R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

471

472

473

474

475

476

477

478

479

480

Configuring rekey parameters

The following describes the rekey parameters:

• Rekey encryption—Specifies the encryption algorithm used by the KEK.

• Rekey lifetime—Specifies the lifetime of the KEK.

• Rekey transport unicast—Enables unicasting rekey messages. By default, the KS multicasts rekey

messages. Configure this setting only when the network does not support multicasting because

unicast transmission increases overheads and affects device performance.

• Rekey retransmit—Specifies the interval between rekey retransmissions and the maximum number

of retransmissions.

To configure rekey parameters:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter GDOI KS group view.

gdoi ks group group-name

N/A

3. Specify the encryption

algorithm used by the KEK.

rekey encryption { 3des-cbc |

aes-cbc-128 | aes-cbc-192 |

aes-cbc-256 | des-cbc }

By default, the KEK uses the

3DES-CBC encryption

algorithm.

4. Specify the lifetime of the KEK.

rekey lifetime seconds

number-of-seconds

By default, the KEK lifetime is

86400 seconds.

5. Enable unicasting rekey

messages.

rekey transport unicast

By default, the KS multicasts

rekey messages.

6. Specify the interval between

rekey retransmissions and the

maximum number of

retransmissions.

rekey retransmit { interval interval |

number number } *

By default, the retransmission

interval is 10 seconds, and the

maximum number of

retransmissions is 2.

Displaying and maintaining GDOI KS

Execute display commands in any view, and execute reset commands in user view.

Task Command

Display GDOI KS group information. display gdoi ks [ group group-name ]

Display GDOI KS group ACL information. display gdoi ks acl [ group group-name ]

Display GDOI KS redundancy information. display gdoi ks redundancy [ group group-name ]

Display information about online GDOI KS

group members.

display gdoi ks members [ group group-name ] [ ip

ip-address ]

Display GDOI KS group rekey information. display gdoi ks rekey [ group group-name ]

Display GDOI KS group policy information. display gdoi ks policy [ group group-name ]

Clear GDOI KS group information. reset gdoi ks [ group group-name ]

Reset GDOI KS redundancy roles. reset gdoi ks redundancy role [ group group-name ]

Clear GDOI KS group member information. reset gdoi ks members [ group group-name ]