Administrator For Assistance - Cisco CRS-1 - Carrier Routing System Router Configuration Manual

IOS XR System Security Configuration Guide

Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
Implementing Keychain Management on Cisco IOS XR Software
OL-20382-01
SC-154

Prerequisites for Configuring Keychain Management
You must be in a user group associated with a task group that includes the proper task IDs. The
command reference guides include the task IDs required for each command.
If you suspect user group assignment is preventing you from using a command, contact your AAA
administrator for assistance.

Restrictions for Implementing Keychain Management
Be aware that changing the system clock affects the validity of the keys in the existing
configuration.

Information About Implementing Keychain Management
The keychain by itself has no relevance; therefore, it must be used by an application that needs to
communicate by using the keys (for authentication) with its peers. The keychain provides a secure
mechanism to handle the keys and rollover based on the lifetime. Border Gateway Protocol (BGP), Open
Shortest Path First (OSPF), and Intermediate System-to-Intermediate System (IS-IS) use the keychain
to implement a hitless key rollover for authentication. BGP uses TCP authentication, which enables the
authentication option and sends the Message Authentication Code (MAC) based on the cryptographic
algorithm configured for the keychain. For information about BGP, OSPF, and IS-IS keychain
configurations, see Cisco IOS XR Routing Configuration Guide.
To implement keychain management, you must understand the concept of key lifetime, which is
explained in the next section.

Lifetime of a Key
If you are using keys as the security method, you must specify the lifetime for the keys and change the
keys on a regular basis when they expire. To maintain stability, each party must be able to store and use
more than one key for an application at the same time. A keychain is a sequence of keys that are
collectively managed for authenticating the same peer, peer group, or both.
Keychain management groups a sequence of keys together under a keychain and associates each key in
the keychain with a lifetime.
Note: Any key that is configured without a lifetime is considered invalid; therefore, the key is rejected
during configuration.
The lifetime of a key is defined by the following options:
Start-time—Specifies the absolute time.
End-time—Specifies the absolute time that is relative to the start-time or infinite time.
Each key definition within the keychain must specify a time interval for which that key is activated
(its lifetime). During a given key's lifetime, routing update packets are sent with this activated
key. Keys cannot be used during time periods for which they are not activated. Therefore, we recommend
that for a given keychain, key activation times overlap to avoid any period of time for which no key is
activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur;
therefore, routing updates can fail.
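The overlap recommendation and the no-lifetime rule described under "Lifetime of a Key" can be checked before a keychain is deployed. The following Python is an added example, not code from Cisco or from the original guide; the tuple layout, the function names and the sample dates are assumptions constructed for illustration, and end-times are treated as exclusive.

```python
from datetime import datetime

INFINITE = datetime.max  # assumption: stands in for an "infinite" end-time

def active_keys(keys, now):
    """IDs of keys whose lifetime contains `now` (the system clock)."""
    return [kid for kid, start, end in keys
            if start is not None and end is not None and start <= now < end]

def coverage_gaps(keys, window_start, window_end):
    """Return (rejected_ids, gaps) for one keychain.

    keys: (key_id, start, end) tuples; a key with no lifetime is
    (key_id, None, None) and is reported as rejected.
    gaps: (from, to) intervals in the window during which no key is active.
    """
    rejected = [kid for kid, start, end in keys if start is None or end is None]
    spans = sorted((start, end) for _, start, end in keys
                   if start is not None and end is not None and end > start)
    gaps, cursor = [], window_start
    for start, end in spans:
        if end <= cursor:          # lifetime already covered by earlier keys
            continue
        if start >= window_end:    # begins after the window of interest
            break
        if start > cursor:         # no key active between cursor and start
            gaps.append((cursor, start))
        cursor = end
        if cursor >= window_end:
            break
    if cursor < window_end:
        gaps.append((cursor, window_end))
    return rejected, gaps

# Constructed sample keychain: (key id, start-time, end-time)
SAMPLE_KEYS = [
    (1, datetime(2024, 1, 1), datetime(2024, 4, 1)),
    (2, datetime(2024, 3, 25), datetime(2024, 7, 1)),  # overlaps key 1
    (3, datetime(2024, 7, 2), INFINITE),               # starts one day late
    (4, None, None),                                   # no lifetime configured
]
WINDOW = (datetime(2024, 1, 1), datetime(2025, 1, 1))

if __name__ == "__main__":
    rejected, gaps = coverage_gaps(SAMPLE_KEYS, *WINDOW)
    print("rejected (no lifetime):", rejected)
    for a, b in gaps:
        print("no key active from", a, "to", b)
    print("active on 2024-03-28:", active_keys(SAMPLE_KEYS, datetime(2024, 3, 28)))
```

Calling `active_keys` with a different `now` shows the effect of the clock restriction: the same keychain yields a different set of valid keys when the system clock is changed.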