IOS key chain feature

A key chain is simply a data structure that is used within a Cisco router to help manage multiple passwords, which in keychain lingo are called keys. They are also sometimes called shared secrets. These keys are then used to enable secure communication with other devices that also support key-based authentication.

The data structure allows you to create a keychain, and on that keychain, you can create keys with IDs between 0 and 65535. Each key can then be configured with a key-string which is the password itself. Under the configuration of the key, you can add many more parameters such as cryptographic algorithms and lifetime durations.

When applying those keychains to an interface for use with whatever feature requires key authentication, the following must be taken into account (taken from associated Cisco documentation:

If you are using keys as the security method, you must specify the lifetime for the keys and change the keys on a regular basis when they expire. To maintain stability, each party must be able to store and use more than one key for an application at the same time. A keychain is a sequence of keys that are collectively managed for authenticating the same peer, peer group, or both.

Keychain management groups a sequence of keys together under a keychain and associates each key in the keychain with a lifetime.

Any key that is configured without a lifetime is considered invalid; therefore, the key is rejected during configuration.

The lifetime of a key is defined by the following options:

  • Start-time—Specifies the absolute time.
  • End-time—Specifies the absolute time that is relative to the start-time or infinite time.

Each key definition within the keychain must specify a time interval for which that key is activated; for example, lifetime. Then, during a given key's lifetime, routing update packets are sent with this activated key. Keys cannot be used during time periods for which they are not activated. Therefore, we recommend that for a given keychain, key activation times overlap to avoid any period of time for which no key is activated. If a time period occurs during which no key is activated, neighbor authentication cannot occur; therefore, routing updates can fail.

Features that use key-based authentication include OSPF, EIGRP, BGP, and RIP.