HPE JG619A Configuration Guide

HPE FlexFabric 12900E Switch Series

Security Configuration Guide

Software

version: Release 5210

Document version: 6W100-20230424

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard

Enterprise products and services are set forth in the express warranty statements accompanying such

products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett

Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or

copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software

Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s

standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard

Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise

website.

Acknowledgments

Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the

United States and other countries.

Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the

United States and/or other countries.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Java and Oracle are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of The Open Group.

i

Contents

Configuring keychains ··················································································· 1

About keychains ················································································································································· 1

Operating mechanism ································································································································ 1

Time modes ··············································································································································· 1

Restrictions and guidelines: Keychain configuration ·························································································· 1

Configuring a keychain in absolute time mode ·································································································· 1

Configuring a keychain in periodic time mode ··································································································· 2

Verifying and maintaining keychains ·················································································································· 4

Keychain configuration examples ······················································································································ 4

Example: Configuring keychains ················································································································ 4

Managing public keys ···················································································· 9

About public key management ··························································································································· 9

Asymmetric key algorithm overview ··········································································································· 9

Usage of asymmetric key algorithms ········································································································· 9

Public key management tasks at a glance ········································································································· 9

Creating a local key pair··································································································································· 10

Importing a local key pair ································································································································· 11

Distributing a local host public key ··················································································································· 11

About distribution of local host public keys ······························································································ 11

Exporting a host public key ······················································································································ 12

Displaying a host public key ····················································································································· 12

Configuring a peer host public key ··················································································································· 13

About peer host public key configuration ································································································· 13

Restrictions and guidelines for peer host public key configuration ·························································· 13

Importing a peer host public key from a public key file ············································································ 13

Entering a peer host public key ················································································································ 13

Destroying a local key pair ······························································································································· 14

Configuring master keys ·································································································································· 14

Setting a master key ································································································································ 14

Clearing master keys ······························································································································· 15

Verifying and maintaining public keys ·············································································································· 16

Examples of public key management ·············································································································· 16

Example: Entering a peer host public key ································································································ 16

Example: Importing a public key from a public key file ············································································ 18

Configuring PKI ··························································································· 21

About PKI ························································································································································· 21

PKI terminology ········································································································································ 21

PKI architecture ········································································································································ 22

Retrieval, usage, and maintenance of a digital certificate ········································································ 23

PKI applications ······································································································································· 23

Support for MPLS L3VPN ························································································································ 24

PKI tasks at a glance ······································································································································· 24

Configuring a PKI entity ··································································································································· 25

About PKI entities ····································································································································· 25

Restrictions and guidelines for PKI entity configuration ··········································································· 25

PKI entity tasks at a glance ······················································································································ 25

Configuring the DN for the PKI entity ······································································································· 25

Configuring a PKI domain ································································································································ 27

About PKI domains ·································································································································· 27

PKI domain tasks at a glance ··················································································································· 27

Creating a PKI domain ····························································································································· 27

Specifying the trusted CA ························································································································· 28

Specifying the PKI entity name ················································································································ 28

Specifying the certificate request reception authority··············································································· 28

Specifying the certificate request URL ····································································································· 28

ii

Specifying the VPN instance where the certificate request reception authority and the CRL repository

belong ······················································································································································ 29

Setting the SCEP polling interval and maximum polling attempts ··························································· 29

Specifying the LDAP server ····················································································································· 29

Specifying the fingerprint for root CA certificate verification····································································· 29

Specifying the key pair for certificate request ·························································································· 30

Specifying the intended purpose for the certificate ·················································································· 30

Specifying the source IP address for PKI protocol packets ····································································· 31

Specifying the encryption algorithm for certificate files in PKCS#7 format ·············································· 31

Specifying the storage path for certificates and CRLs ····················································································· 32

Requesting a certificate···································································································································· 32

About certificate request configuration ····································································································· 32

Restrictions and guidelines for certificate request configuration ······························································ 32

Prerequisites for certificate request configuration ···················································································· 33

Enabling the automatic online certificate request mode··········································································· 33

Manually submitting an online certificate request ···················································································· 34

Manually submitting a certificate request in offline mode ········································································· 34

Aborting a certificate request ··························································································································· 35

Obtaining certificates········································································································································ 35

Verifying PKI certificates ·································································································································· 36

About certification verification ·················································································································· 36

Restrictions and guidelines for certificate verification ·············································································· 37

Verifying certificates with CRL checking ·································································································· 37

Verifying certificates without CRL checking ····························································································· 38

Exporting certificates ········································································································································ 38

Removing a certificate······································································································································ 39

Configuring a certificate-based access control policy ······················································································ 40

About certificate-based access control policies ······················································································· 40

Procedure ················································································································································· 40

Enabling local certificate expiration notification ······························································································· 41

Obtaining the CRL············································································································································ 41

Verifying and maintaining PKI ·························································································································· 42

PKI configuration examples ····························································································································· 43

Example: Requesting a certificate from an RSA Keon CA server ···························································· 43

Example: Requesting a certificate from a Windows Server 2003 CA server ··········································· 45

Example: Requesting a certificate from an OpenCA server ····································································· 49

Example: Importing and exporting certificates ························································································· 52

Troubleshooting PKI configuration ··················································································································· 57

Failed to obtain the CA certificate ············································································································ 57

Failed to obtain local certificates ·············································································································· 58

Failed to request local certificates ············································································································ 58

Failed to obtain CRLs ······························································································································· 59

Failed to import the CA certificate ············································································································ 60

Failed to import the local certificate ·········································································································· 60

Failed to export certificates ······················································································································ 61

Failed to set the storage path ··················································································································· 61

Configuring crypto engines ·········································································· 62

About crypto engines ······································································································································· 62

Verifying and maintaining crypto engines ········································································································ 62

Displaying crypto engine information ······································································································· 62

Displaying and clearing crypto engine statistics ······················································································· 62

Configuring SSH ·························································································· 63

About SSH ······················································································································································· 63

SSH applications ······································································································································ 63

How SSH works ······································································································································· 63

SSH authentication methods ···················································································································· 64

SSH support for Suite B ··························································································································· 65

Configuring the device as an SSH server ········································································································ 65

SSH server tasks at a glance ··················································································································· 65

Generating local key pairs ························································································································ 66

iii

Specifying the SSH service port ··············································································································· 67

Enabling the Stelnet server ······················································································································ 67

Enabling the SFTP server ························································································································ 67

Enabling the SCP server ·························································································································· 68

Enabling NETCONF over SSH ················································································································ 68

Configuring the user lines for SSH login ·································································································· 68

Configuring a client's host public key ······································································································· 69

Configuring an SSH user ························································································································· 70

Configuring the SSH management parameters ······················································································· 71

Specifying a PKI domain for the SSH server ··························································································· 73

Disconnecting SSH sessions ··················································································································· 74

Configuring the device as an Stelnet client ······································································································ 74

Stelnet client tasks at a glance················································································································· 74

Generating local key pairs ························································································································ 74

Specifying the source IP address for outgoing SSH packets ··································································· 74

Establishing a connection to an Stelnet server ························································································ 75

Deleting server public keys saved in the public key file on the Stelnet client··········································· 76

Establishing a connection to an Stelnet server based on Suite B ···························································· 76

Configuring the device as an SFTP client ········································································································ 77

SFTP client tasks at a glance ··················································································································· 77

Generating local key pairs ························································································································ 77

Specifying the source IP address for outgoing SFTP packets ································································· 77

Establishing a connection to an SFTP server ·························································································· 78

Deleting server public keys saved in the public key file on the SFTP client············································· 79

Establishing a connection to an SFTP server based on Suite B ······························································ 79

Working with SFTP directories ················································································································· 80

Working with SFTP files ··························································································································· 81

Displaying help information ······················································································································ 81

Terminating the connection with the SFTP server ··················································································· 82

Configuring the device as an SCP client ·········································································································· 82

SCP client tasks at a glance ···················································································································· 82

Generating local key pairs ························································································································ 82

Specifying the source IP address for outgoing SCP packets ··································································· 83

Establishing a connection to an SCP server ···························································································· 83

Deleting server public keys saved in the public key file on the SCP client ·············································· 84

Establishing a connection to an SCP server based on Suite B································································ 85

Specifying algorithms for SSH2 ······················································································································· 85

About algorithms for SSH2 ······················································································································· 85

Specifying key exchange algorithms for SSH2 ························································································ 85

Specifying public key algorithms for SSH2 ······························································································ 85

Specifying encryption algorithms for SSH2 ······························································································ 86

Specifying MAC algorithms for SSH2 ······································································································ 86

Verifying and maintaining SSH ························································································································ 86

Displaying public key information ············································································································· 86

Verifying SSH server running status ······································································································· 87

Verifying SSH client configuration ············································································································ 87

Displaying SSH2 algrithms ······················································································································· 87

Stelnet configuration examples ························································································································ 87

Example: Configuring the device as an Stelnet server (password authentication) ·································· 87

Example: Configuring the device as an Stelnet server (publickey authentication) ··································· 90

Example: Configuring the device as an Stelnet client (password authentication) ···································· 95

Example: Configuring the device as an Stelnet client (publickey authentication) ···································· 99

Example: Configuring Stelnet based on 128-bit Suite B algorithms······················································· 101

SFTP configuration examples ························································································································ 105

Example: Configuring the device as an SFTP server (password authentication) ·································· 105

Example: Configuring the device as an SFTP client (publickey authentication) ···································· 107

Example: Configuring SFTP based on 192-bit Suite B algorithms························································· 111

SCP configuration examples ·························································································································· 115

Example: Configuring SCP with password authentication ····································································· 115

Example: Configuring SCP file transfer with a Linux SCP client ···························································· 116

Example: Configuring SCP based on Suite B algorithms ······································································ 118

NETCONF over SSH configuration examples ······························································································· 125

iv

Example: Configuring NETCONF over SSH with password authentication ··········································· 125

Configuring SSL ························································································ 127

About SSL ······················································································································································ 127

SSL security services ····························································································································· 127

SSL protocol stack ································································································································· 127

SSL protocol versions ···························································································································· 128

Restrictions and guidelines: SSL configuration ······························································································ 128

SSL tasks at a glance ···································································································································· 128

Configuring an SSL server policy ··················································································································· 129

Configuring an SSL client policy ···················································································································· 130

Disabling SSL protocol versions for the SSL server ······················································································ 131

Disabling SSL session renegotiation·············································································································· 132

Enabling the server-preferred order during cipher suite negotiation ······························································ 132

Verifying and maintaining SSL ······················································································································· 132

Configuring packet filter ············································································· 134

About packet filtering with ACLs ···················································································································· 134

Packet filter tasks at a glance ························································································································ 134

Applying an ACL to filter packets globally ······································································································ 134

Applying an ACL to an interface for packet filtering ······················································································· 134

Applying an ACL to an Ethernet service instance for packet filtering····························································· 135

Applying an ACL to a service template for packet filtering ····································································· 135

Configuring logging and SNMP notifications for packet filtering ···································································· 136

Setting the packet filtering default action ······································································································· 136

Verifying and maintaining packet filter ··········································································································· 136

Verifying the packet filter running status ································································································ 136

Displaying packet filter statistics ············································································································ 137

Clearing packet filter statistics················································································································ 137

Packet filter configuration examples ·············································································································· 137

Example: Configuring interface-based packet filter················································································ 137

Configuring DHCP snooping ······································································ 140

About DHCP snooping ··································································································································· 140

Application of trusted and untrusted ports······························································································ 140

DHCP snooping support for Option 82 ··································································································· 141

DHCP snooping on a DRNI network ······································································································ 142

Restrictions and guidelines: DHCP snooping configuration ··········································································· 143

DHCP snooping tasks at a glance ················································································································· 143

Configuring basic DHCP snooping features ·································································································· 144

Configuring basic DHCP snooping features in a common network ······················································· 144

Configuring basic DHCP snooping features in a VXLAN network ························································· 145

Configuring DHCP snooping support for Option 82 ······················································································· 147

Configuring DHCP snooping entry auto backup ···························································································· 148

Setting the maximum number of DHCP snooping entries ············································································· 148

Configuring DHCP packet rate limit ··············································································································· 149

Configuring DHCP snooping security features ······························································································ 149

Enabling DHCP starvation attack protection ·························································································· 149

Enabling DHCP-REQUEST attack protection ························································································ 150

Configuring a DHCP packet blocking port······························································································ 150

Enabling the giaddr field check in DHCP requests ························································································ 151

Enabling client offline detection on the DHCP snooping device ···································································· 151

Enabling DHCP snooping logging and packet drop alarm ············································································· 152

Enabling DHCP snooping logging ·········································································································· 152

Configuring packet drop alarm ··············································································································· 152

Disabling DHCP snooping on an interface ····································································································· 153

Verifying and maintaining DHCP snooping ···································································································· 153

Verifying DHCP snooping configuration ································································································· 153

Displaying and clearing DHCP snooping entries ··················································································· 153

Displaying and clearing DHCP packet statistics on the DHCP snooping device ··································· 154

Displaying DRNI status information ······································································································· 154

Displaying and clearing DRNI synchronization statistics for DHCP snooping entries···························· 154

v

DHCP snooping configuration examples ······································································································· 154

Example: Configuring basic DHCP snooping features globally ····························································· 154

Example: Configuring basic DHCP snooping features for a VLAN ························································ 155

Example: Configuring DHCP snooping support for Option 82 ······························································· 156

Configuring DHCPv6 snooping ·································································· 159

About DHCPv6 snooping ······························································································································· 159

Application of trusted and untrusted ports······························································································ 159

DHCPv6 snooping on a DRNI network ·································································································· 160

Restrictions and guidelines: DHCPv6 snooping configuration ······································································· 161

DHCPv6 snooping tasks at a glance·············································································································· 161

Configuring basic DHCPv6 snooping features ······························································································· 162

Configuring basic DHCPv6 snooping features in a common network ···················································· 162

Configuring basic DHCPv6 snooping features in a VXLAN network ······················································ 163

Configuring DHCP snooping support for Option 18 ······················································································· 164

Configuring DHCP snooping support for Option 37 ······················································································· 164

Configuring DHCPv6 snooping entry auto backup························································································· 165

Setting the maximum number of DHCPv6 snooping entries ·········································································· 165

Configuring DHCPv6 packet rate limit············································································································ 166

Enabling DHCPv6-REQUEST check ············································································································· 166

Configuring a DHCPv6 packet blocking port ·································································································· 167

Enabling Relay-Forward packet check··········································································································· 167

Enabling client offline detection on the DHCPv6 snooping device ································································ 168

Enabling DHCPv6 snooping logging and alarm ····························································································· 168

Enabling DHCPv6 snooping logging ······································································································ 168

Configuring packet drop alarm ··············································································································· 168

Verifying and maintaining DHCPv6 snooping ································································································ 169

Displaying trusted port information········································································································· 169

Displaying and clearing DHCPv6 snooping entries ················································································ 169

Displaying and clearing DHCPv6 packet statistics for DHCPv6 snooping ············································· 170

Displaying DRNI status information ······································································································· 170

Displaying and clearing DRNI synchronization statistics for DHCPv6 snooping entries ························ 170

DHCPv6 snooping configuration examples···································································································· 170

Example: Configuring DHCPv6 snooping ······························································································ 170

Configuring ARP attack protection ····························································· 172

About ARP attack protection ·························································································································· 172

ARP attack protection tasks at a glance ········································································································ 172

Configuring unresolvable IP attack protection ······························································································· 172

About unresolvable IP attack protection································································································· 172

Configuring ARP source suppression ···································································································· 173

Configuring ARP blackhole routing ········································································································ 173

Verifying and maintaining unresolvable IP attack protection·································································· 174

Example: Configuring unresolvable IP attack protection········································································ 174

Configuring ARP packet rate limit ·················································································································· 175

Configuring source MAC-based ARP attack detection ·················································································· 176

About source MAC-based ARP attack detection ··················································································· 176

Restrictions and guidelines ···················································································································· 176

Procedure ··············································································································································· 176

Displaying and maintaining source MAC-based ARP attack detection ·················································· 177

Example: Configuring source MAC-based ARP attack detection ·························································· 177

Configuring ARP packet source MAC consistency check ·············································································· 178

About ARP packet source MAC consistency check ··············································································· 178

Procedure ··············································································································································· 178

Display and maintenance commands for ARP packet source MAC consistency check ························ 178

Configuring ARP active acknowledgement ···································································································· 178

Configuring authorized ARP··························································································································· 179

About authorized ARP ···························································································································· 179

Procedure ··············································································································································· 179

Example: Configuring authorized ARP on a DHCP server ···································································· 180

Example: Configuring authorized ARP on a DHCP relay agent ····························································· 181

Configuring ARP attack detection ·················································································································· 182

vi

About ARP attack detection ··················································································································· 182

Restrictions and guidelines: ARP attack detection ················································································· 183

Configuring user validity check ·············································································································· 183

Configuring ARP packet validity check ·································································································· 184

Configuring ARP restricted forwarding ··································································································· 185

Ignoring ingress ports of ARP packets during user validity check ························································· 186

Enabling ARP attack detection logging ·································································································· 186

Verifying and maintaining ARP attack detection ···················································································· 187

Configuring ARP scanning and fixed ARP ····································································································· 187

Triggering an ARP scanning ·················································································································· 188

Configuring automatic ARP scanning ···································································································· 188

Configuring fixed ARP ···························································································································· 189

Configuring ARP gateway protection ············································································································· 189

About ARP gateway protection ·············································································································· 189

Restrictions and guidelines ···················································································································· 189

Procedure ··············································································································································· 189

Example: Configuring ARP gateway protection ····················································································· 189

Configuring ARP filtering ································································································································ 190

ARP filtering ··········································································································································· 190

Restrictions and guidelines ···················································································································· 190

Procedure ··············································································································································· 191

Example: Configuring ARP filtering ········································································································ 191

Configuring ARP sender IP address checking ······························································································· 192

About ARP sender IP address checking ································································································ 192

Procedure ··············································································································································· 192

Configuring ND attack defense ·································································· 193

About ND attack defense ······························································································································· 193

Configuring ND packet rate limit ···················································································································· 193

Enabling source MAC consistency check for ND messages ········································································· 194

Configuring ND attack detection ···················································································································· 195

About ND attack detection ····················································································································· 195

Restrictions and guidelines for ND attack detection configuration ························································· 195

Configuring ND attack detection for a VSI ····························································································· 196

Enabling ND attack detection logging ···································································································· 196

Verifying and maintaining ND attack detection ······················································································ 197

Enabling ND scanning···································································································································· 197

Configuring attack detection and prevention ·············································· 198

About attack detection and prevention ··········································································································· 198

Attacks that the device can prevent ··············································································································· 198

Single-packet attacks ····························································································································· 198

Scanning attacks ···································································································································· 199

Flood attacks ·········································································································································· 200

TCP fragment attack ······························································································································ 201

Login DoS attack ···································································································································· 201

Login dictionary attack ··························································································································· 201

Attack detection and prevention tasks at a glance ························································································· 202

Configuring and applying an attack defense policy ························································································ 202

Creating an attack defense policy ·········································································································· 202

Configuring a single-packet attack defense policy ················································································· 202

Configuring a scanning attack defense policy ························································································ 204

Configuring a flood attack defense policy ······························································································ 204

Configuring attack detection exemption ································································································· 209

Applying an attack defense policy to the device ···················································································· 210

Enabling log non-aggregation for single-packet attack events ······································································ 210

Configuring TCP fragment attack prevention ································································································· 211

Enabling the login delay ································································································································· 211

Verifying and maintaining attack detection and prevention ············································································ 211

Verifying attack defense configuration ··································································································· 211

Displaying attack detection and prevention entries ················································································ 211

Displaying and clearing attack detection and prevention statistics ························································ 212

vii

Configuring IP source guard ······································································ 214

About IPSG ···················································································································································· 214

IPSG operating mechanism ··················································································································· 214

Static IPSG bindings ······························································································································ 214

Dynamic IPSG bindings ························································································································· 215

Restrictions and guidelines: IPSG configuration ···························································································· 215

IPSG tasks at a glance··································································································································· 216

Configuring the IPv4SG feature ····················································································································· 216

Enabling IPv4SG on an interface ··········································································································· 216

Configuring a static IPv4SG binding ······································································································ 216

Configuring the IPv6SG feature ····················································································································· 217

Enabling IPv6SG on an interface ··········································································································· 217

Configuring a static IPv6SG binding ······································································································ 218

Verifying and maintaining IPSG ····················································································································· 219

Displaying IPv4SG binding information ·································································································· 219

Displaying IPv6SG binding information ·································································································· 219

IPSG configuration examples ························································································································ 219

Example: Configuring static IPv4SG ······································································································ 219

Example: Configuring DHCP snooping-based dynamic IPv4SG ··························································· 220

Example: Configuring DHCP relay agent-based dynamic IPv4SG ························································ 221

Example: Configuring static IPv6SG ······································································································ 222

Example: Configuring DHCPv6 snooping-based dynamic IPv6SG address bindings ··························· 223

Example: Configuring DHCPv6 snooping-based dynamic IPv6SG prefix bindings ······························· 224

Example: Configuring DHCPv6 relay agent-based dynamic IPv6SG ···················································· 225

Configuring uRPF ······················································································ 227

About uRPF···················································································································································· 227

uRPF application scenario ····················································································································· 227

uRPF check modes ································································································································ 227

Network application ································································································································ 227

Restrictions and guidelines: uRPF configuration ··························································································· 228

Enabling uRPF globally ·································································································································· 228

Enabling uRPF on an interface ······················································································································ 228

Verifying and maintaining uRPF····················································································································· 229

Document conventions and icons ······························································ 230

Conventions ··················································································································································· 230

Network topology icons ·································································································································· 231

Support and other resources ····································································· 232

Accessing Hewlett Packard Enterprise Support····························································································· 232

Accessing updates ········································································································································· 232

Websites ················································································································································ 233

Customer self repair ······························································································································· 233

Remote support ······································································································································ 233

Documentation feedback ······················································································································· 233

Index ·········································································································· 235

1

Configuring keychains

About keychains

A keychain, a sequence of keys, provides dynamic authentication to ensure secure communication

by periodically changing the key and authentication algorithm without service interruption.

Operating mechanism

Each key in a keychain has a key string, authentication algorithm, sending lifetime, and receiving

lifetime. When the system time is within the lifetime of a key in a keychain, an application uses the

key to authenticate incoming and outgoing packets. The keys in the keychain take effect one by one

according to the sequence of the configured lifetimes. In this way, the authentication algorithms and

keys are dynamically changed to implement dynamic authentication.

Time modes

A keychain operates in absolute time mode or periodic time mode. The lifetime for a key varies by

time mode.

•

Absolute time mode—Each time point during a key's lifetime is the UTC time and is not

affected by the system's time zone or daylight saving time.

•

Periodic time mode—A key's lifetime is calculated based on the local time and is affected by

the system's time zone and daylight saving time.

 daily—The lifetime for a key is from the specified start time to the specified end time of each

day.

 weekly—The lifetime for a key is from the specified start day to the specified end day of

each week.

 monthly—The lifetime for a key is from the specified start date to the specified end date of

each month.

 yearly—The lifetime for a key is from the specified start month to the specified end month of

each year.

Restrictions and guidelines: Keychain

configuration

Follow these guidelines when you configure a keychain:

•

To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set

non-overlapping sending lifetimes for the keys in the keychain.

•

The keys used by the local device and the peer device must have the same authentication

algorithm and key string.

Configuring a keychain in absolute time mode

1. Enter system view.

system-view

2. Create a keychain and enter keychain view.

2

keychain keychain-name mode absolute

3. (Optional.) Configure TCP authentication.

 Set the kind value in the TCP Enhanced Authentication Option.

tcp-kind kind-value

By default, the kind value is 254.

 Set an algorithm ID for a TCP authentication algorithm.

tcp-algorithm-id { hmac-md5 | hmac-sha-256 | md5 } algorithm-id

By default, the algorithm ID is 3 for the MD5 authentication algorithm, 5 for the HMAC-MD5

authentication algorithm, and 7 for the HMAC-SHA-256 authentication algorithm.

When the local device uses TCP to communicate with a peer device from another vendor, make

sure both devices have the same kind value and algorithm ID settings. If they do not, modify the

settings on the local device.

4. (Optional.) Set a tolerance time for accept keys in the keychain.

accept-tolerance { value | infinite }

By default, no tolerance time is configured for accept keys in a keychain.

If authentication information is changed, information mismatch occurs on the local and peer

devices, and the service might be interrupted. Use this command to ensure continuous packet

authentication.

5. Create a key and enter key view.

key key-id

6. Configure the key.

 Specify an authentication algorithm for the key.

authentication-algorithm { hmac-md5 | hmac-sha-1 | hmac-sha-256 |

md5 }

By default, no authentication algorithm is specified for a key.

 Configure a key string for the key.

key-string { cipher | plain } string

By default, no key string is configured.

 Set the sending lifetime in UTC mode for the key.

send-lifetime utc start-time start-date { duration { duration-value

| infinite } | to end-time end-date }

By default, the sending lifetime is not configured for a key.

 Set the receiving lifetime in UTC mode for the key.

accept-lifetime utc start-time start-date { duration

{ duration-value | infinite } | to end-time end-date }

By default, the receiving lifetime is not configured for a key.

 (Optional.) Specify the key as the default send key.

default-send-key

By default, a keychain does not have a default send key.

You can specify only one key as the default send key in a keychain.

Configuring a keychain in periodic time mode

1. Enter system view.

system-view

2. Create a keychain and enter keychain view.

3

keychain keychain-name mode periodic { daily | monthly | weekly |

yearly }

3. (Optional.) Configure TCP authentication.

 Set the kind value in the TCP Enhanced Authentication Option.

tcp-kind kind-value

By default, the kind value is 254.

 Set an algorithm ID for a TCP authentication algorithm.

tcp-algorithm-id { hmac-md5 | hmac-sha-256 | md5 } algorithm-id

By default, the algorithm ID is 3 for the MD5 authentication algorithm, 5 for the HMAC-MD5

authentication algorithm, and 7 for the HMAC-SHA-256 authentication algorithm.

When the local device uses TCP to communicate with a peer device from another vendor, make

sure both devices have the same kind value and algorithm ID settings. If they do not, modify the

settings on the local device.

4. (Optional.) Set a tolerance time for accept keys in the keychain.

accept-tolerance { value | infinite }

By default, no tolerance time is configured for accept keys in a keychain.

If authentication information is changed, information mismatch occurs on the local and peer

devices, and the service might be interrupted. Use this command to ensure continuous packet

authentication.

5. Create a key and enter key view.

key key-id

6. Configure the key.

 Specify an authentication algorithm for the key.

authentication-algorithm { hmac-md5 | hmac-sha-1 | hmac-sha-256 |

md5 }

By default, no authentication algorithm is specified for a key.

 Configure a key string for the key.

key-string { cipher | plain } string

By default, no key string is configured.

 Set the daily, weekly, monthly, or yearly sending lifetime in periodic time mode for the key.

send-lifetime daily start-day-time to end-day-time

send-lifetime date { month-day&<1-31> | start-month-day to

end-month-day }

send-lifetime day { week-day | start-week-day to end-week-day }

send-lifetime month { month | start-month to end-month }

By default, the sending lifetime is not configured for a key.

 Set the daily, weekly, monthly, or yearly receiving lifetime in periodic time mode for the key.

accept-lifetime daily start-day-time to end-day-time

accept-lifetime date { month-day&<1-31> | start-month-day to

end-month-day }

accept-lifetime day { week-day | start-week-day to end-week-day }

accept-lifetime month { month | start-month to end-month }

By default, the receiving lifetime is not configured for a key.

 (Optional.) Specify the key as the default send key.

default-send-key

4

By default, a keychain does not have a default send key.

You can specify only one key as the default send key in a keychain.

Verifying and maintaining keychains

To display keychain information, execute the following command in any view:

display keychain [ name keychain-name [ key key-id ] ]

Keychain configuration examples

Example: Configuring keychains

Network configuration

As shown in Figure 1, establish an OSPF neighbor relationship between Device A and Device B, and

use a keychain to authenticate packets between the devices. Configure key 1 and key 2 for the

keychain and make sure key 2 is used immediately when key 1 expires.

Figure 1 Network diagram

Procedure

1. Configure Device A:

# Configure IP addresses for interfaces. (Details not shown.)

# Configure OSPF.

<DeviceA> system-view

[DeviceA] ospf 1 router-id 1.1.1.1

[DeviceA-ospf-1] area 0

[DeviceA-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255

[DeviceA-ospf-1-area-0.0.0.0] quit

[DeviceA-ospf-1] quit

# Create a keychain named abc, and specify the absolute time mode for it.

[DeviceA] keychain abc mode absolute

# Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string

and the sending and receiving lifetimes for the key.

[DeviceA-keychain-abc] key 1

[DeviceA-keychain-abc-key-1] authentication-algorithm md5

[DeviceA-keychain-abc-key-1] key-string plain 123456

[DeviceA-keychain-abc-key-1] send-lifetime utc 10:00:00 2019/02/06 to 11:00:00

2019/02/06

[DeviceA-keychain-abc-key-1] accept-lifetime utc 10:00:00 2019/02/06 to 11:00:00

2019/02/06

[DeviceA-keychain-abc-key-1] quit

# Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string

and the sending and receiving lifetimes for the key.

[DeviceA-keychain-abc] key 2

HGE1/0/1

192.1.1.2/24

HGE1/0/1

192.1.1.1/24

Device BDevice A

5

[DeviceA-keychain-abc-key-2] authentication-algorithm hmac-md5

[DeviceA-keychain-abc-key-2] key-string plain pwd123

[DeviceA-keychain-abc-key-2] send-lifetime utc 11:00:00 2019/02/06 to 12:00:00

2019/02/06

[DeviceA-keychain-abc-key-2] accept-lifetime utc 11:00:00 2019/02/06 to 12:00:00

2019/02/06

[DeviceA-keychain-abc-key-2] quit

[DeviceA-keychain-abc] quit

# Configure HundredGigE 1/0/1 to use keychain abc for authentication.

[DeviceA] interface HundredGigE1/0/1

[DeviceA-HundredGigE1/0/1] ospf authentication-mode keychain abc

[DeviceA-HundredGigE1/0/1] quit

2. Configure Device B:

# Configure IP addresses for interfaces. (Details not shown.)

# Configure OSPF.

<DeviceB> system-view

[DeviceB] ospf 1 router-id 2.2.2.2

[DeviceB-ospf-1] area 0

[DeviceB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] quit

[DeviceB-ospf-1] quit

# Create a keychain named abc, and specify the absolute time mode for it.

[DeviceB] keychain abc mode absolute

# Create key 1 for keychain abc, specify an authentication algorithm, and configure a key string

and the sending and receiving lifetimes for the key.

[DeviceB-keychain-abc] key 1

[DeviceB-keychain-abc-key-1] authentication-algorithm md5

[DeviceB-keychain-abc-key-1] key-string plain 123456

[DeviceB-keychain-abc-key-1] send-lifetime utc 10:00:00 2019/02/06 to 11:00:00

2019/02/06

[DeviceB-keychain-abc-key-1] accept-lifetime utc 10:00:00 2019/02/06 to 11:10:00

2019/02/06

[DeviceB-keychain-abc-key-1] quit

# Create key 2 for keychain abc, specify an authentication algorithm, and configure a key string

and the sending and receiving lifetimes for the key.

[DeviceB-keychain-abc] key 2

[DeviceB-keychain-abc-key-2] key-string plain pwd123

[DeviceB-keychain-abc-key-2] authentication-algorithm hmac-md5

[DeviceB-keychain-abc-key-2] send-lifetime utc 11:00:00 2019/02/06 to 12:00:00

2019/02/06

[DeviceB-keychain-abc-key-2] accept-lifetime utc 11:00:00 2019/02/06 to 12:00:00

2019/02/06

[DeviceB-keychain-abc-key-2] quit

[DeviceB-keychain-abc] quit

# Configure HundredGigE 1/0/1 to use keychain abc for authentication.

[DeviceB] interface HundredGigE1/0/1

[DeviceB-HundredGigE1/0/1] ospf authentication-mode keychain abc

[DeviceB-HundredGigE1/0/1] quit

6

Verifying the configuration

1. When the system time is within the lifetime from 10:00:00 to 11:00:00 on the day 2019/02/06,

verify the status of the keys in keychain abc.

# Display keychain information on Device A. The output shows that key 1 is the valid key.

[DeviceA] display keychain

Keychain name : abc

Mode : absolute

Accept tolerance : 0

TCP kind value : 254

TCP algorithm value

HMAC-MD5 : 5

HMAC-SHA-256 : 7

MD5 : 3

Default send key ID : None

Active send key ID : 1

Active accept key IDs: 1

Key ID : 1

Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==

Algorithm : md5

Send lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06

Send status : Active

Accept lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06

Accept status : Active

Key ID : 2

Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==

Algorithm : hmac-md5

Send lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06

Send status : Inactive

Accept lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06

Accept status : Inactive

# Display keychain information on Device B. The output shows that key 1 is the valid key.

[DeviceB]display keychain

Keychain name : abc

Mode : absolute

Accept tolerance : 0

TCP kind value : 254

TCP algorithm value

HMAC-MD5 : 5

HMAC-SHA-256 : 7

MD5 : 3

Default send key ID : None

Active send key ID : 1

Active accept key IDs: 1

7

Key ID : 1

Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==

Algorithm : md5

Send lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06

Send status : Active

Accept lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06

Accept status : Active

Key ID : 2

Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==

Algorithm : hmac-md5

Send lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06

Send status : Inactive

Accept lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06

Accept status : Inactive

2. When the system time is within the lifetime from 11:00:00 to 12:00:00 on the day 2019/02/06,

verify the status of the keys in keychain abc.

# Display keychain information on Device A. The output shows that key 2 becomes the valid

key.

[DeviceA]display keychain

Keychain name : abc

Mode : absolute

Accept tolerance : 0

TCP kind value : 254

TCP algorithm value

HMAC-MD5 : 5

HMAC-SHA-256 : 7

MD5 : 3

Default send key ID : None

Active send key ID : 2

Active accept key IDs: 2

Key ID : 1

Key string : $c$3$dYTC8QeOKJkwFwP2k/rWL+1p6uMTw3MqNg==

Algorithm : md5

Send lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06

Send status : Inactive

Accept lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06

Accept status : Inactive

Key ID : 2

Key string : $c$3$7TSPbUxoP1ytOqkdcJ3K3x0BnXEWl4mOEw==

Algorithm : hmac-md5

Send lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06

Send status : Active

Accept lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06

Accept status : Active

8

# Display keychain information on Device B. The output shows that key 2 becomes the valid

key.

[DeviceB]display keychain

Keychain name : abc

Mode : absolute

Accept tolerance : 0

TCP kind value : 254

TCP algorithm value

HMAC-MD5 : 5

HMAC-SHA-256 : 7

MD5 : 3

Default send key ID : None

Active send key ID : 1

Active accept key IDs: 1

Key ID : 1

Key string : $c$3$/G/Shnh6heXWprlSQy/XDmftHa2JZJBSgg==

Algorithm : md5

Send lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06

Send status : Inactive

Accept lifetime : 10:00:00 2019/02/06 to 11:00:00 2019/02/06

Accept status : Inactive

Key ID : 2

Key string : $c$3$t4qHAw1hpZYN0JKIEpXPcMFMVT81u0hiOw==

Algorithm : hmac-md5

Send lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06

Send status : Active

Accept lifetime : 11:00:00 2019/02/06 to 12:00:00 2019/02/06

Accept status : Active

9

Managing public keys

About public key management

This chapter describes public key management for the following asymmetric key algorithms:

•

Revest-Shamir-Adleman Algorithm (RSA).

•

Digital Signature Algorithm (DSA).

•

Elliptic Curve Digital Signature Algorithm (ECDSA).

Asymmetric key algorithm overview

Asymmetric key algorithms are used by security applications to secure communications between

two parties, as shown in Figure 2. Asymmetric key algorithms use two separate keys (one public and

one private) for encryption and decryption. Symmetric key algorithms use only one key.

Figure 2 Encryption and decryption

A key owner can distribute the public key in plain text on the network but must keep the private key in

privacy. It is mathematically infeasible to calculate the private key even if an attacker knows the

algorithm and the public key.

Usage of asymmetric key algorithms

Security applications (such as SSH, SSL, and PKI) use the asymmetric key algorithms for the

following purposes:

•

Encryption and decryption—Any public key receiver can use the public key to encrypt

information, but only the private key owner can decrypt the information.

•

Digital signature—The key owner uses the private key to digitally sign information to be sent.

The receiver decrypts the information with the sender's public key to verify information

authenticity.

RSA, DSA, and ECDSA can all perform digital signature, but only RSA can perform encryption and

decryption.

Public key management tasks at a glance

To manage public keys, perform the following tasks:

1. Creating a local key pair

2. Importing a local key pair

3. Distributing a local host public key

Choose one of the following tasks:

 Exporting a host public key

Receiver

Key

Plain text Cipher text Plain text

Sender

Encryption Decryption

Key

10

 Displaying a host public key

To enable the peer device to authenticate the local device, you must distribute the local device's

public key to the peer device.

4. Configuring a peer host public key

Choose one of the following tasks:

 Importing a peer host public key from a public key file

 Entering a peer host public key

To encrypt information sent to a peer device or authenticate the digital signature of the peer

device, you must configure the peer device's public key on the local device.

5. (Optional.) Destroying a local key pair

6. (Optional.) Configuring master keys

Creating a local key pair

Restrictions and guidelines

When you create a local key pair, follow these guidelines:

•

The key algorithm must be the same as required by the security application.

•

When you create an RSA or DSA key pair, enter an appropriate key modulus length at the

prompt. The longer the key modulus length, the higher the security, and the longer the key

generation time.

When you create an ECDSA key pair, choose the appropriate elliptic curve. The elliptic curve

determines the ECDSA key length. The longer the key length, the higher the security, and the

longer the key generation time.

See Table 1 for more information about key modulus lengths and key lengths.

•

If you do not assign the key pair a name, the system assigns the default name to the key pair

and marks the key pair as default. You can also assign the default name to another key pair, but

the system does not mark the key pair as default. The key pair name must be unique among all

manually named key pairs that use the same key algorithm. If a name conflict occurs, the

system asks whether you want to overwrite the existing key pair.

•

The key pairs are automatically saved and can survive system reboots.

Table 1 A comparison of different types of asymmetric key algorithms

Type

Generated key pairs

Modulus/key length

RSA

• One host key pair, if you specify a key pair

name.

• One server key pair and one host key pair, if

you do not specify a key pair name.

Both key pairs use their default names.

NOTE:

Only SSH 1.5 uses the RSA server key pair.

Key modulus length: 512 to 2048 bits.

Default: 1024 bits.

To ensure security, use a minimum of

768 bits.

DSA One host key pair.

Key modulus length: 512 to 2048 bits.

Default: 1024 bits.

To ensure security, use a minimum of

768 bits.

ECDSA One host key pair. Key length: 192, 256, 384, or 521 bits.

11

Procedure

1. Enter system view.

system-view

2. Create a local key pair.

public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1

| secp521r1 ] | rsa } [ name key-name ]

Importing a local key pair

About this task

This task imports a key pair from a key pair file to the device. The imported key pairs are

automatically saved and can survive system reboots.

Perform this task when the key pair to be imported is saved in a different file than the certificate. If the

key pair and the certificate are saved in the same file, the device can obtain the key pair by importing

the certificate.

Restrictions and guidelines

The device supports importing the RSA host key pair but not the RSA server key pair.

If you do not assign the key pair a name, the system assigns the default name to the key pair and

marks the key pair as default. You can also assign the default name to another key pair, but the

system does not mark the key pair as default. The name of a key pair must be unique among all

manually named key pairs that use the same key algorithm. If a name conflict occurs, the system

asks whether you want to overwrite the existing key pair.

To import the encrypted key pair into the device successfully, provide the decryption password.

See Table 2 for information about supported key modulus lengths and key lengths.

Table 2 Length of key pair

Type Modulus/key length

RSA Key modulus length: 512 to 2048 bits.

ECDSA Key length: 192, 256, 384, or 521 bits.

Prerequisites

Before performing this task, save the key pair file to the local storage directory of the device through

FTP or other methods.

Procedure

1. Enter system view.

system-view

2. Import a local key pair.

public-key local import { ecdsa | rsa } [ key-name ] filename filename

Distributing a local host public key

About distribution of local host public keys

You must distribute a local host public key to a peer device so the peer device can perform the

following operations:

Page is loading ...

HPE JG619A Configuration Guide

This manual is also suitable for

HPE JG619A Configuration Guide

Related papers

Other documents