E-Trunk

This section describes the security policies, attack methods, configuration and maintenance methods, and configuration and maintenance suggestions for an E-Trunk.

Security Policies

  • To improve system security, authentication can be configured for an E-Trunk. The transmit end uses the configured password to calculate a digest for each heartbeat message, and the receive end recalculates the digest after receiving the message. If the two digests match, the heartbeat message is valid; otherwise it is invalid and discarded.

  • When packets are received, the E-Trunk checks their length, digest, and key parameters. Packets that fail any of these checks are treated as invalid and discarded.

  • By default, the E-Trunk uses UDP port 1025 to transmit and receive protocol packets. To improve security, the E-Trunk allows users to set E-Trunk port numbers.

Attack Methods

Protocol authentication can be configured to defend against attacks. To do so, set the authentication algorithm to HMAC-SHA1-96, HMAC-SHA2-256, or enhanced-HMAC-SHA256.
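The digest check described above (transmit end computes a keyed digest, receive end recomputes it and discards mismatches, and length and algorithm fields are validated first), as an added example that is not Huawei's code: the heartbeat layout, the algorithm identifiers and the key are constructed assumptions, not the real E-Trunk wire format.

```python
import hmac
import struct

# Constructed heartbeat layout (assumption, not the E-Trunk wire format):
# 2-byte total length, 4-byte sequence number, 2-byte algorithm id, digest.
HEADER = struct.Struct("!HIH")

# Constructed algorithm ids mapping to the algorithms the page names.
# HMAC-SHA1-96 is an HMAC-SHA1 truncated to 96 bits (12 bytes).
ALGORITHMS = {
    1: ("sha1", 12),    # HMAC-SHA1-96
    2: ("sha256", 32),  # HMAC-SHA2-256
}


def build_heartbeat(key: bytes, seq: int, alg: int) -> bytes:
    """Transmit end: append a keyed digest computed over the header."""
    name, dlen = ALGORITHMS[alg]
    header = HEADER.pack(HEADER.size + dlen, seq, alg)
    digest = hmac.new(key, header, name).digest()[:dlen]
    return header + digest


def verify_heartbeat(key: bytes, packet: bytes) -> bool:
    """Receive end: validate length, algorithm id and digest; False means discard."""
    if len(packet) < HEADER.size:
        return False
    length, _seq, alg = HEADER.unpack_from(packet)
    if alg not in ALGORITHMS:
        return False
    name, dlen = ALGORITHMS[alg]
    # Length field must match both the bytes received and the chosen digest size.
    if length != len(packet) or length != HEADER.size + dlen:
        return False
    expected = hmac.new(key, packet[:HEADER.size], name).digest()[:dlen]
    # Constant-time comparison so digest bytes do not leak through timing.
    return hmac.compare_digest(expected, packet[HEADER.size:])


if __name__ == "__main__":
    shared_key = b"example-shared-key"  # constructed sample key
    pkt = build_heartbeat(shared_key, seq=7, alg=2)
    print("valid with shared key:", verify_heartbeat(shared_key, pkt))
    print("valid with wrong key:", verify_heartbeat(b"other-key", pkt))
```

A peer with a different key, a tampered sequence number, a truncated packet, or an unknown algorithm id all fail verification and the heartbeat is dropped.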

Configuration and Maintenance Methods

  1. Run the authentication-mode command in the E-Trunk view to configure an E-Trunk authentication or encryption mode.
  2. Run the security-key { simple simple-key | cipher { cipher-key1 | cipher-key2 | cipher-key3 } } command in the E-Trunk view to set an authentication key.

    You can specify simple or cipher as needed:
    • If simple is specified, a password is displayed in clear text in the configuration file.

    • If cipher is specified, a ciphertext password is displayed as unidentifiable characters.

      • cipher-key1: specifies a ciphertext password. The value is a string of 32 to 432 characters. It cannot contain spaces.
      • cipher-key2: specifies a 24-character ciphertext password configured in an earlier version. Such a password is automatically converted into a supported format after an upgrade.
      • cipher-key3: specifies a clear text password. The value is a string of 1 to 255 case-sensitive characters. It cannot contain spaces.

    If simple is configured, the password is saved in the configuration file in clear text, so even users with the lowest privilege level can obtain it by viewing the configuration file. This creates a network security risk, so cipher is recommended.

    Two devices whose interfaces join the same E-Trunk interface must have the same password for encrypting packets. After an E-Trunk interface is created, you must manually set an encryption password; otherwise, E-Trunk negotiation fails.

  3. Run the e-trunk port port-number command in the system view to set the UDP port number used by the E-Trunk. The value is an integer ranging from 1025 to 65535. The default port number is 1025.

Configuration and Maintenance Suggestions

To enhance security, you are advised to set a ciphertext password.

Enhanced-HMAC-SHA256 is recommended for authentication and encryption.

Copyright © Huawei Technologies Co., Ltd.