The algorithm command configures the authentication algorithm of a key.
The undo algorithm command deletes the authentication algorithm of a key.
By default, no authentication algorithm is configured.
algorithm { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 | simple | sm3 }
undo algorithm
Parameter | Description | Value |
---|---|---|
hmac-md5 | Specifies HMAC-MD5 as the authentication algorithm. | - |
hmac-sha-256 | Specifies HMAC-SHA-256 as the authentication algorithm. | - |
hmac-sha1-12 | Specifies HMAC-SHA1-12 as the authentication algorithm. | - |
hmac-sha1-20 | Specifies HMAC-SHA1-20 as the authentication algorithm. | - |
md5 | Specifies MD5 as the authentication algorithm. | - |
sha-1 | Specifies SHA-1 as the authentication algorithm. | - |
sha-256 | Specifies SHA-256 as the authentication algorithm. | - |
simple | Indicates that the configured key is used for packet authentication. | - |
sm3 | Specifies SM3 as the authentication algorithm. | - |
Usage Scenario
A keychain ensures secure protocol packet transmission by dynamically changing the authentication algorithm and key string. A keychain consists of multiple keys, each of which needs to be configured with an authentication algorithm. Different keys are valid within different time periods, ensuring dynamic change of keychain authentication algorithms.
Packets are authenticated and encrypted based on the authentication algorithm and key string associated with a specified key. This improves the packet transmission security.
HMAC-MD5 (Keyed-Hashing for Message Authentication-MD5): The 128-bit HMAC-MD5 message digest is calculated based on the 512-bit message that is converted from the entered message of any length.
If the length of an entered message is less than 512 bits, 0s are added to make up a 512-bit message. If the length of an entered message is greater than 512 bits, the message is converted into a 128-bit message based on the MD5 algorithm. Then, 0s are added to make up a 512-bit message.
HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. The leftmost 96 bits (12 x 8) are used as the authentication code.
HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 160 bits are used as the authentication code.
SHA-256: The 256-bit SHA-2 message digest is calculated based on an entered message whose length is shorter than the 64th power of 2.
HMAC-SHA-256: The 256-bit HMAC-SHA-256 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 256 bits are used as the authentication code.
SM3: The 256-bit SM3 message digest is calculated based on the entered message of any length. All the 256 bits are used as the authentication code.
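The HMAC variants described above, worked through as an added example (not vendor code): it follows RFC 2104, in which the value padded to a 512-bit block is the key, and shows that hmac-sha1-12 is the leftmost 96 bits of the hmac-sha1-20 digest. The key, packet bytes and function names are constructed for illustration; how a given protocol lays out the bytes it authenticates is not modeled.

```python
import hashlib
import hmac

BLOCK_BYTES = 64  # 512-bit block used by MD5, SHA-1 and SHA-256


def block_from_key(key: bytes, hash_name: str) -> bytes:
    """Return the 512-bit block RFC 2104 derives from a key of any length."""
    if len(key) > BLOCK_BYTES:
        key = hashlib.new(hash_name, key).digest()  # long key: hash it first
    return key.ljust(BLOCK_BYTES, b"\x00")          # then pad with 0s


def hmac_manual(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """HMAC built from the padded block, to make the steps visible."""
    block = block_from_key(key, hash_name)
    ipad = bytes(b ^ 0x36 for b in block)
    opad = bytes(b ^ 0x5C for b in block)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


# Keyword -> (hash, number of leftmost digest bytes used as the auth code)
ALGORITHMS = {
    "hmac-md5": ("md5", 16),
    "hmac-sha1-12": ("sha1", 12),
    "hmac-sha1-20": ("sha1", 20),
    "hmac-sha-256": ("sha256", 32),
}


def auth_code(keyword: str, key: bytes, packet: bytes) -> bytes:
    """Sender side: digest truncated to the length the keyword implies."""
    hash_name, length = ALGORITHMS[keyword]
    return hmac_manual(key, packet, hash_name)[:length]


def verify(keyword: str, key: bytes, packet: bytes, received: bytes) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_code(keyword, key, packet), received)


# Constructed sample values, not taken from any device.
KEY = b"constructed-sample-key-string"
PACKET = b"constructed protocol packet bytes"
```

A receiver configured with a different keyword or key string than the sender recomputes a different code, so `verify` returns `False` and the packet is rejected.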
Prerequisites
key-id has been configured.
Precautions
SHA-1 has low security. For higher security, you are advised to specify the hmac-sha-256 or sha-256 parameter.
Keys configured on the sender and receiver of packets must correspond to the same authentication and encryption algorithms. Otherwise, packet transmission fails because the packets do not pass authentication.
If no algorithm is configured, the key will never be active.
RIP supports MD5 and simple.
BGP and BGP4+ support MD5.
IS-IS supports HMAC-MD5 and simple.
OSPF supports MD5, simple and HMAC-MD5.
MSDP supports MD5.
MPLS LDP supports MD5. MPLS TE supports HMAC-MD5.