R3303-HP HSR6800 Routers Security Configuration Guide

70
Task: Configuring rekey parameters
Remarks: Optional.
Configuring basic settings for a GDOI KS group
A device supports multiple GDOI KS groups. A GDOI KS group includes all settings required by a KS in
the group. The following describes basic GDOI KS group settings:
Group name—Identifies the GDOI KS group on the device.
Group ID—Identifies the GDOI KS group in the Group Domain VPN. A KS uses the group ID
received from a GM to determine the GDOI KS group that the GM wants to join. Each group can
have only one group ID, which must be a group number or an IP address.
Key pair—Used to generate local asymmetric key pairs carried in rekey messages. Each GDOI KS
group can reference only one key pair. The public key in the key pair is used as part of the KEK
assigned to GMs. A GM uses the public key to authenticate the KS.
Rekey ACL—Specifies the source and destination addresses for multicast rekey messages. Each
GDOI KS group can reference only one rekey ACL.
IPsec policy—Includes an IPsec profile for TEK protection and an ACL that identifies the traffic to be
protected.
Follow these guidelines when you configure basic settings for a GDOI KS group:
A GDOI KS group can have only one group ID. A newly configured group ID overwrites the
previous one.
Different GDOI KS groups must have different group IDs.
To protect unicast traffic, the ACL referenced by the IPsec policy must have rules in pairs. Each pair
of rules identifies a bidirectional traffic flow.
To protect multicast traffic, the destination address specified in the rekey ACL must be different from
the destination address of any service traffic.
The ACL referenced by an IPsec policy can contain many rules, but whether all of them can be assigned
to GMs depends on the size of the GDOI packet and the number of TEKs. For a GDOI KS group that
has only one IPsec policy, you can configure a maximum of 200 rules for the referenced ACL. For a
GDOI KS group that has multiple IPsec policies, determine the maximum number of rules (less than
200) according to the size of the GDOI packet and the number of TEKs.
NOTE:
When a KS continually performs rekey operations, it generates lots of TEKs and might fail to assign all
TEKs and ACL rules.
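The following is an added example, not part of the guide or the device software, that lints a planned IPsec-policy ACL and rekey ACL against the guidelines above before they are configured on a KS. The Rule layout and CIDR strings are assumptions for illustration, not the device's configuration syntax.

```python
# Added example (not from the guide): lint the IPsec-policy ACL and rekey ACL
# against the GDOI KS group guidelines. Rule layout is an assumption for
# illustration, not the device's configuration syntax.
from dataclasses import dataclass
from ipaddress import ip_network

MAX_RULES_SINGLE_POLICY = 200  # stated limit for a group with one IPsec policy


@dataclass(frozen=True)
class Rule:
    """One ACL rule: traffic from src to dst (both in CIDR notation)."""
    src: str
    dst: str


def reverse(rule: Rule) -> Rule:
    """The mirror rule that completes a bidirectional pair."""
    return Rule(rule.dst, rule.src)


def check_unicast_acl(rules: list[Rule]) -> list[str]:
    """Unicast guideline: rules come in pairs and stay within the rule limit."""
    problems = []
    if len(rules) > MAX_RULES_SINGLE_POLICY:
        problems.append(f"{len(rules)} rules exceed the {MAX_RULES_SINGLE_POLICY}-rule limit")
    present = set(rules)
    for r in rules:
        if reverse(r) not in present:
            problems.append(f"rule {r.src} -> {r.dst} has no reverse rule")
    return problems


def check_multicast_rekey(rekey_dst: str, service_rules: list[Rule]) -> list[str]:
    """Multicast guideline: the rekey ACL destination must differ from every
    service-traffic destination (any overlap is flagged, a conservative reading)."""
    rekey = ip_network(rekey_dst)
    return [f"rekey destination {rekey_dst} overlaps service destination {r.dst}"
            for r in service_rules if ip_network(r.dst).overlaps(rekey)]


# Constructed sample data for a KS group protecting one pair of sites.
PAIRED_RULES = [Rule("10.1.1.0/24", "10.2.2.0/24"), Rule("10.2.2.0/24", "10.1.1.0/24")]
UNPAIRED_RULES = [Rule("10.1.1.0/24", "10.2.2.0/24")]

if __name__ == "__main__":
    print(check_unicast_acl(PAIRED_RULES))                      # []
    print(check_unicast_acl(UNPAIRED_RULES))                    # one unpaired-rule problem
    print(check_multicast_rekey("239.1.1.1/32", PAIRED_RULES))  # []
```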
To configure basic settings for a GDOI KS group:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a GDOI KS group and enter GDOI KS group view.
  Command: gdoi ks group group-name
  Remarks: By default, no GDOI KS group is created.