This module describes how to implement keychain management. Keychain management is a common method of authentication in which shared secrets, such as keys, are configured on all entities that exchange them before those entities establish trust with each other. Routing protocols and network management applications on Cisco IOS XR software often use authentication to enhance security while communicating with peers.
Feature History for Implementing Keychain Management
You must be in a user group associated with a task group that includes the proper task IDs. The command reference guides include the task IDs required for each command. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Restrictions for Implementing Keychain Management
You must be aware that changing the system clock impacts the validity of the keys in the existing configuration.
Information About Implementing Keychain Management
The keychain by itself has no relevance; therefore, it must be used by an application that needs to communicate by using the keys (for authentication) with its peers. The keychain provides a secure mechanism to handle the keys and rollover based on the lifetime. Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), and Intermediate System-to-Intermediate System (IS-IS) use the keychain to implement a hitless key rollover for authentication. BGP uses TCP authentication, which enables the authentication option and sends the Message Authentication Code (MAC) based on the cryptographic algorithm configured for the keychain. For information about BGP, OSPF, and IS-IS keychain

Resource Reservation Protocol (RSVP) uses keychain for authentication. For more information about RSVP, see the Cisco ASR 9000 Series Aggregation Services Router MPLS Configuration Guide.

IP Service Level Agreements (IP SLAs) use a keychain for MD5 authentication for the IP SLA control message. For more information about IP SLAs, see the Cisco ASR 9000 Series Aggregation Services Router System Monitoring Configuration Guide and the key-chain command in the Cisco ASR 9000 Series Aggregation Services Router System Monitoring Command

To implement keychain management, you must understand the concept of key lifetime, which is explained in the next section.
If you are using keys as the security method, you must specify the lifetime for the keys and change the keys on a regular basis when they expire. To maintain stability, each party must be able to store and use more than one key for an application at the same time. A keychain is a sequence of keys that are collectively managed for authenticating the same peer, peer group, or both.
Keychain management groups a sequence of keys together under a keychain and associates each key in the keychain with a lifetime.
Any key that is configured without a lifetime is considered invalid; therefore, the key is rejected during configuration.
The lifetime of a key is defined by the following options:
Start-time—Specifies the absolute time.
End-time—Specifies when the key stops being valid: an absolute time, a duration relative to the start-time, or infinite time.
Each key definition within the keychain must specify a time interval for which that key is activated, that is, its lifetime. During a given key's lifetime, routing update packets are sent with this activated key. Keys cannot be used during time periods for which they are not activated. Therefore, we recommend that for a given keychain, key activation times overlap to avoid any period of time for which no key is activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur; therefore, routing updates can fail.
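The following added example (not Cisco's code) models a keychain as a list of keys with start-time and end-time, selects the key that is active at a given clock time, and reports any interval during which no key is active, which is the rollover gap the text warns about. It assumes that when lifetimes overlap the lowest key ID is used, and the chain, key names and secrets are constructed sample values; because the answer depends on the clock time passed in, it also illustrates why changing the system clock affects which keys are valid.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

INFINITE = None  # an end-time of None models the "infinite" end-time option

@dataclass
class Key:
    key_id: int
    start: datetime            # absolute start-time of the lifetime
    end: Optional[datetime]    # absolute end-time, or INFINITE
    key_string: str            # the shared secret (constructed sample values below)

    def active_at(self, t: datetime) -> bool:
        """True when t falls inside this key's lifetime (end is exclusive)."""
        return self.start <= t and (self.end is INFINITE or t < self.end)

def active_key(chain: List[Key], t: datetime) -> Optional[Key]:
    """Key a router would use at time t; lowest key-id wins on overlap (assumption).
    Because t comes from the system clock, moving the clock changes the answer."""
    candidates = [k for k in chain if k.active_at(t)]
    return min(candidates, key=lambda k: k.key_id) if candidates else None

def coverage_gaps(chain: List[Key]) -> List[Tuple[datetime, Optional[datetime]]]:
    """(gap_start, gap_end) intervals during which no key is active.
    In such a gap neighbor authentication cannot occur and routing updates fail."""
    gaps = []
    ordered = sorted(chain, key=lambda k: k.start)
    covered_until = ordered[0].start
    for k in ordered:
        if k.start > covered_until:            # next key starts after coverage ends
            gaps.append((covered_until, k.start))
        if k.end is INFINITE:
            return gaps                        # this key covers everything from here on
        covered_until = max(covered_until, k.end)
    gaps.append((covered_until, INFINITE))     # last key expires with no successor
    return gaps

# Constructed sample chain: key 2 overlaps key 1 by a day (hitless rollover),
# but key 3 starts a day after key 2 expires, leaving a one-day gap.
T0 = datetime(2024, 1, 1)
SAMPLE_CHAIN = [
    Key(1, T0, T0 + timedelta(days=30), "sample-secret-1"),
    Key(2, T0 + timedelta(days=29), T0 + timedelta(days=60), "sample-secret-2"),
    Key(3, T0 + timedelta(days=61), INFINITE, "sample-secret-3"),
]
```

Running coverage_gaps(SAMPLE_CHAIN) flags the day between key 2 expiring and key 3 starting; fixing it means moving key 3's start-time back so the lifetimes overlap.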
Configuring only the keychain name without any key identifiers is considered a nonoperation. When you exit the configuration, the router does not prompt you to commit changes until you have configured the key identifier and at least one of the global configuration mode attributes or keychain-key configuration mode attributes (for example, lifetime or key string).
Use the commit or end command.
commit—Saves the configuration changes, and remains within the configuration session.
end—Prompts to take one of these actions:
Yes— Saves configuration changes and exits the configuration session.
No—Exits the configuration session without committing the configuration changes.
Cancel—Remains in the configuration mode, without committing the configuration changes.
show key chain key-chain-name

RP/0/RSP0/CPU0:router# show key chain isis-keys

(Optional) Displays the name of the keychain. The key-chain-name argument is optional. If you do not specify a name for the key-chain-name argument, all the keychains are displayed.
No new or modified RFCs are supported by this feature.