NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01
Configuring Basic Keychain Functions

This section describes how to configure basic Keychain functions.

Usage Scenario

A keychain provides authentication for the applications that reference it. A keychain contains one or more key-ids, and each key-id consists of an authentication algorithm and a key-string (the shared secret). Each key-id has a send lifetime and a receive lifetime; depending on these, a key-id is send-active, receive-active, or both, and only an active key-id is used for authenticated communication. A send-active key-id is used to authenticate outgoing packets; on the receiving side, the same key-id must be receive-active for the authenticated packet to be processed. The administrator has to configure the key-ids under the keychain so that both sides always have a matching active key-id and can communicate without packet loss.

Pre-configuration Tasks

Before configuring the keychain on the peer routers, configure the Network Time Protocol (NTP) so that the time is consistent on the two routers.

Configuration Procedure

Figure 6-1 Flowchart of configuring basic Keychain function

Creating a Keychain

Procedure

  1. Run system-view

    The system view is entered.

  2. Run keychain keychain-name mode { absolute | periodic { daily | weekly | monthly | yearly } }

    Keychain is created and keychain view is entered.

    NOTE:

    The timing mode is mandatory when a keychain is created. Once the keychain exists, the timing mode need not be specified again to enter the keychain view.

  3. Run commit

    The configurations are committed.

(Optional) Configuring Receive Tolerance of a Keychain

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run keychain keychain-name

    The keychain view is displayed.

  3. Run receive-tolerance { value | infinite }

    The receive tolerance period for the keychain is configured.

    NOTE:

    Receive tolerance can be configured in the following two ways:

    • Specifying a particular receive tolerance value in minutes, up to a maximum of 10 days (14400 minutes).
    • Specifying an infinite receive tolerance using the infinite keyword.

  4. Run commit

    The configurations are committed.

Creating a Key-id in a Keychain

Procedure

  1. Run system-view

    The system view is entered.

  2. Run keychain keychain-name

    The keychain view is entered.

  3. Run key-id key-id

    Key-id is created and key-id view is entered.

    NOTE:

    To configure a key-id in a keychain, a unique id within the keychain is required. This id should be an integer and the value ranges from 0 to 63.

  4. Run commit

    The configurations are committed.

Configuring Key-string of a Key-id

Procedure

  1. Run system-view

    The system view is entered.

  2. Run keychain keychain-name

    The keychain view is entered.

  3. Run key-id key-id

    Key-id is created and key-id view is entered.

  4. Run key-string { plain plain-text | [ cipher ] plain-cipher-text }

    The key-string for the key-id is configured.

    Key-string is the authentication string used while sending and receiving the packets.

    NOTE:

    Key-id will be inactive if the key-string is not configured.

  5. Run commit

    The configurations are committed.

Configuring Authentication Algorithm of a Key-id

Procedure

  1. Run system-view

    The system view is entered.

  2. Run keychain keychain-name

    The keychain view is entered.

  3. Run key-id key-id

    Key-id is created and key-id view is entered.

  4. Run algorithm { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 }

    The authentication algorithm for the key-id is configured.

    NOTE:

    Key-id will be inactive if the authentication algorithm is not configured.

  5. (Optional) Run quit

    Return to the Keychain view.

  6. (Optional) Run digest-length { hmac-sha-256 | sha-256 | hmac-sha1-20 } length

    The digest length of the authentication algorithm is set.

    NOTE:

    • In versions earlier than V800R008C10, the HMAC-SHA-256, SHA-256, and HMAC-SHA1-20 algorithms use a 16-byte digest by default.

    • In versions later than V800R010C00, the HMAC-SHA1-20 algorithm uses a 20-byte digest by default. You can run the digest-length hmac-sha1-20 16 command to allow interconnection with an earlier version. By default, the HMAC-SHA-256 and SHA-256 algorithms use a 32-byte digest. You can run the digest-length hmac-sha-256 16 or digest-length sha-256 16 command to allow interconnection with an earlier version.

  7. Run commit

    The configurations are committed.
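The note on digest lengths above is the interoperability point that bites in practice: two peers sharing the same algorithm and key-string still fail to authenticate if one truncates the HMAC to 16 bytes and the other expects 20 or 32. The following Python model is an added illustration, not the NE20E-S2's own code. It assumes that a truncated digest keeps the leading `length` bytes of the full HMAC output (the usual HMAC truncation); the `digest_length` parameter and the `interop` helper are constructed for this example.

```python
"""HMAC digest-length interoperability check for keychain algorithms.

Added illustration, not NE20E-S2 code. Assumption: a truncated digest keeps
the leading `length` bytes of the full HMAC output (standard HMAC truncation).
"""
import hmac
from typing import Optional

# algorithm name as on the page -> (hash function, full digest length in bytes)
ALGORITHMS = {
    "hmac-sha1-12": ("sha1", 12),
    "hmac-sha1-20": ("sha1", 20),
    "hmac-sha-256": ("sha256", 32),
}


def make_digest(algorithm: str, key_string: str, payload: bytes,
                digest_length: Optional[int] = None) -> bytes:
    """Authentication data a sender attaches to `payload`.

    `digest_length` models the `digest-length <algorithm> <length>` command;
    None uses the algorithm's full (default) length from ALGORITHMS.
    """
    hash_name, full = ALGORITHMS[algorithm]
    length = full if digest_length is None else digest_length
    if not 1 <= length <= full:
        raise ValueError(f"{algorithm}: digest length must be in 1..{full}")
    mac = hmac.new(key_string.encode(), payload, hash_name).digest()
    return mac[:length]


def verify_digest(algorithm: str, key_string: str, payload: bytes,
                  received: bytes, digest_length: Optional[int] = None) -> bool:
    """Receiver-side check: constant-time compare; a length mismatch is False."""
    expected = make_digest(algorithm, key_string, payload, digest_length)
    return hmac.compare_digest(expected, received)


def interop(sender_length: Optional[int], receiver_length: Optional[int],
            algorithm: str = "hmac-sha1-20", key_string: str = "secret-one") -> bool:
    """Does a peer configured with `sender_length` authenticate to a peer
    configured with `receiver_length`? Both share algorithm and key-string."""
    payload = b"constructed routing PDU"  # constructed sample packet body
    tag = make_digest(algorithm, key_string, payload, sender_length)
    return verify_digest(algorithm, key_string, payload, tag, receiver_length)


if __name__ == "__main__":
    # Newer release: hmac-sha1-20 defaults to 20 bytes; the older peer expects 16.
    print("20-byte sender -> 16-byte receiver:", interop(None, 16))  # False
    # After `digest-length hmac-sha1-20 16` on the newer peer:
    print("16-byte sender -> 16-byte receiver:", interop(16, 16))    # True
```

The mismatch case fails at the receiver exactly as a wrong key would, so when a neighbour relationship stays down after a software upgrade with an otherwise identical keychain, compare the effective digest length on both sides before suspecting the key-string.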

(Optional) Configuring a Key-id as the Default Send-key-id

Procedure

  1. Run system-view

    The system view is entered.

  2. Run keychain keychain-name

    The keychain view is entered.

  3. Run key-id key-id

    Key-id is created and key-id view is entered.

  4. Run default send-key-id

    The key-id is set as the default send-key-id.

    Only one key-id in a keychain can be configured as the default send-key-id.

  5. Run commit

    The configurations are committed.

Configuring Send-time of a Key-id

Context

The send-time syntax for a key-id depends on the timing mode configured for the keychain.

Procedure

  • Absolute Timing Mode
    1. Run system-view

      The system view is entered.

    2. Run keychain keychain-name mode absolute

      The keychain is created in absolute timing mode and keychain view is entered.

    3. Run time mode { utc | lmt }

      The time mode for keychain is configured.

    4. Run key-id key-id

      The key-id is created and key-id view is entered.

    5. Run send-time start-utc-time { duration { duration-value | infinite } | { to end-utc-time } }

      The send-time for the key-id is configured.

    6. Run commit

      The configurations are committed.

  • Daily Periodic Timing Mode
    1. Run system-view

      The system view is entered.

    2. Run keychain keychain-name mode periodic daily

      The keychain is created in daily periodic timing mode and keychain view is entered.

    3. Run time mode { utc | lmt }

      The time mode for keychain is configured.

    4. Run key-id key-id

      The key-id is created and key-id view is entered.

    5. Run send-time { daily start-time to end-time }

      The send-time for the key-id is configured.

    6. Run commit

      The configurations are committed.

  • Weekly Periodic Timing Mode
    1. Run system-view

      The system view is entered.

    2. Run keychain keychain-name mode periodic weekly

      The keychain is created in weekly periodic timing mode and keychain view is entered.

    3. Run time mode { utc | lmt }

      The time mode for keychain is configured.

    4. Run key-id key-id

      The key-id is created and key-id view is entered.

    5. Run send-time day { start-day-name to end-day-name | day-name &<1-7> }

      The send-time for the key-id is configured.

    6. Run commit

      The configurations are committed.

  • Monthly Periodic Timing Mode
    1. Run system-view

      The system view is entered.

    2. Run keychain keychain-name mode periodic monthly

      The keychain is created in monthly periodic timing mode and keychain view is entered.

    3. Run time mode { utc | lmt }

      The time mode for keychain is configured.

    4. Run key-id key-id

      The key-id is created and key-id view is entered.

    5. Run send-time date { start-date-value to end-date-value | date-value &<1-31> }

      The send-time for the key-id is configured.

    6. Run commit

      The configurations are committed.

  • Yearly Periodic Timing Mode
    1. Run system-view

      The system view is entered.

    2. Run keychain keychain-name mode periodic yearly

      The keychain is created in yearly periodic timing mode and keychain view is entered.

    3. Run time mode { utc | lmt }

      The time mode for keychain is configured.

    4. Run key-id key-id

      The key-id is created and key-id view is entered.

    5. Run send-time month { start-month-name to end-month-name | month-name &<1-12> }

      The send-time for the key-id is configured.

      The send-time of a key-id is configured according to the timing mode defined for the keychain. Only one send key-id in a keychain can be active at a time, so the send-times of different key-ids in a keychain must not overlap.

      To re-configure the send-time, first undo the send-time that is currently configured.

    6. Run commit

      The configurations are committed.

Configuring Receive-time of a Key-id

Context

The receive-time syntax for a key-id depends on the timing mode configured for the keychain.

Procedure

  • Absolute Timing Mode
    1. Run system-view

      The system view is entered.

    2. Run keychain keychain-name mode absolute

      The keychain is created in absolute timing mode and keychain view is entered.

    3. Run time mode { utc | lmt }

      The time mode for keychain is configured.

    4. Run key-id key-id

      The key-id is created and key-id view is entered.

    5. Run receive-time start-utc-time { duration { duration-value | infinite } | { to end-utc-time } }

      The receive-time for the key-id is configured.

    6. Run commit

      The configurations are committed.

  • Daily Periodic Timing Mode
    1. Run system-view

      The system view is entered.

    2. Run keychain keychain-name mode periodic daily

      The keychain is created in daily periodic timing mode and keychain view is entered.

    3. Run time mode { utc | lmt }

      The time mode for keychain is configured.

    4. Run key-id key-id

      The key-id is created and key-id view is entered.

    5. Run receive-time { daily start-time to end-time }

      The receive-time for the key-id is configured.

    6. Run commit

      The configurations are committed.

  • Weekly Periodic Timing Mode
    1. Run system-view

      The system view is entered.

    2. Run keychain keychain-name mode periodic weekly

      The keychain is created in weekly periodic timing mode and keychain view is entered.

    3. Run time mode { utc | lmt }

      The time mode for keychain is configured.

    4. Run key-id key-id

      The key-id is created and key-id view is entered.

    5. Run receive-time day { start-day-name to end-day-name | day-name &<1-7> }

      The receive-time for the key-id is configured.

    6. Run commit

      The configurations are committed.

  • Monthly Periodic Timing Mode
    1. Run system-view

      The system view is entered.

    2. Run keychain keychain-name mode periodic monthly

      The keychain is created in monthly periodic timing mode and keychain view is entered.

    3. Run time mode { utc | lmt }

      The time mode for keychain is configured.

    4. Run key-id key-id

      The key-id is created and key-id view is entered.

    5. Run receive-time date { start-date-value to end-date-value | date-value &<1-31> }

      The receive-time for the key-id is configured.

    6. Run commit

      The configurations are committed.

  • Yearly Periodic Timing Mode
    1. Run system-view

      The system view is entered.

    2. Run keychain keychain-name mode periodic yearly

      The keychain is created in yearly periodic timing mode and keychain view is entered.

    3. Run time mode { utc | lmt }

      The time mode for keychain is configured.

    4. Run key-id key-id

      The key-id is created and key-id view is entered.

    5. Run receive-time month { start-month-name to end-month-name | month-name &<1-12> }

      The receive-time for the key-id is configured.

      The receive-time of a key-id is configured according to the timing mode defined for the keychain.

      To re-configure the receive-time, first undo the receive-time that is currently configured.

    6. Run commit

      The configurations are committed.
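The Usage Scenario, the receive-tolerance note and the send-time and receive-time procedures above describe one timing model: a key-id is send-active or receive-active only inside its configured lifetime, send lifetimes must not overlap, and the receive tolerance widens the receive window so that a peer whose clock or rollover is slightly off is still authenticated. The following Python model is an added illustration, not the NE20E-S2's own code, for absolute timing mode. It assumes that the receive tolerance extends each receive window by the tolerance at both ends, that `receive-tolerance infinite` makes every configured key-id receive-active, and that a packet carries the key-id number so the receiver can look it up; the keychain named earth, the key-strings and the timestamps are constructed for the example.

```python
"""Model of keychain key-id send/receive lifetimes (absolute timing mode).

Added illustration; not the NE20E-S2's own code. Assumptions are marked below.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


def _in_window(now: datetime, start: datetime, end: Optional[datetime]) -> bool:
    # end is None models "duration infinite"; windows are half-open [start, end)
    return start <= now and (end is None or now < end)


@dataclass
class KeyId:
    key_id: int                  # 0..63, unique within the keychain
    key_string: Optional[str]    # shared secret; None = not configured
    algorithm: Optional[str]     # e.g. "hmac-sha-256"; None = not configured
    send_start: datetime
    send_end: Optional[datetime]
    recv_start: datetime
    recv_end: Optional[datetime]

    def configured(self) -> bool:
        # A key-id stays inactive until both key-string and algorithm are set.
        return self.key_string is not None and self.algorithm is not None


@dataclass
class Keychain:
    name: str
    receive_tolerance_min: Optional[int] = 0   # None models "receive-tolerance infinite"
    keys: List[KeyId] = field(default_factory=list)

    def add(self, key: KeyId) -> None:
        if not 0 <= key.key_id <= 63:
            raise ValueError("key-id must be an integer in 0..63")
        if any(k.key_id == key.key_id for k in self.keys):
            raise ValueError(f"key-id {key.key_id} already exists in keychain {self.name}")
        self.keys.append(key)

    def overlapping_send_times(self) -> List[Tuple[int, int]]:
        """Pairs of key-ids whose send windows overlap; must be empty."""
        bad = []
        ordered = sorted(self.keys, key=lambda k: k.send_start)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                if a.send_end is None or b.send_start < a.send_end:
                    bad.append((a.key_id, b.key_id))
        return bad

    def send_active(self, now: datetime) -> Optional[KeyId]:
        """The single key-id used to authenticate outgoing packets at `now`."""
        if self.overlapping_send_times():
            raise ValueError(f"send-times overlap in keychain {self.name}")
        for k in self.keys:
            if k.configured() and _in_window(now, k.send_start, k.send_end):
                return k
        return None

    def receive_active(self, now: datetime) -> List[KeyId]:
        """Key-ids accepted on incoming packets at `now` (assumption: the
        tolerance widens each receive window at both ends; None = infinite)."""
        active = []
        for k in self.keys:
            if not k.configured():
                continue
            if self.receive_tolerance_min is None:
                active.append(k)
                continue
            tol = timedelta(minutes=self.receive_tolerance_min)
            end = None if k.recv_end is None else k.recv_end + tol
            if _in_window(now, k.recv_start - tol, end):
                active.append(k)
        return active


def authenticates(sender: Keychain, sender_now: datetime,
                  receiver: Keychain, receiver_now: datetime) -> bool:
    """True if a packet authenticated with the sender's send-active key-id is
    accepted (assumption: the packet carries the key-id number)."""
    k = sender.send_active(sender_now)
    if k is None:
        return False
    return any(r.key_id == k.key_id and r.algorithm == k.algorithm
               and r.key_string == k.key_string
               for r in receiver.receive_active(receiver_now))


def at(hour: int, minute: int) -> datetime:
    """Constructed timestamps on the date used by the page's display output."""
    return datetime(2011, 3, 10, hour, minute)


def build_chain(tolerance_min: Optional[int]) -> Keychain:
    """Constructed keychain 'earth': key-id 1 valid 14:40-14:50, key-id 2 from 14:50 on."""
    chain = Keychain("earth", receive_tolerance_min=tolerance_min)
    chain.add(KeyId(1, "secret-one", "hmac-sha-256", at(14, 40), at(14, 50), at(14, 40), at(14, 50)))
    chain.add(KeyId(2, "secret-two", "hmac-sha-256", at(14, 50), None, at(14, 50), None))
    return chain


if __name__ == "__main__":
    # Sender's clock reads 14:51 (already rolled over to key-id 2); the
    # receiver's clock is two minutes behind at 14:49.
    for tol in (0, 5, None):
        ok = authenticates(build_chain(tol), at(14, 51), build_chain(tol), at(14, 49))
        print(f"receive-tolerance={tol!r:>4}: packet accepted = {ok}")
```

With a tolerance of 0 the packet is dropped because key-id 2 is not yet receive-active on the slower peer; a tolerance of 5 minutes (or infinite) bridges the skew. This is why the pre-configuration task requires NTP: tolerance covers small differences, but a keychain with back-to-back lifetimes and unsynchronized clocks loses traffic at every rollover.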

Verifying the Keychain Configuration

Prerequisites

The configurations of the keychain are complete.

Procedure

  • Run the display keychain keychain-name command to view the current configuration of a keychain.
  • Run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain.

Example

After the keychain configuration is complete, run the display keychain keychain-name command to view the current configuration of a keychain, for example:

<HUAWEI> display keychain earth
 Keychain Information:
 ----------------------
 Keychain Name             : earth
   Timer Mode              : Absolute
   Receive Tolerance(min)  : 100
   TCP Kind                : 254
   TCP Algorithm IDs       :
     HMAC-MD5              : 5
     HMAC-SHA1-12          : 2
     HMAC-SHA1-20          : 6
     MD5                   : 3
     SHA1                  : 4
     HMAC-SHA-256          : 7
     SHA-256               : 8
 Number of Key IDs         : 1
 Active Send Key ID        : None
 Active Receive Key IDs    : None
 Default send Key ID       : Not configured

 Key ID Information:
 ----------------------
 Key ID                    : 1
   Key string              : ******
   Algorithm               : MD5
   SEND TIMER              :
     Start time            : 2011-03-10 14:40
     End time              : 2011-03-10 14:50
     Status                : Inactive
   RECEIVE TIMER           :
     Start time            : 2011-03-10 14:40
     End time              : 2011-03-10 14:50
     Status                : Inactive

After the keychain configuration is complete, run the display keychain keychain-name key-id key-id command to view the current configuration of a key-id inside a keychain, for example:

<HUAWEI> display keychain earth key-id 1
 Keychain Information:
 ----------------------
 Keychain Name             : earth
   Timer Mode              : Absolute
   Receive Tolerance(min)  : 100
   TCP Kind                : 254
   TCP Algorithm IDs       :
     HMAC-MD5              : 5
     HMAC-SHA1-12          : 2
     HMAC-SHA1-20          : 6
     MD5                   : 3
     SHA1                  : 4
     HMAC-SHA-256          : 7
     SHA-256               : 8

 Key ID Information:
 ----------------------
 Key ID                    : 1
   Key string              : ******
   Algorithm               : MD5
   SEND TIMER              :
     Start time            : 2011-03-10 14:40
     End time              : 2011-03-10 14:50
     Status                : Inactive
   RECEIVE TIMER           :
     Start time            : 2011-03-10 14:40
     End time              : 2011-03-10 14:50
     Status                : Inactive
   DEFAULT SEND KEY ID INFORMATION
     Default               : Not configured

Updated: 2019-01-02

Document ID: EDOC1100055397