NE40E V800R010C10SPC500 Feature Description - Security 01

TCP Applications of Keychain

In the TCP application of Keychain, authentication is done at the TCP level, not at the application level. An application specifies that TCP will use Keychain to extract authentication information. TCP initializes or de-initializes itself with the Keychain module through the exposed Keychain initialization API.

TCP uses the Enhanced Authentication Option for authenticated communication, as specified in the TCPM Working Group draft (draft-bonica-tcp-auth-06.txt). The following figure shows the Option format.

Figure 6-3 TCP Enhanced Authentication Option format

Because the draft is not yet a standard, the Internet Assigned Numbers Authority (IANA) has not defined the kind value (Option type) or the algorithm-id for some algorithms, so different vendors use different values. To be interoperable with other vendors, the TCP kind value and TCP algorithm-id are configurable and are maintained in Keychain.

The Keychain API provides a query function for applications to obtain TCP kind and algorithm-id values.

When a TCP application needs to send packets, it performs the process shown in the following figure.

Figure 6-4 Process to send packets in TCP
  1. To set the Enhanced Authentication Option, the application queries the Keychain module to get the active send key-id authentication information.
  2. From the authentication information obtained, the application generates packet data and sends it to Keychain to generate a MAC. Keychain calculates the MAC and sends it to the application.
  3. The application fills in the TCP kind value, TCP algorithm-id that corresponds to the active send key-id algorithm, and generated MAC in the Enhanced Authentication Option format and sends out the packet.

When the TCP application receives a packet, it performs the process shown in the following figure.

Figure 6-5 Process to receive packets in a TCP-based application
  • The application extracts the authentication information from the packet and provides it to Keychain for validation.
  • Keychain checks whether the TCP algorithm-id in the packet matches the TCP algorithm-id that corresponds to the algorithm of the received key-id. If the algorithm-ids do not match, a failure message is returned.
  • Keychain re-calculates the MAC and compares the generated MAC with the received MAC. If they match, a success message is returned to the application; otherwise, a failure message is returned.
  • The application accepts or rejects the packet based on the Keychain validation result.
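The send and receive processes above, simulated in Python as an added example that is not Huawei's code. The Keychain contents, the kind value 254, the algorithm-id numbers and the byte layout Kind | Length | Algorithm-ID | Key-ID | MAC are assumptions, since the page states that these values are vendor-configurable rather than fixed.

```python
import hmac
import hashlib
import struct

# Supported MAC algorithms: name -> hash constructor (constructed table).
ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-md5": hashlib.md5}


class Keychain:
    """Minimal stand-in for the Keychain module described in the text."""

    def __init__(self, tcp_kind, algorithm_ids, keys, active_send_key_id):
        self.tcp_kind = tcp_kind            # configurable Option kind value
        self.algorithm_ids = algorithm_ids  # {"hmac-sha256": 1, ...} (configurable)
        self.keys = keys                    # {key_id: (algorithm_name, secret)}
        self.active_send_key_id = active_send_key_id

    def query_send_key(self):
        """Send step 1: active send key-id and its configured TCP algorithm-id."""
        alg, _ = self.keys[self.active_send_key_id]
        return self.active_send_key_id, self.algorithm_ids[alg]

    def generate_mac(self, key_id, data):
        """Send step 2: MAC over the packet data with the given key."""
        alg, secret = self.keys[key_id]
        return hmac.new(secret, data, ALGORITHMS[alg]).digest()

    def validate(self, key_id, algorithm_id, data, received_mac):
        """Receive steps 2-3: algorithm-id must match, then the MAC must match."""
        if key_id not in self.keys:
            return False
        alg, _ = self.keys[key_id]
        if self.algorithm_ids[alg] != algorithm_id:
            return False                    # algorithm-id mismatch -> failure
        return hmac.compare_digest(self.generate_mac(key_id, data), received_mac)


def build_option(kc, payload):
    """Send step 3: pack kind, length, algorithm-id, key-id and MAC (assumed layout)."""
    key_id, alg_id = kc.query_send_key()
    mac = kc.generate_mac(key_id, payload)
    return struct.pack("BBBB", kc.tcp_kind, 4 + len(mac), alg_id, key_id) + mac


def check_option(kc, option, payload):
    """Receive step 1 + final decision: parse the option and ask Keychain to validate."""
    kind, length, alg_id, key_id = struct.unpack("BBBB", option[:4])
    if kind != kc.tcp_kind or length != len(option):
        return False
    return kc.validate(key_id, alg_id, payload, option[4:])
```

A peer whose Keychain maps the same algorithm to a different algorithm-id rejects the option at the algorithm-id check before any MAC is computed, which is the interoperability problem the text describes.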
Updated: 2019-01-03

Document ID: EDOC1100055047
