Implementing Keychain Management

This module describes how to implement keychain management on. Keychain management is a common method of authentication to configure shared secrets on all entities that exchange secrets such as keys, before establishing trust with each other. Routing protocols and network management applications on Cisco IOS XR software often use authentication to enhance security while communicating with peers.

Implementing Keychain Management

This module describes how to implement keychain management on. Keychain management is a common method of authentication to configure shared secrets on all entities that exchange secrets such as keys, before establishing trust with each other. Routing protocols and network management applications on Cisco IOS XR software often use authentication to enhance security while communicating with peers.

Restrictions for Implementing Keychain Management

You must be aware that changing the system clock impacts the validity of the keys in the existing configuration.

Configure Keychain

This task configures a name for the keychain.

You can create or modify the name of the keychain.

SUMMARY STEPS

  1. configure
  2. key chain key-chain-name
  3. commit
  4. show key chain key-chain-name
  5. show run

DETAILED STEPS

Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

key chain key-chain-name

Example:


RP/0/RP0/CPU0:router(config)# key chain isis-keys
RP/0/RP0/CPU0:router(config-isis-keys)#

Creates a name for the keychain.

Note

 

Configuring only the keychain name without any key identifiers is considered a nonoperation. When you exit the configuration, the router does not prompt you to commit changes until you have configured the key identifier and at least one of the mode attributes or keychain-key configuration mode attributes (for example, lifetime or key string).

Step 3

commit

Commits the configuration changes and remains within the configuration session.

Step 4

show key chain key-chain-name

Example:


RP/0/RP0/CPU0:router# show key chain isis-keys

Key-chain: isis-keys/ -

accept-tolerance -- infinite
Key 8 -- text "1104000E120B520005282820"
  cryptographic-algorithm -- MD5
  Send lifetime:   01:00:00, 29 Jun 2006 - Always valid  [Valid now]
  Accept lifetime: 01:00:00, 29 Jun 2006 - Always valid [Valid now]

(Optional) Displays the name of the keychain.

Note

 

The key-chain-name argument is optional. If you do not specify a name for the key-chain-name argument, all the keychains are displayed.

Step 5

show run

Example:


 key chain isis-keys
  accept-tolerance infinite
  key 8
   key-string mykey91abcd
   cryptographic-algorithm MD5
   send-lifetime 1:00:00 june 29 2006 infinite
   accept-lifetime 1:00:00 june 29 2006 infinite
   !
  !
 !

Configure Tolerance Specification to Accept Keys

This task configures the tolerance specification to accept keys for a keychain to facilitate a hitless key rollover for applications, such as routing and management protocols.

SUMMARY STEPS

  1. configure
  2. key chain key-chain-name
  3. accept-tolerance value [infinite]
  4. commit

DETAILED STEPS

Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

key chain key-chain-name

Example:


RP/0//CPU0:router(config)# key chain isis-keys

Creates a name for the keychain.

Step 3

accept-tolerance value [infinite]

Example:


RP/0//CPU0:router(config-isis-keys)# accept-tolerance infinite

Configures an accept tolerance limit—duration for which an expired or soon-to-be activated keys can be used for validating received packets—for a key that is used by a peer.

  • Use the value argument to set the tolerance range in seconds. The range is from 1 to 8640000.

  • Use the infinite keyword to specify that an accept key is always acceptable and validated when used by a peer.

Step 4

commit

Commits the configuration changes and remains within the configuration session.

Configure Key Identifier for Keychain

This task configures a key identifier for the keychain.

You can create or modify the key for the keychain.

SUMMARY STEPS

  1. configure
  2. key chain key-chain-name
  3. key key-id
  4. commit

DETAILED STEPS

Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

key chain key-chain-name

Example:


RP/0//CPU0:router(config)# key chain isis-keys

Creates a name for the keychain.

Step 3

key key-id

Example:


RP/0//CPU0:router(config-isis-keys)# key 8

Creates a key for the keychain. The key ID has to be unique within the specific keychain.

  • Use the key-id argument as a 48-bit integer.

Step 4

commit

Commits the configuration changes and remains within the configuration session.

Configure Text for Key String

This task configures the text for the key string.

SUMMARY STEPS

  1. configure
  2. key chain key-chain-name
  3. key key-id
  4. key-string [clear | password] key-string-text
  5. Use the commit or end command.

DETAILED STEPS

Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

key chain key-chain-name

Example:


RP/0//CPU0:router(config)# key chain isis-keys

Creates a name for the keychain.

Step 3

key key-id

Example:


RP/0//CPU0:router(config-isis-keys)# key 8
RP/0//CPU0:router(config-isis-keys-0x8)#

Creates a key for the keychain.

Step 4

key-string [clear | password] key-string-text

Example:


RP/0//CPU0:router(config-isis-keys-0x8)# key-string password 8

Specifies the text string for the key.

  • Use the clear keyword to specify the key string in clear text form; use the password keyword to specify the key in encrypted form.

Step 5

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:

  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.

Determine Valid Keys

This task determines the valid keys for local applications to authenticate the remote peers.

SUMMARY STEPS

  1. configure
  2. key chain key-chain-name
  3. key key-id
  4. accept-lifetime start-time [duration duration-value | infinite | end-time]
  5. Use the commit or end command.

DETAILED STEPS

Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

key chain key-chain-name

Example:


RP/0/RP0/CPU0:router(config)# key chain isis-keys

Creates a a name for the keychain.

Step 3

key key-id

Example:


RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#

Creates a key for the keychain.

Step 4

accept-lifetime start-time [duration duration-value | infinite | end-time]

Example:


RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# accept-lifetime 1:00:00 october 24 2005 infinite

(Optional) Specifies the validity of the key lifetime in terms of clock time. You can specify the start-time and end-time in hh:mm:ss month DD YYYY format or hh:mm:ss DD month YYYY format.

Step 5

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:

  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.

Configure Keys to Generate Authentication Digest for Outbound Application Traffic

This task configures the keys to generate authentication digest for the outbound application traffic.

SUMMARY STEPS

  1. configure
  2. key chain key-chain-name
  3. key key-id
  4. send-lifetime start-time [duration duration-value | infinite | end-time]
  5. Use the commit or end command.

DETAILED STEPS

Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

key chain key-chain-name

Example:


RP/0/RP0/CPU0:router(config)# key chain isis-keys

Creates a name for the keychain.

Step 3

key key-id

Example:


RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#

Creates a key for the keychain.

Step 4

send-lifetime start-time [duration duration-value | infinite | end-time]

Example:


RP/0/RP0/CPU0:router(config-isis-keys)#key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)# send-lifetime 1:00:00 october 24 2005 infinite

(Optional) Specifies the set time period during which an authentication key on a keychain is valid to be sent. You can specify the validity of the key lifetime in terms of clock time.

In addition, you can specify a start-time value and one of the following values:

  • duration keyword (seconds)

  • infinite keyword

  • end-time argument

If you intend to set lifetimes on keys, Network Time Protocol (NTP) or some other time synchronization method is recommended.

Step 5

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:

  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.

Configure Cryptographic Algorithm

This task allows the keychain configuration to accept the choice of the cryptographic algorithm.

From Cisco IOS XR Software Release 7.2.1 and later, you must follow the below guidelines while configuring the key chain. These are applicable only for FIPS mode (that is, when crypto fips-mode is configured).

  • You must configure the session with a FIPS-approved cryptographic algorithm. A session configured with non-approved cryptographic algorithm for FIPS (such as, MD5 and HMAC-MD5 ) does not work. This is applicable for OSPF, BGP, RSVP, ISIS, or any application using key chain with non-approved cryptographic algorithm.

  • If you are using any HMAC-SHA algorithm for a session, then you must ensure that the configured key-string has a minimum length of 14 characters. Otherwise, the session goes down.

SUMMARY STEPS

  1. configure
  2. key chain key-chain-name
  3. key key-id
  4. cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1 | AES-128-CMAC-96 | HMAC-SHA-256 | HMAC-SHA1-96]
  5. Use the commit or end command.

DETAILED STEPS

Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2

key chain key-chain-name

Example:


RP/0/RP0/CPU0:router(config)# key chain isis-keys
RP/0/RP0/CPU0:router(config-isis-keys)#

Creates a name for the keychain.

Step 3

key key-id

Example:


RP/0/RP0/CPU0:router(config-isis-keys)# key 8
RP/0/RP0/CPU0:router(config-isis-keys-0x8)#

Creates a key for the keychain.

Step 4

cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1 | AES-128-CMAC-96 | HMAC-SHA-256 | HMAC-SHA1-96]

Example:


RP/0/RP0/CPU0:router(config-isis-keys-0x8)# cryptographic-algorithm MD5

Specifies the choice of the cryptographic algorithm. You can choose from the following list of algorithms:

  • HMAC-MD5

  • HMAC-SHA1-12

  • HMAC-SHA1-20

  • MD5

  • SHA-1

  • HMAC-SHA-256

  • HMAC-SHA1-96

  • AES-128-CMAC-96

The routing protocols each support a different set of cryptographic algorithms:

  • Border Gateway Protocol (BGP) supports HMAC-MD5, HMAC-SHA1-12, HMAC-SHA1-96 and AES-128-CMAC-96.

  • Intermediate System-to-Intermediate System (IS-IS) supports HMAC-MD5, SHA-1, MD5, AES-128-CMAC-96, HMAC-SHA-256, HMAC-SHA1-12, HMAC-SHA1-20, and HMAC-SHA1-96.

  • Open Shortest Path First (OSPF) supports MD5, HMAC-MD5, HMAC-SHA-256, HMAC-SHA1-12, HMAC-SHA1-20, and HMAC-SHA1-96.

Step 5

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:

  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.

Lifetime of Key

If you are using keys as the security method, you must specify the lifetime for the keys and change the keys on a regular basis when they expire. To maintain stability, each party must be able to store and use more than one key for an application at the same time. A keychain is a sequence of keys that are collectively managed for authenticating the same peer, peer group, or both.

Keychain management groups a sequence of keys together under a keychain and associates each key in the keychain with a lifetime.


Note

Any key that is configured without a lifetime is considered invalid; therefore, the key is rejected during configuration.

The lifetime of a key is defined by the following options:

  • Start-time—Specifies the absolute time.

  • End-time—Specifies the absolute time that is relative to the start-time or infinite time.

Each key definition within the keychain must specify a time interval for which that key is activated; for example, lifetime. Then, during a given key's lifetime, routing update packets are sent with this activated key. Keys cannot be used during time periods for which they are not activated. Therefore, we recommend that for a given keychain, key activation times overlap to avoid any period of time for which no key is activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur; therefore, routing updates can fail.

Multiple keychains can be specified.