The tcp-algorithm-id command specifies an algorithm ID to represent a TCP authentication algorithm supported by the keychain.
The undo tcp-algorithm-id command restores the default settings.
By default, the mapping between TCP authentication algorithms and algorithm IDs supported by IANA is used.
tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 } algorithm-id
undo tcp-algorithm-id { hmac-md5 | hmac-sha-256 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | sha-256 }
Parameter | Description | Value
---|---|---
hmac-md5 | Specifies the HMAC-MD5 authentication algorithm. | -
hmac-sha-256 | Specifies the HMAC-SHA-256 authentication algorithm. | -
hmac-sha1-12 | Specifies the HMAC-SHA1-12 authentication algorithm. | -
hmac-sha1-20 | Specifies the HMAC-SHA1-20 authentication algorithm. | -
md5 | Specifies the MD5 authentication algorithm. | -
sha-1 | Specifies the SHA-1 authentication algorithm. | -
sha-256 | Specifies the SHA-256 authentication algorithm. | -
algorithm-id | Specifies the algorithm ID that represents a TCP authentication algorithm. | The value is an integer ranging from 1 to 63. The default algorithm IDs are: hmac-sha1-12 is 2, md5 is 3, hmac-md5 is 5, hmac-sha1-20 is 6, hmac-sha-256 is 7, and sha-256 is 8.
Usage Scenario
A keychain ensures secure protocol packet transmission by dynamically changing the authentication algorithm and key string. Packets transmitted over both non-TCP and TCP connections are authenticated using the authentication and encryption algorithms and the key string that correspond to a key. TCP connections need to be authenticated to enhance security.
A TCP connection is authenticated using the authentication algorithm identified by the algorithm ID. Algorithm IDs are not defined by IANA, so different vendors use different algorithm IDs to identify authentication algorithms. When two devices from different vendors are connected, ensure that the algorithm IDs configured on both devices are the same.
HMAC-MD5 (Keyed-Hashing for Message Authentication with MD5): The 128-bit HMAC-MD5 message digest is calculated over the 512-bit message that is derived from the entered message of any length.
If the entered message is shorter than 512 bits, 0s are appended to make up a 512-bit message. If the entered message is longer than 512 bits, it is first reduced to a 128-bit message with the MD5 algorithm, and then 0s are appended to make up a 512-bit message.
HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. The leftmost 96 bits (12 x 8) are used as the authentication code.
HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 160 bits are used as the authentication code.
SHA-256: The 256-bit SHA-2 message digest is calculated over an entered message whose length is shorter than 2^64 bits.
HMAC-SHA-256: The 256-bit HMAC-SHA-256 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 256 bits are used as the authentication code.
SM3: The 256-bit SM3 message digest is calculated based on the entered message of any length. All the 256 bits are used as the authentication code.
Prerequisites
Before configuring algorithm IDs for the communicating parties, run the tcp-kind command to configure TCP types for the communicating parties.
Precautions
SHA-1 has low security. For higher security, you are advised to specify the hmac-sha-256 or sha-256 parameter.
Each algorithm has a unique algorithm ID, and the algorithm IDs configured on the two communicating devices must be identical.
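The following is an added illustration, not code from the product documentation or the device: it models the page's rules for the authentication code (HMAC-SHA1-12 keeps the leftmost 96 bits, the other keywords use the full digest) and shows why a receiver that maps the same algorithm ID to a different algorithm rejects the segment. How the key is mixed in for the plain md5/sha-1/sha-256 keywords is an assumption (key prepended to the segment); the sample segment and key are constructed.

```python
import hashlib
import hmac

# Default algorithm IDs as listed on this page (no default is given for sha-1).
DEFAULT_ALGORITHM_IDS = {
    "hmac-sha1-12": 2, "md5": 3, "hmac-md5": 5,
    "hmac-sha1-20": 6, "hmac-sha-256": 7, "sha-256": 8,
}

# keyword -> (hashlib name, authentication code length in bytes, keyed HMAC?)
# HMAC-SHA1-12 is truncated to 12 bytes (96 bits); the others keep the full digest.
MAC_SPEC = {
    "hmac-md5": ("md5", 16, True),
    "hmac-sha1-12": ("sha1", 12, True),
    "hmac-sha1-20": ("sha1", 20, True),
    "hmac-sha-256": ("sha256", 32, True),
    "md5": ("md5", 16, False),
    "sha-1": ("sha1", 20, False),
    "sha-256": ("sha256", 32, False),
}


def compute_auth_code(algorithm: str, key: bytes, segment: bytes) -> bytes:
    """Authentication code for one TCP segment under the given keyword."""
    hash_name, out_len, keyed = MAC_SPEC[algorithm]
    if keyed:
        digest = hmac.new(key, segment, hash_name).digest()
    else:
        # Assumption: plain-hash keywords hash key || segment.
        digest = hashlib.new(hash_name, key + segment).digest()
    return digest[:out_len]


def verify_segment(local_ids: dict, algorithm_id: int, key: bytes,
                   segment: bytes, received_code: bytes) -> bool:
    """Receiver side: resolve the carried algorithm ID through its OWN mapping.

    If the peer assigned that ID to a different algorithm, the recomputed code
    differs and the segment is rejected, which is the interoperability pitfall
    the Precautions section warns about.
    """
    id_to_algorithm = {v: k for k, v in local_ids.items()}
    algorithm = id_to_algorithm.get(algorithm_id)
    if algorithm is None:
        return False  # unknown ID on this device
    expected = compute_auth_code(algorithm, key, segment)
    return hmac.compare_digest(expected, received_code)


if __name__ == "__main__":
    key, seg = b"keychain-key-1", b"constructed TCP segment"  # constructed values
    code = compute_auth_code("hmac-sha-256", key, seg)        # sender uses ID 7
    print(verify_segment(DEFAULT_ALGORITHM_IDS, 7, key, seg, code))        # True
    print(verify_segment({"sha-256": 7, "hmac-sha-256": 9}, 7, key, seg, code))  # False
```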