Implementing Keychain Management oncisco IOS XR Software

Transcription

1 Implementing Keychain Management oncisco IOS XR Software This module describes how to implement keychain management on Cisco IOS XR software. Keychain management is a common method of authentication to configure shared secrets on all entities that exchange secrets such as keys, befe establishing trust with each other. Routing protocols and netwk management applications on Cisco IOS XR software often use authentication to enhance security while communicating with peers. Feature Histy f Implementing Keychain Management on the Cisco XR Series Router Release Modification Release This feature was introduced on Cisco XR Series Router. Release Suppt f the MAC authentication algithm was added. Suppt f hitless key rollover and key acceptance tolerance were added. Release Suppt f hitless key rollover f Open Shtest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS) was added. Release No modification. Release No modification. Release No modification. Release No modification. Contents Prerequisites f Configuring Keychain Management, page SC-218 Restrictions f Implementing Keychain Management, page SC-218 Infmation About Implementing Keychain Management, page SC-218 How to Implement Keychain Management, page SC-219 Configuration Examples f Implementing Keychain Management, page SC-231 Additional References, page SC-231 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-217

2 Prerequisites f Configuring Keychain Management Implementing Keychain Management oncisco IOS XR Software Prerequisites f Configuring Keychain Management You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required f each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrat f assistance. Restrictions f Implementing Keychain Management You must be aware that changing the system clock impacts the validity of the keys in the existing configuration. Infmation About Implementing Keychain Management The keychain by itself has no relevance; therefe, it must be used by an application that needs to communicate by using the keys (f authentication) with its peers. The keychain provides a secure mechanism to handle the keys and rollover based on the lifetime. Bder Gateway Protocol (BGP), Open Shtest Path First (OSPF), and Intermediate System-to-Intermediate System (IS-IS) use the keychain to implement a hitless key rollover f authentication. BGP uses TCP authentication, which enables the authentication option and sends the Message Authentication Code (MAC) based on the cryptographic algithm configured f the keychain. F infmation about BGP, OSPF, and IS-IS keychain configurations, see Cisco IOS XR Routing Configuration GuideTo implement keychain management, you must understand the concept of key lifetime, which is explained in the next section. Lifetime of a Key If you are using keys as the security method, you must specify the lifetime f the keys and change the keys on a regular basis when they expire. To maintain stability, each party must be able to ste and use me than one key f an application at the same time. A keychain is a sequence of keys that are collectively managed f authenticating the same peer, peer group, both. Keychain management groups a sequence of keys together under a keychain and associates each key in the keychain with a lifetime. Note Any key that is configured without a lifetime is considered invalid; therefe, the key is rejected during configuration. The lifetime of a key is defined by the following options: Start-time Specifies the absolute time. End-time Specifies the absolute time that is relative to the start-time infinite time. Each key definition within the keychain must specify a time interval f which that key is activated; f example, lifetime. Then, during a given key's lifetime, routing update packets are sent with this activated key. Keys cannot be used during time periods f which they are not activated. Therefe, we recommend that f a given keychain, key activation times overlap to avoid any period of time f which no key is activated. If a time period occurs during which no key is activated, neighb authentication cannot occur; therefe, routing updates can fail. SC-218 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router

3 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management Multiple keychains can be specified. How to Implement Keychain Management This section contains the following procedures: Configuring a Keychain, page SC-219 (required) Configuring a Tolerance Specification to Accept Keys, page SC-221 (required) Configuring a Key Identifier f the Keychain, page SC-222 (required) Configuring the Text f the Key String, page SC-223 (required) Determining the Valid Keys, page SC-225 (optional) Configuring the Keys to Generate Authentication Digest f the Outbound Application Traffic, page SC-227 (required) Configuring the Cryptographic Algithm, page SC-228 (required) Configuring a Keychain SUMMARY STEPS This task configures a name f the keychain. You can create modify the name of the keychain. 1. configure 2. key chain key-chain-name 3. end 4. show key chain key-chain-name Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-219

4 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software DETAILED STEPS Step 1 Command Action configure Enters global configuration mode. Step 2 Step 3 Step 4 RP/0/0/CPU0:router# configure key chain key-chain-name RP/0/0/CPU0:router(config)# key chain isis-keys RP/0/0/CPU0:router(config-isis-keys)# end RP/0/0/CPU0:router(config-isis-keys)# end RP/0/0/CPU0:router(config-isis-keys)# show key chain key-chain-name RP/0/0/CPU0:router# show key chain isis-keys Creates a name f the keychain. Note Configuring only the keychain name without any key identifiers is considered a nonoperation. When you exit the configuration, the router does not prompt you to changes until you have configured the key identifier and at least one of the global configuration mode attributes keychain-key configuration mode attributes (f example, lifetime key string). Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. (Optional) Displays the name of the keychain. Note The key-chain-name argument is optional. If you do not specify a name f the key-chain-name argument, all the keychains are displayed. What to Do Next After completing keychain configuration, see the Configuring a Tolerance Specification to Accept Keys section. SC-220 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router

5 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management Configuring a Tolerance Specification to Accept Keys SUMMARY STEPS DETAILED STEPS This task configures the tolerance specification to accept keys f a keychain to facilitate a hitless key rollover f applications, such as routing and management protocols. 1. configure 2. key chain key-chain-name 3. accept-tolerance value [infinite] 4. end Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a name f the keychain. RP/0/0/CPU0:router(config)# key chain isis-keys Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-221

6 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software Step 3 Step 4 Command Action accept-tolerance value [infinite] RP/0/0/CPU0:router(config-isis-keys)# accept-tolerance infinite end RP/0/0/CPU0:router(config-isis-keys)# end RP/0/0/CPU0:router(config-isis-keys)# Configures a tolerance value to accept keys f the keychain. Use the value argument to set the tolerance range in seconds. The range is from 1 to Use the infinite keywd to specify that the tolerance specification is infinite. Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. Configuring a Key Identifier f the Keychain SUMMARY STEPS This task configures a key identifier f the keychain. You can create modify the key f the keychain. 1. configure 2. key chain key-chain-name 3. key key-id 4. end SC-222 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router

7 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management DETAILED STEPS Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a name f the keychain. Step 3 Step 4 RP/0/0/CPU0:router(config)# key chain isis-keys key key-id RP/0/0/CPU0:router(config-isis-keys)# key 8 end end Creates a key f the keychain. The key ID number is translated from decimal to hexadecimal to create the command mode subprompt. Use the key-id argument as a 48-bit integer. Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. What to Do Next After configuring a key identifier f the keychain, see the Configuring the Text f the Key String section. Configuring the Text f the Key String This task configures the text f the key string. Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-223

8 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software SUMMARY STEPS 1. configure 2. key chain key-chain-name 3. key key-id 4. key-string [clear passwd] key-string-text 5. end DETAILED STEPS Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a name f the keychain. Step 3 RP/0/0/CPU0:router(config)# key chain isis-keys key key-id Creates a key f the keychain. RP/0/0/CPU0:router(config-isis-keys)# key 8 SC-224 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router

9 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management Step 4 Step 5 Command Action key-string [clear passwd] key-string-text key-string passwd 8 end end Specifies the text string f the key. Use the clear keywd to specify the key string in clear text fm; use the passwd keywd to specify the key in encrypted fm. Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. What to Do Next After configuring the text f the key string, see the Configuring the Keys to Generate Authentication Digest f the Outbound Application Traffic section. Determining the Valid Keys This task determines the valid keys f local applications to authenticate the remote peers. SUMMARY STEPS 1. configure 2. key chain key-chain-name 3. key key-id 4. accept-lifetime start-time [duration duration-value infinite end-time] 5. end Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-225

10 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software DETAILED STEPS Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a a name f the keychain. Step 3 RP/0/0/CPU0:router(config)# key chain isis-keys key key-id Creates a key f the keychain. Step 4 RP/0/0/CPU0:router(config-isis-keys)# key 8 accept-lifetime start-time [duration duration-value infinite end-time] (Optional) Specifies the validity of the key lifetime in terms of clock time. Step 5 RP/0/0/CPU0:router(config-isis-keys)# key 8 accept-lifetime 1:00:00 october infinite end end Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. SC-226 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router

11 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management Configuring the Keys to Generate Authentication Digest f the Outbound Application Traffic SUMMARY STEPS DETAILED STEPS This task configures the keys to generate authentication digest f the outbound application traffic. 1. configure 2. key chain key-chain-name 3. key key-id 4. send-lifetime start-time [duration duration-value infinite end-time] 5. end Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a name f the keychain. Step 3 RP/0/0/CPU0:router(config)# key chain isis-keys key key-id Creates a key f the keychain. RP/0/0/CPU0:router(config-isis-keys)# key 8 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-227

12 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software Step 4 Step 5 Command Action send-lifetime start-time [duration duration-value infinite end-time] RP/0/0/CPU0:router(config-isis-keys)# key 8 send-lifetime 1:00:00 october infinite end end (Optional) Specifies the set time period during which an authentication key on a keychain is valid to be sent. You can specify the validity of the key lifetime in terms of clock time. In addition, you can specify a start-time value and one of the following values: duration keywd (seconds) infinite keywd end-time argument If you intend to set lifetimes on keys, Netwk Time Protocol (NTP) some other time synchronization method is recommended. Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. Configuring the Cryptographic Algithm This task allows the keychain configuration to accept the choice of the cryptographic algithm. SUMMARY STEPS 1. configure 2. key chain key-chain-name 3. key key-id 4. cryptographic-algithm [HMAC-MD5 HMAC-SHA1-12 HMAC-SHA1-20 MD5 SHA-1] SC-228 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router

13 Implementing Keychain Management oncisco IOS XR Software How to Implement Keychain Management 5. end DETAILED STEPS Step 1 Command Action configure Enters global configuration mode. Step 2 RP/0/0/CPU0:router# configure key chain key-chain-name Creates a name f the keychain. Step 3 RP/0/0/CPU0:router(config)# key chain isis-keys RP/0/0/CPU0:router(config-isis-keys)# key key-id Creates a key f the keychain. RP/0/0/CPU0:router(config-isis-keys)# key 8 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-229

14 How to Implement Keychain Management Implementing Keychain Management oncisco IOS XR Software Command Action Step 4 cryptographic-algithm [HMAC-MD5 HMAC-SHA1-12 HMAC-SHA1-20 MD5 SHA-1] Step 5 cryptographic-algithm MD5 end end Specifies the choice of the cryptographic algithm. You can choose from the following list of algithms: HMAC-MD5 HMAC-SHA1-12 HMAC-SHA1-20 MD5 SHA-1 The routing protocols each suppt a different set of cryptographic algithms: Bder Gateway Protocol (BGP) suppts only HMAC-MD5 and HMAC-SHA1-12. Intermediate System-to-Intermediate System (IS-IS) suppts only HMAC-MD5. Open Shtest Path First (OSPF) suppts only MD5 and HMAC-MD5. Saves configuration changes. When you issue the end command, the system prompts you to changes: Unted changes found, them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without ting the configuration changes. Entering cancel leaves the router in the current configuration session without exiting ting the configuration changes. Use the command to save the configuration changes to the running configuration file and remain within the configuration session. SC-230 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router

15 Implementing Keychain Management oncisco IOS XR Software Configuration Examples f Implementing Keychain Management Configuration Examples f Implementing Keychain Management This section provides the following configuration example: Configuring Keychain Management: Example, page SC-231 Configuring Keychain Management: Example The following example shows how to configure keychain management: configure key chain isis-keys accept-tolerance infinite key 8 key-string mykey91abcd cryptographic-algithm MD5 send-lifetime 1:00:00 june infinite accept-lifetime 1:00:00 june infinite end Unted changes found, them? [yes]: yes show key chain isis-keys Key-chain: isis-keys/ - accept-tolerance -- infinite Key 8 -- text " E120B " cryptographic-algithm -- MD5 Send lifetime: 01:00:00, 29 Jun Always valid [Valid now] Accept lifetime: 01:00:00, 29 Jun Always valid [Valid now] Additional References The following sections provide references related to implementing keychain management. Related Documents Related Topic Keychain management commands: complete command syntax, command modes, command histy, defaults, usage guidelines, and examples Document Title Keychain Management Commands on Cisco IOS XR Software module in Cisco IOS XR System Security Command Reference Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router SC-231

16 Additional References Implementing Keychain Management oncisco IOS XR Software Standards Standards No new modified standards are suppted by this feature, and suppt f existing standards has not been modified by this feature. Title MIBs MIBs MIBs Link To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locat found at the following URL and choose a platfm under the Cisco Access Products menu: RFCs RFCs No new modified RFCs are suppted by this feature. Title Technical Assistance Description The Cisco Technical Suppt website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even me content. Link SC-232 Cisco IOS XR System Security Configuration Guide f the Cisco XR Series Router