Assigning time-dependent keys to a chain
A time-dependent key has Accept or Send time constraints. It is valid only during the times that are defined for the key . If a time-dependent key is used, there is usually more than one key in the key chain entry.
Syntax
[no] key-chain chain_name key key_id
Generates or deletes a key in the key chain entry
chain_name . Using the optional
no
form of the command deletes the key. The
key_id is any number from 0-255.
[key-string key_str]
This option specifies the key value referenced by the protocol using the key. The <key_str
> can be any string up to 14 characters in length.
{accept-lifetime < mm/dd/yy [ yy ] hh:mm:ss | now >}
Specifies the start date and time of the valid period in which the switch can use this key to authenticate inbound packets.
{duration < mm/dd/yy [ yy ] hh:mm:ss | seconds >}
Specifies the time period during which the switch can use this key to authenticate inbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time ( which is the accept-lifetime setting).
{send-lifetime < mm/dd/yy [ yy ] hh:mm:ss | now>}
Specifies the start date and time of the valid period in which the switch can transmit this key as authentication for outbound packets.
{duration < mm/dd/yy [ yy ] hh:mm:ss | seconds >}
Specifies the time period during which the switch can use this key to authenticate outbound packets. Duration is either an end date and time or the number of seconds to allow after the start date and time ( which is the accept-lifetime setting).
show key-chain chain_name
Displays the detail information about the keys used in the key chain named <chain_name
>.
Using time-dependent keys requires that all the switches have accurate, synchronized time settings. You can manually set the time or use the Time protocol feature included in the switches. See time protocols in the management and configuration guide for your switch.
Example
Given transmission delays and the variations in the time value from switch to switch, it is advisable to include some flexibility in the Accept lifetime of the keys you configure. Otherwise, the switch may disregard some packets because either their key has expired while in transport or there are significant time variations between switches.
To see the result of Adding time-dependent keys to a key chain entry:
Use
show key-chain
to display the key status at the time the command is issued. Using the information from the example configuration in
Adding time-dependent keys to a key chain entry and
Display of time-dependent keys in the key chain entry if you execute show key-chain at 8:05 on 01/19/03, the display would appear as follows:
The "HPSwitch1" key chain entry is a time-independent key and will not expire. "HPSwitch2" uses time-dependent keys, which result in this data:
Expired=1 |
Key 1 has expired because its lifetime ended at 8:10 on 01/18/03, the previous day. |
Active=2 |
Key 2 and 3 are both active for 10 minutes from 8:00 to 8:10 on 1/19/03. |
Keys 4 and 5 are either not yet active or expired. The total number of keys is 5.