CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring a Key

Context

A key is an authentication rule in a keychain. A key consists of an algorithm, a key string, an active send time, an active receive time, and a key status. A keychain supports a maximum of 64 keys.

Key IDs are unique within a keychain; keys in different keychains may use the same key ID. Only one send key can be active in a keychain at any time; otherwise applications cannot determine which send key to use to encrypt packets. Multiple receive keys, however, may be active at the same time: the receive key whose key ID matches the key ID carried in the received packet is used for decryption.

If the key on the sending end changes, the key on the receiving end must change as well. Because clocks on the network are not perfectly synchronized, the receiving end and the sending end may change keys at different moments, and packets may be lost during that interval. A receive tolerance time can be configured to prevent packet loss during a key change. The receive tolerance time takes effect only on keys on the receiving end: it advances the start of the receive time and delays its end.

If no key is configured for a period, no send key is active in that period, and applications therefore send no authentication packets to each other. A default send key can be configured to prevent this situation. Any key can be specified as the default send key, but a keychain has only one default send key. The default send key takes effect only when no other send key is active.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run keychain keychain-name

    The keychain view is displayed.

  3. (Optional) Run time mode { utc | lmt }

    The time mode of the keychain is configured.

  4. Run key-id key-id

    A key ID is created and the key-id view is displayed, in which the key is configured.

  5. Run algorithm { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 | simple }

    An algorithm is configured.

    Different protocols support different algorithms.

    RIP supports MD5 and simple. BGP and BGP4+ support MD5. IS-IS supports MD5 and simple. OSPF supports MD5, simple, and HMAC-MD5. MSDP supports MD5. MPLS LDP supports MD5. MPLS TE supports HMAC-MD5.

    NOTE:

    HMAC-MD5 and MD5 have potential security risks. HMAC-SHA-256 or SHA-256 is recommended.

    The authentication algorithm specified by simple is not secure. HMAC-SHA-256 or SHA-256 is recommended.

  6. Run key-string { plain plain-text | [ cipher ] cipher-text }

    A key string is configured.

    NOTE:

    When configuring an authentication password, select the ciphertext mode: if you select the plaintext mode, the password is saved in the configuration file in plain text, which is a high risk. To ensure device security, change the password periodically.

  7. Configure the send time. The command depends on the time mode of the keychain. Table 19-1 lists the command to configure the send time for each time mode.

    Table 19-1  Configuring the send time

    Time Mode           Command to Configure the Send Time
    absolute            send-time start-time start-date { duration { duration-value | infinite } | to end-time end-date }
    periodic daily      send-time daily start-time to end-time
    periodic weekly     send-time day { start-day-name to end-day-name | day-name &<1-7> }
    periodic monthly    send-time date { start-date-value to end-date-value | date-value &<1-31> }
    periodic yearly     send-time month { start-month-name to end-month-name | month-name &<1-12> }

    NOTE:

    You are advised to enable the Network Time Protocol (NTP) so that the clocks of the sending and receiving ends stay consistent.

  8. Configure the receive time. The command depends on the time mode of the keychain. Table 19-2 lists the command to configure the receive time for each time mode.

    Table 19-2  Configuring the receive time

    Time Mode           Command to Configure the Receive Time
    absolute            receive-time start-time start-date { duration { duration-value | infinite } | to end-time end-date }
    periodic daily      receive-time daily start-time to end-time
    periodic weekly     receive-time day { start-day-name to end-day-name | day-name &<1-7> }
    periodic monthly    receive-time date { start-date-value to end-date-value | date-value &<1-31> }
    periodic yearly     receive-time month { start-month-name to end-month-name | month-name &<1-12> }

  9. (Optional) Run default send-key-id

    The key is configured as the default key for sending packets.
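The following is an added example, not code from this document or from Huawei. It models in Python the keychain rules described in the Context section (unique key IDs, at most 64 keys, a single active send key with a default send key fallback, receive keys selected by the packet's key ID, and a receive tolerance that advances the start and delays the end of the receive window) and walks through a key rollover where the sender lags behind the receiver. It assumes hmac-sha-256 as the algorithm; the key strings and dates are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Key:                  # one key-id entry: key string, send window, receive window
    key_id: int
    key_string: bytes
    send: tuple             # (start, end) datetimes during which the key may be sent with
    recv: tuple             # (start, end) datetimes during which the key may be received with

class Keychain:
    def __init__(self, receive_tolerance=timedelta(0)):
        self.keys = {}                              # key IDs are unique within a keychain
        self.default_send_key_id = None             # at most one default send key
        self.receive_tolerance = receive_tolerance  # widens receive windows only
    def add_key(self, key):
        if key.key_id in self.keys or len(self.keys) >= 64:
            raise ValueError("duplicate key ID or more than 64 keys")
        self.keys[key.key_id] = key
    def active_send_key(self, now):
        active = [k for k in self.keys.values() if k.send[0] <= now < k.send[1]]
        if len(active) > 1:                         # sender could not choose between them
            raise ValueError("overlapping send times")
        return active[0] if active else self.keys.get(self.default_send_key_id)
    def receive_key(self, key_id, now):             # chosen by the key ID carried in the packet
        k, tol = self.keys.get(key_id), self.receive_tolerance   # tol: start earlier, end later
        return k if k and k.recv[0] - tol <= now < k.recv[1] + tol else None
    def sign(self, payload, now):                   # hmac-sha-256 assumed as the algorithm
        k = self.active_send_key(now)
        return None if k is None else (k.key_id, hmac.new(k.key_string, payload, hashlib.sha256).digest())
    def verify(self, payload, key_id, digest, now):
        k = self.receive_key(key_id, now)
        return k is not None and hmac.compare_digest(hmac.new(k.key_string, payload, hashlib.sha256).digest(), digest)

def rollover_demo():  # constructed scenario: key 1 ends and key 2 starts at 2019-01-10 00:00:00
    jan = lambda d, *t: datetime(2019, 1, d, *t)
    k1 = Key(1, b"constructed-k1", (jan(1), jan(10)), (jan(1), jan(10)))
    k2 = Key(2, b"constructed-k2", (jan(10), jan(20)), (jan(10), jan(20)))
    strict, tolerant = Keychain(), Keychain(receive_tolerance=timedelta(hours=1))
    for kc in (strict, tolerant): kc.add_key(k1); kc.add_key(k2)
    kid, digest = strict.sign(b"packet", jan(9, 23, 59, 50))   # lagging sender still on key 1
    late = jan(10, 0, 0, 30)                                   # receiver clock already past rollover
    strict.default_send_key_id = 2                             # fallback when no send key is active
    return {"lagging_key_id": kid, "default_key_id": strict.active_send_key(jan(25)).key_id,
            "strict_accepts": strict.verify(b"packet", kid, digest, late),
            "tolerant_accepts": tolerant.verify(b"packet", kid, digest, late)}
```

Without a receive tolerance the receiver rejects the packet signed with the expired key 1; with a one-hour tolerance it still accepts it, which is the packet-loss window the Context section describes.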

Updated: 2019-08-07

Document ID: EDOC1100034077