Configuring a Key
Context
A key is the authentication rule of a keychain. A key includes an algorithm, a key string, an active send time, an active receive time, and a key status. A keychain supports a maximum of 64 keys.
Key IDs are unique within a keychain; keys in different keychains may use the same key ID. Only one send key can be active in a keychain at any time; otherwise, applications cannot determine which send key to use to encrypt packets. Multiple receive keys, however, may be active at the same time. The receive key whose key ID matches the key ID carried in the received packet is used for decryption.
If the key on the sending end changes, the key on the receiving end also needs to be changed. Because clocks on the network may not be synchronized, the receiving end and the sending end may not change keys at the same moment, and packets can be lost during that delay. Configure a receive tolerance time to prevent this packet loss. The receive tolerance time takes effect only on keys at the receiving end: it advances the start of the receive time and delays the end of the receive time.
If no send key is configured for a period, no send key is active during that period, so applications do not send authentication packets to each other. Configure a default send key to prevent this situation. Any key can be specified as the default send key, but a keychain has only one. The default send key takes effect when no other send key is active.
Procedure
- Run system-view
The system view is displayed.
- Run keychain keychain-name
The keychain view is displayed.
The keychain keychain-name command displays the view of an existing keychain. If the keychain specified by keychain-name does not exist, the command cannot be executed. To create a keychain, run the keychain keychain-name mode { absolute | periodic { daily | weekly | monthly | yearly } } command.
- (Optional) Run time mode { utc | lmt }
The time mode for keychain is configured.
- utc Specifies that the configured time is in Universal Time Coordinated (UTC) format.
- lmt Specifies that the configured time is in Local Mean Time (LMT) format.
By default, the time mode of Keychain is Local Mean Time (LMT).
- Run key-id key-id
A key-id is configured and the key-id view is displayed to configure a key.
- Run algorithm { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 | sm3 }
An algorithm is configured.
HMAC-MD5, MD5, and SHA-1 have potential security risks. HMAC-SHA-256 or SHA-256 is recommended.
- Run key-string { plain plain-text | [ cipher ] cipher-text }
A key string is configured.
When configuring an authentication password, select the ciphertext mode: in plaintext mode the password is saved in the configuration file as simple text, which is a high risk. To ensure device security, change the password periodically.
- Configure the send time. Different time modes use different commands to configure the send time. Table 17-2 lists the command for each time mode.

Table 17-2 Configuring the send time

| Time Mode | Command to Configure the Send Time |
| --- | --- |
| absolute | send-time start-time start-date { duration { duration-value \| infinite } \| to end-time end-date } |
| periodic daily | send-time daily start-time to end-time |
| periodic weekly | send-time day { start-day-name to end-day-name \| day-name &<1-7> } |
| periodic monthly | send-time date { start-date-value to end-date-value \| date-value &<1-31> } |
| periodic yearly | send-time month { start-month-name to end-month-name \| month-name &<1-12> } |
You are advised to enable the Network Time Protocol (NTP) so that the clocks on both ends stay consistent.
- Configure the receive time. Different time modes use different commands to configure the receive time. Table 17-3 lists the command for each time mode.

Table 17-3 Configuring the receive time

| Time Mode | Command to Configure the Receive Time |
| --- | --- |
| absolute | receive-time start-time start-date { duration { duration-value \| infinite } \| to end-time end-date } |
| periodic daily | receive-time daily start-time to end-time |
| periodic weekly | receive-time day { start-day-name to end-day-name \| day-name &<1-7> } |
| periodic monthly | receive-time date { start-date-value to end-date-value \| date-value &<1-31> } |
| periodic yearly | receive-time month { start-month-name to end-month-name \| month-name &<1-12> } |
- (Optional) Run default send-key-id
The key is configured as the default key for sending packets.
- (Optional) Run quit
The keychain view is displayed again.
- (Optional) Run digest-length { hmac-sha-256 | sha-256 | hmac-sha1-20 } length
The digest length of the encryption algorithm is set.
For versions earlier than V200R002C50, the HMAC-SHA-256, SHA-256, and HMAC-SHA1-20 algorithms use a 16-byte digest for encryption and decryption by default.
For V200R002C50 and V200R003C00, the HMAC-SHA1-20 algorithm uses a 16-byte digest for encryption and decryption by default; the HMAC-SHA-256 and SHA-256 algorithms use a 32-byte digest for encryption and decryption by default. You can run the digest-length 16 command to allow for interconnection with an earlier version.
For versions later than V200R003C00, the HMAC-SHA1-20 algorithm uses a 20-byte digest for encryption and decryption by default. You can run the digest-length hmac-sha1-20 16 command to allow for interconnection with an earlier version. By default, the HMAC-SHA-256 and SHA-256 algorithms use a 32-byte digest for encryption and decryption. You can run the digest-length hmac-sha-256 16 or digest-length sha-256 16 command to allow for interconnection with an earlier version.
- Run commit
The configuration is committed.
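The rules in the Context section (one active send key, several active receive keys matched by key ID, a receive tolerance that widens receive windows, and a default send key that covers periods with no active send key) and the send/receive windows configured in the procedure can be checked against a schedule before it is committed. The following model is an added example written for this page; it is not device code and does not parse CLI commands. It assumes absolute time mode, represents times as minutes on a constructed timeline, treats every window as half-open (start inclusive, end exclusive), and uses placeholder key strings.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INFINITE = float("inf")          # models the "duration infinite" keyword
Window = Tuple[float, float]     # half-open [start, end) on a constructed timeline (minutes)


@dataclass(frozen=True)
class Key:
    """One key of a keychain: algorithm, key string, and its send/receive windows."""
    key_id: int
    algorithm: str
    key_string: str                           # placeholder; never a real secret here
    send_window: Optional[Window] = None      # None: the key is never used for sending
    receive_window: Optional[Window] = None   # None: the key is never accepted on receipt


@dataclass
class Keychain:
    name: str
    keys: List[Key] = field(default_factory=list)
    receive_tolerance: float = 0              # advances receive start and delays receive end
    default_send_key_id: Optional[int] = None

    def __post_init__(self) -> None:
        ids = [k.key_id for k in self.keys]
        if len(ids) != len(set(ids)):
            raise ValueError("key IDs must be unique within a keychain")
        if len(ids) > 64:
            raise ValueError("a keychain supports at most 64 keys")
        if self.default_send_key_id is not None and self.default_send_key_id not in ids:
            raise ValueError("the default send key must belong to this keychain")

    def key_by_id(self, key_id: int) -> Optional[Key]:
        return next((k for k in self.keys if k.key_id == key_id), None)

    @staticmethod
    def _within(window: Optional[Window], t: float, tolerance: float = 0) -> bool:
        if window is None:
            return False
        start, end = window
        return start - tolerance <= t < end + tolerance

    def active_send_key(self, t: float) -> Optional[Key]:
        """The single key whose send window covers t, else the default send key, else None."""
        active = [k for k in self.keys if self._within(k.send_window, t)]
        if len(active) > 1:
            ids = sorted(k.key_id for k in active)
            raise ValueError(f"send windows of keys {ids} overlap at t={t}")
        if active:
            return active[0]
        if self.default_send_key_id is not None:
            return self.key_by_id(self.default_send_key_id)
        return None

    def receive_key_for(self, key_id: int, t: float) -> Optional[Key]:
        """Key used for a packet carrying key_id at time t; the tolerance widens the window."""
        key = self.key_by_id(key_id)
        if key is not None and self._within(key.receive_window, t, self.receive_tolerance):
            return key
        return None

    def send_gaps(self, t_start: float, t_end: float) -> List[Window]:
        """Sub-intervals of [t_start, t_end) with no configured send key (default key ignored)."""
        windows = sorted(k.send_window for k in self.keys if k.send_window is not None)
        gaps: List[Window] = []
        cursor = t_start
        for start, end in windows:
            if cursor >= t_end:
                break
            if start > cursor:
                gaps.append((cursor, min(start, t_end)))
            cursor = max(cursor, end)
        if cursor < t_end:
            gaps.append((cursor, t_end))
        return gaps


def build_example_keychain(default_send_key: bool = True) -> Keychain:
    """Constructed two-key rollover: key 1 until minute 100, key 2 from minute 110 onward."""
    keys = [
        Key(1, "hmac-sha-256", "<cipher-text-1>", send_window=(0, 100), receive_window=(0, 100)),
        Key(2, "hmac-sha-256", "<cipher-text-2>", send_window=(110, INFINITE),
            receive_window=(110, INFINITE)),
    ]
    return Keychain("kc-example", keys, receive_tolerance=5,
                    default_send_key_id=1 if default_send_key else None)


if __name__ == "__main__":
    kc = build_example_keychain()
    for t in (50, 105, 150):
        k = kc.active_send_key(t)
        print(f"t={t}: send with key {k.key_id if k else None}")
    print("send gaps in [0, 200):", kc.send_gaps(0, 200))
    print("key 1 accepted at t=104:", kc.receive_key_for(1, 104) is not None)
    print("key 2 accepted at t=104:", kc.receive_key_for(2, 104) is not None)
```

In the constructed schedule the send windows leave a gap between minutes 100 and 110, which `send_gaps` reports; with key 1 as the default send key that gap is covered, and without a default no send key is active there, which is the condition the Context section warns about. The tolerance of 5 minutes lets a peer that is still sending with key 1 be accepted until minute 105 and a peer that has already moved to key 2 be accepted from minute 105, which is what the receive tolerance time is for.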