R3303-HP HSR6800 Routers Security Configuration Guide

Keepalive
The primary KS periodically sends hello messages to the secondary KSs. If the secondary KSs receive no hello messages within a specific interval, they consider the primary KS to have failed and elect a new primary KS. During the election, the secondary KSs do not accept registrations from GMs.
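The keepalive and re-election behavior above, as an added simulation (not HP or Comware code). The dead interval, the election rule (highest priority wins, lowest address breaks ties), the class and function names, and the GM addresses are all assumptions made for the example; the guide specifies none of them. The scenario shows the part a practitioner cares about operationally: a GM that tries to register with a secondary KS after the primary has failed but before the election has completed is refused.

```python
"""Model of GDOI KS keepalive and primary re-election (added example, not vendor code).
Timer values and the election rule below are assumptions, not taken from the guide."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class KeyServer:
    address: str
    priority: int                       # assumed election key: higher wins
    role: str = "secondary"             # "primary" | "secondary" | "electing"
    alive: bool = True
    last_hello: float = 0.0             # time the last hello from the primary arrived
    accepted: List[str] = field(default_factory=list)   # GM registrations accepted
    rejected: List[str] = field(default_factory=list)   # GM registrations refused


class KsGroup:
    """A redundant KS group: one primary, the rest secondaries."""

    def __init__(self, servers: List[KeyServer], dead_interval: float):
        self.servers = {s.address: s for s in servers}
        self.dead_interval = dead_interval   # assumed: silence before failure is declared

    def primary(self) -> Optional[KeyServer]:
        return next((s for s in self.servers.values() if s.role == "primary"), None)

    def send_hellos(self, now: float) -> int:
        """The primary sends hellos to every live secondary; a failed primary sends none."""
        p = self.primary()
        if p is None or not p.alive:
            return 0
        heard = 0
        for s in self.servers.values():
            if s is not p and s.alive:
                s.last_hello = now
                heard += 1
        return heard

    def check_keepalive(self, now: float) -> List[str]:
        """Secondaries whose dead timer expired declare the primary failed and start electing."""
        started = []
        for s in self.servers.values():
            if s.alive and s.role == "secondary" and now - s.last_hello > self.dead_interval:
                s.role = "electing"
                started.append(s.address)
        return started

    def register_gm(self, ks_address: str, gm_address: str) -> bool:
        """Primary and secondaries accept GM registrations; a KS mid-election refuses them."""
        ks = self.servers[ks_address]
        if not ks.alive:
            return False                        # the GM simply gets no answer
        if ks.role == "electing":
            ks.rejected.append(gm_address)
            return False
        ks.accepted.append(gm_address)
        return True

    def elect(self, now: float) -> Optional[str]:
        """Pick a new primary among the live KSs that detected the failure.
        Assumed rule: highest priority wins, lowest IP address breaks ties."""
        candidates = [s for s in self.servers.values() if s.alive and s.role == "electing"]
        if not candidates:
            return None
        winner = max(candidates,
                     key=lambda s: (s.priority, -int(ipaddress.ip_address(s.address))))
        for s in candidates:
            s.role = "primary" if s is winner else "secondary"
            s.last_hello = now                  # election over; dead timers restart
        return winner.address


def failover_scenario() -> dict:
    """Constructed timeline: primary 10.0.0.1 dies at t=10 s; dead interval is 30 s."""
    group = KsGroup([KeyServer("10.0.0.1", priority=100, role="primary"),
                     KeyServer("10.0.0.2", priority=50),
                     KeyServer("10.0.0.3", priority=50)], dead_interval=30)
    result = {}
    group.send_hellos(0)
    result["reg_before_failure"] = group.register_gm("10.0.0.2", "gm-A")   # accepted
    group.servers["10.0.0.1"].alive = False                                 # primary fails
    group.send_hellos(10)                                                   # nobody hears it
    result["electing_at_20"] = group.check_keepalive(20)                    # timers not expired
    result["electing_at_35"] = group.check_keepalive(35)                    # both secondaries
    result["reg_during_election"] = group.register_gm("10.0.0.2", "gm-B")  # refused
    result["new_primary"] = group.elect(35)                                 # tie -> lowest address
    result["reg_after_election"] = group.register_gm("10.0.0.3", "gm-C")   # accepted again
    result["rejected"] = list(group.servers["10.0.0.2"].rejected)
    return result


if __name__ == "__main__":
    for key, value in failover_scenario().items():
        print(f"{key}: {value}")
```

The gap between the primary's failure and the end of the election is the window in which new or rekeying GMs cannot register anywhere in the group, so the dead interval you configure on a real deployment bounds how long that outage lasts.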
Protocols and standards
RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
RFC 3547, The Group Domain of Interpretation (GDOI)
RFC 3740, The Multicast Group Security Architecture
RFC 5374, Multicast Extensions to the Security Architecture for the Internet Protocol
Configuration restrictions and guidelines
The IKE settings (proposal and peer parameters) on the KSs and GMs must match. Otherwise, phase-1 IKE negotiation fails.
Configuring the GDOI KS
Complete the following tasks before you configure the GDOI KS:
IKE configuration—Configure an IKE proposal and IKE peers for phase-1 IKE negotiation with GMs. Each IKE peer is identified by the address of the GM's registration interface. If KS redundancy is needed, you also need to configure an IKE proposal and IKE peers for phase-1 IKE negotiation with the other KSs. Each IKE peer is identified by the address of the KS. For more information about IKE, see Configuring IKE.
IPsec configuration—Configure an IPsec profile for TEK generation. For more information about IPsec, see Configuring IPsec.
ACL configuration—Configure an ACL to match the traffic protected by the TEK and specify the source and destination addresses for multicast rekey messages.
GDOI KS configuration task list
Task                                              Remarks
Configuring basic settings for a GDOI KS group    Required.
Configuring GDOI KS redundancy                    Optional.