hit counter script

Support For Non-Current Encryptions And Decryptions; Support For Icsr Configurations - Cisco ASR 5500 System Administration Manual

Hide thumbs Also See for ASR 5500:
Table of Contents

Advertisement

Support for Non-Current Encryptions and Decryptions

Important
For release 15.0 and higher, another type of encryption algorithm can be specified. The Global Configuration
mode cli-encrypt-algorithm command allows an operator to configure the password/secret encryption
algorithm. The default encryption/password algorithm for releases prior to 21.0 is MD-5 as described above
(option A). A second password encryption algorithm (option B) uses AES-CTR-128 for encryption and
HMAC-SHA1 for authentication. The encryption key protects the confidentiality of passwords, while the
authentication key protects their integrity. For release 21.0 and higher Algorithm B is the default. Passwords
encrypted with this key will have "+B" prefixes in the configuration file.
For release 19.2 and higher, a third type of encryption algorithm can be specified (option C). This algorithm
specifies the use of the HMAC-SHA512 cipher algorithm for encryption and authentication. Passwords
encrypted with this key will have "+C" prefixes in the configuration file.
Also for release 19.2 and higher, the encryption key is hashed from the chassis ID and a 16-byte Initialization
Vector (IV) obtained from an internal random number generator. No two passwords are encrypted using the
same encryption key/IV pair. The Security Administrator must set a chassis key in order to generate the chassis
ID and resulting encryption key. A default chassis key based on a local MAC address is no longer supported.
The syntax for the cli-encrypt-algorithm command is:
config
cli-encrypt-algorithm { A | B | C }
Support for Non-Current Encryptions and Decryptions
The system supports previously formatted encrypted passwords. The syntax of the encrypted passwords
indicates which methodology was used for encryption. If the system does not see a prefix before the encrypted
password, the earlier encryption method using a fixed key will be used. If the encrypted password includes
the "+A" prefix, the decryption method uses the chassis key and random salt.
If the user saves a new configuration, the generated file will always contain passwords encrypted by the most
recent method. The user cannot generate the earlier DES-based encryption values. However, all future StarOS
releases will continue to support plain-text password entry for all two-way encryptable passwords
The recommended process for changing the chassis key without causing a "lock-out" state is as follows:
• Load the configuration file of the last good configuration using the previous chassis key.
• Change the chassis key to the new desired value.
• Save the configuration with this new chassis key.
Refer to Configuring a Chassis Key in System Settings for additional information.

Support for ICSR Configurations

Inter-Chassis Session Recovery (ICSR) is a redundancy configuration that employs two identically configured
chassis/instances as a redundant pair.
ICSR pairs share the same chassis key. If the ISCR detects that the two chassis/instances have incompatible
chassis keys, an error message is logged but the ICSR system will continue to run. Without the matching
ASR 5500 System Administration Guide, StarOS Release 21.5
76
For release 21.0 and higher, the default is Algorithm B.
System Security

Advertisement

Table of Contents
loading

Table of Contents