CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Basic Concepts of Keychains

A keychain is a set of encryption rules, called keys. Each key consists of an algorithm, a key string, and a send time and receive time. The algorithm and key string are used to encrypt and decrypt packets. The send time and receive time define the period during which packets are sent and received using that algorithm and key string.

Key

A key consists of an algorithm, a key string, and a send time and receive time. A keychain supports algorithms such as MD5, SHA-1, SHA-256, HMAC-MD5, HMAC-SHA1-12, and HMAC-SHA1-20. If a keychain is applied to an application, the application must support the algorithm configured in the keychain. The key string is a string configured by the user.

The active time consists of the active send time and the active receive time. The device changes keys dynamically according to the configured send and receive times. Keys are classified into the following types:

  • Active send key: When the system time is within the send time range, the key is the active send key. When the application sends a packet, the algorithm and key string configured for this key are used to generate a Message Authentication Code (MAC) on the sending end.

  • Active receive key: When the system time is within the receive time range, the key is the active receive key. When the application receives a packet, the algorithm and key string configured for this key are used to generate a MAC on the receiving end.

Message Authentication Code

A MAC is a character string calculated from the packet data and the key string using the configured algorithm.

Keychain Time Mode

Keychain time has an absolute time mode and a periodic time mode.

Absolute time mode uses the Coordinated Universal Time (UTC) format.

Periodic time mode sets a specific time period during which a keychain functions. Periodic time mode includes the following types:
  • Daily: The key in a keychain takes effect at a specified time each day.
  • Weekly: The key in a keychain takes effect on a specified day or days each week.
  • Monthly: The key in a keychain takes effect on a specified day or days each month.
  • Yearly: The key in a keychain takes effect in a specified month or months each year.
Only one time mode can be specified for a keychain, and it must be specified when the keychain is created. The send time and receive time of each key are configured according to the time mode of the keychain.

Default Send Key

If no key is configured for a period, no send key is active in that period, so applications do not send authentication packets to each other. A default send key can be configured to prevent this situation: when no other send key is active, the default send key takes effect.

Receive Tolerance Time

When the send key on the sending device changes, the receive key on the receiving end must change as well. Because the clocks on the two ends are not synchronized, the key change may be delayed on one end, and packets may be lost during this period. To prevent this situation, the receive key change needs a smooth transition. The length of this transition is called the receive tolerance time.

The receive tolerance time takes effect only on the receive key and can be configured for each keychain. As shown in Figure 19-1, when a receive tolerance time is configured, the start of the receive time is advanced and the end of the receive time is delayed by that amount.

Figure 19-1  Valid Time Range of Tolerance Time
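The following Python model is an added example, not Huawei's code and not how the AR router implements keychains internally. It ties together the active send key, the default send key, and the receive tolerance time described above: the key strings, packet, times and the 60-second tolerance are constructed sample values, and HMAC-SHA256 stands in for whichever algorithm is configured.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class Key:
    key_id: int
    algorithm: str        # hashlib digest name ("md5", "sha1", "sha256", ...)
    key_string: bytes
    send_start: datetime  # active send window is [send_start, send_end)
    send_end: datetime
    recv_start: datetime  # active receive window is [recv_start, recv_end)
    recv_end: datetime

@dataclass
class Keychain:
    keys: List[Key]
    receive_tolerance: timedelta = timedelta(0)
    default_send_key: Optional[Key] = None

    def active_send_key(self, now: datetime) -> Optional[Key]:
        for k in self.keys:
            if k.send_start <= now < k.send_end:
                return k
        return self.default_send_key  # only when no configured send window is active

    def active_receive_keys(self, now: datetime) -> List[Key]:
        tol = self.receive_tolerance  # start advanced, end delayed, as in Figure 19-1
        return [k for k in self.keys if k.recv_start - tol <= now < k.recv_end + tol]

def compute_mac(key: Key, packet: bytes) -> bytes:
    return hmac.new(key.key_string, packet, key.algorithm).digest()

def sign(chain: Keychain, packet: bytes, now: datetime):
    k = chain.active_send_key(now)          # None means no authentication is sent
    return None if k is None else (k.key_id, compute_mac(k, packet))

def verify(chain: Keychain, packet: bytes, key_id: int, tag: bytes, now: datetime) -> bool:
    return any(k.key_id == key_id and hmac.compare_digest(compute_mac(k, packet), tag)
               for k in chain.active_receive_keys(now))

# Constructed sample: absolute (UTC) mode, key 1 before noon, key 2 after, default key, 60 s tolerance.
NOON = datetime(2019, 8, 7, 12, 0, 0, tzinfo=timezone.utc)
DAY_START, DAY_END = NOON - timedelta(hours=12), NOON + timedelta(hours=12)
KEY1 = Key(1, "sha256", b"constructed-key-1", DAY_START, NOON, DAY_START, NOON)
KEY2 = Key(2, "sha256", b"constructed-key-2", NOON, DAY_END, NOON, DAY_END)
DEFAULT = Key(9, "sha256", b"constructed-default", DAY_END, DAY_END, DAY_END, DAY_END)
STRICT = Keychain([KEY1, KEY2])                                    # no tolerance
TOLERANT = Keychain([KEY1, KEY2], timedelta(seconds=60), DEFAULT)
```

With the sender's clock 50 seconds ahead of the receiver's, a packet signed with key 2 just after noon is rejected by STRICT (the receiver still sees only key 1 as active) but accepted by TOLERANT, whose advanced start time covers the skew.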

TCP kind-value and TCP algorithm-id

TCP applications authenticate their connections using TCP authentication. TCP carries the authentication data in the enhanced TCP authentication option of the TCP packets.

  • Vendors use different kind-values to represent the enhanced TCP authentication option. To allow devices from different vendors to communicate with each other, the kind-value can be configured to match the TCP kind used by the peer device.

  • The enhanced TCP authentication option contains an algorithm-id field that indicates the type of algorithm. The algorithm-id is not defined by the Internet Assigned Numbers Authority (IANA), so different vendors use different algorithm-ids to represent the same algorithm. The mapping between algorithm-id and algorithm can be configured to allow devices from different vendors to communicate with each other.

Updated: 2019-08-07

Document ID: EDOC1100034077