The keychain mechanism allows for the creation of keys used to authenticate protocol communications. Each keychain entry defines the authentication attributes to be used in authenticating protocol messages from remote peers or neighbors; the keychain must include at least one key entry to be valid.
Each key within a keychain must include the following attributes for the authentication of protocol messages:
    - key identifier
    - authentication algorithm
    - authentication key
    - direction
    - begin time
Optionally, each key can include an end time and tolerance.
Use the following CLI commands to configure a keychain:
config>system>security
    keychain name
        description description-string
        direction
            bi
                entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
                    begin-time [date] [hours-minutes] [UTC]
                    tolerance {seconds | forever}
            uni
                receive
                    entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
                        begin-time [date] [hours-minutes] [UTC]
                        tolerance {seconds | forever}
                send
                    entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
                        begin-time [date] [hours-minutes] [UTC]
The following example displays a keychain configuration:
A:ALU-1>config>system>security# info detail
----------------------------------------------
...
    keychain "ospf-md5"
        description "MD5 keychain for OSPF interfaces"
        tcp-option-number
            send 254
            receive 254
        exit
        direction
            bi
                entry 0 key "VyScMGuUfEQw9vxb9YWEG8oEeyRxTrGC.aFwWKzlO1E" hash2 algorithm message-digest
                    no shutdown
                    begin-time 2016/06/01 00:00:00 UTC
                    no option
                exit
                entry 1 key "VyScMGuUfEQw9vxb9YWEG6rfIEGa/.sGbxt3BaeWYO." hash2 algorithm message-digest
                    no shutdown
                    begin-time 2016/06/09 00:00:00 UTC
                    no option
                    tolerance 600
                exit
            exit
        exit
        no shutdown
    exit
    keychain "rsvp-md5"
        description "MD5 keychain for RSVP interfaces"
        tcp-option-number
            send 254
            receive 254
        exit
        direction
            uni
                send
                    entry 0 key "f4L8216viTz8OMIKEcNfF/0BxU12MaZskrUHlTNYMwY" hash2 algorithm message-digest
                        no shutdown
                        begin-time 2016/06/01 00:00:00 UTC
                    exit
                    entry 1 key "f4L8216viTz8OMIKEcNfF0VmwDJEUYqX1ob50zLE0HY" hash2 algorithm message-digest
                        no shutdown
                        begin-time 2016/06/09 00:00:00 UTC
                    exit
                exit
                receive
                    entry 0 key "dE.xAjca3DLqssbdJ8zc8vblBwYsvFXL57dvJEuRQHE" hash2 algorithm message-digest
                        no shutdown
                        begin-time 2016/06/01 00:00:00 UTC
                        tolerance 600
                    exit
                    entry 1 key "dE.xAjca3DLqssbdJ8zc4ty4BxUSFV5xl9ejgfrYHGG" hash2 algorithm message-digest
                        no shutdown
                        begin-time 2016/06/09 00:00:00 UTC
                        tolerance 600
                    exit
                exit
            exit
----------------------------------------------
A:ALU-1>config>system>security#
In the example above, two separate keychains are created, "ospf-md5" and "rsvp-md5", each with two possible keys.
For ospf-md5:
    - entry 0 is valid starting at midnight (UTC) on 2016/06/01
    - entry 1 will become valid at midnight (UTC) on 2016/06/09 and will replace entry 0
    - there is an overlap (tolerance) period of 600 seconds in which packets with either key (entry 0 or entry 1) will be accepted
For rsvp-md5:
    - for transmitted packets:
        - send key entry 0 is valid starting at midnight (UTC) on 2016/06/01
        - send key entry 1 will become valid at midnight (UTC) on 2016/06/09 and will replace entry 0
    - for received packets:
        - receive key entry 0 is valid starting at midnight (UTC) on 2016/06/01
        - receive key entry 1 will become valid at midnight (UTC) on 2016/06/09 and will replace entry 0
        - there is an overlap (tolerance) period of 600 seconds in which received packets with either key (entry 0 or entry 1) will be accepted
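The rollover described above (the newer entry takes over at its begin-time, and the replaced key stays acceptable on receive for the tolerance window) can be modelled to check which key a router would send and which keys it would accept at a given moment. This is an added example, not code from the Nokia documentation or from SR OS; it assumes the replacing entry's tolerance value is the length of the overlap window, counted from that entry's begin-time (as in the ospf-md5 keychain, where tolerance 600 is configured on entry 1), and the KeyEntry/OSPF_MD5 names and timestamps are constructed to mirror that keychain.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

FOREVER = None  # models "tolerance forever": the replaced key never stops being accepted


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build an aware UTC timestamp, matching 'begin-time 2016/06/01 00:00:00 UTC'."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


@dataclass(frozen=True)
class KeyEntry:
    entry_id: int
    begin_time: datetime       # when this key becomes the active key
    tolerance: Optional[int]   # overlap seconds granted to the key it replaces; FOREVER = unbounded


# Constructed to mirror the ospf-md5 keychain shown above (hashed key material omitted).
OSPF_MD5 = [KeyEntry(0, utc(2016, 6, 1), 0), KeyEntry(1, utc(2016, 6, 9), 600)]


def active_send_entry(entries: List[KeyEntry], now: datetime) -> Optional[int]:
    """Entry id used on transmit: the newest key whose begin-time has passed.
    None before the first begin-time, when no key can authenticate anything yet."""
    started = [e for e in entries if e.begin_time <= now]
    return max(started, key=lambda e: e.begin_time).entry_id if started else None


def acceptable_receive_entries(entries: List[KeyEntry], now: datetime) -> List[int]:
    """Entry ids accepted on receive at `now`: the active key, plus the key it replaced
    for as long as the replacing key's tolerance window (from its begin-time) is open."""
    ordered = sorted(entries, key=lambda e: e.begin_time)
    accepted = []
    for i, key in enumerate(ordered):
        if key.begin_time > now:
            break                           # this and all later keys are not yet valid
        successor = ordered[i + 1] if i + 1 < len(ordered) else None
        if successor is None or successor.begin_time > now:
            accepted.append(key.entry_id)   # currently active key
        elif successor.tolerance is FOREVER:
            accepted.append(key.entry_id)   # replaced, but tolerated indefinitely
        elif now < successor.begin_time + timedelta(seconds=successor.tolerance):
            accepted.append(key.entry_id)   # replaced, still inside the overlap window
    return accepted


if __name__ == "__main__":
    for t in (utc(2016, 5, 31), utc(2016, 6, 5), utc(2016, 6, 9, 0, 5), utc(2016, 6, 9, 0, 10)):
        print(t.isoformat(), "send:", active_send_entry(OSPF_MD5, t),
              "accept:", acceptable_receive_entries(OSPF_MD5, t))
```

Before the first begin-time the model returns no key at all, which is the state an operator sees when a keychain is configured with a future begin-time and the neighbor relationship fails to authenticate.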