Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Implementation of Keychains for a Non-TCP Application

A keychain provides authentication for application-layer protocols, and it takes effect only after it is applied to an application. Depending on how packets are processed, a keychain is applied either to non-TCP applications or to TCP applications; this section describes the non-TCP case.

A Non-TCP Application Sends Packets Using the Keychain

A non-TCP application sends packets using the keychain in the procedure shown in Figure 15-2.
  1. The application requests the ID and algorithm of the active send key from the keychain module.

  2. If an active send key exists, the keychain module returns its key ID and algorithm. If no active send key exists, the application sends the packet without authentication information (the keychain provides a MAC for authentication, not encryption).

  3. After receiving the ID and algorithm of the active send key, the application maps the keychain algorithm to the algorithm ID defined by its protocol and encapsulates that algorithm ID and the key ID in the packet.

  4. The application hands the keychain module the data over which the MAC is to be calculated.

  5. The keychain module calculates the MAC using the algorithm and key string defined by the active send key and returns the MAC to the application.

  6. The application assembles the packet carrying the authentication information and sends it.

Figure 15-2  A non-TCP application sends packets using the keychain

A Non-TCP Application Receives Packets Using the Keychain

A non-TCP application receives packets using the keychain in the procedure shown in Figure 15-3.
  1. The receiving end receives a packet carrying authentication information.

  2. The application on the receiving end maps the received algorithm ID back to the keychain algorithm.

  3. The application on the receiving end passes the packet data, the key ID, the algorithm, and the MAC to be verified to the keychain module.

  4. The keychain module checks whether a receive key with the key ID carried in the packet exists and is active. If no such active receive key exists, the keychain module returns a reject result.

  5. If the receive key is active, the keychain module recalculates the MAC using the algorithm and key string configured for that key and compares the recalculated MAC with the received MAC.

  6. The keychain module returns a result indicating authentication success or failure.

  7. The application accepts or discards the packet according to the authentication result.
Figure 15-3  A non-TCP application receives packets using the keychain
NOTE:
IS-IS also uses keychain authentication, but IS-IS packets do not carry a key ID. When the receiving end receives an IS-IS packet carrying authentication information, the device checks all active receive keys and uses any key whose algorithm matches the one signalled in the packet to verify the MAC.
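The following Python model walks through both procedures above (the send path, the key-ID lookup on receipt, and the IS-IS variant from the note that scans all active receive keys). It is an added example, not Huawei code: the one-byte authentication flag, the protocol algorithm IDs, the packet layout, the integer time windows and the sample key strings are all assumptions made for illustration, and the decision to drop unauthenticated packets when keys are configured is a choice of this model, not documented device behaviour.

```python
"""Model of the keychain send/receive procedures (added example, not Huawei code).

Assumptions: a 1-byte auth flag, 1-byte protocol algorithm ID, 2-byte key ID,
integer timestamps for the key windows, and HMAC as the MAC construction.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Keychain algorithm name -> (assumed protocol algorithm ID, hashlib constructor).
ALGORITHMS = {"hmac-sha256": (1, hashlib.sha256), "hmac-md5": (2, hashlib.md5)}
ALGORITHM_BY_ID = {aid: name for name, (aid, _) in ALGORITHMS.items()}
AUTH_ABSENT, AUTH_PRESENT = 0, 1  # assumed flag byte at the start of every packet


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: bytes
    algorithm: str
    send_window: tuple     # (start, end): when this key is the active send key
    receive_window: tuple  # (start, end): when this key is accepted on receipt


class Keychain:
    """The keychain module: owns the keys, picks the active send key, computes/checks MACs."""

    def __init__(self, keys):
        self.keys = {k.key_id: k for k in keys}

    @staticmethod
    def _active(window, now):
        start, end = window
        return start <= now < end

    def active_send_key(self, now):
        # Send steps 1-2: return the active send key, or None if there is none.
        return next((k for k in self.keys.values() if self._active(k.send_window, now)), None)

    def compute_mac(self, key, data):
        # Send step 5: MAC over the data the application hands over, with the key's algorithm.
        return hmac.new(key.key_string, data, ALGORITHMS[key.algorithm][1]).digest()

    def verify_by_key_id(self, key_id, algorithm, data, received_mac, now):
        # Receive steps 4-6: the key named by the packet must exist, be an active receive
        # key and use the signalled algorithm; otherwise reject. Then recompute and compare.
        key = self.keys.get(key_id)
        if key is None or key.algorithm != algorithm or not self._active(key.receive_window, now):
            return False
        return hmac.compare_digest(self.compute_mac(key, data), received_mac)

    def verify_any_active(self, algorithm, data, received_mac, now):
        # IS-IS variant: no key ID in the packet, so try every active receive key
        # with the same algorithm until one verifies.
        for key in self.keys.values():
            if key.algorithm == algorithm and self._active(key.receive_window, now) \
                    and hmac.compare_digest(self.compute_mac(key, data), received_mac):
                return True
        return False


def send(keychain, payload, now, carry_key_id=True):
    """Application send path; carry_key_id=False models IS-IS, whose packets omit the key ID."""
    key = keychain.active_send_key(now)
    if key is None:
        return bytes([AUTH_ABSENT]) + payload  # step 2: no active send key, sent unauthenticated
    alg_id = ALGORITHMS[key.algorithm][0]  # step 3: keychain algorithm -> protocol algorithm ID
    header = (struct.pack("!BBH", AUTH_PRESENT, alg_id, key.key_id) if carry_key_id
              else struct.pack("!BB", AUTH_PRESENT, alg_id))
    return header + payload + keychain.compute_mac(key, header + payload)  # steps 4-6


def receive(keychain, packet, now, carry_key_id=True):
    """Application receive path. Returns (accepted, payload or None)."""
    header_len = 4 if carry_key_id else 2
    if not packet or packet[0] == AUTH_ABSENT:
        return False, None  # model assumption: receivers with keys configured drop unauthenticated packets
    if len(packet) < header_len:
        return False, None
    algorithm = ALGORITHM_BY_ID.get(packet[1])  # step 2: protocol algorithm ID -> keychain algorithm
    if algorithm is None:
        return False, None
    mac_len = ALGORITHMS[algorithm][1]().digest_size
    if len(packet) < header_len + mac_len:
        return False, None
    body, mac = packet[:-mac_len], packet[-mac_len:]
    if carry_key_id:
        ok = keychain.verify_by_key_id(struct.unpack("!H", packet[2:4])[0], algorithm, body, mac, now)
    else:
        ok = keychain.verify_any_active(algorithm, body, mac, now)
    return (True, body[header_len:]) if ok else (False, None)


# Constructed demo keychain: key 1 rolls over to key 2 at t=100. Receive windows
# overlap the send windows so packets in flight across the rollover still verify.
DEMO_KEYS = [
    Key(1, b"key-one-secret", "hmac-sha256", send_window=(0, 100), receive_window=(0, 130)),
    Key(2, b"key-two-secret", "hmac-sha256", send_window=(100, 200), receive_window=(80, 230)),
]


def demo():
    sender, receiver = Keychain(DEMO_KEYS), Keychain(DEMO_KEYS)
    pkt = send(sender, b"hello", now=50)  # signed with key 1
    return {
        "fresh": receive(receiver, pkt, now=55)[0],                   # key 1 active on both sides
        "stale_key": receive(receiver, pkt, now=140)[0],              # key 1's receive window is over
        "tampered": receive(receiver, pkt[:4] + b"jello" + pkt[9:], now=55)[0],
        "no_send_key": receive(receiver, send(sender, b"x", now=250), now=250)[0],
        "isis_scan": receive(receiver, send(sender, b"lsp", now=120, carry_key_id=False),
                             now=120, carry_key_id=False)[0],        # key 2 found by scanning
    }
```

Two points the model makes visible: the receiver checks the key by the ID the packet names, so a packet signed with an expired key is rejected even while another key is active (`stale_key`), and the IS-IS path has to try every active receive key, which is why the note says the device checks all of them. The overlapping receive windows are the usual way to tolerate clock skew across a rollover; configuring them wider than the send windows is a design choice of this example, not a statement about device defaults.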
Updated: 2019-03-28

Document ID: EDOC1000178177
