Keychain module

Keychain is a utility module that can be used by any application or routing protocol that uses authentication keys to establish secure communication with peers and validate the control packets.

The keychain module provides a secure infrastructure to prevent unauthorized routing updates to the network and ensures that only trusted routers participate in routing updates. Apart from authentication, the keychain module provides a mechanism for key rollover based on the lifetime or duration specified for each key used for authentication. Keys are rolled over to the next key when that key is active and its key ID is within the range of key IDs used by the protocol.

How keychain module works

Keychain module is independent of the protocols or applications that use it. The protocol packets use one of the active keys from the keychain profile. The keychain profile may have multiple keys with different attributes, such as authentication algorithms, passwords, and lifetimes.
Note: In FastIron 08.0.70, only OSPFv2 and OSPFv3 use the keychain module.

Each key in the keychain has a lifetime associated with it, and a key is considered active if the current time is within the configured time range and the key has an authentication algorithm and a password. When a key expires, the keychain module notifies the application about the expiry of the key, which helps in changing the key periodically. Optionally, a tolerance value can be configured for the accept-keys and send-keys of the keychain to extend the lifetime of the keys outside the active lifetime duration (prior to the start of the lifetime or after the end of the lifetime). The tolerance period extends the usable period of the keys and smooths the protocol's transition to a new key. Keys cannot be used for authentication during the period in which they are not active. Therefore, the lifetimes of the keys must be configured so that their activation periods overlap, ensuring that an active key is available at any time; this is critical for key rollover.

Note: All participating routers must have Network Time Protocol (NTP) enabled before setting the lifetime on the keys.

An application uses the keychain module to generate and send a message digest using the key and the specified algorithm, and to validate that the message digest carried by a received packet is correct. When an application requests keys from the keychain module for sending and accepting packets, the keychain module supplies all the active keys from the keychain, and the application picks the desired key based on the inherent criteria of the protocol or application. The sending peer picks the key based on the lifetime and cryptographic algorithm, giving the application the option to choose the cryptographic algorithm that matches its criteria. The receiving peer selects the key with which it authenticates based on the incoming key ID. When a keychain is configured under a protocol, all the packets generated by the protocol, such as routing updates and hello packets, are authenticated with that key ID. The same procedure is followed for received packets, because the key ID is used to validate them. It is imperative that the neighbors and participating routers have the same configuration at the other end.
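The lifetime, tolerance and key-selection behaviour described in the two paragraphs above can be modelled in a few dozen lines. The following Python is an added example and not code from the FastIron keychain module or from any OSPF implementation: it assumes a hypothetical Keychain class with separate accept and send tolerances, an assumed 8-bit key ID range (max_key_id), HMAC as the digest algorithm, and a constructed two-key profile (KEY1, KEY2) whose lifetimes overlap by one day. It shows how the sending side picks an active key by algorithm preference, how the receiving side looks a key up by the incoming key ID, how the accept tolerance lets a just-expired key still validate packets, and how to check a profile for gaps in lifetime coverage.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class Key:
    """One entry in a keychain profile: ID, algorithm, password and lifetime."""
    key_id: int
    algorithm: str      # hashlib digest name accepted by hmac, e.g. "sha256"
    password: bytes
    start: datetime
    end: datetime


@dataclass
class Keychain:
    """Hypothetical keychain profile (assumption: separate accept/send tolerances)."""
    keys: List[Key]
    accept_tolerance: timedelta = timedelta(0)
    send_tolerance: timedelta = timedelta(0)
    max_key_id: int = 255   # assumption: the protocol carries an 8-bit key ID

    def _usable(self, key: Key, now: datetime, tolerance: timedelta) -> bool:
        # Active inside [start, end]; the tolerance widens that window on
        # both sides. Keys outside the protocol's key ID range never qualify.
        in_window = key.start - tolerance <= now <= key.end + tolerance
        return in_window and 0 <= key.key_id <= self.max_key_id

    def send_keys(self, now: datetime) -> List[Key]:
        return [k for k in self.keys if self._usable(k, now, self.send_tolerance)]

    def accept_keys(self, now: datetime) -> List[Key]:
        return [k for k in self.keys if self._usable(k, now, self.accept_tolerance)]

    def pick_send_key(self, now: datetime,
                      preferred=("sha256", "sha1", "md5")) -> Optional[Key]:
        # Sending side: choose among active keys by algorithm preference and,
        # within one algorithm, the key whose lifetime started most recently.
        candidates = self.send_keys(now)
        for alg in preferred:
            matching = [k for k in candidates if k.algorithm == alg]
            if matching:
                return max(matching, key=lambda k: k.start)
        return None

    def lookup_accept_key(self, key_id: int, now: datetime) -> Optional[Key]:
        # Receiving side: the key ID carried in the packet selects the key.
        for k in self.accept_keys(now):
            if k.key_id == key_id:
                return k
        return None

    def coverage_gaps(self) -> List[Tuple[datetime, datetime]]:
        # Intervals between consecutive lifetimes where no key is active.
        # A correctly configured profile reports none.
        if not self.keys:
            return []
        ordered = sorted(self.keys, key=lambda k: k.start)
        gaps, covered_until = [], ordered[0].end
        for k in ordered[1:]:
            if k.start > covered_until:
                gaps.append((covered_until, k.start))
            covered_until = max(covered_until, k.end)
        return gaps


def digest(key: Key, payload: bytes) -> bytes:
    """Message digest over the packet payload using the key's algorithm."""
    return hmac.new(key.password, payload, key.algorithm).digest()


def sign(chain: Keychain, payload: bytes, now: datetime) -> Optional[Tuple[int, bytes]]:
    key = chain.pick_send_key(now)
    return None if key is None else (key.key_id, digest(key, payload))


def verify(chain: Keychain, key_id: int, payload: bytes,
           received: bytes, now: datetime) -> bool:
    key = chain.lookup_accept_key(key_id, now)
    if key is None:
        return False          # unknown or inactive key ID: packet rejected
    return hmac.compare_digest(digest(key, payload), received)


# Constructed sample profile: lifetimes overlap on 9 Jan, one-hour accept tolerance.
KEY1 = Key(1, "sha1", b"old-secret",
           datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 1, 10, tzinfo=UTC))
KEY2 = Key(2, "sha256", b"new-secret",
           datetime(2024, 1, 9, tzinfo=UTC), datetime(2024, 1, 20, tzinfo=UTC))
CHAIN = Keychain([KEY1, KEY2], accept_tolerance=timedelta(hours=1))

if __name__ == "__main__":
    hello = b"constructed hello packet payload"
    t = datetime(2024, 1, 10, 0, 30, tzinfo=UTC)   # 30 min after KEY1 expired
    print("send key:", sign(CHAIN, hello, t)[0])                     # 2
    print("late KEY1 accepted:", verify(CHAIN, 1, hello, digest(KEY1, hello), t))
    print("coverage gaps:", CHAIN.coverage_gaps())                   # []
```

Note how the send and accept decisions diverge at 00:30 on 10 January: the sender has already moved to key 2 because key 1's send window closed at midnight, yet a peer whose clock or rollover lags slightly can still authenticate with key 1 for another hour because of the accept tolerance. This is exactly why the text insists on overlapping lifetimes and synchronized clocks: with a gap in coverage_gaps() or a skewed clock, one side will be sending with a key ID the other refuses to accept.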