Either the existing authentication-key command or the new auth-keychain command can be used by a protocol, but not both at the same time. If both commands are configured, the auth-keychain configuration takes effect and the authentication-key command is ignored.
A keychain cannot be referenced by a protocol until it has been configured.
If a keychain is referenced by a protocol, the keychain cannot be deleted.
If multiple keys in a keychain are valid at the same time, the newest key (key with the most current start time) is used.
When a protocol that is configured to use a keychain sends a packet, the most current key from that keychain is used.
When a protocol that is configured to use a keychain receives a packet, the current key set is returned and used to authenticate the received packet.
The key set includes the currently active keys (based on the current system time) and the begin/end time associated with each key in the specified keychain.
If a tolerance value is set for a key, the key is returned as part of the key set if the current time is within the key's begin time, plus or minus the tolerance value. For example, if the begin time is 12:00 p.m. and the tolerance is 600 seconds, the new key is accepted from 11:50 a.m., and the key it replaces continues to be accepted until 12:10 p.m.
The end time and tolerance attributes apply only to received packets. Transmitted packets always use the newest key, regardless of the tolerance value.
If a keychain exists but has no active key entry with an authentication type that matches the type supported by the protocol, inbound protocol packets cannot be authenticated and are discarded, and no outbound protocol packets are sent.
If a keychain exists but the last key entry has expired, a log entry will be raised indicating that all keychain entries have expired.
The OSPF and RSVP-TE protocols require that the protocol continue to authenticate inbound and outbound traffic using the last valid authentication key.
The IS-IS protocol requires that the protocol not revert to an unauthenticated state and requires that the old key not be used; therefore, when the last key has expired, all traffic will be discarded.
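As an added illustration (not Nokia code, CLI, or configuration), the following Python model implements the selection rules stated above: the newest begun key on send; the begin time minus tolerance, the end time and the handover window on receive; the match on authentication type; and the OSPF/RSVP-TE versus IS-IS behaviour once the last key has expired. The Key structure, the function names, the protocol names as strings, the three-key sample keychain and its times are all assumptions made for this example, as is the decision to treat the handover window as symmetric around the successor key's begin time.

```python
"""Keychain key selection for send and receive (illustrative model, not Nokia code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class Key:
    key_id: int
    algorithm: str                      # authentication type, e.g. "hmac-md5"
    begin: datetime
    end: Optional[datetime] = None      # None: the key has no end time
    tolerance: timedelta = timedelta(0)


# Behaviour once the last key has expired, as stated in the text.
KEEP_LAST_KEY = {"ospf", "rsvp-te"}     # keep authenticating with the last key
DISCARD_ON_EXPIRY = {"isis"}            # never reuse the old key; discard traffic


def usable_keys(chain: List[Key], supported: Set[str]) -> List[Key]:
    """Keys whose authentication type the protocol supports, oldest begin first."""
    return sorted((k for k in chain if k.algorithm in supported), key=lambda k: k.begin)


def _check_protocol(protocol: str) -> None:
    if protocol not in KEEP_LAST_KEY | DISCARD_ON_EXPIRY:
        raise ValueError(f"expiry behaviour for {protocol!r} is not modelled")


def send_key(chain, supported, protocol, now) -> Optional[Key]:
    """Key for transmitted packets: newest key that has begun, ignoring end/tolerance."""
    _check_protocol(protocol)
    begun = [k for k in usable_keys(chain, supported) if k.begin <= now]
    if not begun:
        return None                     # no usable key: nothing is sent
    newest = begun[-1]
    expired = newest.end is not None and now > newest.end
    if expired and protocol in DISCARD_ON_EXPIRY:
        return None                     # IS-IS: all keys expired, send nothing
    return newest                       # OSPF/RSVP-TE keep using the last key


def receive_key_set(chain, supported, protocol, now) -> List[Key]:
    """Keys accepted for a received packet at `now`."""
    _check_protocol(protocol)
    keys = usable_keys(chain, supported)
    accepted = []
    for i, k in enumerate(keys):
        if now < k.begin - k.tolerance:  # not yet within begin minus tolerance
            continue
        still_valid = k.end is None or now <= k.end
        # Assumption: the key being replaced stays accepted while the current
        # time is inside the successor's window of begin +/- tolerance.
        in_handover = False
        if i + 1 < len(keys):
            nxt = keys[i + 1]
            in_handover = nxt.begin - nxt.tolerance <= now <= nxt.begin + nxt.tolerance
        if still_valid or in_handover:
            accepted.append(k)
    if not accepted and keys and protocol in KEEP_LAST_KEY:
        last = keys[-1]
        if last.end is not None and now > last.end:   # every key has expired
            accepted.append(last)
    return accepted


def ids(keys: List[Key]) -> List[int]:
    return [k.key_id for k in keys]


# Constructed sample keychain: key 2 replaces key 1 at noon with a 600 s
# tolerance; key 3 uses a type the sample protocol config does not support.
def at(hour: int, minute: int) -> datetime:
    return datetime(2024, 1, 1, hour, minute)


KEYCHAIN = [
    Key(1, "hmac-md5", begin=at(0, 0), end=at(12, 0)),
    Key(2, "hmac-md5", begin=at(12, 0), end=datetime(2024, 1, 2, 12, 0),
        tolerance=timedelta(seconds=600)),
    Key(3, "hmac-sha-256", begin=at(6, 0)),
]
MD5_ONLY = {"hmac-md5"}
AFTER_ALL_EXPIRED = datetime(2024, 1, 3, 0, 0)

if __name__ == "__main__":
    for t in (at(11, 49), at(11, 55), at(12, 3), at(12, 11), AFTER_ALL_EXPIRED):
        for proto in ("ospf", "isis"):
            s = send_key(KEYCHAIN, MD5_ONLY, proto, t)
            print(t, proto, "send:", s.key_id if s else None,
                  "receive:", ids(receive_key_set(KEYCHAIN, MD5_ONLY, proto, t)))
```

Running the timeline shows the points the text describes: before 11:50 only key 1 is accepted, from 11:50 both keys are accepted while key 1 is still sent, at noon key 2 becomes the send key while key 1 is still accepted until 12:10, and after key 2's end time OSPF keeps key 2 for both directions while IS-IS sends nothing and accepts nothing. Changing the supported-type set to one no key uses reproduces the discard-everything case.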
For information about associating keychains with protocols, see the 7705 SAR Routing Protocols Guide (for OSPF, IS-IS, and BGP), the 7705 SAR MPLS Guide (for RSVP-TE and LDP), and the 7705 SAR Services Guide (for OSPF and BGP in a VPRN service).