Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Configuring a Key

Context

A key is the authentication rule of a keychain. A key includes an algorithm, a key string, active send time, active receive time, and the key status. A keychain supports a maximum of 64 keys.

Key IDs are unique within a keychain, but keys in different keychains may use the same key ID. Only one send key can be active in a keychain at a time; otherwise, applications cannot determine which send key to use to encrypt packets. Multiple receive keys, however, may be active at the same time: the receive key whose key ID matches the key ID carried in a received packet is used for decryption.

If the key on the sending end changes, the key on the receiving end also needs to be changed. Because clocks on the network are not perfectly synchronized, the sending end and the receiving end may change keys at slightly different moments, and packets may be lost during that interval. Configure a receive tolerance time to prevent packet loss during a key change. The receive tolerance time applies only to keys on the receiving end: it advances the start of the receive time and delays the end of the receive time.

If no key is configured for a period, no send key is active during that period, so applications do not send authentication packets to each other. Configure a default send key to prevent this situation. Any key can be specified as the default send key, but a keychain has only one default send key. The default send key takes effect when no other send key is active.
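The key-selection rules above (unique key IDs, a single active send key with a default fallback, receive-key matching by key ID, and a receive tolerance that widens only the receive window) as an added Python model. This is example code written for this page, not Huawei code or the device's implementation; absolute time mode is assumed, times are plain integer minutes, and the rollover schedule is constructed.

```python
# Added example (not Huawei code): model of the Context section's key-selection rules; absolute mode, integer minutes.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Key:
    key_id: int
    algorithm: str                  # e.g. "hmac-sha-256" (MD5 variants are discouraged)
    send_window: Tuple[int, int]    # (start, end), inclusive
    receive_window: Tuple[int, int]
    is_default_send: bool = False

class Keychain:
    MAX_KEYS = 64

    def __init__(self, receive_tolerance: int = 0):
        self.keys: Dict[int, Key] = {}
        self.tolerance = receive_tolerance  # widens receive windows only, never send windows

    def add_key(self, key: Key) -> None:
        if len(self.keys) >= self.MAX_KEYS:
            raise ValueError("a keychain holds at most 64 keys")
        if key.key_id in self.keys:
            raise ValueError(f"key ID {key.key_id} already exists in this keychain")
        if key.is_default_send and any(k.is_default_send for k in self.keys.values()):
            raise ValueError("a keychain has only one default send key")
        self.keys[key.key_id] = key

    def send_key(self, now: int) -> Optional[Key]:
        # Only one send key may be active; otherwise fall back to the default send key.
        active = [k for k in self.keys.values() if k.send_window[0] <= now <= k.send_window[1]]
        if len(active) > 1:
            raise ValueError("more than one active send key; sender cannot choose")
        return active[0] if active else next((k for k in self.keys.values() if k.is_default_send), None)

    def receive_key(self, key_id: int, now: int) -> Optional[Key]:
        # The receive key whose ID matches the packet's key ID is used; tolerance widens its window.
        key = self.keys.get(key_id)
        if key and key.receive_window[0] - self.tolerance <= now <= key.receive_window[1] + self.tolerance:
            return key
        return None

def rollover_accepted(tolerance: int, sender_clock: int, receiver_clock: int) -> bool:
    # Constructed schedule: key 1 until minute 100, key 2 from minute 101. The sender
    # stamps the packet with its active key ID; the receiver's clock may run ahead.
    kc = Keychain(receive_tolerance=tolerance)
    kc.add_key(Key(1, "hmac-sha-256", (0, 100), (0, 100)))
    kc.add_key(Key(2, "hmac-sha-256", (101, 200), (101, 200)))
    packet_key_id = kc.send_key(sender_clock).key_id
    return kc.receive_key(packet_key_id, receiver_clock) is not None
```

With the receiver's clock 3 minutes ahead of the sender's, a packet sent at the last minute of key 1 is dropped without tolerance and accepted with a 5-minute tolerance.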

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run keychain keychain-name

    The keychain view is displayed.

    NOTE:

    The keychain keychain-name command displays a specific keychain view. If the keychain specified by keychain-name does not exist, the keychain keychain-name command cannot be executed. To create a keychain, run the keychain keychain-name mode { absolute | periodic { daily | weekly | monthly | yearly } } command.

  3. (Optional) Run time mode { utc | lmt }

    The time mode for keychain is configured.

    • utc: specifies that the configured time is in Coordinated Universal Time (UTC) format.
    • lmt: specifies that the configured time is in Local Mean Time (LMT) format.

    By default, the time mode of a keychain is Local Mean Time (LMT).

  4. Run key-id key-id

    A key ID is configured and the key-id view is displayed, in which the key is configured.

  5. Run algorithm { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 | sm3 }

    An algorithm is configured.

    Different protocols support different algorithms.

    RIP supports MD5. BGP and BGP4+ support MD5. IS-IS supports HMAC-MD5. OSPF supports MD5 and HMAC-MD5. MSDP supports MD5. MPLS LDP supports MD5. TRILL supports HMAC-MD5.

    NOTE:

    HMAC-MD5 and MD5 have potential security risks. HMAC-SHA-256 or SHA-256 is recommended.

  6. Run key-string { plain plain-text | [ cipher ] cipher-text }

    A key string is configured.

    NOTE:

    When configuring an authentication password, select the ciphertext mode: in plaintext mode the password is saved in the configuration file in plain text, which is a high risk. To ensure device security, change the password periodically.

  7. Configure the send time. Different time modes use different commands to configure the send time. Table 17-2 shows commands to configure the send time based on different time modes.

    Table 17-2 Configuring the send time

    Time Mode          Command to Configure the Send Time
    absolute           send-time start-time start-date { duration { duration-value | infinite } | to end-time end-date }
    periodic daily     send-time daily start-time to end-time
    periodic weekly    send-time day { start-day-name to end-day-name | day-name &<1-7> }
    periodic monthly   send-time date { start-date-value to end-date-value | date-value &<1-31> }
    periodic yearly    send-time month { start-month-name to end-month-name | month-name &<1-12> }

    NOTE:
    You are advised to enable Network Time Protocol (NTP) to keep the time on both ends consistent.

  8. Configure the receive time. Different time modes use different commands to configure the receive time. Table 17-3 shows commands to configure the receive time based on different time modes.

    Table 17-3 Configuring the receive time

    Time Mode          Command to Configure the Receive Time
    absolute           receive-time start-time start-date { duration { duration-value | infinite } | to end-time end-date }
    periodic daily     receive-time daily start-time to end-time
    periodic weekly    receive-time day { start-day-name to end-day-name | day-name &<1-7> }
    periodic monthly   receive-time date { start-date-value to end-date-value | date-value &<1-31> }
    periodic yearly    receive-time month { start-month-name to end-month-name | month-name &<1-12> }

  9. (Optional) Run default send-key-id

    The key is configured as the default key for sending packets.

  10. (Optional) Run quit

    The keychain view is displayed again.

  11. (Optional) Run digest-length { hmac-sha-256 | sha-256 | hmac-sha1-20 } length

    The digest length of the encryption algorithm is set.

    NOTE:
    • For versions earlier than V200R002C50, the HMAC-SHA-256, SHA-256, and HMAC-SHA1-20 algorithms use a 16-byte digest for encryption and decryption by default.

    • For V200R002C50 and V200R003C00, the HMAC-SHA1-20 algorithm uses a 16-byte digest for encryption and decryption by default; the HMAC-SHA-256 and SHA-256 algorithms use a 32-byte digest for encryption and decryption by default. You can run the digest-length 16 command to allow for interconnection with an earlier version.

    • For versions later than V200R003C00, the HMAC-SHA1-20 algorithm uses a 20-byte digest for encryption and decryption by default. You can run the digest-length hmac-sha1-20 16 command to allow for interconnection with an earlier version. By default, the HMAC-SHA-256 and SHA-256 algorithms use a 32-byte digest for encryption and decryption. You can run the digest-length hmac-sha-256 16 or digest-length sha-256 16 command to allow for interconnection with an earlier version.

  12. Run commit

    The configuration is committed.

Updated: 2019-04-20

Document ID: EDOC1100074765