Table of Contents
Advertisement
JUNOSe 11.0.x IP Services Configuration Guide
3.
4.
Generally, only Step 4 is required each time a phase 1 negotiation happens. The first
three steps are required only if keys are compromised or router certificates require
renewal.
Generating Public/Private Key Pairs
The ERX router needs at least one valid pair of public/private keys whenever it uses
any of the public key methods for authenticating an IKE peer. The ERX router can
generate its own public/private key pairs. The public/private key pair supports the
RSA standard (1024 or 2048 bits).
The private key is used only by the ERX router. It is never exchanged with any other
nodes. It is used to place a digital signature on IKE authentication messages. When
generated, it is securely stored internally to the ERX router in nonvolatile storage
(NVS). Access to the private key is never allowed, not even to a system administrator
or a network management system. Private key storage includes protection
mechanisms to prevent improper private key usage, including encryption with 3DES
using a unique internally generated key. The key is also tied to SRP-specific data to
prevent swapping flash disks between routers.
The public key is used in the generation of the router certificate request, which is
sent to a CA. Based on the certificate request, the CA generates a public key certificate
for the E Series router.
The router public/private key pair is a global system attribute. It does not matter how
many IPSec Service modules (ISMs) exist in the router; only one set of keys is available
at any given moment. The private/public key pair applies across all virtual routers
and is persistent across reloads and booting to factory defaults.
Obtaining a Root CA Certificate
The ERX router enables the use of either a manual or automatic method to download
the root CA's self-signed certificate. The standards supported for obtaining root CAs
are X.509v3, base64, and basic-encoding-rules (BER)–encoded certificates.
216
IKE Authentication with Digital Certificates
The router requires at least one root CA certificate to send to IKE peers and also
to verify that a peer's certificate is genuine.
Obtaining a public key certificate
The router requires at least one public key certificate, which binds the router
identity to its public key. The CA verifies the identity represented on the certificate
and then signs the certificate. The router sends the certificate to IKE peers during
negotiations to advertise the router public key.
Authenticating the peer
As part of IKE negotiations, the router receives its peer's digital signature in a
message exchange. The router must verify the digital signature by using the
peer's public key. The public key is contained in the peer's certificate, which
often is received during the IKE negotiation. To ensure that the peer certificate
is valid, the router verifies its digital signature by using the CA public key
contained in the root CA certificate. The router and its IKE peer require at least
one common trusted root CA for authentication to work.
Advertisement
Table of Contents
