Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Implementation of Keychains for TCP Applications

TCP Applications Send Packets Using the Keychain

In the Bonica draft, TCP uses enhanced TCP authentication options to carry authentication information in TCP packets. Figure 15-4 shows the format of the enhanced TCP authentication option:

Figure 15-4  Format of enhanced TCP authentication option

The Bonica draft has not been standardized, and IANA has not defined the kind value or the algorithm IDs. Vendors therefore use different kind values and algorithm IDs. To enable devices from different vendors to communicate with each other, you can configure the TCP kind value and the mapping between each TCP algorithm and its algorithm ID.

A TCP application sends packets using the keychain in the procedure shown in Figure 15-5.
  1. The application requests the ID, TCP kind value, and TCP algorithm ID of the active send key.

  2. If the active send key exists, the keychain provides information about the request.

  3. The application fills the specified TCP kind value, TCP algorithm ID, and key ID entries in the enhanced TCP authentication options.

  4. The application provides data for MAC calculation.

  5. The keychain module calculates the MAC based on the algorithm and key string configured for the active send key and returns the MAC.

  6. The application fills the MAC entry in the enhanced TCP authentication options and sends the packet.

Figure 15-5  A TCP application sends packets using the keychain

A TCP Application Receives Packets Using the Keychain

A TCP application receives packets using the keychain in the procedure shown in Figure 15-6.
  1. The receiving end receives a TCP packet carrying authentication information.

  2. The receiving end provides data packets, key ID, TCP algorithm ID, TCP kind value, and the MAC to be verified for the keychain.

  3. The keychain checks whether the TCP kind value and algorithm ID in the received packet are the same as those configured on the local end. If not, the keychain sends a Reject packet.

  4. The keychain module checks whether the receive key with the same key ID as the received packet is active. If the receive key is not active, the keychain sends a Reject packet.

  5. If the receive key is active, the keychain module uses the algorithm and key string configured for that key to recalculate the MAC and checks whether the recalculated MAC is the same as the received MAC.

  6. A message indicating authentication success or failure is returned.

  7. The application receives or discards the packets based on the authentication result.

Figure 15-6  A TCP application receives packets using the keychain
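The two procedures above (sending with the active send key, and the kind value, algorithm ID, key activity and MAC checks on receipt) as an added Python model; this is illustrative code, not the switch's implementation. The option layout (kind, length, algorithm ID, key ID, MAC), the kind value 254 and the algorithm-to-ID mapping are assumptions, since the draft and the page define none of them.

```python
import hmac

# Assumed placeholders: IANA has assigned neither a kind value nor algorithm IDs.
TCP_KIND = 254
ALGORITHMS = {"hmac-md5": (3, "md5"), "hmac-sha-1": (5, "sha1")}


class Keychain:
    """Hypothetical keychain: key_id -> {algorithm, key, send, receive}."""
    def __init__(self, kind, keys):
        self.kind, self.keys = kind, keys

    def active_send_key(self):
        # Sending steps 1-2: ID, kind value and algorithm ID of the active send key.
        for key_id, k in self.keys.items():
            if k["send"]:
                return key_id, self.kind, ALGORITHMS[k["algorithm"]][0]
        return None

    def mac(self, key_id, data):
        # Sending step 5 / receiving step 5: MAC with the key's configured algorithm.
        _, digest = ALGORITHMS[self.keys[key_id]["algorithm"]]
        return hmac.new(self.keys[key_id]["key"], data, digest).digest()

    def verify(self, kind, alg_id, key_id, received_mac, data):
        # Receiving steps 3-6; each failure is the keychain's Reject.
        if kind != self.kind or alg_id not in {a for a, _ in ALGORITHMS.values()}:
            return "reject: kind value or algorithm ID mismatch"
        k = self.keys.get(key_id)
        if k is None or not k["receive"]:
            return "reject: receive key not active"
        if not hmac.compare_digest(self.mac(key_id, data), received_mac):
            return "reject: MAC mismatch"
        return "accept"


def build_option(kind, alg_id, key_id, mac):
    # Assumed option layout: kind | length | algorithm ID | key ID | MAC.
    return bytes([kind, 4 + len(mac), alg_id, key_id]) + mac


def send(chain, data):
    # Sending steps 1-6: the option the application attaches, or None if no active send key.
    info = chain.active_send_key()
    if info is None:
        return None
    key_id, kind, alg_id = info
    return build_option(kind, alg_id, key_id, chain.mac(key_id, data))


def receive(chain, data, opt):
    # Receiving steps 1-7: the application keeps or discards the packet by the result.
    kind, alg_id, key_id, mac = opt[0], opt[2], opt[3], opt[4:opt[1]]
    return chain.verify(kind, alg_id, key_id, mac, data)
```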
Updated: 2019-04-01

Document ID: EDOC1000178410