Using SKIP
This document describes Simple Key-Management for Internet Protocols (SKIP), which is an optional security feature that works with OpenROUTE Networks Virtual Private Networks (VPNs).
This document has the following topics:
Introducing SKIP
How SKIP Works
Exporting Algorithms from the United States
Configuring SKIP
SKIP Commands
Introducing SKIP
This chapter describes the SKIP component of OpenROUTE Networks VPN software. VPNs begin with IP Tunnel interfaces, which are virtual paths to other nodes in the virtual network. SKIP provides security to traffic passing through IP tunnels by authenticating and encrypting the data.
This document explains how SKIP works, describes how to set up SKIP, and defines the SKIP commands.
SKIP works with the IP Tunnel software by encrypting and signing outbound traffic before sending the traffic through the IP tunnel and by decrypting and authenticating inbound traffic from the IP tunnel. This process verifies that a packet actually came from the remote tunnel endpoint and that the packet was not tampered with en route to the local SKIP peer. It also protects data as it passes through the tunnel.
Figure 1 shows a router that has three IP Tunnel interfaces, each connecting to a different location in the VPN. SKIP authenticates and encrypts traffic on interfaces 2 and 3.
Figure 1 How SKIP Works with the IP Tunnel Software
Terminology
This document uses the following terminology.
bulk authentication
The algorithm SKIP uses to sign outbound packets. This signature lets the receiver check that the packet was not tampered with or forged. See set authentication.
bulk encryption
The algorithm SKIP uses, along with the short-term key, to encrypt user data. See set bulk-encryption.
master encryption key
A key, or value, SKIP uses to encrypt short-term keys. It is called a master key because it does not encrypt user data; it only encrypts other keys. Also known as the shared secret.
master encryption algorithm
The algorithm SKIP uses to encrypt short-term keys when those keys change. It is called a master algorithm because it does not encrypt user data; it only encrypts other keys.
modulus length
The length of the prime modulus, 512, 1024, or 2048 bits, which defines the key length of Unsigned Diffie-Hellman (UDH) certificates.
payload
The original IP packet being sent using SKIP and the IP Tunnel.
private key
A value that a SKIP peer uses, along with the remote peer's public key, to calculate the master encryption key.
public key
A value that a SKIP peer uses, along with its own private key, to calculate the master encryption key.
rekey interval
How often SKIP changes its short-term key.
short-term key
A key that two SKIP peers use to encrypt and decrypt user data that they send to each other. This key is a random number that changes every rekey interval.
shared secret
A key, or value, SKIP uses to encrypt short-term keys when those keys change. Also called the master encryption key.
Unsigned Diffie-Hellman (UDH) certificate
A certificate that provides a simple, secure way for SKIP peers to exchange public keys without requiring a third-party Certificate Authority (CA).
RFCs Supported
The OpenROUTE Networks IP security for VPNs implements the following RFCs:
Compatibility
This SKIP implementation is compatible with the Sun Microsystems implementation of the Tunnel Mode of SKIP. OpenROUTE routers can securely exchange information with both SunScreen SKIP for Windows 95 and Windows NT software and the SUNScreen EFS and SPF Server systems.
Sun Microsystems implements SKIP key exchange using both SKIP Unsigned Diffie-Hellman (UDH) certificates and X.509 certificates. X.509 certificates are obtained from certificate authorities. OpenROUTE Networks implements key exchange using only UDH certificates.
SKIP is distinct from, and incompatible with, Internet Security Association Key Management Protocol (ISAKMP).
How SKIP Works
SKIP uses keys, also called secrets, to authenticate data and to encrypt and decrypt data. In order for two SKIP peers to communicate, each side needs to use the same key, called a master encryption key (a shared secret). SKIP's key exchange mechanism allows SKIP peers to derive shared secrets from public/private key pairs.
SKIP uses a two-level encryption and authentication process. The first level encrypts and authenticates the process of exchanging keys. The second level encrypts and authenticates actual user data.
When SKIP receives a packet, it
- 1. Identifies the packet source. See Identifying the Packet Source.
- 2. Exchanges public keys with the source using Unsigned Diffie-Hellman (UDH) certificates.
- 3. Calculates a master encryption key, also called a shared secret. To calculate the master encryption key, each SKIP peer uses its own private key along with the other peer's public key.
Note:
If the remote SKIP peer does not support certificates, you can manually set a secret on each peer. See add secret.
- 4. Calculates a short-term encryption key using a random number generator. SKIP repeats this step, which changes the short-term key, at a regular interval. The default interval is one minute.
- 5. Encrypts the short-term encryption key using the master encryption key and a master encryption algorithm and sends the short-term key to the remote peer.
- 6. Uses the short-term key along with the bulk encryption and bulk authentication algorithms to encrypt and authenticate user data it sends to the remote peer.
SKIP is sessionless, which means that each SKIP packet contains algorithms used to compute secrets, authenticate and encrypt data, and compress data. This information is in a header that SKIP adds to IP packets.
Identifying the Packet Source
In addition to the source and destination IP addresses in the outer IP header, SKIP headers can include names, called name-spaces, to identify the packet source and/or destination. Defining a name space allows SKIP peers to identify the source even if the source uses dynamic IP addressing.
This version of SKIP supports the following name spaces:
See also local-name and remote-name.
Exchanging Public Keys Using UDH Certificates
SKIP uses public/private-key cryptography to create a master encryption key. Each SKIP peer has a private key and a public key. SKIP peers exchange public keys and then each peer uses its private key along with the remote peer's public key to calculate the master key.
To send public keys securely from one SKIP peer to another, this SKIP implementation uses Unsigned Diffie-Hellman (UDH) certificates. Other SKIP implementations use a third-party Certificate Authority (CA) to obtain their public keys. However, UDH certificates allow SKIP to get public keys directly from the other SKIP peer. UDH certificates provide a simple, secure way to exchange public keys without requiring a third party CA.
Key Lengths
In addition to public keys, UDH certificates contain two constants called the modulus, which determines the key length, and the base. The base is always 2, but there are three different values of the modulus. These values are prime numbers with lengths of 512, 1024, and 2048 bits. Since there are three values for the modulus, there are three possible certificates you can store in the router. The router uses the same one, two, or three certificates to perform the Diffie-Hellman key exchange with all remote peers.
Note:
Not all key lengths are available for export from the United States. See Exporting Algorithms from the United States.
Typically, an organization standardizes on one modulus length for simplicity, but some organizations, especially those with offices both inside and outside the United States (U.S.), may need multiple certificates. Sites outside the U.S. can request the certificate with a 512-bit modulus and sites inside the U.S. can request the certificate with a 512-, 1024-, or 2048-bit modulus.
Authenticating UDH Certificates
Each UDH certificate has a unique MD5/UDH signature that SKIP computes by running the MD5 algorithm over the certificate. The receiving router ensures the authenticity of a UDH certificate by comparing the signature to a manually entered value obtained from the administrator of the sending location.
SKIP uses this signature as the SKIP name assigned to the router, client, or server that owns (that is, that created) the certificate. Other routers, clients, or servers use this signature as the destination name in SKIP packets they send to the certificate owner.
The UDH certificate authentication and exchange works as follows:
- 1. Routers, clients, or servers that need to communicate with the owner of a certificate send a Certificate Request message. This message includes the certificate's signature and indicates which certificate, or modulus length, the requester needs.
- 2. The certificate owner sends the certificate to the requester.
- 3. Once the requester receives the returned certificate, the requester computes the MD5 algorithm over the certificate and compares the result to the value stored as the destination name.
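The signature check in steps 1 to 3, worked through as an added Python example (not code from this document or from the OpenROUTE software): it computes an MD5 signature over a constructed certificate, prints it the way the router displays an MD5/UDH signature, and applies the requester's checks: signature equal to the configured remote name, modulus length as requested, and the router's clock inside the five-year validity window described under Setting the Time on the Router. The certificate layout, the sample public key and the dates are assumptions made for this example.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Toy UDH certificate layout for this example (the page does not show the real
# SKIP/UDH encoding): modulus length in bits (2 bytes), not-valid-before and
# not-valid-after as Unix seconds (4 bytes each), then the public key.
HEADER = "!HII"
HEADER_LEN = struct.calcsize(HEADER)


def five_years_after(when):
    """Not-valid-after is five years from creation, as the page states."""
    try:
        return when.replace(year=when.year + 5)
    except ValueError:  # certificate created on 29 February
        return when.replace(year=when.year + 5, day=28)


def encode_udh_certificate(modulus_bits, created, public_key):
    """Serialise a certificate created at `created` (a timezone-aware datetime)."""
    if modulus_bits not in (512, 1024, 2048):
        raise ValueError("modulus length must be 512, 1024 or 2048 bits")
    header = struct.pack(HEADER, modulus_bits, int(created.timestamp()),
                         int(five_years_after(created).timestamp()))
    return header + public_key.to_bytes(modulus_bits // 8, "big")


def md5_udh_signature(cert_bytes):
    """MD5 over the whole certificate, printed the way the router shows it:
    eight groups of four hex digits, e.g. 9C2A-8448-3750-6266-29B8-2B02-3470-7098."""
    digest = hashlib.md5(cert_bytes).hexdigest().upper()
    return "-".join(digest[i:i + 4] for i in range(0, 32, 4))


def verify_received_certificate(cert_bytes, remote_name, requested_bits, now):
    """The requester's checks on a certificate returned for a Certificate Request.
    `remote_name` is the MD5/UDH signature the administrator entered with
    set remote-name; `now` is the router's own clock. Returns (ok, reason)."""
    if md5_udh_signature(cert_bytes) != remote_name.upper():
        return False, "signature does not match the configured remote name"
    modulus_bits, not_before, not_after = struct.unpack(HEADER, cert_bytes[:HEADER_LEN])
    if modulus_bits != requested_bits:
        return False, f"got a {modulus_bits}-bit certificate, requested {requested_bits}"
    ts = int(now.timestamp())
    if ts < not_before:
        return False, "certificate not yet valid; check the time on the router"
    if ts > not_after:
        return False, "certificate expired"
    return True, "certificate authenticated"


# Constructed sample: a 1024-bit certificate created 7/9/97, matching the dates
# in the router's list certificate output; the public key is a made-up value.
SAMPLE_CREATED = datetime(1997, 7, 9, tzinfo=timezone.utc)
SAMPLE_PUBLIC_KEY = int.from_bytes(hashlib.sha512(b"constructed public key").digest() * 2, "big")
SAMPLE_CERT = encode_udh_certificate(1024, SAMPLE_CREATED, SAMPLE_PUBLIC_KEY)
SAMPLE_SIGNATURE = md5_udh_signature(SAMPLE_CERT)   # what add certificate would display

if __name__ == "__main__":
    print("New certificate's MD5/UDH signature is", SAMPLE_SIGNATURE)
    now = datetime(1998, 1, 1, tzinfo=timezone.utc)
    print(verify_received_certificate(SAMPLE_CERT, SAMPLE_SIGNATURE, 1024, now))
    tampered = SAMPLE_CERT[:-1] + bytes([SAMPLE_CERT[-1] ^ 1])
    print(verify_received_certificate(tampered, SAMPLE_SIGNATURE, 1024, now))
```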
Computing and Using Master Keys and Short-Term Keys
Once SKIP peers have exchanged public keys using UDH certificates, each SKIP peer uses its own private key and the other's public key to compute a master encryption key. The Diffie-Hellman algorithm ensures that the SKIP peers compute the same key. This master encryption key, which is a 16-byte number, drives the rest of the SKIP encryption process.
Note:
You can manually set a master encryption key if the remote device does not support certificates. If you manually set a master encryption key for a destination, the router does not exchange certificates with that destination.
SKIP uses a random number generator to create a short-term key. A rekeying interval defines the lifetime of each short-term key. The default is one minute. When this interval expires, SKIP creates a new short-term key for the destination.
To securely send the new short-term key to the SKIP peer, SKIP encrypts the new short-term key using the master encryption algorithm along with the master encryption key before sending the new key to the SKIP peer.
The router performs the actual encrypting and signing of IP packets using the short-term key along with the bulk encryption and bulk authentication algorithms.
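The key exchange outlined in the six steps under How SKIP Works and detailed in this section, as an added Python example (not code from this document or from OpenROUTE): each peer holds a certificate per modulus length, both peers derive the same 16-byte master key with base-2 Diffie-Hellman, a destination given a secret with add secret skips the exchange, and the short-term key is redrawn once the rekey interval has elapsed. Assumptions for the example: a 128-bit safe prime generated at run time stands in for the real 1024-bit modulus, the master key is taken as the low-order 128 bits of the shared value, and short-term keys are 8 bytes.

```python
import secrets

BASE = 2                      # UDH certificates always use base 2
DEFAULT_REKEY_INTERVAL = 60   # seconds; the page allows 30 to 3600
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, adequate for the toy modulus generated below."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_safe_prime(bits):
    """Safe prime p = 2q + 1 of exactly `bits` bits: a fast, self-contained
    stand-in for the page's real 512-, 1024- and 2048-bit moduli."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

class SkipPeer:
    """A SKIP endpoint: one certificate per modulus length, a master key per
    destination (derived, or entered with add secret), a rotating short-term key."""

    def __init__(self, name, moduli, rekey_interval=DEFAULT_REKEY_INTERVAL):
        if not 30 <= rekey_interval <= 3600:
            raise ValueError("rekey interval must be 30 to 3600 seconds")
        self.name = name
        self.rekey_interval = rekey_interval
        self.certificates = {}       # modulus length -> (modulus, private, public)
        for bits, p in moduli.items():
            priv = secrets.randbelow(p - 2) + 1
            self.certificates[bits] = (p, priv, pow(BASE, priv, p))
        self.master_keys = {}        # destination -> 16-byte master key
        self.manual_secrets = set()  # destinations configured with add secret
        self.short_term_key = None
        self.last_rekey = None

    def certificate(self, bits):
        if bits not in self.certificates:
            raise ValueError(f"{self.name} has no {bits}-bit certificate; add one first")
        return self.certificates[bits]

    def add_secret(self, destination, secret):
        """add secret: a manual 16-byte master key; no certificate exchange after that."""
        if len(secret) != 16:
            raise ValueError("secret must be 16 bytes")
        self.master_keys[destination] = bytes(secret)
        self.manual_secrets.add(destination)

    def derive_master_key(self, destination, remote_public, bits):
        """Own private key with the remote public key. Both sides must use a
        certificate of the same modulus length or they compute different keys."""
        if destination in self.manual_secrets:
            raise RuntimeError(f"{destination} uses a manual secret; no exchange")
        p, priv, _ = self.certificate(bits)
        shared = pow(remote_public, priv, p)
        # Assumption for this example: the 16-byte master key is the low-order
        # 128 bits of the shared value; the page only says the key is 16 bytes.
        key = (shared & ((1 << 128) - 1)).to_bytes(16, "big")
        self.master_keys[destination] = key
        return key

    def current_short_term_key(self, now):
        """Return the short-term key, drawing a fresh random one once the rekey
        interval has elapsed. 8 bytes suits the DES-CBC bulk encrypter (assumption)."""
        if self.last_rekey is None or now - self.last_rekey >= self.rekey_interval:
            self.short_term_key = secrets.token_bytes(8)
            self.last_rekey = now
        return self.short_term_key

def exchange(a, b, bits):
    """Each peer fetches the other's certificate of the requested modulus length
    and derives the master key; Diffie-Hellman makes both results equal."""
    pub_a, pub_b = a.certificate(bits)[2], b.certificate(bits)[2]
    return a.derive_master_key(b.name, pub_b, bits), b.derive_master_key(a.name, pub_a, bits)

if __name__ == "__main__":
    modulus = toy_safe_prime(128)   # stands in for the shared 1024-bit modulus
    boston, jimmy = SkipPeer("boston", {1024: modulus}), SkipPeer("jimmy", {1024: modulus})
    k_boston, k_jimmy = exchange(boston, jimmy, 1024)
    print("master keys agree:", k_boston == k_jimmy, k_boston.hex())
```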
SKIP Data Flows
SKIP supports one or more simultaneous data flows that represent IP tunnels to different remote tunnel endpoints. You define the number of data flows for an IP Tunnel using the set max-users command. The default is 16. At any time, the number of flows from SKIP clients is the same as the number of flows from SKIP to the IP tunnel; the flows map one-to-one.
Figure 2 How SKIP Works with the IP Tunnel Software
Exporting Algorithms from the United States
OpenROUTE provides several encryption and authentication algorithms to provide different levels of encryption or authentication strength.
United States (U.S.) government encryption export policy limits the key size, and hence the strength, of encryption equipment exported outside of the U.S., with the exception of Canada. OpenROUTE Networks provides different software for domestic, export-controlled, and global use. Export-controlled key lengths are available to overseas offices of U.S. corporations or subsidiaries or for organizations that receive export permission from the United States government.
The following table shows the algorithms and key lengths provided in these three versions of software.
Configuring SKIP
This section covers the following:
Using IP Tunnels With SKIP gives examples of configuring SKIP on different types of IP Tunnels.
Securing Access to the Router
SKIP requires secure access to the router itself. You must enable console login with administrative access and passwords to prevent unauthorized entry into the router. If someone gains administrative access to the router, they can easily subvert SKIP by disabling it.
Use the add user command at the Config> prompt to set up a user with administrative access. Adding a user automatically enables console login.
Setting the Time on the Router
You must set the correct time of day and offset from Greenwich Mean Time (GMT) on the router before you configure SKIP. SKIP headers include a time stamp, and a SKIP peer does not accept packets whose time stamp differs by more than one hour from its own time.
In addition, certificates have a not-valid-before time, which is the time the certificate was created, and a not-valid-after time, which is five years from the time the certificate was created. If SKIP peers do not have their time synchronized, a SKIP peer could receive a packet before the certificate's not-valid-before time and discard the packet.
The router does not allow you to create certificates if you have not set the time of day. However, since the router cannot know if the set time is correct, you must make sure the time of day in the router is correct before adding certificates.
To check the time set on the router, enter time list at the Config> prompt.
To set the time, enter the following commands at the Config> prompt.
Setting Up the Router to Poll a Time Server
GT 60 Series, GT 70 Series, and GTS 100 Series routers do not save the set time when you restart the router. On these platforms, you should initially set the time manually and then set up the router to poll a time server to get the current time. To set up the router to poll a time server, enter the following commands at the Config> prompt.
SKIP Configuration and Monitoring Prompts
SKIP commands are available at the SKIP Config <NET-#> prompt and the SKIP <NET-#> prompt. This section explains the differences between these two prompts and shows how to display the prompts.
SKIP Configuration Prompt
At the SKIP Config <NET-#> prompt, changes you make are saved in the router's configuration memory. These changes do not take effect until you restart the router.
To display the SKIP Config <NET-#> prompt,
- 1. Create an IP tunnel interface and enable SKIP on the interface. The IP Tunnel is interface 5 in this example.
Config>ADD INTERFACE IP-TUNNEL
Adding IP Tunnel as interface 5.
Config>ENABLE SKIP
Interface number [0]? 5
Config>
- 2. Display the circuit configuration prompt. Enter network followed by the number of the IP tunnel interface you want to configure. To see a list of interfaces, enter list interfaces.
Config>NETWORK
What is the network number [0]? 5
Circuit Configuration
Circuit Config <NET-5>
- 3. Display the SKIP configuration prompt.
Circuit Config <NET-5>SKIP
SKIP Configuration
SKIP Config <NET-5>
SKIP Monitoring Prompt
At the SKIP <NET-#> prompt, changes that you make take effect immediately. Unless you explicitly save changes using the save command, they are not saved when you restart the router.
Also, at the SKIP <NET-#> prompt, you can set parameters only for remote peers that are currently reachable and have exchanged certificates to derive a master encryption key. If a remote endpoint is not accessible, it has no runtime configuration and the endpoint does not appear at this prompt.
To display the SKIP <NET-#> prompt,
- 1. At the + prompt, enter network followed by the number of the SKIP interface you want to monitor. To see a list of interface numbers, enter list interface at the + prompt.
+network 5
Circuit <NET-5>
- 2. Enter skip.
Circuit <NET-5> SKIP
SKIP
SKIP <NET-5>
How SKIP Commands Work
SKIP uses the destination name default as a special name whose properties apply to all remote destinations unless you explicitly add and configure destinations.
To configure a specific remote destination, you first add the destination using the add remote command. Once you add a destination other than default, most SKIP commands require that you include the name of the destination to which the command applies. For example, you use the set authentication command to set the algorithm SKIP uses to sign packets:
SKIP Config <NET-5> SET AUTHENTICATION BOSTON MD5
The destination in this command is BOSTON and the algorithm is MD5.
You can partially enter a command and then press Space twice to see a list of all configured SKIP destinations.
SKIP Config <NET-5> SET AUTHENTICATION Space Space
The choices/prefixes are (a complete list):
50.10.20.30
boston
default
roadwarrior
You do not have to set all parameters for destinations that you add. If you do not specifically set a parameter, SKIP uses the value set in the default configuration. In other words, SKIP uses the values specified in the default configuration for all destinations unless you specifically configure a value for a destination. If all parameters required for a destination are the same as the default values, you never have to add that destination to SKIP.
The router in Figure 2 has three VPN tunnels to Boston, 45.10.20.30, and RoadWarrior. The following commands set the default authentication algorithm for all destinations to MD5 and then specify that the algorithm used specifically for RoadWarrior is SHA.
SKIP Config <NET-5>SET AUTHENTICATION DEFAULT MD5
SKIP Config <NET-5>SET AUTHENTICATION ROADWARRIOR SHA
Adding Certificates
Two peers computing a master encryption key must use certificates that have the same modulus length. This means you must add certificates whose length matches the modulus length the remote peer uses. For example, Sun Microsystems SunScreen SKIP for Windows uses a 1024-bit modulus, so a router connecting to that SunScreen SKIP client must also have a certificate that has a 1024-bit modulus.
- 1. Create a 1024-bit modulus certificate with the add certificate command.
SKIP Config <NET-5>add certificate 1024
New certificate's MD5/UDH signature is 9C2A-8448-3750-6266-29B8-2B02-3470-7098
When you add a certificate, the software displays the certificate's MD5/UDH signature.
- 2. Relay this signature to the administrator of the remote SKIP peer(s) you will exchange this certificate with. The remote SKIP peer uses this signature to authenticate UDH certificates it receives from this router.
CAUTION:
Do not send the signature over the network. Doing so compromises SKIP's security. Communicate secrets by telephone or paper.
Setting Local Names
SKIP peers use the signature of UDH certificates to authenticate the UDH certificates. See Authenticating UDH Certificates. To do so, the router uses the MD5 signature of its UDH certificate as the router's local name when it sends the certificate to the remote peer.
To set up the router to use the MD5/UDH signature as its local name, you must have already added a certificate with the add certificate command. You then enter the set local-name local/udh command followed by the modulus length of the certificate, 1024 in this example.
SKIP Config <NET-5>set local-name local/udh 1024
Note:
You must set this parameter to local/UDH if you are using a dynamically-assigned IP address as the IP tunnel source address. This lets the receiving router identify the source of the packet even when it does not recognize the address in the outer IP header.
Setting Remote Names
If you are using UDH certificates, you must enter the MD5 signature of the remote SKIP peer's UDH certificate. You obtain this signature from the administrator of the remote peer. The local router uses this signature when it requests a certificate from the remote peer, which ensures that the remote peer sends the correct certificate. The signature also lets the local SKIP router validate the UDH certificate that the remote peer provides.
SKIP Config <NET-5> set remote-name jimmy md5/udh
Peer's MD5/UDH Signature? 626F-8EB4-27F4-8A4C-DEB9-DE6F-3FF2-58B3
Other SKIP Destination Parameters
The following table describes the remaining SKIP parameters that you can set for either the default configuration or for a specific destination. The table includes the authentication and encryption algorithms that SKIP uses.
Table 1 SKIP Parameters You Can Set Per Destination
Authentication
Options: None, MD5, SHA
Sets the algorithm, if any, SKIP uses to sign outbound packets. This signature lets the receiver check that the packet was not tampered with or forged. See set authentication.
Authentication-Required
Options: disabled, enabled
If enabled, SKIP accepts only signed packets. This guarantees that every packet SKIP receives from the remote peer has a signature SKIP can validate before accepting the packet. The default is enabled.
Bulk-Encrypter
Options: None, DES-CBC, DES3-CBC, ARC4/40, ARC4/128
Sets the algorithm, if any, this router uses to encrypt IP user data before sending the data to the specified destination. The default is DES-CBC. See set bulk-encryption.
Compression
Options: none, STAC-LZS
Sets the compression algorithm, if any, that SKIP uses to compress data packets before encrypting them. The default is none. See set compression.
Note:
Sun Microsystems products do not support compression.
Master-Encrypter
Options: DES-CBC, DES3-CBC
SKIP generates a new short-term key periodically. This parameter sets the algorithm SKIP uses to encrypt the short-term key before sending it to the specified destination.
Rekey-Interval
Options: 30 to 3600 seconds
SKIP generates a new short-term key periodically. This parameter sets how often SKIP creates a new short-term key. The default is 60 seconds.
Secret
Options: a 16-byte value
If the remote peer does not support SKIP UDH, use the add secret command to set a secret, called a master encryption key, on the local router. This secret must be identical to the secret the remote peer uses. See add secret.
Do not send the secret over the network. Doing so compromises SKIP's security. Communicate secrets by telephone or paper.
Preventing the Router from Sending Unencrypted Data Over the Internet
Figure 3 shows a VPN router that is also acting as the gateway to the Internet. In this scenario, if the IP Tunnel with SKIP goes down, the router sends traffic over the next best route. However, if that happens, the router could send traffic over an interface that does not use SKIP, which means the traffic would not be encrypted.
There are two ways to prevent the router from sending unencrypted packets
Figure 3 VPN Router That Is Also An Internet Gateway Router
Setting Up a Discard Route
The following steps show how to set up duplicate static routes for a remote tunnel endpoint. If the IP Tunnel with SKIP goes down, these routes cause the router to discard traffic addressed to the remote tunnel endpoint, rather than send the traffic over a route that might not be set up to encrypt data.
- 1. Add a static route that causes the router to send traffic addressed to the remote tunnel endpoint (128.185.2.2) over the IP Tunnel interface (0.0.0.5).
IP config>ADD ROUTE
IP destination [0.0.0.0]?128.185.2.2
Address mask [0.0.0.0]? 255.255.255.0
Via gateway at [0.0.0.0]?0.0.0.5
Cost [1]?
- 2. Add a second static route to the same destination that causes the router to discard traffic addressed to the remote tunnel endpoint. The address mask of 255.255.255.255 causes the router to discard all traffic addressed to 128.185.2.2. The router uses the route only if the previous route via 0.0.0.5 goes down.
Note:
Make sure the discard route has a cost that is greater than or equal to the cost of the route through the IP Tunnel. Otherwise, the router will send packets to the discard route instead of to the tunnel.
IP config>ADD ROUTE
IP destination [0.0.0.0]?128.185.2.2
Address mask [0.0.0.0]? 255.255.255.255
Via gateway at [0.0.0.0]?0.0.0.0
Cost [1]?
Creating Openings in a Firewall for SKIP Traffic
If you are using SKIP with GTSecure firewall filters or with Network Address Translation (NAT) acting as your firewall, you must allow the following traffic through the firewall:
Creating Openings For SKIP in GTSecure IP Filters
If you are using SKIP with GTSecure IP filters, use the following commands to create a profile that contains three filters to allow SKIP traffic through the firewall. The destination address (da) shown here is an example. Use the actual destination address of the IP tunnel endpoint.
IP Filters Config>add profile passthru
IP Filters Config>add filter passthru.skip dir=both da=128.185.2.2 protocol=skip
IP Filters Config>add filter passthru.cdp dir=both da=128.185.2.2 prot=udp dp=1639-1640
IP Filters Config>add filter passthru.discard dir=both da=128.185.2.2 prot=udp dp=9
IP Filters Config>list filter passthru
Listing Filters
Name Dir Address Port Protocol Idle Action
---------------------------------------------------------------
skip Both ida=128.185.2.2 SKIP Pass Off
cdp Both ida=128.185.2.2 idp=1639-1640 UDP Pass Off
discard Both ida=128.185.2.2 idp=9 UDP Pass Off
After you create the profile, you need to attach it to an interface. Typically, you would attach the profile to the interface where your firewall is currently configured. The following example attaches the passthru profile to interface 5.
IP Filters Config>set interface 5 profiles = passthru
Since IP filters block all traffic, except traffic that you specifically allow by adding filters, the three filters just added create openings in the firewall for SKIP-related traffic. The router drops all traffic that does not match any filters.
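The passthru profile above, as an added example (not the router's own code): a small evaluator that applies the three filters with default deny to a handful of constructed packets, so you can confirm that only SKIP, UDP 1639-1640 and UDP 9 traffic to the tunnel endpoint passes and everything else is dropped. The filter and packet dictionaries and the protocol-number map are this example's own.

```python
from ipaddress import ip_address

# IP protocol numbers: 57 is the IANA-assigned number for SKIP, which the
# router's protocol=skip keyword refers to; the rest are the usual values.
PROTOCOLS = {"skip": 57, "udp": 17, "tcp": 6, "icmp": 1}

# The passthru profile from the page, expressed as data: openings for SKIP
# packets, certificate discovery on UDP 1639-1640, and UDP port 9.
PASSTHRU_PROFILE = [
    {"name": "skip", "dir": "both", "da": "128.185.2.2", "prot": "skip"},
    {"name": "cdp", "dir": "both", "da": "128.185.2.2", "prot": "udp", "dp": (1639, 1640)},
    {"name": "discard", "dir": "both", "da": "128.185.2.2", "prot": "udp", "dp": (9, 9)},
]


def filter_matches(flt, pkt):
    """A filter matches when direction, destination address, protocol and,
    if the filter has one, the destination port range all agree with the packet."""
    if flt["dir"] != "both" and flt["dir"] != pkt["dir"]:
        return False
    if ip_address(flt["da"]) != ip_address(pkt["da"]):
        return False
    if PROTOCOLS[flt["prot"]] != pkt["proto"]:
        return False
    if "dp" in flt:
        low, high = flt["dp"]
        if not low <= pkt.get("dport", -1) <= high:
            return False
    return True


def evaluate(profile, pkt):
    """Default deny, as the page describes: the first matching filter passes the
    packet; a packet that matches no filter is dropped."""
    for flt in profile:
        if filter_matches(flt, pkt):
            return "pass", flt["name"]
    return "drop", None


# Constructed packets as they might reach the interface carrying the profile.
SAMPLE_PACKETS = {
    "skip to endpoint":     {"dir": "in", "da": "128.185.2.2", "proto": 57},
    "cdp request":          {"dir": "out", "da": "128.185.2.2", "proto": 17, "dport": 1640},
    "udp 9 to endpoint":    {"dir": "in", "da": "128.185.2.2", "proto": 17, "dport": 9},
    "skip to other host":   {"dir": "in", "da": "128.185.2.3", "proto": 57},
    "telnet to endpoint":   {"dir": "in", "da": "128.185.2.2", "proto": 6, "dport": 23},
    "udp 1641 to endpoint": {"dir": "in", "da": "128.185.2.2", "proto": 17, "dport": 1641},
}


def audit(profile=PASSTHRU_PROFILE, packets=SAMPLE_PACKETS):
    """Run each sample packet through the profile, to confirm the openings are
    no wider than the three SKIP-related ones."""
    return {label: evaluate(profile, pkt) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, (verdict, name) in audit().items():
        print(f"{label:22s} {verdict:5s} {name or ''}")
```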
Creating Openings For SKIP in NAT
If you are running NAT and SKIP in the same router, the NAT software automatically creates services that let SKIP traffic pass through the NAT interface.
If you are running IP Tunnels with SKIP and NAT on separate routers, you need to add the following services to your NAT configuration. Direct the services to the tunnel endpoint address in the tunnel router.
NAT Config>add service skip
Server's IP address [0.0.0.0]? 10.10.20.1
Server's local port (0 = no port translation) [0]?
NAT Config>add service skipcdp
Server's IP address [0.0.0.0]? 10.10.20.1
Server's local port (0 = no port translation) [0]?
NAT Config>add service discard
Server's IP address [0.0.0.0]? 10.10.20.1
Server's local port (0 = no port translation) [0]?
SKIP Commands
Table 2 describes the SKIP commands.
Press Space twice after you type a command to display the available parameters for each command. Enter help for information about using the command line interface.
[C] means the command is available at the SKIP Config <NET-#> prompt.
[M] means the command is available at the SKIP <NET-#> prompt.
Add [C]
Adds certificates, remote peers, and secrets to the SKIP configuration.
Syntax: add
- certificate
- remote
- secret
certificate
Creates the router's certificates. Enter a modulus length of 512, 1024, or 2048 after this command to select which certificate to add.
You must enter the same modulus length that the remote site uses because Diffie-Hellman requires the two parties computing a master encryption key to use the same modulus length.
When you add a certificate, the software runs the MD5 algorithm over the certificate to create a signature, and the software displays the certificate's MD5/UDH signature. Relay this signature to the administrator of the remote SKIP peer(s) you will exchange this certificate with. The remote SKIP peer uses this signature to authenticate UDH certificates it receives from this router.
CAUTION:
Do not send the signature over the network. Doing so compromises SKIP's security. Communicate secrets by telephone or paper.
Note:
The router refuses this command if you have not set the time of day on the router. See Setting the Time on the Router.
Example: add certificate 1024
New certificate's MD5/UDH signature is 9C2A-8448-3750-6266-29B8-2B02-3470-7098
remote
Adds a SKIP definition for a specific remote peer. All other SKIP commands use the name you enter here.
Example: add remote
New remote destination name? jimmy
secret
Normally, SKIP peers compute the master encryption key, also called a shared secret, using SKIP UDH certificates. If the remote peer does not support SKIP UDH, use this command to set a shared secret for that peer. Once you add a secret for a destination, the router does not exchange certificates with this destination. To re-enable certificate discovery, delete the secret with the delete secret command.
Enter a 16-byte hexadecimal value as the secret. This secret must be identical to the secret the remote peer uses.
CAUTION:
Do not send the secret over the network. Doing so compromises SKIP's security. Communicate manually-created secrets by telephone or paper.
Example: add secret jimmy
Shared Secret? 28763249
Delete [C]
Deletes certificates, remote peers, and secrets from the SKIP configuration.
Syntax: delete
- certificate
- remote
- secret
certificate
Deletes a certificate that you added. Enter the modulus length of the certificate you want to delete, either 512, 1024, or 2048. To see a list of certificates, enter list certificate.
Note:
Do not use this command casually because it invalidates the configuration of other routers and clients that hold the signature of this certificate.
Example: delete certificate 1024
remote
Deletes the configuration and name of a remote peer that you created with the add remote command.
Example: delete remote jimmy
secret
Deletes a shared secret previously added for a remote peer. Removing the secret causes SKIP to use certificate exchange to generate a shared secret for this destination. The following example deletes the secret previously added for the destination jimmy.
Example: delete secret jimmy
Disable [C] [M]
Disables authentication-required for a remote peer, which allows that peer to send packets that do not have a SKIP signature. Authentication-required is enabled by default because it defends against attackers who send forged packets to the router.
The following example disables authentication-required for the destination jimmy.
Syntax: disable authentication-required
Example: disable authentication-required jimmy
Enable [C] [M]
Enables authentication-required on all packets SKIP receives from the remote peer that you specify. Enabling authentication-required defends against attackers who send forged packets. The router drops unsigned packets.
The following example enables authentication-required on all destinations, except those for which you specifically disable authentication-required.
Syntax: enable authentication-required
Example: enable authentication-required default
List [C] [M]
This section explains list commands available at the SKIP configuration and monitoring prompts.
List [C]
Displays configuration parameters of the SKIP interface.
Syntax: list
- certificate
- local-name
- parameters
- remote-name
- secrets
certificate
Displays the certificates configured on the SKIP interface.
Example: list certificate
Mod. Valid Valid Received Signature
Len From To From
512 7/9/97 7/9/02 Local Config 9C6D-229C-20CC-98EB-862A-FB00-5DCC-117
local-name
Lists the SKIP name types and values assigned as the local router's name when it sends packets to each remote destination. NSID is the name-space ID, or type, of name data included in each packet. Set a local name using set local-name. None means that no local name is set for the destination.
Example: list local-name
Destination NSID Local Name
DEFAULT None
misty None
skip-466 LOCAL/UDH Local 1024-bit Certificate MD5 Signature
fancy IPv4 Address 1.2.3.4
parameters
Displays the parameters used with each remote destination. SKIP uses most of these parameters only on outbound packets because incoming packets include parameters on how SKIP is to process the incoming packet. The only exception is the Drop Unsigned parameter. If the authentication-required parameter is enabled (Yes), SKIP drops incoming packets that are not signed.
This display also shows the use of DEFAULT as a destination. The DEFAULT entry defines the characteristics of all remote destinations unless you specifically define an alternate value for those destinations. In the following example, the only values explicitly changed with a set command were the authentication algorithm for the destination boston and the data compression algorithm for the destination misty. All other parameters use the default values.
Example: list parameters
Destination  Master     Bulk       Auth       Comp       Drop    Rekey
             Algorithm  Algorithm  Algorithm  Algorithm  Unsign  Interval
DEFAULT      DES-CBC    DES-CBC    MD5        NONE       NO      30
boston       DES-CBC    DES-CBC    SHA        NONE       NO      30
misty        DES-CBC    DES-CBC    MD5        STAC-LZS   NO      30
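The following is an added example, not part of the OpenROUTE documentation or software. It parses a constructed copy of the list parameters display above, works out which columns each destination overrides relative to the DEFAULT row, and flags the settings a reviewer would question: destinations that still accept unsigned packets (authentication-required off), destinations that do not sign outbound packets, and rekey intervals outside the 30 to 3600 second range documented under set rekey-interval. The sample text and the review rules are constructed for the illustration.

```python
"""Audit a SKIP 'list parameters' display (added example, not OpenROUTE code)."""

# Constructed sample in the layout of the 'list parameters' display.
SAMPLE = """\
Destination  Master     Bulk       Auth       Comp       Drop    Rekey
             Algorithm  Algorithm  Algorithm  Algorithm  Unsign  Interval
DEFAULT      DES-CBC    DES-CBC    MD5        NONE       NO      30
boston       DES-CBC    DES-CBC    SHA        NONE       NO      30
misty        DES-CBC    DES-CBC    MD5        STAC-LZS   NO      30
"""

COLUMNS = ("master", "bulk", "auth", "comp", "drop_unsigned", "rekey")


def parse_parameters(text):
    """Return {destination: {column: value}} from the display text.

    The first header line is skipped by its leading word, the second by its
    field count (six fields); every data row has exactly seven fields."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "Destination":
            continue
        dest, master, bulk, auth, comp, drop, rekey = fields
        rows[dest] = {
            "master": master.upper(),
            "bulk": bulk.upper(),
            "auth": auth.upper(),
            "comp": comp.upper(),
            "drop_unsigned": drop.upper() == "YES",
            "rekey": int(rekey),
        }
    return rows


def overrides(rows):
    """Columns each non-DEFAULT destination sets explicitly, i.e. where its
    value differs from the DEFAULT row; everything else falls back to DEFAULT."""
    default = rows["DEFAULT"]
    return {
        dest: sorted(col for col in COLUMNS if params[col] != default[col])
        for dest, params in rows.items()
        if dest != "DEFAULT"
    }


def findings(rows):
    """Defender-side review of every row, DEFAULT included (rules constructed)."""
    out = {}
    for dest, p in rows.items():
        issues = []
        if not p["drop_unsigned"]:
            issues.append("accepts unsigned packets (authentication-required disabled)")
        if p["auth"] == "NONE":
            issues.append("outbound packets are not signed")
        if not 30 <= p["rekey"] <= 3600:
            issues.append("rekey interval outside the 30-3600 second range")
        out[dest] = issues
    return out


if __name__ == "__main__":
    table = parse_parameters(SAMPLE)
    for dest, cols in overrides(table).items():
        print(f"{dest}: overrides {cols or 'nothing'}")
    for dest, issues in findings(table).items():
        for issue in issues:
            print(f"{dest}: {issue}")
```

Paste the real display into SAMPLE (or read it from a file) to audit a router; because DEFAULT is reviewed like any other row, a weak default that every unlisted destination inherits is reported once rather than hidden.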
remote-name
Lists the SKIP name types and values assigned as the name the remote router uses in packets it sends to this router. NSID is the name-space ID, or type, of name data included in each packet. Set a remote name using set remote-name. None means that no remote name is set for the destination.
Example: list remote-name
Destination  NSID          Remote Name
50.10.20.30  None
misty        MD5/UDH       DB5E-D8C4-BEF1-1BE0-3BA2-13D8-B1F5-63FC
skip-466     MD5/UDH       2D69-840F-D017-32E4-3DB4-FEF5-2722-32F4
fancy        IPv4 Address  50.1.1.1
secrets
Displays secrets you added for specific remote destinations.
Note: You can enter this command only if you have administrative access to the router.
Example: list secrets
Destination  Secret
fancy        28763249 87362928 37664364 78929283 76464783 64928762
List [M]
Displays connection information and configuration parameters for remote SKIP peers.
Syntax: list
- certificates
- local-name
- receive counters
- receive parameters
- remote-name
- secrets
- transmit counters
- transmit parameters
certificates
Lists the certificates the router owns as well as certificates the router learned from other SKIP peers.
The Received From column shows the source of each certificate. At the monitoring prompt, this column displays the IP address of other routers and clients from which the router received certificates.
Example: list certificates
Mod.  Valid   Valid   Received      Signature
Len   From    To      From
512   7/9/97  7/9/02  Local Config  9C6D-229C-20CC-98EB-862A-FB00-5DCC-117
1024  9/8/97  9/8/02  Local Config  FC56-129A-D8AC-A9BC-09F6-1EFB-CFA9-2131
local-name
Lists the SKIP name types and values assigned as the local router's name when it sends packets to each remote destination. The NSID is the name-space ID, or type, of name data included in each packet.
Example: list local-name
Destination  NSID  Local Name
misty        None
receive counters
Displays statistics counters for each remote destination. These counters describe the packets the router received from those remote peers.
Note: The software counts a packet as both encrypted and authenticated if SKIP performs both operations on the packet payload.
Example: list receive counters
Destination  Unrecog  Auth     Auth    Encrypted  Decrypt  Payload
             Packets  Packets  Errors  Packets    Errors   Bytes
misty        0        22       0       22         0        12877
The router generates Event Logging System (ELS) messages whenever it detects an error.
receive parameters
Lists the SKIP algorithms remote peers selected and included in packets the local router most recently received. The only exception is the Drop Unsigned column. If this value is Yes, the local router discards unsigned packets.
Example: list receive parameters
Received Packet Parameters
Destination  Master     Bulk       Auth       Comp       Drop
             Algorithm  Algorithm  Algorithm  Algorithm  Unsigned
misty        DES-CBC    DES-CBC    MD5        STAC-LZS   NO
remote-name
Lists the SKIP NSID (name-space ID) and name you set for this remote peer using the set remote-name command.
Example: list remote-name
Destination  NSID     Remote Name
misty        MD5/UDH  DB5E-D8C4-BEF1-1BE0-3BA2-13D8-B1F5-63FC
secrets
Displays the shared secret, also called the master encryption key, for each destination, whether manually configured or computed from the local router's private key and the remote peer's public key.
Note: The router accepts this command only if you have Administrative-level authorization on the router.
Example: list secrets
Destination  Secret
misty        AFEBE802 1705E74E 17F20A20 7FD6DAEF BC9D04BE 541A0E5A 3D2E860C CEBB48AB
transmit counters
The router keeps statistics counters for each remote destination. Most of these counters describe packets the router sent to each remote destination.
Example: list transmit counters
Destination  Auth     Encrypted  Payload  Compress
             Packets  Packets    Bytes    Ratio
misty        499      499        148504   1.63:1
transmit parameters
Displays the SKIP parameters the local router uses when it transmits packets to each remote peer.
Example: list transmit parameters
Transmitted Packet Parameters
Destination  Master     Bulk       Auth       Comp       Rekey
             Algorithm  Algorithm  Algorithm  Algorithm  Interval
misty        DES-CBC    DES-CBC    MD5        STAC-LZS   60
bentley      DES-CBC    ARC4/128   MD5        STAC-LZS   60
Revert [M]
If you make configuration changes at the SKIP <NET-#> prompt, this command restores the saved configuration for the destination that you specify.
Example: revert
destination
Save [M]
Saves changes you make at the SKIP <NET-#> prompt for the destination you specify to permanent memory so they are still present after you restart the router.
Example: save
destination?
Set [C] [M]
Sets various SKIP parameters.
Syntax: set
- authentication
- bulk-encryption
- compression
- local-name
- master-encrypter
- rekey-interval
- remote-name
authentication
Sets the authentication algorithm, if any, that SKIP uses to sign packets before sending them. By checking each incoming packet with the authentication algorithm, the SKIP receiver can verify that the packet was not tampered with or forged.
You can specify an algorithm to use as the default or for packets destined to a specific peer. You can set the authentication algorithm to None, MD5 (Message-Digest Algorithm 5), or SHA (Secure Hash Algorithm). The default is MD5.
This command does not affect the algorithm used to authenticate incoming packets; that algorithm is specified in each incoming packet.
The following example sets up SKIP to sign packets it sends to jimmy using the SHA.
Example: set authentication jimmy sha
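The following is an added illustration, not OpenROUTE code, of the sign-and-verify behaviour described under set authentication: the sender chooses None, MD5 or SHA for outbound packets, the receiver reads the algorithm from each incoming packet, and a receiver with authentication-required enabled discards unsigned packets. The keyed construction used here is HMAC from the Python standard library, and the one-byte header layout is made up for the example; the page does not specify how SKIP keys its digest or lays out the header.

```python
"""Bulk-authentication illustration for SKIP (added example, not OpenROUTE code)."""
import hashlib
import hmac

# Constructed algorithm identifiers for the one-byte header.
ALG_IDS = {"NONE": 0, "MD5": 1, "SHA": 2}
ALG_NAMES = {v: k for k, v in ALG_IDS.items()}
DIGESTS = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


class Unsigned(Exception):
    """Packet carries no signature and the receiver requires one."""


class BadTag(Exception):
    """Signature present but does not match the packet contents."""


def sign_packet(key, payload, alg):
    """Return header (1 byte: algorithm id) + tag + payload.

    With alg 'none' the tag is empty, i.e. the packet is unsigned.
    The tag is HMAC over header and payload (an assumption, not SKIP's exact
    construction)."""
    alg = alg.upper()
    header = bytes([ALG_IDS[alg]])
    if alg == "NONE":
        return header + payload
    tag = hmac.new(key, header + payload, DIGESTS[alg]).digest()
    return header + tag + payload


def verify_packet(key, packet, drop_unsigned):
    """Authenticate with the algorithm named in the packet and return the payload.

    drop_unsigned mirrors the authentication-required setting: when True an
    unsigned packet raises Unsigned instead of being accepted."""
    header = packet[:1]
    alg = ALG_NAMES[header[0]]
    if alg == "NONE":
        if drop_unsigned:
            raise Unsigned("unsigned packet rejected")
        return packet[1:]
    tag_len = DIGESTS[alg]().digest_size
    tag, payload = packet[1:1 + tag_len], packet[1 + tag_len:]
    expected = hmac.new(key, header + payload, DIGESTS[alg]).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise BadTag("authentication error")
    return payload


def demo():
    """Sign with SHA, verify, detect a flipped bit, reject an unsigned packet."""
    key = b"constructed-short-term-key"           # constructed sample key
    payload = b"user data through the tunnel"     # constructed sample payload
    pkt = sign_packet(key, payload, "sha")
    verified = verify_packet(key, pkt, drop_unsigned=True) == payload

    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])  # flip one bit of the payload
    try:
        verify_packet(key, tampered, drop_unsigned=True)
        detected = False
    except BadTag:
        detected = True

    unsigned = sign_packet(key, payload, "none")
    try:
        verify_packet(key, unsigned, drop_unsigned=True)
        dropped = False
    except Unsigned:
        dropped = True
    return verified, detected, dropped


if __name__ == "__main__":
    print(demo())
```

Note that the receiver never consults its own configured algorithm: as the page states, the algorithm is taken from the incoming packet, so the only receiver-side policy is whether an unsigned packet is accepted at all.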
bulk-encryption
Sets the encryption algorithm SKIP uses to encrypt user data before sending the data to the specified destination. The default is DES-CBC.
This command does not affect the algorithm used to decrypt incoming packets. That algorithm is specified in the incoming packets.
The following example configures SKIP to encrypt packets it sends to jimmy using DES3-CBC.
Example: set bulk-encryption jimmy DES3-CBC
compression
Sets the compression algorithm the router uses to compress user data before sending the data to the specified destination. The default is None.
This command does not affect the algorithm used to decompress incoming packets. That algorithm is specified in the incoming packets.
The following example configures the router to compress packets it sends to jimmy using the STAC-LZS algorithm.
Example: set compression jimmy stac-lzs
local-name
Defines whether SKIP includes a name in the SKIP header to identify itself to remote peers. If SKIP does include a name, this parameter sets the type and value of the name that identifies the local router. SKIP includes this information in packets the router sends to the specified destination. The options are IPv4-address, Local/UDH, or None.
Using the local MD5/UDH signature as the name of the router allows the router to hold one certificate for each modulus length. Each certificate has a different signature, so remote sites can be configured (by specifying the appropriate signature) to request the certificate that matches their own certificate's modulus.
Note: You must set this parameter to local/UDH if you are using a dynamically assigned IP address as the IP tunnel source address. This lets the receiving router identify the source of the packet even when it does not recognize the address in the outer IP header.
Example: set local-name default IPv4-address
IPv4 Address [0.0.0.0]?
Example: set local-name boston local/udh 512
master-encrypter
Sets the algorithm SKIP uses to encrypt the short-term key before sending the key to the specified destination.
This command does not affect the algorithm used to decrypt the short-term key in inbound packets; that algorithm is specified in each incoming packet.
Press Space twice after you type the destination name, and the software displays a list of the encryption types available on your router.
Example: set master-encrypter default
The choices/prefixes are (a complete list):
DES-CBC -- Data Encryption Standard with Chaining (RFC-1829)
DES3-CBC -- Triple DES (Data Encryption Standard) with Chaining (RFC-1851)
SKIP Config <NET-5> set master-encrypter default DES3-CBC
rekey-interval
Sets how often, in seconds, the router changes its short-term key for the destination you specify. The default is 60 seconds. The range is 30 to 3600 seconds.
Example: set rekey-interval default
Rekey Interval? 30
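The following is an added example, not OpenROUTE code, that ties together three parts of this reference: the shared secret that list secrets [M] describes as computed from the local router's private key and the remote peer's public key, the master-encrypter, which encrypts only the short-term key, and the rekey-interval, which replaces the short-term key on a schedule. Two constructed peers agree on a master key with Diffie-Hellman, the sender wraps each short-term key under the master key and carries the wrapped key in every packet, and the receiver unwraps it to decrypt the payload. Everything beyond that structure is an assumption for the illustration: the DH group is a tiny constructed one (2^64 - 59, useless for real traffic), the master key is SHA-256 of the DH result, and the cipher is a hash-keystream stand-in for DES-CBC/DES3-CBC, which the standard library does not provide.

```python
"""SKIP key hierarchy illustration (added example, not OpenROUTE code)."""
import hashlib
import secrets

# Constructed toy group: a 64-bit prime and generator 2. Real deployments use
# large, standardised groups; this one only keeps the arithmetic readable.
P = 2**64 - 59
G = 2


def keypair():
    """Random private exponent and the matching public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def master_key(own_private, peer_public):
    """Shared secret from my private key and the peer's public key.

    g^(xy) mod p is hashed to 32 bytes; the hash step is an assumption."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()


def _keystream(key, label, n):
    """Deterministic keystream: SHA-256(key || label || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_crypt(key, label, data):
    """Stand-in for DES-CBC/DES3-CBC: XOR with a keystream bound to 'label'.

    Symmetric, so the same call decrypts. The label must never repeat for a
    given key, which the key-id and sequence counters below guarantee."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, label, len(data))))


class SkipSender:
    """Holds the master key and the current short-term key for one destination."""

    def __init__(self, master, rekey_interval):
        if not 30 <= rekey_interval <= 3600:   # documented range for rekey-interval
            raise ValueError("rekey interval must be 30-3600 seconds")
        self.master = master
        self.interval = rekey_interval
        self.key_id = 0
        self.short_term = None
        self.key_time = None
        self.seq = 0

    def send(self, payload, now):
        """Return (key_id, wrapped short-term key, seq, ciphertext) for one packet.

        A fresh short-term key is generated on the first packet and whenever
        the rekey interval has elapsed since the current key was created."""
        if self.short_term is None or now - self.key_time >= self.interval:
            self.key_id += 1
            self.short_term = secrets.token_bytes(16)
            self.key_time = now
            self.seq = 0
        self.seq += 1
        wrapped = xor_crypt(self.master, b"wrap" + self.key_id.to_bytes(4, "big"),
                            self.short_term)             # master key wraps the key
        ciphertext = xor_crypt(self.short_term, b"data" + self.seq.to_bytes(4, "big"),
                               payload)                   # short-term key protects data
        return self.key_id, wrapped, self.seq, ciphertext


def receive(master, packet):
    """Unwrap the short-term key with the master key, then decrypt the payload."""
    key_id, wrapped, seq, ciphertext = packet
    short_term = xor_crypt(master, b"wrap" + key_id.to_bytes(4, "big"), wrapped)
    return xor_crypt(short_term, b"data" + seq.to_bytes(4, "big"), ciphertext)


def demo():
    """Two peers agree on a master key; a 60 s interval forces one rekey."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    ka = master_key(a_priv, b_pub)
    kb = master_key(b_priv, a_pub)
    sender = SkipSender(ka, rekey_interval=60)
    p1 = sender.send(b"first", now=1000)
    p2 = sender.send(b"second", now=1030)   # 30 s later: same short-term key
    p3 = sender.send(b"third", now=1061)    # 61 s after key creation: new key
    return {
        "agree": ka == kb,
        "key_ids": (p1[0], p2[0], p3[0]),
        "decrypted": tuple(receive(kb, p) for p in (p1, p2, p3)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the structure makes is the one the terminology section states: the master key never touches user data, so compromising a single short-term key exposes at most one rekey interval of traffic, while the master key must be protected for the life of the peer relationship, which is why list secrets is restricted to administrative access.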
remote-name
Sets the type and value of the SKIP name to expect from the remote SKIP peer. This name identifies the remote destination you specify.
If you are using SKIP certificates, you must set this parameter to MD5/UDH and enter the signature of the remote SKIP peer's UDH certificate. You obtain this signature from the administrator of the remote peer. The local router uses this signature when it requests a certificate from the remote peer, which ensures that the remote peer sends the correct certificate. The signature also lets the local SKIP router validate the certificate that the remote peer provides.
The default is None. The following example sets an MD5 signature for the remote SKIP peer called jimmy.
Example: set remote-name jimmy md5/udh
Peer's MD5/UDH Signature? 9C2A-8448-3750-6266-29B8-2B02-3470-7098
docs@openroute.com
Copyright © 2000, OpenROUTE Networks, Inc. All rights reserved.