Troubleshooting guide
4 — TCP enhanced authentication
Alcatel-Lucent 5620 Service Aware Manager 4-3
5620 SAM
System Administrator Guide
When the 5620 SAM attempts to synchronize the keys in a global key chain with the keys on an NE, the NE does not return the secret key value. After a key chain is deployed to an NE, the shared secret and the encryption algorithm cannot be modified. You can delete a key chain or key only when it is not in use by a protocol.
You can specify whether an NE uses a TCP key for sending packets, receiving packets, or both. Using keys that are configured for both, or send-receive, is generally good practice because communication between NEs cannot then be broken by assigning the wrong key type.
There are two classes of TCP keys:
• Active
• Eligible
Active keys
A key set contains one active key. An active key is a key that TCP uses to generate authentication information for outbound segments. You cannot delete the active key in a key chain.
Eligible keys
Each set of keys, called a key chain, contains zero or more eligible keys. An eligible key is a key that TCP uses to authenticate inbound segments.
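The following is an added, constructed model of the key-chain semantics described above; it is not 5620 SAM or SR OS code. It assumes an HMAC-SHA256 keyed hash and sample key ids and secrets, and it assumes that a key's direction (send, receive, or send-receive) decides whether it may sign outbound segments or authenticate inbound ones. The demo shows a segment authenticated between two NEs that share a distributed key chain, the same exchange failing when the receiving NE's copy of the key was configured send-only, and the rule that the active key cannot be deleted.

```python
import hmac
from dataclasses import dataclass

# Constructed model of TCP enhanced-authentication key chains, added for
# illustration; not 5620 SAM or SR OS code. Key ids, secrets and the HMAC
# algorithm below are assumed sample values.

SEND, RECEIVE, BOTH = "send", "receive", "send-receive"


@dataclass(frozen=True)
class TcpKey:
    key_id: int
    secret: bytes
    direction: str = BOTH        # send, receive, or send-receive
    algorithm: str = "sha256"    # fixed once deployed, like the secret

    def mac(self, segment: bytes) -> bytes:
        return hmac.new(self.secret, segment, self.algorithm).digest()


class KeyChain:
    """A key chain: exactly one active key plus zero or more eligible keys."""

    def __init__(self, name: str, keys: list, active_key_id: int):
        self.name = name
        self.keys = {k.key_id: k for k in keys}
        if active_key_id not in self.keys:
            raise ValueError("active key must be a member of the chain")
        self.active_key_id = active_key_id

    @property
    def active_key(self) -> TcpKey:
        return self.keys[self.active_key_id]

    def eligible_keys(self) -> list:
        # Keys usable to authenticate inbound segments: those whose direction
        # allows receiving. Assumption: the active key is eligible too when it
        # is send-receive.
        return [k for k in self.keys.values() if k.direction in (RECEIVE, BOTH)]

    def sign_outbound(self, segment: bytes):
        # Only the active key generates authentication data for outbound segments.
        key = self.active_key
        if key.direction not in (SEND, BOTH):
            raise PermissionError(f"active key {key.key_id} is receive-only")
        return key.key_id, key.mac(segment)

    def verify_inbound(self, segment: bytes, key_id: int, mac: bytes) -> bool:
        for key in self.eligible_keys():
            if key.key_id == key_id:
                return hmac.compare_digest(key.mac(segment), mac)
        return False  # unknown key id, or key not permitted to receive

    def delete_key(self, key_id: int) -> None:
        if key_id == self.active_key_id:
            raise ValueError("cannot delete the active key")
        del self.keys[key_id]


def demo() -> dict:
    """Authenticate one segment between two NEs that share a distributed chain,
    then repeat with a mistyped key direction on the receiving NE."""
    secret = b"constructed-shared-secret"          # constructed sample secret
    segment = b"constructed BGP segment payload"   # constructed segment bytes
    good = TcpKey(1, secret)                       # send-receive, the safe default
    chain_a = KeyChain("global-kc", [good], active_key_id=1)
    chain_b = KeyChain("global-kc", [good], active_key_id=1)
    kid, mac = chain_a.sign_outbound(segment)
    ok = chain_b.verify_inbound(segment, kid, mac)

    # Same secret, but the receiving NE's copy was configured send-only.
    send_only = TcpKey(1, secret, direction=SEND)
    chain_c = KeyChain("global-kc", [send_only], active_key_id=1)
    broken = chain_c.verify_inbound(segment, kid, mac)

    # The active key cannot be removed from the chain.
    try:
        chain_a.delete_key(1)
        deletable = True
    except ValueError:
        deletable = False
    return {"send_receive_ok": ok,
            "send_only_receiver_ok": broken,
            "active_key_deletable": deletable}


if __name__ == "__main__":
    print(demo())
```

Running the module prints a dictionary showing that the send-receive pair authenticates, the send-only receiver rejects the same segment, and the active key could not be deleted.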
4.2 Workflow to configure TCP enhanced authentication for NEs
1 Create a global key chain that contains at least one key; see Procedure 4-1.
2 Distribute the key chain to the NEs; see Procedure 4-2.
3 Verify the distribution of a global key chain to the NEs; see Procedure 4-3.
4 Assign the key chain to a routing protocol, such as BGP or LDP. See “Protocol configuration overview” in the 5620 SAM User Guide for more information.
5 If required, identify the differences between a global and local policy or two local key chains; see Procedure 4-4.
4.3 TCP enhanced authentication procedures
Use the following procedures to perform TCP enhanced authentication management functions.
Release 13.0 R2 | May 2015 | 3HE 09815 AAAB TQZZA Edition 01