TCP enhanced authentication uses keychains that are associated with every protected TCP connection.
The keychain concept supported by BGP and LDP has also been extended to the OSPF, IS-IS, and RSVP-TE protocols.
The keychain mechanism allows for the creation of keys used to authenticate protocol communications. Each keychain entry defines the authentication attributes to be used in authenticating protocol messages from remote peers or neighbors; the keychain must include at least one key entry to be valid. The keychain mechanism also allows authentication keys to be changed without affecting the state of the associated protocol adjacencies.
Each key within a keychain must include the following attributes for the authentication of protocol messages:

- key identifier – unique identifier, expressed as a decimal integer
- authentication algorithm – see Table: Security Algorithm Support Per Protocol
- authentication key – used by the authentication algorithm to authenticate packets
- direction – packet stream direction in which the key is applied (receive direction, send direction, or both)
- begin time – the time at which a new authentication key can be used

Optionally, each key can include the following attributes:

- end time – the time at which the authentication key becomes inactive (applies to received packets only)
- tolerance – period in which both old and new authentication key values can overlap and both keys will be allowed on received packets (applies to received packets only)
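The attributes above determine which key a router signs with and which keys it will still accept while a rollover is in progress. The following Python model is an added example, not code from the page or from the router implementation it describes: it selects the send key by newest begin time, keeps a received key acceptable until its end time plus tolerance (that reading of tolerance is an assumption), and tags and verifies a constructed message with HMAC-SHA-256 on both sides of a rollover. The key names, secrets and timestamps are constructed sample values.

```python
# Added example (not the page's or the router vendor's own code): a small model of
# keychain key selection and HMAC verification across a key rollover.
# Assumption: a key stays acceptable on received packets until end time + tolerance.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Only the HMAC-based algorithms from the protocol table are modelled here.
ALGORITHMS = {
    "hmac-md5": hashlib.md5,
    "hmac-sha-1": hashlib.sha1,
    "hmac-sha-256": hashlib.sha256,
}


@dataclass(frozen=True)
class Key:
    key_id: int                 # unique decimal identifier
    algorithm: str              # name from ALGORITHMS
    secret: bytes               # the authentication key itself
    direction: str              # "send", "receive" or "both"
    begin: int                  # epoch seconds at which the key may be used
    end: Optional[int] = None   # receive only: key becomes inactive after this
    tolerance: int = 0          # receive only: overlap allowed past `end`

    def usable_for_send(self, now: int) -> bool:
        return self.direction in ("send", "both") and self.begin <= now

    def usable_for_receive(self, now: int) -> bool:
        if self.direction not in ("receive", "both") or now < self.begin:
            return False
        # Assumption: the overlap window is the end time plus the tolerance.
        return self.end is None or now <= self.end + self.tolerance


def _mac(key: Key, message: bytes) -> bytes:
    return hmac.new(key.secret, message, ALGORITHMS[key.algorithm]).digest()


class Keychain:
    def __init__(self, name: str, keys: List[Key]):
        if not keys:
            raise ValueError("a keychain must include at least one key entry")
        ids = [k.key_id for k in keys]
        if len(ids) != len(set(ids)):
            raise ValueError("key identifiers must be unique within a keychain")
        for k in keys:
            if k.algorithm not in ALGORITHMS:
                raise ValueError(f"unsupported algorithm {k.algorithm!r}")
        self.name = name
        self.keys = keys

    def send_key(self, now: int) -> Optional[Key]:
        """Newest key (latest begin time) usable in the send direction."""
        candidates = [k for k in self.keys if k.usable_for_send(now)]
        if not candidates:
            return None
        return max(candidates, key=lambda k: (k.begin, k.key_id))

    def receive_key_ids(self, now: int) -> List[int]:
        """All key identifiers currently accepted on received packets."""
        return sorted(k.key_id for k in self.keys if k.usable_for_receive(now))

    def protect(self, message: bytes, now: int) -> Tuple[int, bytes]:
        """Tag an outgoing message with the active send key; returns (key_id, tag)."""
        key = self.send_key(now)
        if key is None:
            raise RuntimeError("no key is active in the send direction")
        return key.key_id, _mac(key, message)

    def verify(self, message: bytes, key_id: int, tag: bytes, now: int) -> bool:
        """Accept a received message only if the named key is currently accepted."""
        for key in self.keys:
            if key.key_id == key_id and key.usable_for_receive(now):
                return hmac.compare_digest(_mac(key, message), tag)
        return False


def build_example_chain() -> Keychain:
    """Constructed two-key chain: key 2 takes over from key 1 at t=1000, with a
    300-second receive overlap so in-flight packets tagged with key 1 still pass."""
    return Keychain("example", [
        Key(1, "hmac-sha-256", b"old-secret", "both", begin=0, end=1000, tolerance=300),
        Key(2, "hmac-sha-256", b"new-secret", "both", begin=1000),
    ])


def rollover_timeline() -> dict:
    """Walk the constructed chain through the rollover and record what happens."""
    chain = build_example_chain()
    msg = b"KEEPALIVE"
    kid, tag = chain.protect(msg, now=900)        # tagged by the old key before rollover
    return {
        "send_before": chain.send_key(900).key_id,            # 1
        "send_after": chain.send_key(1100).key_id,            # 2
        "recv_overlap": chain.receive_key_ids(1100),          # [1, 2]
        "recv_past_tolerance": chain.receive_key_ids(1400),   # [2]
        "old_tag_in_overlap": chain.verify(msg, kid, tag, now=1100),  # True
        "old_tag_too_late": chain.verify(msg, kid, tag, now=1400),    # False
        "tampered": chain.verify(b"KEEPALIVE!", kid, tag, now=1100),  # False
    }


if __name__ == "__main__":
    for name, value in rollover_timeline().items():
        print(f"{name:22} {value}")
```

The timeline shows why the tolerance attribute matters operationally: the sender switches to key 2 the instant its begin time passes, but a peer whose clock lags, or a packet still in flight, is only tolerated for the configured overlap, after which anything still tagged with key 1 is dropped. Note also that begin time is required on every key, while end time and tolerance shape only the receive side, matching the attribute list above.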
For added security, support for the Secure Hash Algorithm (SHA) has been added. Table: Security Algorithm Support Per Protocol lists the security algorithms supported per protocol.
Table: Security Algorithm Support Per Protocol

Protocol | Clear Text | MD5 (message digest) | HMAC-MD5 | HMAC-SHA-1-96 | HMAC-SHA-1 | HMAC-SHA-256 | AES-128-CMAC-96
---|---|---|---|---|---|---|---
OSPF | Yes | Yes | No | Yes | Yes | Yes | No
IS-IS | Yes | No | Yes | No | Yes | Yes | No
RSVP-TE | No | No | Yes | Yes | Yes | Yes | No
BGP | No | No | No | Yes | No | No | Yes
LDP | No | No | No | Yes | No | No | Yes