Keychain is a set of key-ids, each of which uniquely represents authentication information. Authentication information includes the authentication password and algorithm. The dynamic change of authentication information is achieved based on the send and receive time associated with a key-id.
Active Send key-id: When the current system time is within the time range of the configured send time of a key-id, that key-id is "send-active" provided that the key-id has already been configured with an authentication algorithm and password. The authentication information associated with this key-id is used by applications to generate Message Authentication Codes (MACs) when sending packets.
Active Receive key-id: When the current system time is within the time range of the configured receive time of a key-id, that key-id is "receive-active" provided that the key-id has already been configured with an authentication algorithm and password. The authentication information associated with this key-id is used by an application to validate the MACs in the received packets.
The send and receive times can be configured in an absolute time range or periodic time range. Periodic time ranges are Daily periodic, Weekly periodic, Monthly periodic, and Yearly periodic, which means the key-id will be active periodically during certain hours of the day, on certain days of the week, dates of the month, and months of the year, respectively.
In a Keychain, there can be only one active send key-id for any instant in time; active time ranges for a send key-id must not overlap. Keychain supports a default send key-id which is used as the active send key-id when no other key-id is active. Multiple receive key-ids can be active at any time.
When the send key-id on a router changes, the corresponding receive key-id on the peer router should change at the same instant. However, because the clocks of the two routers are not synchronized, there can be a time lag between the key-id change on one router and on the other. During this period, packets can be dropped because the key-ids are inconsistent. To prevent this scenario and to allow a smooth transition from one receive key-id to the next, a grace period, the receive tolerance, is allowed during which both key-ids are accepted.
The receive tolerance is applicable only to receive key-ids. The receive time range of a key-id is extended at both its start time and its end time by a period equal to the receive tolerance. The receive tolerance is configured per Keychain.
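The rules above, modeled in an added Python example that is not vendor code: one send key-id at a time with a default fallback, several receive key-ids at once, and a per-Keychain receive tolerance that widens each receive range at both ends. The `KeyId`/`Keychain` classes, the constructed schedule and passwords, and the use of HMAC over the packet payload with a hashlib digest name as the "algorithm" are all assumptions for illustration; the clock-skew rollover is modeled by evaluating one identically configured keychain at two different clock readings.

```python
# Added example (not vendor code): a model of the keychain semantics described above.
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class KeyId:
    key_id: int
    algorithm: str              # hashlib digest name, e.g. "sha256" (assumed representation)
    password: bytes
    send_start: datetime
    send_end: datetime
    recv_start: datetime
    recv_end: datetime

@dataclass
class Keychain:
    keys: list
    default_send: int = None                    # used when no send key-id is active
    recv_tolerance: timedelta = timedelta(0)    # per-keychain receive tolerance
    def active_send_key(self, now):
        active = [k for k in self.keys if k.send_start <= now < k.send_end]
        if len(active) > 1:
            raise ValueError("send time ranges must not overlap")
        return active[0] if active else next(
            (k for k in self.keys if k.key_id == self.default_send), None)
    def active_receive_keys(self, now):
        # Tolerance extends each receive range at both its start and its end.
        return [k for k in self.keys if k.recv_start - self.recv_tolerance
                <= now < k.recv_end + self.recv_tolerance]
    def sign(self, now, payload):
        k = self.active_send_key(now)           # MAC with the send-active key-id
        return k.key_id, hmac.new(k.password, payload, k.algorithm).digest()
    def verify(self, now, payload, key_id, mac):
        for k in self.active_receive_keys(now):
            if k.key_id == key_id:
                return hmac.compare_digest(hmac.new(k.password, payload, k.algorithm).digest(), mac)
        return False                            # key-id is not receive-active here

T0 = datetime(2024, 1, 1)                       # constructed schedule: key-id 1, then key-id 2
ROLL, END = T0 + timedelta(hours=1), T0 + timedelta(hours=2)

def build_chain(tolerance_s):
    k1 = KeyId(1, "sha256", b"constructed-pw-1", T0, ROLL, T0, ROLL)
    k2 = KeyId(2, "sha256", b"constructed-pw-2", ROLL, END, ROLL, END)
    return Keychain([k1, k2], default_send=1, recv_tolerance=timedelta(seconds=tolerance_s))

def rollover_accepted(tolerance_s, skew_s=30):
    # Sender's clock runs skew_s ahead; it has switched to key-id 2 while the receiver
    # still sees key-id 1 as current. Returns whether the receiver accepts the packet.
    chain = build_chain(tolerance_s)
    key_id, mac = chain.sign(ROLL, b"hello")
    return chain.verify(ROLL - timedelta(seconds=skew_s), b"hello", key_id, mac)
```

With a 30 s skew, `rollover_accepted(0)` is False (packet dropped) while `rollover_accepted(60)` is True, because the tolerance makes key-id 2 receive-active on the lagging router before its own clock reaches the rollover.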