-name [ key-id key-id ]

Parameters

Parameter Description Value
keychain-name Displays the configuration of a keychain with a specified name. The keychain must already exist.
key-id key-id Displays the configuration of a specified key in the keychain. The key must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To troubleshoot a keychain authentication failure or collect required information before configuration, run the display keychain command to view configurations of a specified keychain.

Example

# Display the configuration of the keychain huawei.

<HUAWEI> display keychain huawei
 Keychain information:
 ----------------------
 Keychain name             : huawei
   Timer mode              : Absolute
   Receive tolerance(min)  : 100
   TCP kind                : 254
   TCP algorithm ID        :
     HMAC-MD5              : 5
     HMAC-SHA1-12          : 2
     HMAC-SHA1-20          : 6
     MD5                   : 3
     SHA1                  : 4
     HMAC-SHA-256          : 7
     SHA-256               : 8
 Number of key ID          : 1
 Active send key ID        : 1
 Active receive key ID     : 01
 Default send key ID       : Not configured

 Key ID information:
 ----------------------
 Key ID                    : 1
   Key string              : ******
   Algorithm               : MD5
   Send timer              :
     Start time            : 2012-03-12 00:00
     End time              : 2012-03-12 23:59
     Status                : Active
   Receive timer           :
     Start time            : 2012-03-12 00:00
     End time              : 2012-03-12 23:59
     Status                : Active

# Display the configuration of key-id 1 in the keychain huawei.

<HUAWEI> display keychain huawei key-id 1
 Keychain information:
 ---------------------
 Keychain name             : huawei
   Timer mode              : Absolute
   Receive tolerance(min)  : 100
   TCP kind                : 182
   TCP algorithm ID        :
     HMAC-MD5              : 5
     HMAC-SHA1-12          : 2
     HMAC-SHA1-20          : 6
     MD5                   : 3
     SHA1                  : 4
     HMAC-SHA-256          : 7
     SHA-256               : 8

 Key ID information:
 -------------------
 Key ID                    : 1
   Key string              : ******
   Algorithm               : MD5
   Send timer              :
     Start time            : 2012-03-14 00:00
     End time              : 2012-08-08 23:59
     Status                : Active
   Receive timer           :
     Start time            : 2012-03-14 00:00
     End time              : 2012-08-08 23:59
     Status                : Active
   Default send key ID information 
     Default               : Configured
Table 16-98  Description of the display keychain command output

Item

Description

Keychain name

Name of a keychain.

To set the keychain name, run the keychain command.

Timer mode

Time mode of a keychain.

  • Absolute: The keychain takes effect in an absolute time range.
  • Daily periodic: The keychain is valid on a daily basis.
  • Weekly periodic: The keychain is valid on a weekly basis.
  • Monthly periodic: The keychain is valid on a monthly basis.
  • Yearly periodic: The keychain is valid on a yearly basis.

To set the time mode, run the keychain command.

Receive tolerance(min)

Receive tolerance time configured for a keychain.

To set the receive tolerance time, run the receive-tolerance command.

TCP kind

TCP kind value configured for a keychain.

To set the TCP kind value, run the tcp-kind command.

TCP algorithm ID

TCP algorithm ID configured for a keychain.

The characteristics of each authentication algorithm are as follows:
  • MD5 (Message Digest 5): The 128-bit MD5 message digest is calculated based on the entered message of any length.

  • SHA-1 (Secure Hash Algorithm): The 160-bit SHA-1 message digest is calculated based on the entered message, whose length must be shorter than 2^64 bits.

  • HMAC-MD5 (Keyed-Hashing for Message Authentication-md5): The 128-bit HMAC-MD5 message digest is calculated based on the 512-bit message that is converted from the entered message of any length.

    NOTE:

    If the length of an entered message is less than 512 bits, 0s are added to make up a 512-bit message. If the length of an entered message is greater than 512 bits, the message is converted into a 128-bit message based on the MD5 algorithm. After that, 0s are added to make up a 512-bit message.

  • HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. The leftmost 96 bits (12 x 8) are used as the authentication code.

  • HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 160 bits are used as the authentication code.

  • SHA-256: The 256-bit SHA-2 message digest is calculated based on the entered message, whose length must be shorter than 2^64 bits.

  • HMAC-SHA-256: The 256-bit HMAC-SHA-256 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 256 bits are used as the authentication code.

The calculation speed of the MD5 algorithm is faster than that of the SHA algorithm; the SHA algorithm is more secure than the MD5 algorithm. Compared with MD5 and SHA, HMAC is more secure, but slower in calculation speed. To ensure high security, do not use the MD5 algorithm.

To set the TCP algorithm ID, run the tcp-algorithm-id command.

Number of key ID

Number of key IDs.

Active send key ID

ID of the active send key.

Active receive key ID

ID of the active receive key.

Default send key ID

ID of the default send key.

Key ID

Key configured in a keychain.

To set the key ID, run the key-id command.

Key string

Key string configured for the key.

To set the key string, run the key-string command.

Algorithm

Algorithm configured for the key.

To set the algorithm for a key, run the algorithm command.

Send timer

Send time of a key.

To set the send time of a key, run the send-time command.

Start time

Time when a key becomes valid.

End time

Time when a key becomes invalid.

Status

Status of send/receive keys:

  • Active
  • Inactive

Receive timer

Receive time of a key.

To set the receive time of a key, run the receive-time command.

Default send key ID information

Information about the default send key.

Default

Configuration of the default send key:

  • Not configured
  • Configured

keychain

Function

The keychain command creates a new set of keychain rules or displays the keychain view.

The undo keychain command deletes the keychain configuration.

By default, no keychain is configured.

Format

keychain keychain-name mode { absolute | periodic { daily | weekly | monthly | yearly } }

undo keychain keychain-name

Parameters

Parameter Description Value
keychain-name Specifies the keychain name. All the applications identify the set of keychain rules by keychain name. The value is a string of 1 to 47 case-insensitive characters except question marks (?) and spaces. However, when double quotation marks (") are used to include the string, spaces are allowed in the string.
mode Indicates the time mode of a keychain. NOTE: The time mode of a keychain must be specified when a keychain is created. You do not need to specify the time mode for a created keychain. -
absolute Indicates that the given keychain is non-periodic. -
periodic Indicates that the given keychain is periodic. -
daily Indicates that the given keychain is day-periodic. -
weekly Indicates that the given keychain is week-periodic. -
monthly Indicates that the given keychain is month-periodic. -
yearly Indicates that the given keychain is year-periodic. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In keychain authentication mode, secure protocol packet transmission is provided by dynamically changing the authentication algorithm and key string. This can prevent unauthorized users from obtaining the key string, and authentication and encryption algorithms, and reduce the workload of manually changing the algorithm and key string.

Each keychain consists of multiple keys that are valid within different time periods and each key is configured with an authentication algorithm. When a key becomes valid, the corresponding authentication algorithm is used.

There are two keychain time modes:
  • Absolute time range: In this mode, keychains are valid within a certain period.

  • Periodic time range: In this mode, keychains are valid periodically.

Follow-up Procedure

Run the key-id command to configure a key. If the key is not configured, the keychain cannot authenticate and encrypt protocol packets.

The time mode of a key must be the same as the time mode of the keychain.

Precautions

A keychain supports a maximum of 64 keys.

The keychain keychain-name command displays a specific keychain view. If the keychain specified by keychain-name does not exist, the keychain keychain-name command cannot be executed. To create a keychain, run the keychain keychain-name mode { absolute | periodic { daily | weekly | monthly | yearly } } command.

Example

# Configure the keychain huawei and enter keychain view.

<HUAWEI> system-view
[~HUAWEI] keychain huawei mode absolute 
[*HUAWEI-keychain-huawei] 
key-id

Function

The key-id command creates a new set of key-ids or displays the key-id view.

The undo key-id command deletes the key-id configuration.

By default, no key-id is configured.

Format

key-id key-id

undo key-id key-id

Parameters

Parameter Description Value
key-id Specifies the key identification number of a keychain. The integer value ranges from 0 to 63.

Views

Keychain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In keychain authentication mode, secure protocol packet transmission is provided by changing the authentication algorithm and key dynamically. This can reduce the workload of manually changing the algorithm and key.

The dynamic change of the keychain authentication algorithm is implemented based on the keys. Each keychain consists of multiple keys that are valid within different time periods and each key is configured with an authentication algorithm. When a key becomes valid, the corresponding authentication algorithm is used.

Follow-up Procedure

After key-id is specified, perform the following operations:
  • Run the algorithm command to configure an algorithm used by the key.
  • Run the key-string command to specify a key string.
  • Run the send-time command to specify the send time of the key.
  • Run the receive-time command to specify the receive time of the key.

Precautions

A key-id represents a key on the device.

A keychain supports 64 keys, but only one key takes effect during one period.

In the gaps between the validity periods of keys, no active key is available to authenticate and encrypt protocol packets. Therefore, run the default send-key-id command to specify a default key.

The time mode of the key must be the same as the time mode of Keychain.

Example

# Configure key-id 1.

<HUAWEI> system-view
[~HUAWEI] keychain huawei mode absolute 
[*HUAWEI-keychain-huawei] key-id 1
[*HUAWEI-keychain-huawei-keyid-1]

key-string

Function

The key-string command specifies a key used for keychain authentication.

The undo key-string command deletes a key used for keychain authentication.

By default, no key is configured for keychain authentication.

Format

key-string { plain plain-text | [ cipher ] cipher-text }

undo key-string

Parameters

Parameter Description Value
plain plain-text Indicates the plain text used for authentication. The configured text will be stored as unencrypted text and displayed as unencrypted text.
NOTE:

When configuring an authentication password, select the ciphertext mode. In plaintext mode the password is saved in the configuration file as simple text, which is a high risk. To ensure device security, change the password periodically.

The value is case-sensitive and ranges from 1 to 255 characters. Spaces are not supported.
NOTE:

If a password contains a space, the password must be placed into a pair of double quotation marks. Only one pair of double quotation marks can be used for each user name.

cipher Specifies the cipher key string used for encryption and decryption. -
cipher-text Indicates the cipher text used for authentication.
The value is a string of case-sensitive characters. Spaces are not supported. The authentication password can be a string of 1 to 255 characters in plain text or a string of 32 to 432 characters in cipher text. The authentication password can also be a string of 24 characters.
NOTE:

If a password contains a space, the password must be placed into a pair of double quotation marks. Only one pair of double quotation marks can be used for each user name.

Views

Key-ID view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In keychain authentication mode, secure protocol packet transmission is provided by dynamically changing the authentication algorithm and key string. This can prevent unauthorized users from obtaining the key string, and authentication and encryption algorithms, and reduce the workload of manually changing the algorithm and key string.

Each keychain consists of multiple keys that are valid within different time periods and each key is configured with an authentication algorithm. When a key becomes valid, the corresponding authentication algorithm is used.

Precautions

An authentication key configured in cipher text mode will be also displayed in cipher text mode. Therefore, remember the plaintext key string when configuring the key in cipher text mode.

If the authentication key is not configured, the corresponding key remains in inactive state.

Example

# Configure the key string Huawei@1234.

<HUAWEI> system-view
[~HUAWEI] keychain huawei mode absolute 
[*HUAWEI-keychain-huawei] key-id 1
[*HUAWEI-keychain-huawei-keyid-1] key-string cipher Huawei@1234
receive-time

Function

The receive-time command configures a key as a receive key for the specified interval of time.

The undo receive-time command deletes the receive time configuration.

By default, no receive time is configured.

Format

receive-time start-time start-date { duration { duration-value | infinite } | to end-time end-date }

receive-time daily start-time to end-time

receive-time day { start-day-name to end-day-name | day-name &<1-7> }

receive-time date { start-date-value to end-date-value | date-value &<1-31> }

receive-time month { start-month-name to end-month-name | month-name &<1-12> }

undo receive-time

Parameters

Parameter Description Value
start-time Specifies the start receive time. In HH:MM format. The value ranges from 00:00 to 23:59.
start-date Specifies the start date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
duration duration-value Specifies the duration of the receive time in minutes. The value ranges from 1 to 26280000.
infinite Indicates that the key will be acting as an active receive key forever from the configured start time. -
to Indicates a separator. -
end-time Specifies the end receive time. In HH:MM format. The value ranges from 00:00 to 23:59. The end time must be later than the start time.
end-date Specifies the end date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
daily Specifies the daily receive time for the given key. -
day Specifies the days of the week. -
start-day-name Specifies the day of the week to be configured as the start receive day for the given key. It can be Mon, Tue, Wed, Thur, Fri, Sat, and Sun.
end-day-name Specifies the end receive day for the given key. It can be Tue, Wed, Thur, Fri, Sat, and Sun. The end day must be later than the start day.
day-name &<1-7> Specifies the day of the week to be configured as the receive day for the given key.

It can be Mon, Tue, Wed, Thur, Fri, Sat, and Sun.

One or more days can be configured.

date Specifies the date of the month. -
start-date-value Specifies the start date of the month to be configured as the receive date for the given key. The value ranges from 1 to 31.
end-date-value Specifies the end receive date of the month. The value ranges from 2 to 31. The end date must be later than the start date.
date-value &<1-31> Specifies the date of the month to be configured as the receive date for the given key.

The value ranges from 1 to 31. One or more dates can be configured.

month Specifies the months of the year. -
start-month-name Specifies the month of the year to be configured as the start receive month for the given key. It can be Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.
end-month-name Specifies the end receive month for the given key. It can be Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec. The end month must be later than the start month.

month-name &<1-12> Specifies the month of the year to be configured as the receive month for the given key.

It can be Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.

One or more months can be configured.

Views

Key-ID view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Each keychain consists of multiple keys that are valid within different time periods and each key is configured with an authentication algorithm and key string. When a key becomes valid, the corresponding authentication algorithm and the key string are used. Configure different keys for packet sending and receiving to be valid within different time periods.

When the system time is within the specified interval, the receive key is in active state.

There are two keychain validity modes:
  • Absolute time range: In this mode, keychains are valid within a certain period.

  • Periodic time range: In this mode, keychains are valid periodically.

The mode in which receive keys become valid must be the same as that configured for the keychain.

Precautions

Multiple receive keys can be active at the same time. The device will select a key for decryption based on the received packet.

Example

# Configure the receive time with the time mode as absolute and range as infinite.

<HUAWEI> system-view
[~HUAWEI] keychain huawei1 mode absolute
[*HUAWEI-keychain-huawei1] key-id 1 
[*HUAWEI-keychain-huawei1-keyid-1] receive-time 14:52 2008-10-1 duration infinite 

# Configure the receive time with the time mode as daily.

<HUAWEI> system-view
[~HUAWEI] keychain huawei2 mode periodic daily
[*HUAWEI-keychain-huawei2] key-id 1 
[*HUAWEI-keychain-huawei2-keyid-1] receive-time daily 14:52 to 18:10 
receive-tolerance

Function

The receive-tolerance command sets receive tolerance for all the receive keys in the keychain.

The undo receive-tolerance command deletes the receive tolerance configuration.

By default, the receive tolerance value is 0.

Format

receive-tolerance { value | infinite }

undo receive-tolerance

Parameters

Parameter Description Value
value Specifies the receive tolerance value for a keychain. The integer value ranges from 1 to 14400 in minutes.
infinite Indicates that the receive tolerance is infinite. That is, the receive key is always valid. -

Views

Keychain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In keychain authentication mode, secure protocol packet transmission is provided by changing the authentication algorithm and key string dynamically. Each key is configured with an authentication algorithm and a key string. When a key becomes valid, the corresponding authentication algorithm is used.

Because of network conditions or clock differences between the packet sender and receiver, packets may be delayed. The receiver may then receive a packet after its receive key has become invalid, discard the packet, and interrupt packet transmission. To address this problem, set a tolerance time so that the validity period of the receive key on the receiver expires only after all packets sent by the sender have reached the receiver.

Precautions

A tolerance time is required for each keychain. The configured tolerance time takes effect for all keys in the keychain.
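The timing rules spread across the key-id, default send-key-id, receive-time and receive-tolerance commands can be checked against a small model. The following Python is an added example, not Huawei code: the sample keychain, its keys and the timestamps are constructed, and choosing the lowest active key ID when several send keys overlap is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added model of the keychain timing rules on this page: send and receive windows,
# the receive-tolerance grace period, the default send key fallback, and the rule
# that a key without an algorithm or key string never becomes active.


@dataclass
class Key:
    key_id: int
    algorithm: Optional[str] = None      # set with the algorithm command
    key_string: Optional[str] = None     # set with the key-string command
    send_start: Optional[datetime] = None
    send_end: Optional[datetime] = None  # None models "duration infinite"
    recv_start: Optional[datetime] = None
    recv_end: Optional[datetime] = None  # None models "duration infinite"

    def configured(self) -> bool:
        return self.algorithm is not None and self.key_string is not None

    def send_active(self, now: datetime) -> bool:
        if not self.configured() or self.send_start is None:
            return False
        return self.send_start <= now and (self.send_end is None or now <= self.send_end)

    def receive_active(self, now: datetime, tolerance: Optional[timedelta]) -> bool:
        # receive-tolerance extends the end of every receive window; None models
        # "infinite": the key stays valid for receiving once its window has started.
        if not self.configured() or self.recv_start is None or self.recv_start > now:
            return False
        if self.recv_end is None or tolerance is None:
            return True
        return now <= self.recv_end + tolerance


@dataclass
class Keychain:
    name: str
    receive_tolerance: Optional[timedelta] = timedelta(0)  # default 0; None = infinite
    default_send_key_id: Optional[int] = None
    keys: Dict[int, Key] = field(default_factory=dict)

    def add_key(self, key: Key) -> None:
        if not 0 <= key.key_id <= 63:
            raise ValueError("key-id must be in the range 0 to 63")
        if key.key_id not in self.keys and len(self.keys) >= 64:
            raise ValueError("a keychain supports a maximum of 64 keys")
        self.keys[key.key_id] = key

    def active_send_key_id(self, now: datetime) -> Optional[int]:
        # Only one send key takes effect at a time (lowest active ID: an assumption).
        for kid in sorted(self.keys):
            if self.keys[kid].send_active(now):
                return kid
        # Gap between keys: fall back to the default send key, if one is configured.
        fallback = self.keys.get(self.default_send_key_id)
        if fallback is not None and fallback.configured():
            return fallback.key_id
        return None  # nothing can authenticate outgoing packets; transmission fails

    def active_receive_key_ids(self, now: datetime) -> List[int]:
        # Several receive keys may be active at once; the receiver then picks the
        # key identified by the incoming packet.
        return [kid for kid in sorted(self.keys)
                if self.keys[kid].receive_active(now, self.receive_tolerance)]

    def receive_key_for_packet(self, packet_key_id: int, now: datetime) -> Optional[Key]:
        key = self.keys.get(packet_key_id)
        if key is not None and key.receive_active(now, self.receive_tolerance):
            return key
        return None


def build_sample_keychain(tolerance_minutes: Optional[int] = 100) -> Keychain:
    """Constructed sample: absolute-mode keychain with a 10-minute gap between key 1 and key 2."""
    tolerance = None if tolerance_minutes is None else timedelta(minutes=tolerance_minutes)
    kc = Keychain("huawei", tolerance, default_send_key_id=1)
    kc.add_key(Key(1, "sha-256", "Huawei@1234",
                   datetime(2012, 3, 12, 0, 0), datetime(2012, 3, 12, 23, 59),
                   datetime(2012, 3, 12, 0, 0), datetime(2012, 3, 12, 23, 59)))
    kc.add_key(Key(2, "hmac-sha-256", "Huawei@5678",
                   datetime(2012, 3, 13, 0, 10), None,
                   datetime(2012, 3, 13, 0, 10), None))
    kc.add_key(Key(3, None, "Huawei@9999",            # no algorithm: never active
                   datetime(2012, 3, 12, 0, 0), None,
                   datetime(2012, 3, 12, 0, 0), None))
    return kc


def status_at(kc: Keychain, when: str):
    """Return (active send key ID, active receive key IDs) at an ISO-8601 timestamp."""
    now = datetime.fromisoformat(when)
    return kc.active_send_key_id(now), kc.active_receive_key_ids(now)


if __name__ == "__main__":
    kc = build_sample_keychain()
    for when in ("2012-03-12 12:00", "2012-03-13 00:05", "2012-03-13 00:30", "2012-03-13 02:00"):
        print(when, status_at(kc, when))
```

At 00:05 on the second day no send key is valid, so the default send key is reported, while key 1 still receives because the 100-minute tolerance extends its window; with the default tolerance of 0 the receive list at that moment is empty.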

Example

# Configure the receive tolerance time as 570 minutes.

<HUAWEI> system-view
[~HUAWEI] keychain huawei mode absolute 
[*HUAWEI-keychain-huawei] receive-tolerance 570 

send-time

Function

The send-time command configures a key as a send key at a specified interval.

The undo send-time command deletes the send time configuration.

By default, no send-time is configured.

Format

send-time start-time start-date { duration { duration-value | infinite } | to end-time end-date }

send-time daily start-time to end-time

send-time day { start-day-name to end-day-name | day-name &<1-7> }

send-time date { start-date-value to end-date-value | date-value &<1-31> }

send-time month { start-month-name to end-month-name | month-name &<1-12> }

undo send-time

Parameters

Parameter Description Value
start-time Specifies the start send time. The value is in HH:MM format. The value ranges from 00:00 to 23:59.
start-date Specifies the start date. The value is in YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
duration duration-value Specifies the duration of the send time, in minutes. The value ranges from 1 to 26280000.
infinite Indicates that the key will act as a send key forever from the configured start time. -
to Indicates a separator. -
end-time Specifies the end send time. The value is in HH:MM format. The value ranges from 00:00 to 23:59. The end time must be later than the start time.
end-date Specifies the end date. The value is in YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
daily Specifies the daily send time for the given key. -
day Specifies the days of the week. -
start-day-name Specifies the day of the week to be configured as the start send day for the given key. It can be Mon, Tue, Wed, Thur, Fri, Sat, and Sun.
end-day-name Specifies the end send day for the given key. It can be Tue, Wed, Thur, Fri, Sat, and Sun. The end day must be later than the start day.
day-name &<1-7> Specifies the day of the week to be configured as the send day for the given key.

It can be Mon, Tue, Wed, Thur, Fri, Sat, and Sun.

One or more days can be configured.

date Specifies the date of the month. -
start-date-value Specifies the start date of the month to be configured as the send date for the given key. The value ranges from 1 to 31.
end-date-value Specifies the end date of the month to be configured as the send date for the given key. The value ranges from 2 to 31. The end date must be later than the start date.
date-value &<1-31> Specifies the date of the month to be configured as the send date for the given key.

The value ranges from 1 to 31. One or more dates can be configured.

month Specifies the months of the year. -
start-month-name Specifies the month of the year to be configured as the start send month for the given key. It can be Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.
end-month-name Specifies the end send month. The end month must be greater than the start month.

It can be Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.

The end month must be later than the start month.

month-name &<1-12> Specifies the month of the year to be configured as the send month for the given key.

It can be Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, and Dec.

One or more months can be configured.

Views

Key-ID view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Each keychain consists of multiple keys that are valid within different time periods and each key is configured with an authentication algorithm and a key string. When a key becomes valid, the corresponding authentication algorithm and the key string are used. Configure different send and receive keys to be valid within different time periods.

When the system time is within the send time range of a key, the device uses the algorithm and key string of that key to encrypt the packet.

There are two keychain validity modes:
  • Absolute time range: In this mode, keychains are valid within a certain period.

  • Periodic time range: In this mode, keychains are valid periodically.

The mode in which send keys become valid must be the same as that configured for the keychain.

Precautions

Multiple receive keys cannot be active at the same time. Only one key takes effect during a period in a keychain.

Example

# Configure the send time with the time mode as absolute.

<HUAWEI> system-view
[~HUAWEI] keychain huawei1 mode absolute
[*HUAWEI-keychain-huawei1] key-id 1 
[*HUAWEI-keychain-huawei1-keyid-1] send-time 14:52 2008-10-1 to 14:52 2040-10-1 

# Configure the send time with the time mode as daily.

<HUAWEI> system-view
[~HUAWEI] keychain huawei2 mode periodic daily
[*HUAWEI-keychain-huawei2] key-id 1 
[*HUAWEI-keychain-huawei2-keyid-1] send-time daily 14:52 to 18:10 
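The two send-time windows configured above (absolute, and periodic daily), evaluated as a small Python model. This is an added example, not Huawei code; the ranges come from the parameter table, and the half-open window and the overlap check in active_send_key are assumptions made here.

```python
from datetime import datetime, time, timedelta

# Constructed model of a key's send-time window; not the device's own
# implementation. It mirrors the CLI forms: "start-time start-date to
# end-time end-date", "... duration N", "... infinite", and "daily HH:MM to HH:MM".

def _parse_abs(s):
    # CLI form "HH:MM YYYY-MM-DD"; strptime also accepts "2008-10-1".
    return datetime.strptime(s, "%H:%M %Y-%m-%d")

def absolute_window(start, end=None, duration_min=None, infinite=False):
    """Return (start, end) datetimes; exactly one of end/duration_min/infinite."""
    start_dt = _parse_abs(start)
    if infinite:
        return start_dt, datetime.max
    if duration_min is not None:
        if not 1 <= duration_min <= 26280000:   # range from the parameter table
            raise ValueError("duration out of range")
        return start_dt, start_dt + timedelta(minutes=duration_min)
    end_dt = _parse_abs(end)
    if end_dt <= start_dt:
        raise ValueError("end time must be later than start time")
    return start_dt, end_dt

def in_absolute_window(now, window):
    # Assumption: the window is half-open, so a key ending at 14:52 and the
    # next key starting at 14:52 never overlap.
    start_dt, end_dt = window
    return start_dt <= now < end_dt

def in_daily_window(now, start, end):
    """'send-time daily HH:MM to HH:MM'; the end time must be later."""
    s = time.fromisoformat(start)
    e = time.fromisoformat(end)
    if e <= s:
        raise ValueError("end time must be later than start time")
    return s <= now.time() < e

def active_send_key(now, keys):
    """keys: list of (key_id, predicate). Only one key may take effect at a
    time, so overlapping windows are reported as a configuration error."""
    active = [kid for kid, pred in keys if pred(now)]
    if len(active) > 1:
        raise ValueError("overlapping send windows: %s" % active)
    return active[0] if active else None
```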

tcp-algorithm-id

Function

The tcp-algorithm-id command specifies a TCP algorithm ID to represent an algorithm supported by the keychain.

The undo tcp-algorithm-id command restores the default settings.

By default, mapping between the TCP algorithm and algorithm ID supported by IANA is used.

Format

tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 } algorithm-id

undo tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 }

Parameters

Parameter Description Value
hmac-md5 Specifies that the message authentication algorithm used is HMAC-MD5.
NOTE:

HMAC-MD5 has potential security risks. HMAC-SHA-256 or SHA-256 is recommended.

-
hmac-sha-256 Specifies that the message authentication algorithm used is HMAC-SHA-256. -
hmac-sha1-12 Specifies that the message authentication algorithm used is HMAC-SHA1-12. -
hmac-sha1-20 Specifies that the message authentication algorithm used is HMAC-SHA1-20. -
md5 Specifies that the message authentication algorithm used is MD5.
NOTE:

MD5 has potential security risks. HMAC-SHA-256 or SHA-256 is recommended.

-
sha-1 Specifies that the message authentication algorithm used is SHA-1. -
sha-256 Specifies that the message authentication algorithm used is SHA-256. -
algorithm-id Specifies the TCP algorithm ID that represents the algorithm.
The value ranges from 1 to 63. The default algorithm IDs for the algorithm types are:
  • md5: 3
  • hmac-sha-256: 7
  • sha-1: 4
  • hmac-md5: 5
  • hmac-sha1-12: 2
  • hmac-sha1-20: 6
  • sha-256: 8

Views

Keychain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A keychain ensures secure protocol packet transmission by dynamically changing the authentication algorithm and key string. Packets to be transmitted over non-TCP and TCP connections are authenticated using authentication and encryption algorithms and key string corresponding to a key. The TCP connection needs to be authenticated to enhance security.

The TCP connection is authenticated using the authentication algorithm specified by the algorithm ID. The algorithm ID is not defined by IANA. Different vendors use different algorithm IDs to identify authentication algorithms. When two devices of different vendors are connected, ensure that algorithm IDs configured on the two devices are the same.

The characteristics of each authentication algorithm are as follows:
  • MD5 (Message Digest 5): The 128-bit MD5 message digest is calculated based on the entered message of any length.

  • SHA-1 (Secure Hash Algorithm): The 160-bit SHA-1 message digest is calculated based on the entered message, whose length must be shorter than 2^64 bits.

  • HMAC-MD5 (Keyed-Hashing for Message Authentication-md5): The 128-bit HMAC-MD5 message digest is calculated based on the 512-bit message that is converted from the entered message of any length.

    NOTE:

    If the length of an entered message is less than 512 bits, 0s are added to make up a 512-bit message. If the length of an entered message is greater than 512 bits, the message is converted into a 128-bit message based on the MD5 algorithm. After that, 0s are added to make up a 512-bit message.

  • HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. The leftmost 96 bits (12 x 8) are used as the authentication code.

  • HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 160 bits are used as the authentication code.

  • SHA-256: The 256-bit SHA-2 message digest is calculated based on the entered message, whose length must be shorter than 2^64 bits.

  • HMAC-SHA-256: The 256-bit HMAC-SHA-256 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 256 bits are used as the authentication code.

The calculation speed of the MD5 algorithm is faster than that of the SHA algorithm; the SHA algorithm is more secure than the MD5 algorithm. Compared with MD5 and SHA, HMAC is more secure, but slower in calculation speed. To ensure high security, do not use the MD5 algorithm.

Follow-up Procedure

After configuring algorithm IDs for the communicating parties, run the tcp-kind command to configure TCP types for the communicating parties.

Precautions

Each algorithm has a unique algorithm ID.

Example

# Configure the TCP algorithm ID of hmac-sha-256 as 1.

<HUAWEI> system-view
[~HUAWEI] keychain huawei mode absolute
[*HUAWEI-keychain-huawei] tcp-algorithm-id hmac-sha-256 1
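The algorithm table and the truncation rules from the usage guidelines, worked through in Python: the default algorithm IDs, the 96-bit HMAC-SHA1-12 tag as a prefix of the HMAC-SHA1-20 tag, and why a peer that maps the same ID to a different algorithm (for example ID 1 remapped as in the configuration above) fails verification. This is an added example, not Huawei code; the TCP segment bytes and key are constructed, and the keying of the plain md5 / sha-1 / sha-256 modes is an assumption labelled in the code.

```python
import hashlib
import hmac

# Default TCP algorithm IDs, copied from the tcp-algorithm-id parameter table.
DEFAULT_ALGORITHM_ID = {
    "hmac-sha1-12": 2, "md5": 3, "sha-1": 4, "hmac-md5": 5,
    "hmac-sha1-20": 6, "hmac-sha-256": 7, "sha-256": 8,
}

# Tag length in bytes per the usage guidelines: HMAC-SHA1-12 keeps the
# leftmost 96 bits (12 bytes); the other algorithms use the full digest.
TAG_LENGTH = {
    "hmac-md5": 16, "hmac-sha1-12": 12, "hmac-sha1-20": 20,
    "hmac-sha-256": 32, "md5": 16, "sha-1": 20, "sha-256": 32,
}

_HMAC_HASH = {"hmac-md5": "md5", "hmac-sha1-12": "sha1",
              "hmac-sha1-20": "sha1", "hmac-sha-256": "sha256"}
_PLAIN_HASH = {"md5": "md5", "sha-1": "sha1", "sha-256": "sha256"}

def compute_tag(algorithm, key, message):
    """Authentication code for one TCP segment under the named algorithm.
    HMAC variants use RFC 2104 via hmac.new(). The page does not state how
    the key is mixed into the plain md5/sha-1/sha-256 modes; this example
    ASSUMES digest(message || key), the RFC 2385 TCP MD5 construction."""
    if algorithm in _HMAC_HASH:
        tag = hmac.new(key, message, _HMAC_HASH[algorithm]).digest()
    else:
        tag = hashlib.new(_PLAIN_HASH[algorithm], message + key).digest()
    return tag[:TAG_LENGTH[algorithm]]

def verify_tag(algorithm, key, message, received_tag):
    # Constant-time comparison; a length mismatch simply fails.
    return hmac.compare_digest(compute_tag(algorithm, key, message), received_tag)

def algorithm_for_id(alg_id, mapping=DEFAULT_ALGORITHM_ID):
    """Receiver side: map the ID carried in the option back to an algorithm
    using the local mapping; None when the ID is unknown locally."""
    for name, i in mapping.items():
        if i == alg_id:
            return name
    return None
```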

tcp-kind

Function

The tcp-kind command specifies the option type in the TCP enhanced authentication option.

The undo tcp-kind command restores the default TCP kind value.

By default, the kind value is 254.

Format

tcp-kind kind-value

undo tcp-kind

Parameters

Parameter Description Value
kind-value Specifies the TCP kind value to be used for that keychain. The value ranges from 28 to 255.

Views

Keychain view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A keychain ensures secure protocol packet transmission by dynamically changing the authentication algorithm and key string. Packets to be transmitted over non-TCP and TCP connections are authenticated using authentication and encryption algorithms and key string corresponding to a key. The TCP connection needs to be authenticated to enhance security.

TCP connection request packets carry enhanced authentication options and are authenticated by a specified authentication algorithm. Different vendors use different kind values to specify the enhanced authentication option. Kind values configured for the communicating parties must be the same.

Follow-up Procedure

After configuring the same TCP kind value for the communicating parties, run the tcp-algorithm-id command to specify TCP algorithm IDs for the communicating parties.

Precautions

Communicating parties using the keychain authentication must establish a TCP connection when configuring the kind value. Otherwise, the TCP authentication does not take effect.

Example

# Configure the TCP kind value as 252 for the keychain huawei.

<HUAWEI> system-view
[~HUAWEI] keychain huawei mode absolute
[*HUAWEI-keychain-huawei] tcp-kind 252

time mode

Function

The time mode command configures the time mode for Keychain.

The undo time mode command restores the default time mode for Keychain.

By default, the time mode of Keychain is Local Mean Time (LMT).

Format

time mode { utc | lmt }

undo time mode

Parameters

Parameter Description Value
utc Specifies that the configured time is in Universal Time Coordinated (UTC) format. -
lmt Specifies that the configured time is in LMT format. -

Views

Keychain view

Default Level

2: Configuration level

Usage Guidelines

Each keychain consists of multiple key IDs that are valid within different time periods and each key ID is configured with an authentication algorithm. When a key ID becomes valid, the corresponding authentication algorithm is used, ensuring the dynamic change of authentication algorithms. Configure different key IDs for packet sending and receiving to be valid within different time periods.

To configure the time mode for Keychain, run the time mode command. You can configure UTC or LMT for Keychain based on the network planning. Ensure that the time mode remains the same on the entire network.

Example

# Configure the time mode for Keychain as UTC.

<HUAWEI> system-view
[~HUAWEI] keychain huawei1 mode absolute
[*HUAWEI-keychain-huawei1] time mode utc 
Updated: 2019-03-21

Document ID: EDOC1000166501