How to Implement Type 6 Password Encryption
Scenario: The following three-step process explains how to use Type 6 password encryption to authenticate BGP sessions between two routers, R1 and R2.
Note: Follow the first two steps for all Type 6 password encryption scenarios. The third step, Creating BGP Sessions, is specific to BGP. To enable Type 6 password encryption for OSPF, IS-IS, or other protocol sessions (the final step), refer to the respective configuration guide. For MACsec authentication, refer to the Configure MACsec chapter.
Enabling Type6 Feature and Creating a Primary Key (Type 6 Server)
The primary key is the password or key that encrypts all plain-text key strings in the router configuration. An Advanced Encryption Standard (AES) symmetric cipher performs the encryption. The router configuration does not store the primary key, and you cannot see or access the primary key when you connect to the router.
Configuration
/* Enter the primary key details */
R1 & R2 # key config-key password-encryption
Fri Jul 19 12:22:45.519 UTC
New password Requirements: Min-length 6, Max-length 64
Characters restricted to [A-Z][a-z][0-9]
Enter new key :
Enter confirm key :
Master key operation is started in background
/* Enable Type 6 password encryption */
R1 & R2 (config)# password6 encryption aes
R1 & R2 (config)# commit
Fri Jul 19 12:22:45.519 UTC
Modifying the Primary Key
Note: A Type 6 primary key update results in a configuration change of the key chain and of the other clients that use Type 6. Hence, perform the primary key update during a maintenance window, not while live sessions are active; otherwise, you might experience session flaps due to these configuration changes. The primary key is not saved to the running configuration, but the change persists across reloads. Note that a primary key update cannot be rolled back.
Enter the key config-key password-encryption command, then enter the old key and the new key when prompted.
R1 & R2# key config-key password-encryption
New password Requirements: Min-length 6, Max-length 64
Characters restricted to [A-Z][a-z][0-9]
Enter old key :
Enter new key :
Enter confirm key :
Master key operation is started in background
Deleting the Primary Key
R1 & R2# configure
R1 & R2 (config)# no password6 encryption aes
R1 & R2 (config)# commit
R1 & R2 (config)# exit
R1 & R2# key config-key password-encryption delete
WARNING: All type 6 encrypted keys will become unusable
Continue with master key deletion ? [yes/no]:yes
Master key operation is started in background
Verification
Verify that the AES configuration state, the primary key configuration state, and the Type 6 feature state are all Enabled, and that the Master key Inprogress field displays No, which indicates that the primary key operation (create, modify, or delete) is complete. When you disable the primary key, Disabled is displayed for all three states.
R1 & R2#show type6 server
Fri Jul 19 12:23:49.154 UTC
Server detail information:
=============================================
AES config State : Enabled
Masterkey config State : Enabled
Type6 feature State : Enabled
Master key Inprogress : No
Verify Type 6 trace server details.
R1 & R2#show type6 trace server all
Fri Jul 19 12:26:05.111 UTC
Client file lib/type6/type6_server_wr
25 wrapping entries (18496 possible, 64 allocated, 0 filtered, 25 total)
Jul 19 09:59:27.168 lib/type6/type6_server_wr 0/RP0/CPU0 t7145 ***** Type6 server process started Respawn count (1) ****
…
…
Jul 19 12:22:59.908 lib/type6/type6_server_wr 0/RP0/CPU0 t7145 User has started Master key operation (CREATE)
Jul 19 12:22:59.908 lib/type6/type6_server_wr 0/RP0/CPU0 t7145 Created Master key in TAM successfully
Jul 19 12:23:00.265 lib/type6/type6_server_wr 0/RP0/CPU0 t7145 Master key Available set to (AVAILABLE)
Jul 19 12:23:00.272 lib/type6/type6_server_wr 0/RP0/CPU0 t7145 Master key inprogress set to (NOT INPROGRESS)
From Cisco IOS XR Software Release 7.0.2 and later, you can use the show type6 masterkey update status command to display the update status of the primary key. Prior to this release, you could use the show type6 clients command for the same purpose.
Router#show type6 masterkey update status
Thu Sep 17 06:48:56.595 UTC
Type6 masterkey operation is NOT inprogress
Router#show type6 masterkey update status
Thu Sep 17 06:50:07.980 UTC
Type6 masterkey operation is inprogress
Masterkey upate status information:
Client Name Status
=====================================
keychain INPROGRESS
Clear Type 6 Client State
You can use the clear type6 client command in XR EXEC mode to clear the Type 6 client state.
If the primary key update operation is stuck at any stage, use this command to clear that state. Track the primary key update operation using the show type6 server command output. If the Master key Inprogress field in that output displays YES, use the show type6 masterkey update status command (or, prior to Release 7.0.2, the show type6 clients command) to identify which client has not completed the operation, and then clear that particular client using the clear command.
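The checks described above (all three server states Enabled, Master key Inprogress showing No, and identifying which client is still INPROGRESS after a primary key update) are easy to automate when the show output is captured by a CLI automation tool. The following Python is an added example, not code from the Cisco documentation; the sample outputs are constructed copies of the show output printed on this page (plus a constructed post-deletion sample in which all states display Disabled), and the parsing keys on the field names shown in that output.

```python
"""Parse IOS XR 'show type6 server' and 'show type6 masterkey update status'
output and report whether the Type 6 server is healthy and which clients are
still mid-update.  Added example; sample outputs are constructed from the
scenario's printed show output."""
import re

# Constructed sample: 'show type6 server' output after a successful primary key operation.
SHOW_TYPE6_SERVER = """\
Fri Jul 19 12:23:49.154 UTC
Server detail information:
=============================================
AES config State : Enabled
Masterkey config State : Enabled
Type6 feature State : Enabled
Master key Inprogress : No
"""

# Constructed sample: the same output after 'key config-key password-encryption delete'.
SHOW_TYPE6_SERVER_DISABLED = """\
Fri Jul 19 12:40:02.000 UTC
Server detail information:
=============================================
AES config State : Disabled
Masterkey config State : Disabled
Type6 feature State : Disabled
Master key Inprogress : No
"""

# Constructed sample: 'show type6 masterkey update status' while the keychain
# client has not yet finished re-encrypting with the new primary key.
SHOW_MASTERKEY_UPDATE_INPROGRESS = """\
Thu Sep 17 06:50:07.980 UTC
Type6 masterkey operation is inprogress
Masterkey upate status information:
Client Name Status
=====================================
keychain INPROGRESS
"""

# Constructed sample: the same command when no update is pending.
SHOW_MASTERKEY_UPDATE_IDLE = """\
Thu Sep 17 06:48:56.595 UTC
Type6 masterkey operation is NOT inprogress
"""

# Matches 'Field name : Value' lines; the timestamp line does not match because
# text follows its last colon-separated token.
FIELD_RE = re.compile(r"^(?P<name>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>\S+)\s*$")


def parse_type6_server(text):
    """Return {field: value} for the 'Name : Value' lines of show type6 server."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("name").strip()] = m.group("value")
    return fields


def type6_server_ok(text):
    """True when AES, primary key and Type6 feature are Enabled and nothing is pending."""
    f = parse_type6_server(text)
    required_enabled = ("AES config State", "Masterkey config State", "Type6 feature State")
    return all(f.get(k) == "Enabled" for k in required_enabled) and f.get("Master key Inprogress") == "No"


def pending_clients(text):
    """Return client names still INPROGRESS in show type6 masterkey update status.

    An empty list means no update is in progress (or every client has finished).
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if any("NOT inprogress" in ln for ln in lines):
        return []
    stuck, in_table = [], False
    for line in lines:
        if line.startswith("="):          # the '=====' rule precedes the client rows
            in_table = True
            continue
        if in_table:
            parts = line.split()
            if len(parts) >= 2 and parts[-1].upper() == "INPROGRESS":
                stuck.append(parts[0])
    return stuck


if __name__ == "__main__":
    print("server healthy:", type6_server_ok(SHOW_TYPE6_SERVER))
    print("after delete:", type6_server_ok(SHOW_TYPE6_SERVER_DISABLED))
    print("clients still updating:", pending_clients(SHOW_MASTERKEY_UPDATE_INPROGRESS))
```

Run the two functions after each primary key create, modify, or delete; a non-empty list from pending_clients names the client to inspect (and, if it never completes, to clear with the clear type6 client command).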
Associated Commands
- clear type6 client
- key config-key password-encryption
- password6 encryption aes
- show type6
Implementing Key Chain for BGP Sessions (Type 6 Client)
For detailed information about key chains, refer to the Implementing Keychain Management chapter.
If you enable Type 6 password encryption, plain-text keys are encrypted using Type 6 encryption. Enter the plain-text key-string input in alphanumeric form. If you enable MACsec with Type 6 password encryption, the key-string input is in hexadecimal format.
Configuration
/* Enter the key chain details */
R1 & R2# configure
R1 & R2(config)# key chain type6_password
R1 & R2(config-type6_password)# key 1
Enter the key in Type 6 encrypted format using the key-string password6 command.
Note: Using the key-string command, you can enter the password in clear-text format or in Type 6 encrypted (already encrypted) format, as used in this scenario.
Note: Use the same key string on all the routers.
R1 & R2 (config-type6_password-1)# key-string password6 606745575e6565$
R1 & R2 (config-type6_password-1)# cryptographic-algorithm MD5
R1 & R2 (config-type6_password-1)# accept-lifetime 1:00:00 october 24 2005 infinite
R1 & R2 (config-type6_password-1)# send-lifetime 1:00:00 october 24 2005 infinite
R1 & R2 (config-type6_password-1)# commit
Verification
Verify key chain trace server information.
R1 & R2# show key chain trace server both
Sat Jul 20 16:44:08.768 UTC
Client file lib/kc/kc_srvr_wr
4 wrapping entries (18496 possible, 64 allocated, 0 filtered, 4 total)
Jul 20 16:43:26.342 lib/kc/kc_srvr_wr 0/RP0/CPU0 t312 *********kc_srvr process started*********
Jul 20 16:43:26.342 lib/kc/kc_srvr_wr 0/RP0/CPU0 t312 (kc_srvr) Cerrno DLL registration successfull
Jul 20 16:43:26.349 lib/kc/kc_srvr_wr 0/RP0/CPU0 t312 (kc_srvr) Initialised sysdb connection
Jul 20 16:43:26.612 lib/kc/kc_srvr_wr 0/RP0/CPU0 t317 (kc_srvr_type6_thread) Succesfully registered as a type6 client
Verify configuration details for the key chain.
R1 & R2# show key chain type6_password
Sat Jul 20 17:05:12.803 UTC
Key-chain: type6_password -
Key 1 -- text "606745575e656546435a4c4a47694647434253554f49414a4f59655a486950566"
Cryptographic-Algorithm -- MD5
Send lifetime -- 01:00:00, 24 Oct 2005 - Always valid [Valid now]
Accept lifetime -- 01:00:00, 24 Oct 2005 - Always valid [Valid now]
Verify Type 6 client information.
Associated Commands
- key chain
- key-string password6
- show key chain trace server both
Creating a BGP Session (Type 6 Password Encryption Use Case)
This example shows the configuration for creating an iBGP session. To configure the complete iBGP network, refer to the BGP Configuration Guide for the platform.
Configuration
/* Create BGP session on Router1 */
R1# configure
R1(config)# router bgp 65537
Ensure that you use the same key chain name for the BGP session and the Type 6 key chain (type6_password in this scenario), and use the same session group and key chain on all routers (R1 and R2 in this case).
R1 (config-bgp)# session-group bgp-type6-session keychain type6_password
R1 (config-bgp)# neighbor 10.1.1.11 remote-as 65537
R1 (config-bgp)# commit
/* Create BGP session on Router2 */
R2 (config)# router bgp 65537
R2 (config-bgp)# session-group bgp-type6-session keychain type6_password
R2 (config-bgp)# neighbor 10.1.1.1 remote-as 65537
R2 (config-bgp)# commit
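The requirements spelled out in this step and the previous one (the same key string on every router, the BGP session-group referencing a key chain that actually exists, and the peers agreeing on the AS) are exactly the kind of drift that produces a session that never reaches Established. The following Python is an added example, not part of the Cisco documentation, that audits the command lists for both routers before they are pushed. It assumes each router's configuration is available as the CLI commands in the form this scenario shows them; the sample configurations are constructed from the scenario (the password6 value is the page's truncated string, not a real key), and the drift sample is constructed to show the findings.

```python
"""Cross-router audit of Type 6 key chain and BGP session configuration.
Added example; router configs are constructed from the scenario's commands."""
import re

# Constructed: R1 and R2 as configured in the scenario.
R1_CONFIG = """\
key chain type6_password
 key 1
  key-string password6 606745575e6565$
  cryptographic-algorithm MD5
router bgp 65537
 session-group bgp-type6-session keychain type6_password
 neighbor 10.1.1.11 remote-as 65537
"""

R2_CONFIG = """\
key chain type6_password
 key 1
  key-string password6 606745575e6565$
  cryptographic-algorithm MD5
router bgp 65537
 session-group bgp-type6-session keychain type6_password
 neighbor 10.1.1.1 remote-as 65537
"""

# Constructed drift case: the key was typed in clear text under a differently
# named chain on R2, so the session-groups on R1 and R2 no longer agree.
R2_CONFIG_DRIFT = """\
key chain type6_pw
 key 1
  key-string ClearTextSecret1
  cryptographic-algorithm MD5
router bgp 65537
 session-group bgp-type6-session keychain type6_pw
 neighbor 10.1.1.1 remote-as 65537
"""


def parse_router(text):
    """Extract key chains and BGP session settings from one router's command list."""
    cfg = {"keychains": {}, "bgp_as": None, "session_keychains": set(), "neighbors": {}}
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("key chain "):
            chain = line.split()[2]
            cfg["keychains"][chain] = {"keys": [], "algorithm": None, "clear_text": False}
        elif line.startswith("key-string ") and chain:
            parts = line.split()
            if parts[1] == "password6":             # already Type 6 encrypted
                cfg["keychains"][chain]["keys"].append(("password6", parts[2]))
            else:                                    # clear text in the config source
                cfg["keychains"][chain]["keys"].append(("clear", parts[1]))
                cfg["keychains"][chain]["clear_text"] = True
        elif line.startswith("cryptographic-algorithm ") and chain:
            cfg["keychains"][chain]["algorithm"] = line.split()[1]
        elif line.startswith("router bgp "):
            chain = None
            cfg["bgp_as"] = int(line.split()[2])
        elif line.startswith("session-group "):
            m = re.search(r"\bkeychain\s+(\S+)", line)
            if m:
                cfg["session_keychains"].add(m.group(1))
        elif line.startswith("neighbor "):
            m = re.match(r"neighbor\s+(\S+)\s+remote-as\s+(\d+)", line)
            if m:
                cfg["neighbors"][m.group(1)] = int(m.group(2))
    return cfg


def audit(routers):
    """Return a list of findings for {router_name: config_text}; empty means consistent."""
    findings = []
    parsed = {name: parse_router(text) for name, text in routers.items()}
    local_ases = {cfg["bgp_as"] for cfg in parsed.values()}
    for name, cfg in parsed.items():
        for chain, info in cfg["keychains"].items():
            if info["clear_text"]:
                findings.append(f"{name}: key chain {chain} has a clear-text key-string in the config source")
        for chain in cfg["session_keychains"]:
            if chain not in cfg["keychains"]:
                findings.append(f"{name}: session-group references undefined key chain {chain}")
        for peer, remote_as in cfg["neighbors"].items():
            if remote_as not in local_ases:          # iBGP: remote-as must be a peer's local AS
                findings.append(f"{name}: neighbor {peer} remote-as {remote_as} matches no router in the set")
    # Every router must reference the same key chain name with identical key material.
    names = sorted(parsed)
    for a, b in zip(names, names[1:]):
        ca, cb = parsed[a], parsed[b]
        if ca["session_keychains"] != cb["session_keychains"]:
            findings.append(f"{a}/{b}: BGP session-groups reference different key chains")
        for chain in ca["session_keychains"] & cb["session_keychains"]:
            ka, kb = ca["keychains"].get(chain, {}), cb["keychains"].get(chain, {})
            if ka.get("keys") != kb.get("keys") or ka.get("algorithm") != kb.get("algorithm"):
                findings.append(f"{a}/{b}: key chain {chain} differs (key-string or algorithm)")
    return findings


if __name__ == "__main__":
    print("scenario:", audit({"R1": R1_CONFIG, "R2": R2_CONFIG}))
    print("drift:", audit({"R1": R1_CONFIG, "R2": R2_CONFIG_DRIFT}))
```

The clear-text finding is deliberate even though the router would encrypt such a key once password6 encryption aes is enabled: the audit runs on the configuration source, where a clear-text key-string is a secret sitting in a file or automation repository.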
Verification
Verify that the BGP neighbor state (NBRState) is Established on both R1 and R2.
R1# show bgp sessions
Neighbor VRF Spk AS InQ OutQ NBRState NSRState
10.1.1.11 default 0 65537 0 0 Established None
R2# show bgp sessions
Neighbor VRF Spk AS InQ OutQ NBRState NSRState
10.1.1.1 default 0 65537 0 0 Established None
Associated Commands
- session-group
- show bgp sessions