The tcp-algorithm-id command specifies the ID of the TCP algorithm to be configured for the keychain.
The undo tcp-algorithm-id command restores the default TCP algorithm ID specified by IANA.
By default, the TCP algorithm ID specified by IANA is adopted.
tcp-algorithm-id { md5 | sha-1 | hmac-md5 | hmac-sha1-12 | hmac-sha1-20 | hmac-sha-256 | sha-256 } algorithm-id
undo tcp-algorithm-id { md5 | sha-1 | hmac-md5 | hmac-sha1-12 | hmac-sha1-20 | hmac-sha-256 | sha-256 }
| Parameter | Description | Value |
|---|---|---|
| md5 | Indicates that MD5 is used to encrypt and authenticate packets. NOTE: To ensure high security, do not use the MD5 algorithm. | The value is 16 bytes. |
| sha-1 | Indicates that SHA-1 is used to encrypt and authenticate packets. | The value is 20 bytes. |
| hmac-md5 | Indicates that HMAC-MD5 is used to encrypt and authenticate packets. | The value is 16 bytes. |
| hmac-sha1-12 | Indicates that HMAC-SHA1-12 is used to encrypt and authenticate packets. | The value is 12 bytes. |
| hmac-sha1-20 | Indicates that HMAC-SHA1-20 is used to encrypt and authenticate packets. | The value is 20 bytes. |
| hmac-sha-256 | Indicates that HMAC-SHA-256 is used to encrypt and authenticate packets. NOTE: The HMAC-SHA-256 authentication mode is better and more secure than the other authentication modes. To ensure high security, the HMAC-SHA-256 authentication algorithm is recommended. | The value is 32 bytes. |
| sha-256 | Indicates that SHA-256 is used to encrypt and authenticate packets. | The value is 32 bytes. |
| algorithm-id | Specifies a TCP algorithm ID to represent the algorithm. | The value ranges from 1 to 63. Default mapping between algorithm IDs and algorithms: md5 for 3, sha-1 for 4, hmac-md5 for 5, hmac-sha1-12 for 2, hmac-sha1-20 for 6, hmac-sha-256 for 7, and sha-256 for 8. |
Usage Scenario
A keychain ensures secure protocol packet transmission by changing the authentication algorithm and key dynamically. Packets transmitted over both non-TCP and TCP connections are authenticated using the authentication and encryption algorithms that correspond to a key ID. The difference is that a TCP connection itself additionally needs to be authenticated to enhance security.
The TCP connection is authenticated using the authentication algorithm specified by the algorithm ID. The algorithm ID is not defined by the IANA, and different vendors use different algorithm IDs to identify authentication algorithms. When two devices from different vendors are connected, ensure that the algorithm IDs configured on the two devices are identical.
Prerequisites
The authentication algorithm used to authenticate the TCP connection needs to be specified.
Implementation Procedure
The algorithm IDs configured for the two communication devices must be identical:
Message Digest 5 (MD5): The 128-bit MD5 message digest is calculated from an input message of any length.
Secure Hash Algorithm 1 (SHA-1): The 160-bit SHA-1 message digest is calculated from an input message shorter than 2^64 bits.
Hash-based Message Authentication Code-MD5 (HMAC-MD5): The 128-bit HMAC-MD5 message digest is calculated from a 512-bit message that is derived from the input message of any length.
If the input message is shorter than 512 bits, it is padded with 0s to 512 bits. If the input message is longer than 512 bits, it is first reduced to a 128-bit message with the MD5 algorithm and then padded with 0s to 512 bits.
HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated from a 512-bit message that is derived from the input message of any length. Only the leftmost 96 bits (12 x 8) are used as the authentication code.
HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated from a 512-bit message that is derived from the input message of any length. All 160 bits are used as the authentication code.
SHA-256: The 256-bit SHA-2 message digest is calculated from an input message shorter than 2^64 bits.
HMAC-SHA-256: The 256-bit HMAC-SHA-256 message digest is calculated from a 512-bit message that is derived from the input message of any length. All 256 bits are used as the authentication code.
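The following added example (not code from the command reference or the vendor) shows, for the keywords in the parameter table above, how the authentication code lengths in the "Value" column arise, including the 96-bit truncation of HMAC-SHA1-12, and how a mismatch in the algorithm-ID mapping between two peers is caught before a session is brought up. It assumes the segment is an opaque byte string (the vendor's serialisation of the TCP header is not described on this page) and, for the non-HMAC keywords, assumes the RFC 2385 style "hash(segment || key)" construction, which the page does not state.

```python
import hashlib
import hmac

# Default algorithm-ID mapping taken from the parameter table above.
DEFAULT_ALGORITHM_IDS = {
    "hmac-sha1-12": 2, "md5": 3, "sha-1": 4, "hmac-md5": 5,
    "hmac-sha1-20": 6, "hmac-sha-256": 7, "sha-256": 8,
}

# Authentication-code length in bytes per keyword (the "Value" column).
CODE_LENGTHS = {
    "md5": 16, "sha-1": 20, "hmac-md5": 16, "hmac-sha1-12": 12,
    "hmac-sha1-20": 20, "hmac-sha-256": 32, "sha-256": 32,
}


def tcp_auth_code(algorithm: str, key: bytes, segment: bytes) -> bytes:
    """Authentication code for one TCP segment under the given keyword.

    HMAC keywords use RFC 2104 HMAC; hmac-sha1-12 keeps only the leftmost
    96 bits of the 160-bit result. The plain md5/sha-1/sha-256 keywords
    hash the segment with the key appended (assumption, RFC 2385 style).
    """
    if algorithm in ("md5", "sha-1", "sha-256"):
        digest = {"md5": hashlib.md5, "sha-1": hashlib.sha1,
                  "sha-256": hashlib.sha256}[algorithm]
        code = digest(segment + key).digest()
    elif algorithm in ("hmac-md5", "hmac-sha1-12", "hmac-sha1-20", "hmac-sha-256"):
        digest = {"hmac-md5": hashlib.md5, "hmac-sha1-12": hashlib.sha1,
                  "hmac-sha1-20": hashlib.sha1,
                  "hmac-sha-256": hashlib.sha256}[algorithm]
        code = hmac.new(key, segment, digest).digest()
    else:
        raise ValueError(f"unknown algorithm keyword: {algorithm}")
    return code[:CODE_LENGTHS[algorithm]]  # truncation only bites for hmac-sha1-12


def verify_segment(algorithm: str, key: bytes, segment: bytes, received: bytes) -> bool:
    """Receiver-side check; constant-time comparison avoids a timing side channel."""
    return hmac.compare_digest(tcp_auth_code(algorithm, key, segment), received)


def peers_agree(local_ids: dict, remote_ids: dict, algorithm: str) -> bool:
    """Both ends must map the chosen keyword to the same algorithm ID."""
    return algorithm in local_ids and local_ids[algorithm] == remote_ids.get(algorithm)


if __name__ == "__main__":
    key, segment = b"constructed-keychain-key", b"constructed TCP segment bytes"  # constructed samples
    for alg in CODE_LENGTHS:
        print(f"{alg:13s} {tcp_auth_code(alg, key, segment).hex()}")
    other_vendor = {**DEFAULT_ALGORITHM_IDS, "hmac-sha-256": 1}  # constructed: peer maps hmac-sha-256 to 1
    print("peers agree on hmac-sha-256:", peers_agree(DEFAULT_ALGORITHM_IDS, other_vendor, "hmac-sha-256"))
```

The HMAC-SHA1-12 code is the 20-byte HMAC-SHA1-20 code cut to its first 12 bytes, which is why the two keywords share one hash but differ in the "Value" column.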
Precautions
Each algorithm ID uniquely identifies an algorithm.