216 Views | 15 Helpful | 4 Replies

OSPF - Key Chain Doubt

Hi all,

Hope to find everyone well.

It's the following: I applied a key chain until the year 2035 in OSPF, but I have some doubts about whether the keys will change smoothly and whether my customer will not lose connection while the keys are changing. The key will change roughly every 6 months.

Please, is the below all correct?

 

key chain TEXT
key 1
key-string "Key"
accept-lifetime local 15:30:00 Dec 16 2021 10:00:00 Jun 13 2022
send-lifetime local 15:30:00 Dec 16 2021 10:00:00 May 13 2022
cryptographic-algorithm hmac-sha-256
key 2
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2022 10:00:00 Dec 12 2022
send-lifetime local 09:59:59 May 13 2022 10:00:00 Nov 12 2022
cryptographic-algorithm hmac-sha-256
key 3
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2022 10:00:00 Jun 13 2023
send-lifetime local 09:59:59 Nov 12 2022 10:00:00 May 13 2023
cryptographic-algorithm hmac-sha-256
key 4
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2023 10:00:00 Dec 12 2023
send-lifetime local 09:59:59 May 13 2023 10:00:00 Nov 12 2023
cryptographic-algorithm hmac-sha-256
key 5
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2023 10:00:00 Jun 13 2024
send-lifetime local 09:59:59 Nov 12 2023 10:00:00 May 13 2024
cryptographic-algorithm hmac-sha-256
key 6
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2024 10:00:00 Dec 12 2024
send-lifetime local 09:59:59 May 13 2024 10:00:00 Nov 12 2024
cryptographic-algorithm hmac-sha-256
key 7
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2024 10:00:00 Jun 13 2025
send-lifetime local 09:59:59 Nov 12 2024 10:00:00 May 13 2025
cryptographic-algorithm hmac-sha-256
key 8
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2025 10:00:00 Dec 12 2025
send-lifetime local 09:59:59 May 13 2025 10:00:00 Nov 12 2025
cryptographic-algorithm hmac-sha-256
key 9
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2025 10:00:00 Jun 13 2026
send-lifetime local 09:59:59 Nov 12 2025 10:00:00 May 13 2026
cryptographic-algorithm hmac-sha-256
key 10
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2026 10:00:00 Dec 12 2026
send-lifetime local 09:59:59 May 13 2026 10:00:00 Nov 12 2026
cryptographic-algorithm hmac-sha-256
key 11
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2026 10:00:00 Jun 13 2027
send-lifetime local 09:59:59 Nov 12 2026 10:00:00 May 13 2027
cryptographic-algorithm hmac-sha-256
key 12
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2027 10:00:00 Dec 12 2027
send-lifetime local 09:59:59 May 13 2027 10:00:00 Nov 12 2027
cryptographic-algorithm hmac-sha-256
key 13
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2027 10:00:00 Jun 13 2028
send-lifetime local 09:59:59 Nov 12 2027 10:00:00 May 13 2028
cryptographic-algorithm hmac-sha-256
key 14
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2028 10:00:00 Dec 12 2028
send-lifetime local 09:59:59 May 13 2028 10:00:00 Nov 12 2028
cryptographic-algorithm hmac-sha-256
key 15
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2028 10:00:00 Jun 13 2029
send-lifetime local 09:59:59 Nov 12 2028 10:00:00 May 13 2029
cryptographic-algorithm hmac-sha-256
key 16
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2029 10:00:00 Dec 12 2029
send-lifetime local 09:59:59 May 13 2029 10:00:00 Nov 12 2029
cryptographic-algorithm hmac-sha-256
key 17
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2029 10:00:00 Jun 13 2030
send-lifetime local 09:59:59 Nov 12 2029 10:00:00 May 13 2030
cryptographic-algorithm hmac-sha-256
key 18
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2030 10:00:00 Dec 12 2030
send-lifetime local 09:59:59 May 13 2030 10:00:00 Nov 12 2030
cryptographic-algorithm hmac-sha-256
key 19
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2030 10:00:00 Jun 13 2031
send-lifetime local 09:59:59 Nov 12 2030 10:00:00 May 13 2031
cryptographic-algorithm hmac-sha-256
key 20
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2031 10:00:00 Dec 12 2031
send-lifetime local 09:59:59 May 13 2031 10:00:00 Nov 12 2031
cryptographic-algorithm hmac-sha-256
key 21
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2031 10:00:00 Jun 13 2032
send-lifetime local 09:59:59 Nov 12 2031 10:00:00 May 13 2032
cryptographic-algorithm hmac-sha-256
key 22
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2032 10:00:00 Dec 12 2032
send-lifetime local 09:59:59 May 13 2032 10:00:00 Nov 12 2032
cryptographic-algorithm hmac-sha-256
key 23
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2032 10:00:00 Jun 13 2033
send-lifetime local 09:59:59 Nov 12 2032 10:00:00 May 13 2033
cryptographic-algorithm hmac-sha-256
key 24
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2033 10:00:00 Dec 12 2033
send-lifetime local 09:59:59 May 13 2033 10:00:00 Nov 12 2033
cryptographic-algorithm hmac-sha-256
key 25
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2033 10:00:00 Jun 13 2034
send-lifetime local 09:59:59 Nov 12 2033 10:00:00 May 13 2034
cryptographic-algorithm hmac-sha-256
key 26
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2034 10:00:00 Dec 12 2034
send-lifetime local 09:59:59 May 13 2034 10:00:00 Nov 12 2034
cryptographic-algorithm hmac-sha-256
key 27
key-string "Key"
accept-lifetime local 10:00:00 Dec 11 2034 10:00:00 Jun 13 2035
send-lifetime local 09:59:59 Nov 12 2034 10:00:00 May 13 2035
cryptographic-algorithm hmac-sha-256
key 28
key-string "Key"
accept-lifetime local 10:00:00 Jun 12 2035 infinite
send-lifetime local 09:59:59 May 13 2035 infinite
cryptographic-algorithm hmac-sha-256

 

If the switches are still alive by then, in the year 2035 (the max allowed on the IOS) the key will become infinite. This is a lot of keys to go through over the years, but this is how the customer wants it.

Is the above correct, please?

Thank you
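
An added consistency check for a chain like the one above, written for this thread rather than taken from Cisco or from the post: it parses the accept-/send-lifetime lines in the posted syntax and flags any moment at which a key is being sent that a peer running the same chain would not yet (or no longer) accept, with a margin for clock skew, plus any gap between consecutive send windows. Run on keys 1 and 2 exactly as posted, it reports that key 2 starts being sent on 13 May 2022 but is only accepted from 12 June 2022; the constructed CORRECTED variant, which opens each accept window ahead of its send window, passes.

```python
import re
from datetime import datetime, timedelta

INFINITE = datetime.max
TS = r"\d\d:\d\d:\d\d [A-Za-z]{3} \d{1,2} \d{4}"
KEY_RE = re.compile(r"^\s*key (\d+)\s*$")
LIFE_RE = re.compile(rf"^\s*(accept|send)-lifetime (?:local )?({TS}) ({TS}|infinite)\s*$")

def parse_ts(text):
    return INFINITE if text == "infinite" else datetime.strptime(text, "%H:%M:%S %b %d %Y")

def parse_chain(config):
    """Map key id -> {'accept': (start, end), 'send': (start, end)}; other lines are ignored."""
    keys, current = {}, None
    for line in config.splitlines():
        if m := KEY_RE.match(line):
            current = int(m.group(1))
            keys[current] = {}
        elif (m := LIFE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = (parse_ts(m.group(2)), parse_ts(m.group(3)))
    return keys

def check_chain(keys, skew_seconds=300):
    """Return human-readable problems; an empty list means the chain hands over cleanly."""
    skew, problems = timedelta(seconds=skew_seconds), []
    for kid, k in sorted(keys.items()):
        (a0, a1), (s0, s1) = k["accept"], k["send"]
        # A peer with the same chain must accept the key (skew included) whenever it is sent.
        if a0 > s0 - skew:
            problems.append(f"key {kid}: sent from {s0} but only accepted from {a0}")
        if a1 != INFINITE and (s1 == INFINITE or a1 < s1 + skew):
            problems.append(f"key {kid}: sent until {s1} but only accepted until {a1}")
    by_send = sorted((k["send"], kid) for kid, k in keys.items())
    for ((_, end), kid), ((nxt_start, _), nxt) in zip(by_send, by_send[1:]):
        if nxt_start > end:  # a moment with no sendable key at all
            problems.append(f"gap: key {kid} stops at {end}, key {nxt} starts at {nxt_start}")
    return problems

# Keys 1 and 2 with their lifetime lines exactly as posted (key-string lines omitted).
POSTED = """key chain TEXT
key 1
 accept-lifetime local 15:30:00 Dec 16 2021 10:00:00 Jun 13 2022
 send-lifetime local 15:30:00 Dec 16 2021 10:00:00 May 13 2022
key 2
 accept-lifetime local 10:00:00 Jun 12 2022 10:00:00 Dec 12 2022
 send-lifetime local 09:59:59 May 13 2022 10:00:00 Nov 12 2022
"""
# Constructed variant: each accept window opens ahead of its send window (key 2 a month early).
CORRECTED = (POSTED.replace("15:30:00 Dec 16 2021 10:00:00 Jun", "15:00:00 Dec 16 2021 10:00:00 Jun")
             .replace("local 10:00:00 Jun 12 2022", "local 10:00:00 Apr 13 2022"))
```

The default 300-second margin also flags key 1, whose accept window opens at the same instant as its send window; pass skew_seconds=0 to see only the key 2 hand-over problem.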

 

4 Replies

David Ruess (Rising star)

Hello,

 

Unless those times are specifically requested then I would do this:

 

Firstly: Make sure some kind of NTP or time synchronous device is in play to make sure ALL devices have nearly the exact time.

Secondly: Accept lifetime of keys should be about 1 minute (or at least some seconds) before the sending lifetime of the new key in the sequence. Basically you should have the times overlap to be safe.

 

And repeat that down the line.

 

If the times are non-negotiable... then you could possibly have a split-second outage to re-sync if the times are even a bit skewed.

 

This also recommends that you overlap times.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_chapter_01111.pdf

 

Hope this helps.

Thank you David for the reply.

 

All the devices are syncing with a Stratum 1 device in order to avoid any issues, but I'm confused... I followed this example to do my config:

 

Example:

key chain stan
key 1
key-string 12345
accept-lifetime 00:00:00 JAN 1 2022 23:59:59 MAR 31 2022
send-lifetime 00:00:00 JAN 1 2022 23:59:59 FEB 28 2022
cryptographic-algorithm hmac-sha-512

key 2
key-string 23456
accept-lifetime 00:00:00 MAR 30 2022 23:59:59 MAY 29 2022
send-lifetime 00:00:00 FEB 28 2022 23:59:59 APRIL 30 2022
cryptographic-algorithm hmac-sha-512

key 3
key-string 34567
accept-lifetime 00:00:00 MAY 28 2022 23:59:59 AUG 31 2022
send-lifetime 00:00:00 APRIL 30 2022 23:59:59 JULY 30 2022
cryptographic-algorithm hmac-sha-512

key 4
key-string 78910
accept-lifetime 00:00:00 AUG 30 2022 23:59:59 OCT 31 2022
send-lifetime 00:00:00 JULY 30 2022 23:59:59 SEPT 31 2022
cryptographic-algorithm hmac-sha-512

key 5
key-string 11121
accept-lifetime 00:00:00 OCT 30 2022 23:59:59 DEC 31 2022
send-lifetime 00:00:00 SEPT 30 2022 23:59:59 NOV 31 2022
cryptographic-algorithm hmac-sha-512

In this example the send lifetime is always a month before the accept lifetime, but in the cisco manual it's the other way around:
key 1
key-string 7 uaeqdyito
accept-lifetime 00:00:00 Aug 12 2013 23:59:59 May 12 2013
send-lifetime 00:00:00 Sep 12 2013 23:59:59 Aug 12 2013
key 2
key-string 7 eekgsdyd
accept-lifetime 00:00:00 Nov 12 2013 23:59:59 Mar 12 2013
send-lifetime 00:00:00 Dec 12 2013 23:59:59 Feb 12 2013 


 

Honestly I'm confused... Will my config not work correctly? 

OK, I see what you are saying. According to your configs it looks like the keys are accepted a month before they are actually sent. If I read that right then yes, that's plenty of time for the keys to change over. Your configs should work for what you are trying to accomplish and you won't experience any outages, barring any major time malfunction of the devices.

Secondly, this is just a personal opinion from a security perspective. Unless ALL those keys HAVE to be on the router, I would add them as the time got closer to them being used. If someone got unauthorized access to this device they could see the usable keys for the next decade.

Thank you for the reply David

Uffff, I'm glad everything is as it should be. I was worried that the customer would lose the entire system in May...

I agree, adding the keys from time to time would be much better, and that was in fact my idea, but the customer (consultant) wants the keys added like this in a chain and I can't argue with him...

Thank you for your help David