R2511-HP MSR Router Series Security Configuration Guide(V5)

| Step | Command | Remarks |
| --- | --- | --- |
| 3. Specify the source address for packets sent by the KS. | source address ip-address | By default, the KS uses the source address specified in the first rule of the rekey ACL as the source address of sent packets. For information about the rekey ACL, see "Configuring basic settings for a GDOI KS group." |
Configuring rekey parameters
The following describes the rekey parameters:
- Rekey encryption: Specifies the encryption algorithm used by the KEK.
- Rekey lifetime: Specifies the lifetime of the KEK.
- Rekey transport unicast: Enables unicasting rekey messages. By default, the KS multicasts rekey messages. Configure this setting only when the network does not support multicasting, because unicast transmission increases overhead and affects device performance.
- Rekey retransmit: Specifies the interval between rekey retransmissions and the maximum number of retransmissions.
To configure rekey parameters:
| Step | Command | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | N/A |
| 2. Enter GDOI KS group view. | gdoi ks group group-name | N/A |
| 3. Specify the encryption algorithm used by the KEK. | rekey encryption { 3des-cbc \| aes-cbc-128 \| aes-cbc-192 \| aes-cbc-256 \| des-cbc } | Optional. By default, the KEK uses the 3DES-CBC encryption algorithm. |
| 4. Specify the lifetime of the KEK. | rekey lifetime seconds number-of-seconds | Optional. By default, the KEK lifetime is 86400 seconds. |
| 5. Enable unicasting rekey messages. | rekey transport unicast | Optional. By default, the KS multicasts rekey messages. |
| 6. Specify the interval between rekey retransmissions and the maximum number of retransmissions. | rekey retransmit { interval interval \| number number } * | Optional. By default, the retransmission interval is 10 seconds, and the maximum number of retransmissions is 2. |
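The following CLI session applies the rekey parameters from the table above, together with the KS source address, to one key server group. It is an added example and is not taken from the guide; the group name ks-group1, the address 10.1.1.1, and the view prompts are assumptions, while the command syntax is the guide's. Lines beginning with # are annotations, not CLI input. The values chosen replace the weak 3DES-CBC and DES-CBC options with AES-CBC-256, shorten the KEK lifetime from the 86400-second default, and leave rekey transport at its multicast default.

```text
# Added example: rekey hardening for a GDOI key server group (group name assumed).
<Sysname> system-view
[Sysname] gdoi ks group ks-group1
# Source address for KS-originated packets (assumed address; overrides the rekey-ACL default).
[Sysname-gdoi-ks-group-ks-group1] source address 10.1.1.1
# Replace the 3DES-CBC default KEK cipher with AES-CBC-256.
[Sysname-gdoi-ks-group-ks-group1] rekey encryption aes-cbc-256
# Shorten the KEK lifetime from 86400 seconds (24 h) to 43200 seconds (12 h).
[Sysname-gdoi-ks-group-ks-group1] rekey lifetime seconds 43200
# Retransmit a rekey every 15 seconds, at most 3 times (defaults: 10 seconds, 2 retransmissions).
[Sysname-gdoi-ks-group-ks-group1] rekey retransmit interval 15 number 3
# rekey transport unicast is intentionally not configured: multicast is assumed to be
# available, and unicast rekeying costs the KS one message per group member.
```

After committing these commands, confirm the active values with the display commands described in "Displaying and maintaining GDOI KS"; a KEK that still reports 3DES-CBC or the 86400-second lifetime indicates the commands were entered in the wrong view or against a different group name.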
Displaying and maintaining GDOI KS
Execute display commands in any view and reset commands in user view.