Keychain

The keychain mechanism allows for the creation of keys used to authenticate protocol communications. Each keychain entry defines the authentication attributes to be used in authenticating protocol messages from remote peers or neighbors, and it must include at least one key entry to be valid. Through the use of the keychain mechanism, authentication keys can be changed without affecting the state of the associated protocol adjacencies for OSPF, IS-IS, BGP, LDP, and RSVP-TE.

Each key within a keychain must include the following attributes for the authentication of protocol messages:

Additional attributes can optionally be specified, including:

Table: Keychain mapping shows the mapping between these attributes and the CLI commands that set them.

Table: Keychain mapping

Definition: The key identifier expressed as an integer (0...63)
CLI:
    config>system>security>keychain>direction>bi>entry
    config>system>security>keychain>direction>uni>receive>entry
    config>system>security>keychain>direction>uni>send>entry

Definition: Authentication algorithm to use with key[i]
CLI:
    config>system>security>keychain>direction>bi>entry with the algorithm parameter
    config>system>security>keychain>direction>uni>receive>entry with the algorithm parameter
    config>system>security>keychain>direction>uni>send>entry with the algorithm parameter

Definition: Shared secret to use with key[i]
CLI:
    config>system>security>keychain>direction>uni>receive>entry with the shared secret parameter
    config>system>security>keychain>direction>uni>send>entry with the shared secret parameter
    config>system>security>keychain>direction>bi>entry with the shared secret parameter

Definition: A vector that determines whether key[i] is to be used to generate MACs for inbound segments, outbound segments, or both
CLI:
    config>system>security>keychain>direction

Definition: Start time from which key[i] can be used (send side)
CLI:
    config>system>security>keychain>direction>bi>entry>begin-time
    config>system>security>keychain>direction>uni>send>entry>begin-time

Definition: End time after which key[i] cannot be used by sending TCPs
CLI:
    Inferred from the begin-time of the next key (youngest key rule)

Definition: Start time from which key[i] can be used (receive side)
CLI:
    config>system>security>keychain>direction>bi>entry>begin-time
    config>system>security>keychain>direction>bi>entry>tolerance
    config>system>security>keychain>direction>uni>receive>entry>begin-time
    config>system>security>keychain>direction>uni>receive>entry>tolerance

Definition: End time after which key[i] cannot be used (receive side)
CLI:
    config>system>security>keychain>direction>uni>receive>entry>end-time
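The following added example (not SR OS code, and not from this page) models the key-selection rules in the table above: the send side follows the youngest key rule, where a key's end-time is implied by the next key's begin-time, while the receive side keeps an older key acceptable for a configurable tolerance window so a peer that has not yet rolled over is still authenticated. The Entry class, the treatment of tolerance as a grace period after end-time, the sample keys and the message are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Entry:
    key_id: int                          # entry id (0...63)
    algorithm: str                       # hashlib digest name, e.g. "sha256" for HMAC-SHA-256
    secret: bytes                        # shared secret for this key
    begin: datetime                      # begin-time
    end: Optional[datetime] = None       # end-time (receive side only)
    tolerance: timedelta = timedelta(0)  # receive side only (assumed: grace after end-time)

def active_send_key(send_entries: List[Entry], now: datetime) -> Optional[Entry]:
    # Youngest key rule: use the newest key whose begin-time has passed;
    # the previous key's end-time is implied by this key's begin-time.
    started = [e for e in send_entries if e.begin <= now]
    return max(started, key=lambda e: e.begin) if started else None

def acceptable_receive_keys(recv_entries: List[Entry], now: datetime) -> List[Entry]:
    # A receive key is acceptable from its begin-time until end-time plus
    # tolerance (or indefinitely when no end-time is configured).
    ok = []
    for e in recv_entries:
        if e.begin > now:
            continue
        if e.end is not None and now > e.end + e.tolerance:
            continue
        ok.append(e)
    return ok

def sign(entry: Entry, message: bytes) -> bytes:
    return hmac.new(entry.secret, message, entry.algorithm).digest()

def verify(recv_entries: List[Entry], now: datetime, message: bytes, mac: bytes) -> Optional[int]:
    # Try every currently acceptable receive key; return the id that verified.
    for e in acceptable_receive_keys(recv_entries, now):
        if hmac.compare_digest(sign(e, message), mac):
            return e.key_id
    return None

# Constructed sample keychain: key 1 rolls over to key 2 on 1 March 2024;
# the receive side tolerates the old key for one more hour.
K1 = Entry(1, "sha256", b"secret-one", datetime(2024, 1, 1))
K2 = Entry(2, "sha256", b"secret-two", datetime(2024, 3, 1))
SEND = [K1, K2]
RECV = [Entry(1, "sha256", b"secret-one", datetime(2024, 1, 1), datetime(2024, 3, 1), timedelta(hours=1)),
        Entry(2, "sha256", b"secret-two", datetime(2024, 3, 1))]

def demo(now: datetime):
    send = active_send_key(SEND, now)
    accepted = verify(RECV, now, b"OSPF hello", sign(send, b"OSPF hello"))
    return send.key_id, [e.key_id for e in acceptable_receive_keys(RECV, now)], accepted
```

During the one-hour tolerance window both keys verify, which is what lets the secret change without dropping the adjacency; once the window closes, a segment still signed with key 1 is rejected.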

Table: Security algorithm support per protocol lists the authentication algorithms that can be used in association with specific routing protocols.

Table: Security algorithm support per protocol
Columns: Protocol, Clear text, MD5, HMAC-MD5, HMAC-SHA-1-96, HMAC-SHA-1, HMAC-SHA-256, AES-128-CMAC-96 (only the "Yes" cells survive in this copy of the table; blank cells are not shown)

OSPF    Yes  Yes  Yes  Yes  Yes
IS-IS   Yes  Yes  Yes  Yes
RSVP    Yes  Yes  Yes
BGP     Yes  Yes  Yes
LDP     Yes  Yes  Yes