The keychain mechanism allows for the creation of keys used to authenticate protocol communications. Each keychain entry defines the authentication attributes to be used in authenticating protocol messages from remote peers or neighbors, and it must include at least one key entry to be valid. Through the use of the keychain mechanism, authentication keys can be changed without affecting the state of the associated protocol adjacencies for OSPF, IS-IS, BGP, LDP, and RSVP-TE.
Each key within a keychain must include the following attributes for the authentication of protocol messages:

- key identifier
- authentication algorithm
- authentication key (the shared secret)
- direction
- start time

The following attributes can optionally be specified in addition:

- end time
- tolerance
Table: Keychain mapping shows the mapping between these attributes and the CLI commands that set them. Start and end times are tracked separately for the send and receive side of a key, which is what allows a new key to be accepted on receive before the local node starts sending with it.

| Attribute | Definition | CLI |
|---|---|---|
| Key identifier | The key identifier, expressed as an integer (0 to 63) | config>system>security>keychain>direction>bi>entry; config>system>security>keychain>direction>uni>receive>entry; config>system>security>keychain>direction>uni>send>entry |
| Authentication algorithm | Authentication algorithm to use with key[i] | config>system>security>keychain>direction>bi>entry, config>system>security>keychain>direction>uni>receive>entry and config>system>security>keychain>direction>uni>send>entry, each with the algorithm parameter |
| Authentication key | Shared secret to use with key[i] | config>system>security>keychain>direction>bi>entry, config>system>security>keychain>direction>uni>receive>entry and config>system>security>keychain>direction>uni>send>entry, each with the shared secret parameter |
| Direction | A vector that determines whether key[i] is used to generate MACs for inbound segments, outbound segments, or both | config>system>security>keychain>direction |
| Start time (send) | Start time from which key[i] can be used for sending | config>system>security>keychain>direction>bi>entry>begin-time; config>system>security>keychain>direction>uni>send>entry>begin-time |
| End time (send) | End time after which key[i] is no longer used for sending | Not configured directly; inferred from the begin-time of the next key (youngest key rule: the key with the most recent begin-time that has already passed is the active send key) |
| Start time (receive) | Start time from which key[i] is accepted on receive | config>system>security>keychain>direction>bi>entry>begin-time; config>system>security>keychain>direction>bi>entry>tolerance; config>system>security>keychain>direction>uni>receive>entry>begin-time; config>system>security>keychain>direction>uni>receive>entry>tolerance |
| End time (receive) | End time after which key[i] is no longer accepted on receive | config>system>security>keychain>direction>uni>receive>entry>end-time |
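The following Python is an added illustration of the mechanism described above; it is not SR OS code and does not reproduce the CLI. It models a bidirectional keychain: the youngest-key rule picks the active send key and infers its end time from the next key's begin-time, the receive side accepts every key whose window covers the current time, and the HMAC algorithms named on this page are computed with the standard library. Three points are assumptions, not statements from the page: times are POSIX seconds, the tolerance lets a receive key be accepted that many seconds before its begin-time, and the -96 variants keep the first 96 bits (12 bytes) of the HMAC output. AES-128-CMAC-96 is left out because it is not in the Python standard library. The key identifiers, secrets and times are constructed sample data.

```python
"""Model of keychain key selection and MAC computation (added example, not SR OS code).

Assumptions not stated on the page: times are POSIX seconds, 'tolerance' lets a
receive key be accepted that many seconds before its begin-time, and the -96
algorithm variants keep the first 96 bits (12 bytes) of the HMAC output.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Algorithm name -> (hash constructor, truncated MAC length in bytes or None).
# AES-128-CMAC-96 is not in the standard library and is left out of the model.
ALGORITHMS = {
    "hmac-md5": (hashlib.md5, None),
    "hmac-sha-1": (hashlib.sha1, None),
    "hmac-sha-1-96": (hashlib.sha1, 12),
    "hmac-sha-256": (hashlib.sha256, None),
}


@dataclass(frozen=True)
class Key:
    """One keychain entry: identifier, algorithm, shared secret and time window."""
    key_id: int                     # 0..63, as in the keychain mapping table
    algorithm: str
    secret: bytes                   # the shared secret
    begin_time: int                 # start time, POSIX seconds (assumed unit)
    end_time: Optional[int] = None  # receive side only; None = no explicit end
    tolerance: int = 0              # receive side only (assumed semantics, see above)

    def __post_init__(self) -> None:
        if not 0 <= self.key_id <= 63:
            raise ValueError("key identifier must be 0..63")
        if self.algorithm not in ALGORITHMS:
            raise ValueError(f"unsupported algorithm {self.algorithm}")


def compute_mac(key: Key, message: bytes) -> bytes:
    """HMAC over the message with the key's algorithm, truncated for -96 variants."""
    digest, trunc = ALGORITHMS[key.algorithm]
    mac = hmac.new(key.secret, message, digest).digest()
    return mac[:trunc] if trunc else mac


class Keychain:
    def __init__(self, send_keys: List[Key], receive_keys: List[Key]) -> None:
        self.send_keys = list(send_keys)
        self.receive_keys = list(receive_keys)

    @classmethod
    def bidirectional(cls, keys: List[Key]) -> "Keychain":
        """direction bi: the same entries serve both sending and receiving."""
        return cls(keys, keys)

    def active_send_key(self, now: int) -> Optional[Key]:
        """Youngest key rule: of the keys whose begin-time has passed, use the latest."""
        eligible = [k for k in self.send_keys if k.begin_time <= now]
        return max(eligible, key=lambda k: k.begin_time) if eligible else None

    def inferred_send_end_time(self, key: Key) -> Optional[int]:
        """A send key's end time is the begin-time of the next younger key, if any."""
        later = [k.begin_time for k in self.send_keys if k.begin_time > key.begin_time]
        return min(later) if later else None

    def eligible_receive_keys(self, now: int) -> List[Key]:
        """Receive keys accepted at 'now': from begin-time minus tolerance up to end-time."""
        return [
            k for k in self.receive_keys
            if k.begin_time - k.tolerance <= now
            and (k.end_time is None or now <= k.end_time)
        ]

    def authenticate(self, message: bytes, key_id: int, mac: bytes, now: int) -> bool:
        """Verify a received message against the eligible key with that identifier."""
        for k in self.eligible_receive_keys(now):
            if k.key_id == key_id and hmac.compare_digest(compute_mac(k, message), mac):
                return True
        return False


# Constructed sample chain: key 1 is in use, key 2 takes over for sending at
# t=2000 and is accepted on receive 300 s early, so a neighbor whose rollover
# lags is still authenticated and the adjacency is never reset.
EXAMPLE_KEYS = [
    Key(1, "hmac-md5", b"old-shared-secret", begin_time=1000),
    Key(2, "hmac-sha-256", b"new-shared-secret", begin_time=2000, tolerance=300),
]


def build_example_chain() -> Keychain:
    return Keychain.bidirectional(EXAMPLE_KEYS)


if __name__ == "__main__":
    chain = build_example_chain()
    msg = b"protocol hello"
    for now in (1600, 1900, 2100):
        send = chain.active_send_key(now)
        recv = [k.key_id for k in chain.eligible_receive_keys(now)]
        print(f"t={now}: send with key {send.key_id}, accepting keys {recv}")
    # A neighbor still sending with key 1 after the local rollover is accepted.
    late_mac = compute_mac(EXAMPLE_KEYS[0], msg)
    print("late peer accepted:", chain.authenticate(msg, 1, late_mac, 2100))
```

The model shows why the rollover is hitless: between t=1700 and t=2000 the local node still sends with key 1 but already accepts key 2, and after t=2000 it sends with key 2 while key 1 (which has no receive end-time) remains acceptable, so neighbors can switch at different moments without any message failing authentication. A message carrying a key identifier that is not yet within its receive window, or a MAC that does not verify, is rejected.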
Table: Security algorithm support per protocol lists the authentication algorithms that can be used with each routing protocol. Clear text authentication protects only against accidental misconfiguration, not against an on-path attacker, and keyed MD5 is considered weak; where the protocol supports it, prefer HMAC-SHA-256 (OSPF, IS-IS) or AES-128-CMAC-96 (BGP, LDP).

| Protocol | Clear text | MD5 | HMAC-MD5 | HMAC-SHA-1-96 | HMAC-SHA-1 | HMAC-SHA-256 | AES-128-CMAC-96 |
|---|---|---|---|---|---|---|---|
| OSPF | Yes | Yes | — | Yes | Yes | Yes | — |
| IS-IS | Yes | — | Yes | — | Yes | Yes | — |
| RSVP | Yes | — | Yes | — | Yes | — | — |
| BGP | — | Yes | — | Yes | — | — | Yes |
| LDP | — | Yes | — | Yes | — | — | Yes |