Cisco IOS XR System Security Configuration Guide, Release 3.3
Implementing Key Chain Management on Cisco IOS XR Software
Downloads: This chapterpdf (PDF - 233.0KB) The complete bookPDF (PDF - 1.83MB) | Feedback

Implementing Key Chain Management on Cisco IOS XR Software

Table Of Contents

Implementing Key Chain Management on Cisco IOS XR Software

Contents

Restrictions for Implementing Key Chain Management

Information About Implementing Key Chain Management

Lifetime of a Key

How to Implement Key Chain Management

Configuring a Key Chain

What to Do Next

Configuring a Key Identifier for the Key Chain

What to Do Next

Configuring the Text for the Key String

What to Do Next

Determining the Valid Keys

Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic

Configuration Examples for Implementing Key Chain Management

Configuring Key Chain Management: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance


Implementing Key Chain Management on Cisco IOS XR Software


Key chain management is a common method of authentication to configure shared secrets on all the entities, which exchange secrets such as keys before establishing trust with each other. Routing protocols and network management applications on Cisco IOS XR software often use authentication to enhance security while communicating with peers.

Feature History for Implementing Key Chain Management on Cisco IOS XR Software

Release
Modification

Release 3.3.0

This feature was introduced on Cisco CRS-1 and Cisco XR 12000 Series Router.


Contents

Restrictions for Implementing Key Chain Management

Information About Implementing Key Chain Management

How to Implement Key Chain Management

Configuration Examples for Implementing Key Chain Management

Additional References

Restrictions for Implementing Key Chain Management

You must be aware that changing the system clock impacts the validity of the keys in the existing configuration.

Information About Implementing Key Chain Management

The key chain by itself has no relevance; therefore, it must be used by an application that needs to communicate by using the keys (for authentication) with its peers. The key chain provides a secure mechanism to handle the keys and rollover based on the lifetime.

To implement key chain management, you must understand the following concept:

Lifetime of a Key

Lifetime of a Key

If you are using keys as the security method, you must specify the lifetime for the keys and change the keys on a regular basis when they expire. To maintain stability, each party must be able to store and use more than one key for an application at the same time. A key chain is a sequence of keys that are collectively managed for authenticating the same peer, peer group, or both.

Key chain management groups a sequence of keys together under a key chain and associates each key in the key chain with a lifetime.


Note Any key that is configured without a lifetime is considered invalid; therefore, the key is rejected during configuration.


The lifetime of a key is defined by the following options:

Start-time—Specifies the absolute time.

End-time—Specifies the absolute time that is relative to the start-time or infinite time.

Each key definition within the key chain must specify a time interval for which that key is activated, for example, lifetime. Then, during a given key's lifetime, routing update packets are sent with this activated key. Keys cannot be used during time periods for which they are not activated. Therefore, we recommend that for a given key chain, key activation times overlap to avoid any period of time for which no key is activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur; therefore, routing updates can fail.

Multiple key chains can be specified.

How to Implement Key Chain Management

This section contains the following procedures:

Configuring a Key Chain (required)

Configuring a Key Identifier for the Key Chain (required)

Configuring the Text for the Key String (required)

Determining the Valid Keys (optional)

Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic (required)

Configuring a Key Chain

This task configures a name for the key chain.

You can create or modify the name of the key chain.

SUMMARY STEPS

1. configure

2. key chain key-chain-name

3. end

or

commit

4. show key chain key-chain-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

key chain key-chain-name

Example:

RP/0/RP0/CPU0:router(config)# key chain isis-keys

RP/0/RP0/CPU0:router(config-isis-keys)#

Creates a name for the key chain.

Note Configuring only the key chain name without any key identifiers is considered a nonoperation. When you exit the configuration, the router does not prompt you to commit changes until you have configured the key identifier and at least one of the global configuration mode or keychain-key configuration mode (for example, lifetime or key string).

Step 3 

end

or

commit

Example:

RP/0/RP0/CPU0:router(config-isis-keys)# end

or

RP/0/RP0/CPU0:router(config-isis-keys)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting(yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 4 

show key chain key-chain-name

Example:

RP/0/RP0/CPU0:router# show key chain isis-keys

(Optional) Displays the name of the key chain.

Note The key-chain-name argument is optional. If you do not specify a name for the key-chain-name argument, all the key chains are displayed.

What to Do Next

After completing key chain configuration, see the Configuring a Key Identifier for the Key Chain section.

Configuring a Key Identifier for the Key Chain

This task configures a key identifier for the key chain.

You can create or modify the key for the key chain.

SUMMARY STEPS

1. configure

2. key chain key-chain-name

3. key key-id

4. end

or

commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

key chain key-chain-name

Example:

RP/0/RP0/CPU0:router(config)# key chain isis-keys

Creates a name for the key chain.

Step 3 

key key-id

Example:

RP/0/RP0/CPU0:router(config-isis-keys)# key 8

Creates a key for the key chain. The key ID number is translated from decimal to hexadecimal to create the command mode subprompt.

Step 4 

end

or

commit

Example:

RP/0/RP0/CPU0:router(config-isis-keys-0x8)# end

or

RP/0/RP0/CPU0:router(config-isis-keys-0x8)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting(yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

What to Do Next

After configuring a key identifier for the key chain, see the Configuring the Text for the Key String section.

Configuring the Text for the Key String

This task configures the text for the key string.

SUMMARY STEPS

1. configure

2. key chain key-chain-name

3. key key-id

4. key-string [clear | password] key-string-text

5. end

or

commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

key chain key-chain-name

Example:

RP/0/RP0/CPU0:router(config)# key chain isis-keys

Creates a name for the key chain.

Step 3 

key key-id

Example:

RP/0/RP0/CPU0:router(config-isis-keys)# key 8

RP/0/RP0/CPU0:router(config-isis-keys-0x8)#

Creates a key for the key chain.

Step 4 

key-string [clear | password] key-string-text

Example:

RP/0/RP0/CPU0:myhost(config-isis-keys-0x8)# key-string password 8

Specifies the text string for the key.

Use the clear keyword to specify the key string in clear text form; use the password keyword to specify the key in encrypted form.

Step 5 

end

or

commit

Example:

RP/0/RP0/CPU0:myhost(config-isis-keys-0x8)# end

or

RP/0/RP0/CPU0:myhost(config-isis-keys-0x8)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting(yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

What to Do Next

After configuring the text for the key string, see the Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic section.

Determining the Valid Keys

This task determines the valid keys for local applications to authenticate the remote peers.

SUMMARY STEPS

1. configure

2. key chain key-chain-name

3. key key-id

4. accept-lifetime start-time [duration durationvalue | infinite | end-time]

5. end

or

commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

key chain key-chain-name

Example:

RP/0/RP0/CPU0:router(config)# key chain isis-keys

Creates a a name for the key chain.

Step 3 

key key-id

Example:

RP/0/RP0/CPU0:router(config-isis-keys)# key 8

RP/0/RP0/CPU0:router(config-isis-keys-0x8)#

Creates a key for the key chain.

Step 4 

accept-lifetime start-time [duration durationvalue | infinite | end-time]

Example:

RP/0/RP0/CPU0:router(config-isis-keys)# key 8

RP/0/RP0/CPU0:router(config-isis-keys-0x8)# accept-lifetime 1:00:00 october 24 2005 infinite

(Optional) Specifies the validity of the key lifetime in terms of clock time.

Step 5 

end

or

commit

Example:

RP/0/RP0/CPU0:myhost(config-isis-keys-0x8)# end

or

RP/0/RP0/CPU0:myhost(config-isis-keys-0x8)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting(yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic

This task configures the keys to generate authentication digest for the outbound application traffic.

SUMMARY STEPS

1. configure

2. key chain key-chain-name

3. key key-id

4. send-lifetime start-time [duration durationvalue | infinite | end-time]

5. end

or

commit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

RP/0/RP0/CPU0:router# configure

Enters global configuration mode.

Step 2 

key chain key-chain-name

Example:

RP/0/RP0/CPU0:router(config)# key chain isis-keys

Creates a a name for the key chain.

Step 3 

key key-id

Example:

RP/0/RP0/CPU0:router(config-isis-keys)# key 8

RP/0/RP0/CPU0:router(config-isis-keys-0x8)#

Creates a key for the key chain.

Step 4 

send-lifetime start-time [duration durationvalue | infinite | end-time]

Example:

RP/0/RP0/CPU0:router(config-isis-keys)# key 8

RP/0/RP0/CPU0:router(config-isis-keys-0x8)# send-lifetime 1:00:00 october 24 2005 infinite

(Optional) Specifies the set time period during which an authentication key on a key chain is valid to be sent. You can specify the validity of the key lifetime in terms of clock time.

In addition, you can specify a start-time value and one of the following values:

duration keyword (seconds)

infinite keyword

end-time argument

If you intend to set lifetimes on keys, Network Time Protocol (NTP) or some other time synchronization method is recommended.

Step 5 

end

or

commit

Example:

RP/0/RP0/CPU0:myhost(config-isis-keys-0x8)# end

or

RP/0/RP0/CPU0:myhost(config-isis-keys-0x8)# commit

Saves configuration changes.

When you issue the end command, the system prompts you to commit changes:

Uncommitted changes found, commit them before 
exiting(yes/no/cancel)? 
[cancel]:
 
        

Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.

Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.

Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.

Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Configuration Examples for Implementing Key Chain Management

This section provides the following configuration example:

Configuring Key Chain Management: Example

Configuring Key Chain Management: Example

The following example shows how to configure key chain management:

configure
key chain isis-keys
key 8
key-string mykey91abcd
send-lifetime 1:00:00 october 24 2005 infinite
accept-lifetime 1:00:00 october 24 2005 infinite
end
 
   
Uncommitted changes found, commit them? [yes]: yes
 
   
show key chain isis-keys
 
   
Key-chain: isis-keys/ -
 
   
Key 8 -- text "8"
  Send lifetime:   01:00:00, 24 Oct 2005 - Always valid  [Valid now]
  Accept lifetime: 01:00:00, 24 Oct 2005 - Always valid [Valid now]

Additional References

The following sections provide references related to implementing key chain management.

Related Documents

Related Topic
Document Title

Key chain management commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

Key Chain Management Commands on Cisco IOS XR Software


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

There are no applicable MIBs for this module. The XML interface is available.

To locate and download MIBs for selected platforms using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL:

http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature.


Technical Assistance

Description
Link

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport