The hrp checksum encryption-key command specifies the SHA256 algorithm and user-defined key used by the active and standby devices to calculate the HRP packet checksum.
The undo hrp checksum encryption-key command restores the algorithm used to calculate the HRP packet checksum to the default algorithm, namely, the CRC algorithm.
| Parameter | Description | Value |
|---|---|---|
| encryption-key | Specifies the key used by the active and standby devices to calculate the HRP packet checksum using the SHA256 algorithm. | |
By default, the active/standby device uses the CRC algorithm to calculate the HRP packet checksum.
Application Scenarios
In hot standby networking, two FWs use heartbeat interfaces to send and receive VGMP packets, HRP heartbeat packets, HRP link detection packets, HRP data packets, and consistency check packets (hereinafter referred to as HRP packets), so that each FW informs its peer of its configuration and status information. When the heartbeat interfaces of the two FWs are connected through a switch or router, you can run the hrp checksum encryption-key command so that the two FWs use the more secure SHA256 verification algorithm to calculate the checksum of HRP packets.
Configuration Impact
The hrp checksum encryption-key configuration takes effect only after the hrp checksum enable command is run. After hrp checksum enable is configured, the sending FW calculates the checksum of each HRP packet during data encapsulation, using the verification algorithm set by the hrp checksum encryption-key command. After receiving the HRP packet, the receiving FW calculates the checksum with the same verification algorithm and checks whether the result matches the checksum calculated by the sender. If the two values are the same, the HRP packet is accepted. Otherwise, the HRP packet is discarded.
hrp checksum enable and hrp checksum encryption-key support backup. After two FWs are configured in hot standby mode, the hrp checksum enable command needs to be run only on the active device.
Precautions
The hrp checksum enable and hrp checksum encryption-key configurations on the two FWs must be the same. Otherwise, HRP packets will be discarded due to validity check failures.
HRP packet checksum calculation consumes CPU resources, which affects the processing performance of the FW, and a more secure algorithm has a greater impact on performance. If high device performance is required, you can use the default verification algorithm (that is, run the undo hrp checksum encryption-key command) or temporarily disable the HRP packet validity check function. After this function is disabled, the integrity and correctness of the HRP packets exchanged between the active and standby FWs cannot be guaranteed.
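
The sender and receiver checks described under Configuration Impact, and the mismatch case under Precautions, modelled as an added Python example; it is not Huawei code. The packet layout, sample payloads and keys are constructed, and HMAC-SHA256 is an assumption standing in for the device's keyed SHA256 calculation, which this page does not specify.

```python
import hashlib
import hmac
import zlib

TAG_LEN = {"crc": 4, "sha256": 32}  # checksum length in bytes per algorithm

def checksum(payload: bytes, algo: str, key: bytes = b"") -> bytes:
    """Compute the packet checksum; 'crc' is unkeyed, 'sha256' uses the shared key."""
    if algo == "crc":
        return zlib.crc32(payload).to_bytes(4, "big")
    if algo == "sha256":
        # Assumption: HMAC-SHA256 stands in for the device's keyed SHA256 checksum.
        return hmac.new(key, payload, hashlib.sha256).digest()
    raise ValueError(f"unknown algorithm: {algo}")

def encapsulate(payload: bytes, algo: str, key: bytes = b"") -> bytes:
    """Sender side: append the checksum during encapsulation."""
    return payload + checksum(payload, algo, key)

def receive(packet: bytes, algo: str, key: bytes = b""):
    """Receiver side: recompute and compare; return the payload, or None if discarded."""
    n = TAG_LEN[algo]
    if len(packet) < n:
        return None
    payload, tag = packet[:-n], packet[-n:]
    ok = hmac.compare_digest(tag, checksum(payload, algo, key))
    return payload if ok else None

def demo() -> dict:
    msg = b"constructed HRP payload: state=active"       # constructed sample
    altered = b"constructed HRP payload: state=standby"  # content changed in transit
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"
    return {
        "crc_ok": receive(encapsulate(msg, "crc"), "crc") == msg,
        # An unkeyed CRC can be recomputed by any device that alters the packet.
        "crc_altered_accepted": receive(encapsulate(altered, "crc"), "crc") == altered,
        "sha_ok": receive(encapsulate(msg, "sha256", key_a), "sha256", key_a) == msg,
        # A checksum recomputed without the configured key does not verify.
        "sha_altered_discarded":
            receive(encapsulate(altered, "sha256", key_b), "sha256", key_a) is None,
        # Precautions: different keys or algorithms on the two FWs mean discards.
        "key_mismatch_discarded":
            receive(encapsulate(msg, "sha256", key_a), "sha256", key_b) is None,
        "algo_mismatch_discarded":
            receive(encapsulate(msg, "crc"), "sha256", key_a) is None,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
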