Implementing Type 6 Password Encryption

Type 6 password encryption uses a reversible 128-bit AES encryption algorithm for storing passwords. Type 6 password encryption allows secure, and encrypted storage of plain-text passwords on the device. The device can decrypt the encrypted passwords into their original plain-text format.

You can use Type 6 password encryption to securely store plain text key strings for authenticating BGP, IP SLA, IS-IS, MACsec, OSPF, and RSVP sessions.

Feature History for Implementing Type 6 Password Encryption

Release          Modification
---------------  ----------------------------
Release 7.0.1    This feature was introduced.

How to Implement Type 6 Password Encryption

Scenario - The following 3-step process explains the Type 6 password encryption process for authenticating BGP sessions between two routers, R1 and R2.

Follow the first two steps for all Type 6 password encryption scenarios. The third step, Creating BGP Sessions, is specific to BGP. Similarly, you can enable Type 6 password encryption for OSPF, IS-IS, or other protocol sessions. For details on creating those protocol sessions, see the corresponding chapters under Configure > Routing. For MACsec authentication, refer to the Configure MACsec chapter.

Enabling Type6 Feature and Creating a Primary Key (Type 6 Server)

The Type6 encryption key, hereafter referred to as the primary key in this chapter, is the password or key that encrypts all plain-text key strings in the router configuration. An Advanced Encryption Standard (AES) symmetric cipher does the encryption. The router configuration does not store the primary key. You cannot see or access the primary key when you connect to the router.

Creating the Primary Key

Use the key config-key password-encryption command to create the primary key.

Configuration Example


R1 & R2 # key config-key password-encryption 

Fri Jul 19 12:22:45.519 UTC
New password Requirements: Min-length 6, Max-length 64 
Characters restricted to [A-Z][a-z][0-9]
Enter new key : 
Enter confirm key : 
Master key operation is started in background

Once the command is executed, the Master key operation—creating, updating, or deleting the primary key—happens in the background. You can use the show type6 server command to view the status of the primary key operation.

When the key is created, it is stored internally; not as part of the router configuration. The router does not display the primary key as part of the running configuration. So, you cannot see or access the primary key when you connect to the router.

Enabling Type 6 Password Encryption

/* Enable Type 6 password encryption */
R1 & R2 (config)# password6 encryption aes 
R1 & R2 (config)# commit 
Fri Jul 19 12:22:45.519 UTC

Modifying the Primary Key

Note

The Type 6 primary key update results in a configuration change of the key chain and of the other clients using Type 6. Because a failure of the router being configured can disrupt the production network, it is recommended to perform the primary key update during a maintenance window; otherwise, routing protocol sessions might fail.

The primary key is not saved to the running configuration, but the changes are persistent across reloads. The primary key update cannot be rolled back. That is, once the primary key is modified, you cannot revert to the older key using the rollback configuration command.


Enter the key config-key password-encryption command, and the old key and new key information.


R1 & R2# key config-key password-encryption  

New password Requirements: Min-length 6, Max-length 64 
Characters restricted to [A-Z][a-z][0-9]
Enter old key : 
Enter new key : 
Enter confirm key : 
Master key operation is started in background 

Deleting the Primary Key


R1 & R2# configure
R1 & R2 (config)# no password6 encryption aes 
R1 & R2 (config)# commit
R1 & R2 (config)# exit 
R1 & R2# key config-key password-encryption delete 

WARNING: All type 6 encrypted keys will become unusable
Continue with master key deletion ? [yes/no]:yes
Master key operation is started in background

Verification

Verify that the primary key configuration and the Type 6 feature configuration are in the Enabled state. The Master key Inprogress field displays No to indicate that the primary key activity (create, modify, or delete) is complete. When you disable the primary key, Disabled is displayed for all three states.


R1 & R2#show type6 server

Fri Jul 19 12:23:49.154 UTC
Server detail information:
=============================================
AES config State       :       Enabled
Masterkey config State :       Enabled
Type6 feature State    :       Enabled
Master key Inprogress  :       No

Verify Type 6 trace server details.


R1 & R2#show type6 trace server all 

Fri Jul 19 12:26:05.111 UTC
Client file lib/type6/type6_server_wr 
25 wrapping entries (18496 possible, 64 allocated, 0 filtered, 25 total)
Jul 19 09:59:27.168 lib/type6/type6_server_wr 0/RP0/CPU0 t7145 ***** Type6 server process started Respawn count (1) ****
…
…
Jul 19 12:22:59.908 lib/type6/type6_server_wr 0/RP0/CPU0 t7145 User has started Master key operation (CREATE)
Jul 19 12:22:59.908 lib/type6/type6_server_wr 0/RP0/CPU0 t7145 Created Master key in TAM successfully
Jul 19 12:23:00.265 lib/type6/type6_server_wr 0/RP0/CPU0 t7145 Master key Available set to (AVAILABLE)
Jul 19 12:23:00.272 lib/type6/type6_server_wr 0/RP0/CPU0 t7145 Master key inprogress set to (NOT INPROGRESS)

From Cisco IOS XR Software Release 7.0.2 and later, you can use the show type6 masterkey update status command to display the update status of the primary key. Prior to this release, you could use the show type6 clients command for the same purpose.


Router#show type6 masterkey update status
Thu Sep 17 06:48:56.595 UTC
Type6 masterkey operation is NOT inprogress


Router#show type6 masterkey update status
Thu Sep 17 06:50:07.980 UTC
Type6 masterkey operation is inprogress

Masterkey upate status information:
Client Name                Status
=====================================
keychain                   INPROGRESS

Clear Type 6 Client State

You can use the clear type6 client command in XR EXEC mode to clear the Type 6 client state.

If the primary key update operation is stuck at any stage, you can use this clear command to clear that state. Track the primary key update operation using the show type6 server command output. If the Master key Inprogress field in that output displays YES, use the show type6 masterkey update status command (or, prior to Release 7.0.2, the show type6 clients command) to check which client has not completed the operation. Then clear that particular client using the clear command.
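The checks described in the Verification and Clear Type 6 Client State sections above can be automated. The following script is an added example, not part of the original chapter or of Cisco IOS XR; it parses the show type6 server and show type6 masterkey update status displays shown on this page (embedded here as constructed samples), classifies the primary key state, and names any client still reported as INPROGRESS. Passing the client name as the argument of clear type6 client is an assumption of this example.

```python
import re

# Sample outputs modelled on this page's show commands (constructed for this example).
SHOW_TYPE6_SERVER_DONE = """\
Fri Jul 19 12:23:49.154 UTC
Server detail information:
=============================================
AES config State       :       Enabled
Masterkey config State :       Enabled
Type6 feature State    :       Enabled
Master key Inprogress  :       No
"""

# The same display while a primary key operation is still running (constructed).
SHOW_TYPE6_SERVER_BUSY = SHOW_TYPE6_SERVER_DONE.replace(
    "Master key Inprogress  :       No", "Master key Inprogress  :       Yes")

SHOW_MASTERKEY_STATUS_BUSY = """\
Thu Sep 17 06:50:07.980 UTC
Type6 masterkey operation is inprogress

Masterkey upate status information:
Client Name                Status
=====================================
keychain                   INPROGRESS
"""


def parse_type6_server(output):
    """Map each 'Field : Value' line of 'show type6 server' to a dict."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^([A-Za-z0-9 ]+?)\s*:\s*(\S+)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_masterkey_status(output):
    """Return {client_name: status} from the client table of
    'show type6 masterkey update status' (empty when no table is shown)."""
    clients = {}
    in_table = False
    for line in output.splitlines():
        if line.startswith("Client Name"):
            in_table = True
            continue
        if not in_table or line.startswith("=") or not line.strip():
            continue
        cols = line.split()
        clients[cols[0]] = cols[-1]
    return clients


def assess_type6(server_output, status_output=""):
    """Classify the primary key state.

    Returns (state, pending_clients). state is 'enabled', 'disabled',
    'inprogress' or 'inconsistent'; pending_clients lists the clients still
    reported INPROGRESS while an operation is running."""
    f = parse_type6_server(server_output)
    if f.get("Master key Inprogress", "").lower() == "yes":
        pending = [c for c, s in parse_masterkey_status(status_output).items()
                   if s.upper() == "INPROGRESS"]
        return "inprogress", pending
    states = {f.get(k) for k in ("AES config State", "Masterkey config State",
                                 "Type6 feature State")}
    if states == {"Enabled"}:
        return "enabled", []
    if states == {"Disabled"}:
        return "disabled", []
    return "inconsistent", []


def clear_commands(pending_clients):
    """Build one clear command per stuck client. The page documents
    'clear type6 client'; using the client name as its argument is an
    assumption of this example."""
    return [f"clear type6 client {c}" for c in pending_clients]


if __name__ == "__main__":
    print(assess_type6(SHOW_TYPE6_SERVER_DONE))
    state, pending = assess_type6(SHOW_TYPE6_SERVER_BUSY, SHOW_MASTERKEY_STATUS_BUSY)
    print(state, pending, clear_commands(pending))
```

The 'inconsistent' result covers the case where the three states disagree (for example, the Type6 feature shows Disabled while the master key shows Enabled), which the page's verification text treats as an incomplete configuration worth re-checking before any key chain relies on it.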

Associated Commands

  • clear type6 client

  • key config-key password-encryption

  • password6 encryption aes

  • show type6

Implementing Key Chain for BGP Sessions (Type 6 Client)

For detailed information about key chains, refer to the Implementing Keychain Management chapter.

If you enable Type 6 password encryption, plain-text keys are encrypted using Type 6 encryption. Enter plain-text key-string input in alphanumeric form. If you enable MACsec with Type 6 password encryption, the key-string input is in hexadecimal format.

Configuration

/* Enter the key chain details */
R1 & R2# configure
R1 & R2(config)# key chain my-test-keychain
R1 & R2(config-type6_password)# key 1

Enter the Type 6 encrypted format using the key-string password6 command.

Note

Using the key-string command, you can enter the password in clear-text format or in Type 6 encrypted (already encrypted password) format, as used in this scenario.

Note

Enable the same key string on all the routers.

R1 & R2 (config-type6_password-1)# key-string password6 606745575e6565$
R1 & R2 (config-type6_password-1)# cryptographic-algorithm MD5
R1 & R2 (config-type6_password-1)# accept-lifetime 1:00:00 october 24 2005 infinite
R1 & R2 (config-type6_password-1)# send-lifetime 1:00:00 october 24 2005 infinite
R1 & R2 (config-type6_password-1)# commit

Verification

Verify key chain trace server information.


R1 & R2# show key chain trace server both

Sat Jul 20 16:44:08.768 UTC
Client file lib/kc/kc_srvr_wr 
4 wrapping entries (18496 possible, 64 allocated, 0 filtered, 4 total)
Jul 20 16:43:26.342 lib/kc/kc_srvr_wr 0/RP0/CPU0 t312 *********kc_srvr process started*********
Jul 20 16:43:26.342 lib/kc/kc_srvr_wr 0/RP0/CPU0 t312 (kc_srvr) Cerrno DLL registration successfull
Jul 20 16:43:26.349 lib/kc/kc_srvr_wr 0/RP0/CPU0 t312 (kc_srvr) Initialised sysdb connection
Jul 20 16:43:26.612 lib/kc/kc_srvr_wr 0/RP0/CPU0 t317 (kc_srvr_type6_thread) Succesfully registered as a type6 client

Verify configuration details for the key chain.


R1 & R2# show key chain type6_password 

Sat Jul 20 17:05:12.803 UTC

Key-chain: my-test-keychain -
  Key 1 -- text "606745575e656546435a4c4a47694647434253554f49414a4f59655a486950566"
    Cryptographic-Algorithm -- MD5
    Send lifetime --  01:00:00, 24 Oct 2005 - Always valid  [Valid now]
    Accept lifetime -- 01:00:00, 24 Oct 2005 - Always valid [Valid now]

Verify Type 6 client information.

Associated Commands

  • key chain

  • key-string password6

  • show key chain trace server both

Creating a BGP Session (Type 6 Password Encryption Use Case)

This example provides the iBGP session creation configuration. To learn how to configure the complete iBGP network, refer to the BGP Configuration Guide for the platform.

Configuration Example


/* Create BGP session on Router1 */
R1# configure
R1(config)# router bgp 65537 

Ensure that you use the same key chain name for the BGP session and the Type 6 encryption (for example, my-test-keychain in this scenario).


R1 (config-bgp)# neighbor 10.1.1.11 remote-as 65537 
R1 (config-bgp)# keychain my-test-keychain
R1 (config-bgp)# address-family ipv4 unicast
R1 (config-bgp)# commit 

Repeat the above steps on Router 2 as well.

Ensure that you use the same session and keychain for all the routers (R1 and R2 in this case).


/* Create BGP session on Router2 */
R2 (config)# router bgp 65537 
R2 (config-bgp)# neighbor 10.1.1.1 remote-as 65537
R2 (config-bgp)# keychain my-test-keychain
R2 (config-bgp)# address-family ipv4 unicast
R2 (config-bgp)# commit 

Verification

On the routers R1 and R2, verify that the BGP NBR state is in the Established state.


R1# show bgp sessions
Neighbor      VRF      Spk    AS      InQ  OutQ  NBRState     NSRState
10.1.1.11     default  0      65537   0    0     Established  None

R2# show bgp sessions
Neighbor      VRF      Spk    AS      InQ  OutQ  NBRState     NSRState
10.1.1.1      default  0      65537   0    0     Established  None
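The two verification steps on this page, checking that the key chain's key is valid now (show key chain) and that the BGP neighbor is Established on both routers (show bgp sessions), can be combined into one health check. The script below is an added example, not part of the original chapter or of Cisco IOS XR. It parses constructed copies of the page's outputs; the addresses 10.1.1.1 for R1 and 10.1.1.11 for R2 are taken from the neighbor statements above, and the constructed "Active" session state for R2 is this example's illustration of a session that never came up after a primary key change made the Type 6 key string unusable.

```python
import re

# Constructed sample outputs, modelled on this page's "show key chain" and
# "show bgp sessions" displays for R1 (10.1.1.1) and R2 (10.1.1.11).
KEYCHAIN_OK = """\
Key-chain: my-test-keychain -
  Key 1 -- text "606745575e656546435a4c4a47694647434253554f49414a4f59655a486950566"
    Cryptographic-Algorithm -- MD5
    Send lifetime --  01:00:00, 24 Oct 2005 - Always valid  [Valid now]
    Accept lifetime -- 01:00:00, 24 Oct 2005 - Always valid [Valid now]
"""
R1_SESSIONS = """\
Neighbor      VRF      Spk    AS      InQ  OutQ  NBRState     NSRState
10.1.1.11     default  0      65537   0    0     Established  None
"""
R2_SESSIONS = """\
Neighbor      VRF      Spk    AS      InQ  OutQ  NBRState     NSRState
10.1.1.1      default  0      65537   0    0     Established  None
"""
# Constructed failure case: R2's session never reached Established, as happens
# when its Type 6 key string became unusable after a primary key change.
R2_SESSIONS_DOWN = R2_SESSIONS.replace("Established", "Active")


def keychain_has_valid_key(output, chain_name):
    """True when chain_name holds a key whose send and accept lifetimes are
    both flagged [Valid now] in 'show key chain' output."""
    in_chain = False
    send_ok = accept_ok = False
    for line in output.splitlines():
        chain = re.match(r"\s*Key-chain:\s+(\S+)", line)
        if chain or re.match(r"\s*Key \d+ --", line):
            # Boundary of a chain or key: judge the key just finished.
            if in_chain and send_ok and accept_ok:
                return True
            send_ok = accept_ok = False
            if chain:
                in_chain = chain.group(1) == chain_name
            continue
        if not in_chain:
            continue
        if "Send lifetime" in line:
            send_ok = "[Valid now]" in line
        elif "Accept lifetime" in line:
            accept_ok = "[Valid now]" in line
    return in_chain and send_ok and accept_ok


def parse_bgp_sessions(output):
    """Return {neighbor: (as_number, nbr_state)} from 'show bgp sessions'."""
    sessions = {}
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "Neighbor":
            continue
        sessions[cols[0]] = (int(cols[3]), cols[6])
    return sessions


def audit_ibgp_pair(keychain_out, chain_name, r1_out, r2_out,
                    r1_addr, r2_addr, local_as):
    """Return a list of findings; an empty list means the pair is healthy.
    The key chain is checked first because a key that is not valid now is
    the usual reason a Type 6 authenticated session never establishes."""
    findings = []
    if not keychain_has_valid_key(keychain_out, chain_name):
        findings.append(f"key chain {chain_name}: no key valid now")
    for router, out, peer in (("R1", r1_out, r2_addr), ("R2", r2_out, r1_addr)):
        sess = parse_bgp_sessions(out)
        if peer not in sess:
            findings.append(f"{router}: no BGP session toward {peer}")
            continue
        peer_as, state = sess[peer]
        if peer_as != local_as:
            findings.append(f"{router}: neighbor {peer} is AS {peer_as}, expected {local_as}")
        if state != "Established":
            findings.append(f"{router}: neighbor {peer} is {state}, not Established")
    return findings


if __name__ == "__main__":
    print(audit_ibgp_pair(KEYCHAIN_OK, "my-test-keychain", R1_SESSIONS,
                          R2_SESSIONS_DOWN, "10.1.1.1", "10.1.1.11", 65537))
```

Because the same key chain name and key string are required on both routers, the example accepts one show key chain output and applies it to the pair; run it against each router's own output if the chains may have drifted apart.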

Associated Commands

  • session-group

  • show bgp sessions