JUNOSe 11.0.x IP, IPv6, and IGP Configuration Guide
Example
The following commands configure both key 1 and key 2 to be accepted between
08:00:00 and 23:00:00. When the current time reaches 09:00:00, the router begins
using key 1 to transmit packets. When the current time reaches 10:00:00, the router
begins using key 2 to transmit packets; key 1 is no longer used. Key 2 will continue
to be used until a new key is configured and the new key's startGenTime matches
the current time on the router.
host1(config-router)#area-message-digest-key 1 hmac-md5 mr942s7n start-accept 08:00:00 start-generate 9:00:00 stop-accept 23:00:00 stop-generate 22:59:59
host1(config-router)#area-message-digest-key 2 hmac-md5 dsb38h5f start-accept 08:00:00 start-generate 10:00:00 stop-accept 23:00:00 stop-generate 22:59:59
Halting MD5 Authentication
To prevent key expiration from causing your network to revert to an unauthenticated
condition, you cannot halt MD5 authentication by using the timers. When the
stopGenTime time for a key is reached, the router does not stop generating the key
if it was the last key issued. You must delete all keys to halt authentication. Use the
no version of the command to delete a key.
Managing and Replacing MD5 Keys
A key has an infinite lifetime if you do not specify stopGenTime and stopAcceptTime.
(As noted previously, if the last key expires, the router continues to generate that
key.) Many system operators choose to change their keys on a regular basis, such
as every month. If you determine that a key is no longer secure, configure a new
key immediately. We recommend the following practice for configuring new keys:
1. Configure the new key on all routers in the IS-IS network.
2. Verify that the new key is working.
3. Delete the old key from every router.
Each key has an associated key-ID that you specify. The key-ID is sent with the
message digest, so that the receiving routers know which key was used to generate
the digest. You also use the key-ID to delete a key.
Enabling and Disabling Authentication of CSNPs and PSNPs
When the E Series router interoperates with other vendors' routers in the same
network, you might want to enable or disable (suppress) authentication for some
PDU types but not for others. For example, some vendors' routing software might
not authenticate any PDUs, whereas other vendors' routing software might
authenticate CSNPs and PSNPs separately from LSPs.
To facilitate interoperability with other vendors' routers, the E Series router allows
you to enable and disable authentication of CSNPs and PSNPs separately from
authentication of LSPs by using the following commands:
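Added example (not from the Juniper guide, and not the CSNP/PSNP commands referred to above): a Python model of the key timers described in the Example and Halting MD5 Authentication sections, useful for checking a key rollover plan before it is configured. It assumes time-of-day values only, that every key has both start times, and that the key with the latest start-generate is the one transmitted, which is inferred from the Example; the finding names are invented for illustration.

```python
from datetime import time

# Timers copied from the two area-message-digest-key commands in the Example.
# None would mean "not specified" (infinite lifetime, per the page).
KEYS = {
    1: {"start_accept": time(8), "start_generate": time(9),
        "stop_accept": time(23), "stop_generate": time(22, 59, 59)},
    2: {"start_accept": time(8), "start_generate": time(10),
        "stop_accept": time(23), "stop_generate": time(22, 59, 59)},
}

def newest(keys, ids):
    """Key-ID with the latest start-generate (assumed rule, inferred from the Example)."""
    return max(ids, key=lambda k: (keys[k]["start_generate"], k))

def transmit_key(keys, now):
    """Key-ID used to generate digests at time-of-day `now`, or None."""
    started = [k for k in keys if keys[k]["start_generate"] <= now]
    if not started:
        return None  # no key has reached start-generate yet
    live = [k for k in started
            if keys[k]["stop_generate"] is None or now <= keys[k]["stop_generate"]]
    # Page rule: if every key is past stop-generate, the last key issued is
    # still generated, so authentication never lapses because of a timer.
    return newest(keys, live or started)

def audit(keys):
    """Return (key_id, finding) pairs for timer settings worth reviewing."""
    findings = []
    for k, t in sorted(keys.items()):
        # A router configured this way sends digests it would not yet accept.
        if t["start_accept"] > t["start_generate"]:
            findings.append((k, "generated-before-accepted"))
        if t["stop_accept"] is not None and (
                t["stop_generate"] is None or t["stop_accept"] < t["stop_generate"]):
            findings.append((k, "generated-after-accept-stops"))
    last = newest(keys, keys)
    if keys[last]["stop_generate"] is not None:
        # The stop-generate timer on the last key does not halt generation.
        findings.append((last, "last-key-ignores-stop-generate"))
    return findings

if __name__ == "__main__":
    for now in (time(8, 30), time(9, 30), time(10, 30), time(23, 30)):
        print(now, "transmit key:", transmit_key(KEYS, now))
    print(audit(KEYS))
```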