Release 13.0 R2 | May 2015 | 3HE 09815 AAAB TQZZA Edition 01

4 — TCP enhanced authentication

When the 5620 SAM attempts to synchronize the keys in a global key chain with the keys on an NE, the NE does not return the secret key value. After a key chain is deployed to an NE, the shared secret and the encryption algorithm cannot be modified. You can delete a key chain or key only when it is not in use by a protocol.

You can specify whether an NE uses a TCP key for sending packets, receiving packets, or both. Using keys that are configured for both, or send-receive, is generally good practice, because communication between NEs then cannot be disrupted by assigning the wrong key type.

There are two classes of TCP keys:
• Active
• Eligible

Active keys

A key set contains one active key. An active key is a key that TCP uses to generate authentication information for outbound segments. You cannot delete the active key in a key chain.

Eligible keys

Each set of keys, called a key chain, contains zero or more eligible keys. An eligible key is a key that TCP uses to authenticate inbound segments.

4.2 Workflow to configure TCP enhanced authentication for NEs

1 Create a global key chain that contains at least one key; see Procedure 4-1.
2 Distribute the key chain to the NEs; see Procedure 4-2.
3 Verify the distribution of a global key chain to the NEs; see Procedure 4-3.
4 Assign the key chain to a routing protocol, such as BGP or LDP. See “Protocol configuration overview” in the 5620 SAM User Guide for more information.
5 If required, identify the differences between a global and local policy or two local key chains; see Procedure 4-4.

4.3 TCP enhanced authentication procedures

Use the following procedures to perform TCP enhanced authentication management functions.

Alcatel-Lucent 5620 Service Aware Manager 5620 SAM System Administrator Guide 4-3
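The key-chain rules described above (one active key signs outbound segments, eligible keys verify inbound segments, a send-only key on the receiving side rejects traffic, and the active key cannot be deleted) are modelled in the following Python example. It is an added illustration written for this page, not code from the 5620 SAM or from any NE; the HMAC-SHA1 tag, the key-chain class, the `in_use_by` bookkeeping and the sample segment bytes are all constructed assumptions, not the product's actual wire format or API.

```python
"""Constructed model of a TCP enhanced authentication key chain.

One active key generates the authentication tag on outbound segments;
the eligible (receive-capable) keys verify the tag on inbound segments.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Key directions as the page describes them (names are this example's own).
SEND, RECEIVE, SEND_RECEIVE = "send", "receive", "send-receive"


@dataclass
class Key:
    key_id: int
    secret: bytes            # shared secret; fixed once the chain is deployed
    direction: str           # SEND, RECEIVE or SEND_RECEIVE
    algorithm: str = "sha1"  # assumed HMAC hash name (hashlib spelling)


@dataclass
class KeyChain:
    name: str
    keys: Dict[int, Key] = field(default_factory=dict)
    active_key_id: Optional[int] = None
    in_use_by: set = field(default_factory=set)  # protocols bound to this chain

    def add_key(self, key: Key, active: bool = False) -> None:
        self.keys[key.key_id] = key
        if active:
            if key.direction == RECEIVE:
                raise ValueError("a receive-only key cannot sign outbound segments")
            self.active_key_id = key.key_id

    def delete_key(self, key_id: int) -> None:
        # A chain in use by a protocol is frozen; the active key is never deletable.
        if self.in_use_by:
            raise ValueError(f"key chain {self.name} is in use by {sorted(self.in_use_by)}")
        if key_id == self.active_key_id:
            raise ValueError("the active key cannot be deleted")
        del self.keys[key_id]

    def eligible_keys(self) -> Dict[int, Key]:
        # Only keys configured for receive or send-receive may verify inbound segments.
        return {k: v for k, v in self.keys.items() if v.direction in (RECEIVE, SEND_RECEIVE)}


def _tag(key: Key, segment: bytes) -> bytes:
    return hmac.new(key.secret, segment, key.algorithm).digest()


def sign_outbound(chain: KeyChain, segment: bytes) -> Tuple[int, bytes]:
    """Return (key_id, tag) produced with the chain's active key."""
    if chain.active_key_id is None:
        raise ValueError("no active key in chain")
    key = chain.keys[chain.active_key_id]
    return key.key_id, _tag(key, segment)


def verify_inbound(chain: KeyChain, segment: bytes, key_id: int, mac: bytes) -> bool:
    """True only if key_id is eligible on this side and the tag matches."""
    key = chain.eligible_keys().get(key_id)
    if key is None:
        return False  # unknown key, or configured send-only on the receiver
    return hmac.compare_digest(_tag(key, segment), mac)


def demo() -> dict:
    secret = b"constructed-shared-secret"          # constructed sample value
    segment = b"BGP OPEN from NE-A to NE-B"        # stands in for TCP segment bytes

    # NE-A signs with key 1. NE-B holds key 1 as send-receive, NE-C as send-only.
    ne_a = KeyChain("global-chain"); ne_a.add_key(Key(1, secret, SEND_RECEIVE), active=True)
    ne_b = KeyChain("global-chain"); ne_b.add_key(Key(1, secret, SEND_RECEIVE), active=True)
    ne_c = KeyChain("global-chain"); ne_c.add_key(Key(1, secret, SEND), active=True)

    key_id, mac = sign_outbound(ne_a, segment)
    results = {
        "peer_send_receive": verify_inbound(ne_b, segment, key_id, mac),
        "peer_send_only": verify_inbound(ne_c, segment, key_id, mac),
        "tampered": verify_inbound(ne_b, segment + b"x", key_id, mac),
    }
    try:
        ne_a.delete_key(1)
        results["active_deleted"] = True
    except ValueError:
        results["active_deleted"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The `peer_send_only` case is the failure mode the page warns about: NE-C shares the right secret but, because its copy of key 1 is send-only, the key is not eligible and every inbound segment from NE-A is rejected. Configuring the key as send-receive on both sides removes that risk.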