User Config AES Encryption
Overview
Sensitive information, such as authentication keys entered in plain text, is stored in the OcNOS database in encrypted form. By default this information is encrypted with the 3DES algorithm. This feature gives users the option to store it encrypted with the Advanced Encryption Standard (AES) instead. It applies to the stored authentication keys of BGP, OSPF, RIP, IS-IS, LDP, BFD, MSDP, and RADIUS. The encryption protects the confidentiality of those keys at rest (in the database and in show running-config output); it does not change the authentication the protocols use on the wire, which for OSPF, RIP and LDP in the examples below is still MD5.
Feature Characteristics
• Users can choose to encrypt sensitive information using either the 3DES or the AES algorithm.
• A global configuration command selects the algorithm used for data stored in the OcNOS database.
• When sensitive data is entered in already-encrypted form, OcNOS accepts both AES- and 3DES-encrypted values.
• An AES-encrypted value must have been produced by OcNOS itself, because OcNOS adds a tag to the stored value to distinguish AES-encrypted from 3DES-encrypted data.
• Users can change the global encryption algorithm at any time; previously configured sensitive data is left as it is and is not re-encrypted.
• OcNOS keeps track internally of which algorithm was used for each piece of sensitive data, so 3DES- and AES-encrypted values can coexist in one configuration.
• If no algorithm is specified, OcNOS defaults to 3DES, preserving the existing behavior.
Benefits
This feature enhances security by encrypting stored sensitive data with 256-bit AES in Galois/Counter Mode (GCM). GCM is an authenticated mode: the ciphertext has to be stored together with its nonce and authentication tag, so a stored value that has been altered is rejected on decryption instead of silently yielding a wrong key, and the AES-encrypted values are correspondingly longer than their 3DES counterparts (compare the snapshots below).
Configuration
The snapshots below show, for each supported protocol, how the same kind of authentication key appears in the running configuration when it is stored with 3DES and when it is stored with AES. The encrypted value is what OcNOS writes back after a key is entered; the global algorithm in effect at the time the key is entered determines which form is stored. Only the stored form of the key differs: the protocol keyword (for example md5 for OSPF, RIP and LDP) and the authentication used on the wire are the same in both cases.
Configuration Snapshot:
BGP configuration:
3DES encryption algorithm:
router bgp 100
neighbor 10.10.10.11 remote-as 200
neighbor 10.10.10.11 authentication-key 0xb376ebccbde0bb44ebba6c415d533683
AES encryption algorithm:
router bgp 100
neighbor 10.10.10.11 remote-as 200
neighbor 10.10.10.11 authentication-key 0x25fdc4e11aaf5d9caa36b6a904ad7ec476dca3447b42486c119032b2b06e7c1daf8bfde097ed
OSPF configuration:
3DES encryption algorithm:
interface xe49
ip ospf message-digest-key 1 md5 0xebe3bd4b01e1198ff808f31af4a0adf1
AES encryption algorithm:
interface xe1
ip ospf message-digest-key 1 md5 0xc5cf7a352927208c029d58dec379f7459207509788ff04311b04a8ccc06f4eb95171b28fa6
RIP configuration:
3DES encryption algorithm:
interface xe2
ip rip authentication mode md5
ip rip authentication string 0xebe3bd4b01e1198ff808f31af4a0adf1
AES encryption algorithm:
interface xe1
ip rip authentication mode md5
ip rip authentication string 0x528bd88845782cf7595bfb2c60742358f980a733bb208276b60f6e184fcb239724c4585152
IS-IS key-chain authentication:
3DES encryption algorithm:
key chain TEST
key-id 1
key-string encrypted 0xebe3bd4b01e1198ff808f31af4a0adf1
AES encryption algorithm:
key chain TEST
key-id 1
key-string encrypted 0x93f3323b28293e577235b61aef68418931fa74095b20f5aa989aceadb3b5cdda45d004e5ab
LDP MD5 authentication:
3DES encryption algorithm:
router ldp
neighbor all auth md5 password encrypt 0x93c51ab33976afff
session-group name 1
auth md5 password encrypt 0x93c51ab33976afff
AES encryption algorithm:
router ldp
neighbor all auth md5 password encrypt 0x7b34695900344ff981d097ca3b76d3f7602c97533ae71fb5a24f6f63b5a1b36a0a2e11f5
session-group name 1
auth md5 password encrypt 0x7b34695900344ff981d097ca3b76d3f7602c97533ae71fb5a24f6f63b5a1b36a0a2e11f5
BFD authentication:
3DES encryption algorithm:
interface eth1
bfd auth type simple key-id 100 1 key 0xb376ebccbde0bb44ebba6c415d533683
AES encryption algorithm:
interface eth1
bfd auth type simple key-id 100 1 key 0x25fdc4e11aaf5d9caa36b6a904ad7ec476dca3447b42486c119032b2b06e7c1daf8bfde097ed
MSDP configuration:
3DES encryption algorithm:
ip msdp peer 1.1.1.1
ip msdp password 0x93c51ab33976afff9c2308c1131e52b8 peer 1.1.1.1
AES encryption algorithm:
ip msdp peer 1.1.1.1
ip msdp password 0x2bf091e584673fda07def61c29a16ac38ceff092e11fe75d12122fb6d4683b1bfa8d8379f1de peer 1.1.1.1
RADIUS authentication:
3DES encryption algorithm:
radius-server login key 7 0xf6fe51115a8718c8541a2369d0222f7f
radius-server login host 10.3.4.17 seq-num 7 key 7 0x923502641e0b7d352b09d097ceb464da auth-port 4567 timeout 40
AES encryption algorithm:
radius-server login key 7 0x1c5c4abfd0cb21baf4d1980261f16f2f9dad69fc5e732b322f6d9c764f864f696ee7668e1f7a
radius-server login host 10.3.4.17 seq-num 7 key 7 0x35404c0de9ca6cb64531aad49b8d7ebf64550c4d52d0201e423f7de5227ccb5c52d8242b12bd auth-port 4567 timeout 40
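Because switching the global algorithm does not re-encrypt keys that are already stored, an operator who moves to AES needs a way to find the keys still held in 3DES form (or still in plain text in a config file prepared offline) so they can be re-entered. The following Python script is an added example, not OcNOS code or part of this documentation: it scans a saved running-config for the key-bearing command forms shown in the snapshots above and classifies each stored value. The length-based classification (3DES values of 8 or 16 bytes, AES values longer than 32 bytes) is an assumption inferred from those snapshots rather than a documented OcNOS format, and the sample configuration is constructed, with encrypted values copied from the snapshots and a plain-text RIP string added for illustration.

```python
"""Audit a saved OcNOS running-config for stored authentication keys.

Added example (not OcNOS code). Reports, for each recognised key, whether
the stored value looks 3DES-encrypted, AES-encrypted or plain text, and
lists the keys to re-enter after switching `global key-encryption` to AES,
since the switch does not re-encrypt data that is already stored.
"""
import re

# One pattern per key-bearing command form shown in the snapshots. Each
# captures the stored value; the plain-text forms (no "encrypted", no 0x)
# are matched too so an unprotected key is reported rather than skipped.
KEY_PATTERNS = [
    ("bgp",      re.compile(r"\bauthentication-key\s+(\S+)")),
    ("ospf",     re.compile(r"\bmessage-digest-key\s+\d+\s+md5\s+(\S+)")),
    ("rip",      re.compile(r"\bip rip authentication string\s+(\S+)")),
    ("keychain", re.compile(r"\bkey-string(?:\s+encrypted)?\s+(\S+)")),
    ("ldp",      re.compile(r"\bpassword encrypt\s+(\S+)")),
    ("bfd",      re.compile(r"\bbfd auth type \S+ key-id \d+ \d+ key\s+(\S+)")),
    ("msdp",     re.compile(r"\bip msdp password\s+(\S+)")),
    ("radius",   re.compile(r"\bradius-server login(?: host \S+ seq-num \d+)? key 7\s+(\S+)")),
]
HEX_VALUE = re.compile(r"0x[0-9a-fA-F]+")
GLOBAL_AES = re.compile(r"^\s*global key-encryption AES\s*$", re.MULTILINE)


def classify_value(value):
    """Classify one stored value. ASSUMPTION inferred from the snapshots:
    3DES output is whole 8-byte blocks (8 or 16 bytes here), AES-GCM output
    (nonce + tag + ciphertext) is longer than 32 bytes."""
    if not HEX_VALUE.fullmatch(value):
        return "plaintext"
    nbytes, odd = divmod(len(value) - 2, 2)
    if odd:
        return "malformed"
    if nbytes <= 32 and nbytes % 8 == 0:
        return "3DES"
    if nbytes > 32:
        return "AES"
    return "unknown"


def audit_config(text):
    """Return (global_is_aes, findings); findings are (line_no, protocol, class)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for proto, pattern in KEY_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((line_no, proto, classify_value(match.group(1))))
                break
    return bool(GLOBAL_AES.search(text)), findings


def needs_reentry(text):
    """Keys that stay 3DES-encrypted (or plain text) after the switch to AES
    until they are typed in again. Empty if the global setting is not AES."""
    is_aes, findings = audit_config(text)
    if not is_aes:
        return []
    return [f for f in findings if f[2] in ("3DES", "plaintext")]


# Constructed sample: encrypted values copied from the snapshots above, plus
# a plain-text RIP string (as it would appear in a config file prepared
# offline, before OcNOS has encrypted it).
SAMPLE_CONFIG = """\
global key-encryption AES
!
router bgp 100
 neighbor 10.10.10.11 remote-as 200
 neighbor 10.10.10.11 authentication-key 0xb376ebccbde0bb44ebba6c415d533683
!
interface xe1
 ip ospf message-digest-key 1 md5 0xc5cf7a352927208c029d58dec379f7459207509788ff04311b04a8ccc06f4eb95171b28fa6
!
interface xe2
 ip rip authentication mode md5
 ip rip authentication string rip-secret
!
router ldp
 neighbor all auth md5 password encrypt 0x93c51ab33976afff
!
key chain TEST
 key-id 1
  key-string encrypted 0x93f3323b28293e577235b61aef68418931fa74095b20f5aa989aceadb3b5cdda45d004e5ab
!
radius-server login key 7 0x1c5c4abfd0cb21baf4d1980261f16f2f9dad69fc5e732b322f6d9c764f864f696ee7668e1f7a
!
end
"""

if __name__ == "__main__":
    is_aes, findings = audit_config(SAMPLE_CONFIG)
    print("global key-encryption AES:", is_aes)
    for line_no, proto, kind in findings:
        print(f"line {line_no:3d} {proto:9s} {kind}")
    print("re-enter:", [f[0] for f in needs_reentry(SAMPLE_CONFIG)])
```

On the sample, the BGP and LDP keys (16 and 8 bytes) and the plain-text RIP string are reported for re-entry, while the OSPF, key-chain and RADIUS values are already in AES form. Run it against a real `show running-config` capture after `global key-encryption AES` has been committed; anything it lists as 3DES or plaintext should be re-entered so that OcNOS stores it with the new algorithm.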
Validation
Execute the following command to verify the global key-encryption:
OcNOS#show global key-encryption
Current global key-encryption in use is AES.
OcNOS#
Implementation Examples
To choose which global cipher algorithm will be used by OcNOS, the user simply runs the following command:
OcNOS(config)#global key-encryption AES
OcNOS(config)#commit
OcNOS(config)#
The configuration will appear in show running-config:
OcNOS#sh ru
!
...
global key-encryption AES
...
!
end
OcNOS#
global key-encryption
Use this command to configure the global cipher algorithm used to encrypt sensitive data stored in the OcNOS database.
Use the no form of this command to remove the setting, which returns OcNOS to the 3DES default. Data that is already stored is not re-encrypted in either case.
Command Syntax
global key-encryption (3DES|AES)
[no] global key-encryption
Parameters
key-encryption (3DES|AES)
Specifies the cipher algorithm OcNOS uses to encrypt sensitive data configured from this point on; previously stored data keeps the algorithm it was encrypted with.
Default
3DES encryption
Applicability
This command was introduced in OcNOS 6.6.0 version.
Example
OcNOS(config)#global key-encryption AES
show global key-encryption
Use this command to display the global key-encryption algorithm currently in use.
Command Syntax
show global key-encryption
Parameters
None
Default
3DES encryption (reported when no global key-encryption has been configured)
Applicability
This command was introduced in OcNOS 6.6.0 version.
Example
OcNOS#show global key-encryption
Current global key-encryption in use is AES.
OcNOS#