
Configuring a Key

Context

A key is one authentication rule in a keychain. A key consists of an algorithm, a key string, an active send time, an active receive time, and a key status. A keychain supports a maximum of 64 keys.

Each key ID is unique within a keychain; keys in different keychains may use the same key ID. Only one send key can be active in a keychain at any time, otherwise the application cannot determine which key to use to authenticate outgoing packets. Multiple receive keys may be active at the same time: the receive key whose key ID matches the key ID carried in a received packet is used to verify that packet.

When the key on the sending end changes, the key on the receiving end must change accordingly. Because clocks on the network are not perfectly synchronized, the two ends may switch keys at slightly different moments, and packets sent during that interval fail authentication and are lost. A receive tolerance time can be configured to prevent this loss. The receive tolerance time applies only to keys on the receiving end: it advances the start of the receive time and delays the end of the receive time by the configured amount.

If no key covers a given period, no send key is active during that period, so the application sends no authenticated packets. A default send key prevents this. Any key can be designated the default send key, but a keychain has only one; it takes effect whenever no other send key is active. The peer must still have a receive key with the same key ID active, or packets authenticated with the default send key are rejected.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run keychain keychain-name

    The keychain view is displayed.

  3. Run time mode { utc | lmt }

    The time mode for keychain is configured.

  4. Run key-id key-id

A key ID is configured and the key ID view is displayed, in which the key is configured.

  5. Run algorithm { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 | simple | sm3 }

An algorithm is configured. Where the protocol allows it, prefer an HMAC algorithm such as hmac-sha-256: simple carries the key string in clear text in every packet, and MD5 is no longer considered strong.

    Different protocols support different algorithms.

    RIP supports MD5 and simple. BGP and BGP4+ support MD5. IS-IS supports HMAC-MD5 and simple. OSPF supports MD5, simple and HMAC-MD5. MSDP supports MD5. MPLS LDP supports MD5. MPLS TE supports HMAC-MD5.

  6. Run key-string { plain plain-text | [ cipher ] cipher-text }

    A key string is configured.

Select the cipher mode when configuring the key string. In plain mode the key string is saved in the configuration file in plain text, which is a high risk. To ensure device security, change the key string periodically.

  7. Configure the send time. Different time modes use different commands to configure the send time. Table 1 shows commands to configure the send time based on different time modes.

    Table 1 Configuring the send time

    Time Mode           Command to Configure the Send Time
    absolute            send-time start-time start-date { duration { duration-value | infinite } | to end-time end-date }
    periodic daily      send-time daily start-time to end-time
    periodic weekly     send-time day { start-day-name to end-day-name | day-name &<1-7> }
    periodic monthly    send-time date { start-date-value to end-date-value | date-value &<1-31> }
    periodic yearly     send-time month { start-month-name to end-month-name | month-name &<1-12> }

    Send and receive times are compared against each device's local clock, so you are advised to enable the Network Time Protocol (NTP) to keep time consistent between the two ends.

  8. Configure the receive time. Different time modes use different commands to configure the receive time. Table 2 shows commands to configure the receive time based on different time modes.

    Table 2 Configuring the receive time

    Time Mode           Command to Configure the Receive Time
    absolute            receive-time start-time start-date { duration { duration-value | infinite } | to end-time end-date }
    periodic daily      receive-time daily start-time to end-time
    periodic weekly     receive-time day { start-day-name to end-day-name | day-name &<1-7> }
    periodic monthly    receive-time date { start-date-value to end-date-value | date-value &<1-31> }
    periodic yearly     receive-time month { start-month-name to end-month-name | month-name &<1-12> }

  9. (Optional) Run default send-key-id

    The key is configured as the default key for sending packets.
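The following Python model is an added example, not Huawei's code or part of this documentation. It walks through the selection rules from the Context section using the kind of key windows the steps above configure: one active send key, receive keys matched by the key ID carried in the packet, a receive tolerance that advances the start and delays the end of the receive window, and a default send key as the fallback when no send window is active. The keychain name kc1, the key IDs, key strings, dates, the 10-minute tolerance, the mapping of algorithm names to hash functions, and the constructed payload are all assumptions made for the example; the commands quoted in comments use the syntax shown on this page with illustrative time and date values, and the command that sets the receive tolerance is not shown on this page.

```python
"""Keychain key selection: one active send key, receive keys matched by key ID,
receive tolerance widening the receive window, default send key as fallback.
Added example, not the device's own implementation; all times are UTC (step 3)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

HASHES = {"hmac-sha-256": hashlib.sha256, "hmac-md5": hashlib.md5}  # assumed mapping
INFINITE = datetime.max  # stands in for "duration infinite"

@dataclass
class Key:
    key_id: int
    algorithm: str
    key_string: bytes
    send: tuple  # (send_start, send_end)
    recv: tuple  # (receive_start, receive_end)

@dataclass
class Keychain:
    name: str
    keys: dict = field(default_factory=dict)
    receive_tolerance: timedelta = timedelta(0)  # applies to receive windows only
    default_send_key_id: Optional[int] = None

    def add(self, key):
        if key.key_id in self.keys:  # key IDs are unique within a keychain
            raise ValueError(f"key-id {key.key_id} already exists in {self.name}")
        self.keys[key.key_id] = key

    def active_send_key(self, now):
        active = [k for k in self.keys.values() if k.send[0] <= now < k.send[1]]
        if len(active) > 1:  # overlapping send windows: the sender cannot choose
            raise ValueError(f"overlapping send windows: {sorted(k.key_id for k in active)}")
        return active[0] if active else self.keys.get(self.default_send_key_id)

    def receive_key(self, key_id, now):
        k = self.keys.get(key_id)
        if k is None:
            return None
        start = k.recv[0] - self.receive_tolerance  # tolerance advances the start...
        end = INFINITE if k.recv[1] == INFINITE else k.recv[1] + self.receive_tolerance  # ...and delays the end
        return k if start <= now < end else None

def sign(chain, now, payload):
    """Sender: pick the active send key; return (key_id, tag) or None if there is none."""
    key = chain.active_send_key(now)
    if key is None:
        return None
    return key.key_id, hmac.new(key.key_string, payload, HASHES[key.algorithm]).hexdigest()

def verify(chain, now, payload, key_id, tag):
    """Receiver: find the receive key named in the packet and check the tag."""
    key = chain.receive_key(key_id, now)
    if key is None:
        return False
    expected = hmac.new(key.key_string, payload, HASHES[key.algorithm]).hexdigest()
    return hmac.compare_digest(expected, tag)

def build_chain(tolerance_minutes=0, default_send_key_id=None):
    """Constructed keychain; comments give the step 2-9 commands with illustrative values."""
    chain = Keychain("kc1", receive_tolerance=timedelta(minutes=tolerance_minutes),
                     default_send_key_id=default_send_key_id)
    jan, feb, mar = datetime(2024, 1, 1), datetime(2024, 2, 1), datetime(2024, 3, 1)
    # keychain kc1 / time mode utc / key-id 1 / algorithm hmac-sha-256 / key-string cipher ...
    # send-time 00:00 2024-01-01 to 00:00 2024-02-01 / receive-time 00:00 2024-01-01 to 00:00 2024-02-01
    chain.add(Key(1, "hmac-sha-256", b"example-key-1", (jan, feb), (jan, feb)))
    # key-id 2 / algorithm hmac-sha-256 / key-string cipher ... / default send-key-id (when chosen)
    # send-time 00:00 2024-02-01 to 00:00 2024-03-01 / receive-time 00:00 2024-02-01 duration infinite
    chain.add(Key(2, "hmac-sha-256", b"example-key-2", (feb, mar), (feb, INFINITE)))
    return chain

def demo():
    """Walk the cases from the Context section; returns plain values for checking."""
    payload = b"routing protocol packet body"  # constructed sample payload
    tolerant = build_chain(tolerance_minutes=10, default_send_key_id=2)
    strict = build_chain()  # no tolerance, no default send key
    out = {}
    t = datetime(2024, 1, 31, 23, 55)  # inside key 1's windows on both ends
    kid, tag = sign(tolerant, t, payload)
    out["key1_used"], out["key1_verified"] = kid, verify(tolerant, t, payload, kid, tag)
    kid, tag = sign(tolerant, datetime(2024, 2, 1, 0, 5), payload)  # sender rolled to key 2
    lagging = datetime(2024, 1, 31, 23, 58)  # receiver's clock is 7 minutes behind
    out["key2_used"] = kid
    out["accepted_with_tolerance"] = verify(tolerant, lagging, payload, kid, tag)
    out["accepted_without_tolerance"] = verify(strict, lagging, payload, kid, tag)
    later = datetime(2024, 3, 15)  # after key 2's send window has ended
    out["default_send_key"] = sign(tolerant, later, payload)[0]
    out["without_default"] = sign(strict, later, payload)
    out["forged_tag_rejected"] = not verify(tolerant, later, payload, 2, "0" * 64)
    overlap = build_chain()  # a third key whose send window overlaps key 1's
    w = (datetime(2024, 1, 15), datetime(2024, 2, 15))
    overlap.add(Key(3, "hmac-md5", b"example-key-3", w, w))
    try:
        overlap.active_send_key(datetime(2024, 1, 20))
        out["overlap_detected"] = False
    except ValueError:
        out["overlap_detected"] = True
    return out
```

Running demo() shows the two cases that matter operationally: the lagging receiver accepts the first packets authenticated with key 2 only when a receive tolerance is configured, and after key 2's send window ends the sender keeps authenticating packets only because key 2 is the default send key and its receive window was left open with duration infinite.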

Copyright © Huawei Technologies Co., Ltd.