NE40E V800R010C10SPC500 Feature Description - Security 01

Principles of Keychain


A keychain is a set of key-ids, each of which uniquely represents one piece of authentication information. Authentication information consists of the authentication password and algorithm. The authentication information in use changes dynamically according to the send and receive times associated with each key-id.

Active Send key-id: When the current system time is within the time range of the configured send time of a key-id, that key-id is "send-active" provided that the key-id has already been configured with an authentication algorithm and password. The authentication information associated with this key-id is used by applications to generate Message Authentication Codes (MACs) when sending packets.

Active Receive key-id: When the current system time is within the time range of the configured receive time of a key-id, that key-id is "receive-active" provided that the key-id has already been configured with an authentication algorithm and password. The authentication information associated with this key-id is used by an application to validate the MACs in the received packets.

The send and receive times can be configured as an absolute time range or as a periodic time range. The periodic time ranges are daily, weekly, monthly, and yearly, which means that the key-id is active periodically during certain hours of the day, on certain days of the week, on certain dates of the month, or in certain months of the year, respectively.

In a Keychain, there can be only one active send key-id for any instant in time; active time ranges for a send key-id must not overlap. Keychain supports a default send key-id which is used as the active send key-id when no other key-id is active. Multiple receive key-ids can be active at any time.

When the send key-id on a router changes, the corresponding receive key-id on the peer router should change at the same instant. However, because the routers' clocks may not be synchronized, there can be a time lag between the key-id change on one router and the change on the other. During this period, packets can be dropped because the key-ids are inconsistent. To prevent this and to allow a smooth transition from one receive key-id to another, a grace period, or receive time range, is allowed during which both key-ids are used.

The receive time range is applicable only to receive key-ids. The receive time range of a receive key-id is extended at both its start time and its end time by a period equal to the receive tolerance period. The receive tolerance configuration is maintained per keychain.
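The selection rules and the receive tolerance described above can be modelled in a few lines. This is an added example, not Huawei code or device configuration; the class and function names are hypothetical, only absolute time ranges are modelled, and treating range bounds as inclusive is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Key:
    key_id: int
    send: Optional[tuple]      # (start, end) absolute send time, or None
    recv: Optional[tuple]      # (start, end) absolute receive time, or None
    configured: bool = True    # algorithm and password are both set

@dataclass
class Keychain:
    keys: list
    tolerance: timedelta = timedelta(0)   # receive tolerance, per keychain
    default_send: Optional[int] = None    # default send key-id

    def __post_init__(self):
        # Only one send key-id may be active at any instant: reject overlaps.
        spans = sorted(k.send for k in self.keys if k.send)
        for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
            if start_b <= end_a:
                raise ValueError("send time ranges overlap")

    def active_send(self, now):
        for k in self.keys:
            if k.configured and k.send and k.send[0] <= now <= k.send[1]:
                return k.key_id
        return self.default_send          # used when no other key-id is active

    def active_recv(self, now):
        # Tolerance widens the receive range at both its start and its end.
        t = self.tolerance
        return {k.key_id for k in self.keys
                if k.configured and k.recv
                and k.recv[0] - t <= now <= k.recv[1] + t}

def rollover_accepted(tolerance_s, skew_s):
    """Peer B's clock is skew_s behind A's; A has just rolled over to key 2."""
    t0 = datetime(2019, 1, 1)             # constructed sample times
    cut = t0 + timedelta(hours=1)
    # Key 1 ends one second before key 2 starts so send ranges do not overlap.
    keys = [Key(1, (t0, cut - timedelta(seconds=1)), (t0, cut - timedelta(seconds=1))),
            Key(2, (cut, cut + timedelta(hours=1)), (cut, cut + timedelta(hours=1)))]
    a = Keychain(keys)
    b = Keychain(keys, tolerance=timedelta(seconds=tolerance_s))
    sent_with = a.active_send(cut)                       # A's clock reads `cut`
    return sent_with in b.active_recv(cut - timedelta(seconds=skew_s))
```

With a 30-second clock lag, the first packet after rollover is rejected when the tolerance is 0 or 10 seconds and accepted when it is 60 seconds, because the tolerance must be at least as large as the skew between the peers.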

Updated: 2019-01-03

Document ID: EDOC1100055047
