[Top] [Prev] [Next] [Bottom]

Using SKIP

This document describes Simple Key-Management for Internet Protocols (SKIP), which is an optional security feature that works with OpenROUTE Networks Virtual Private Networks (VPNs).

This document has the following topics:

Exporting Algorithms from the United States

Introducing SKIP

This chapter describes the SKIP component of OpenROUTE Networks VPN software. VPNs begin with IP Tunnel interfaces, which are virtual paths to other nodes in the virtual network. SKIP provides security to traffic passing through IP tunnels by authenticating and encrypting the data.

This document explains how SKIP works, how to set up SKIP, and defines the SKIP commands.

Using IP Tunnels describes IP Tunnels, how to set up IP Tunnels, and defines the IP Tunnel commands.
Using IP Tunnels With SKIP gives examples of how to assemble several types of VPNs using IP Tunnels and SKIP.
Using VPNs With NAT gives examples of how to set up VPNs using IP Tunnels with SKIP when Network Address Translation (NAT) is also running.

SKIP works with the IP Tunnel software by encrypting and signing outbound traffic before sending the traffic through the IP tunnel and by decrypting and authenticating inbound traffic from the IP tunnel. This process verifies that a packet actually came from the remote tunnel endpoint and that the packet was not tampered with enroute to the local SKIP peer. It also protects data as it passes through the tunnel.

Figure 1 shows a router that has three IP Tunnel interfaces, each connecting to a different location in the VPN. SKIP authenticates and encrypts traffic on interfaces 2 and 3.

Figure 1 How SKIP Works with the IP Tunnel Software

Terminology

This document uses the following terminology.

bulk authentication

The algorithm SKIP uses to sign outbound packets. This signature lets the receiver check that the packet was not tampered with or forged. See set authentication.

bulk encryption

The algorithm SKIP uses, along with the short-term key, to encrypt user data. See set bulk-encryption.

master encryption key

A key, or value, SKIP uses to encrypt short-term keys. It's called a master key because it does not encrypt user data; it only encrypts other keys. Also known as the shared secret.

master encryption algorithm

The algorithm SKIP uses to encrypt short-term keys when those keys change. It's called a master algorithm because it does not encrypt user data, it only encrypts other keys.

modulus length

Prime numbers with lengths of 512, 1024, and 2048 bits that define the key length of Unsigned Diffie-Hellman (UDH) certificates.

payload

The original IP packet being sent using SKIP and the IP Tunnel.

private key

A value that a SKIP peer uses, along with a public key, to calculate the master encryption key.

public key

A value that a SKIP peer uses, along with their own private key, to calculate the master encryption key.

rekey interval

How often SKIP changes its short-term key.

short-term key

A key that two SKIP peers use to encrypt and decrypt user data that they send to each other. This key is a random number that changes every rekey interval.

shared secret

A key, or value, SKIP uses to encrypt short-term keys when those keys change. Also called the master encryption key.

Unsigned Diffie-Hellman (UDH) certificate

UDH certificates provide a simple, secure way for SKIP peers to exchange public keys without requiring a third-party Certificate Authority (CA).

bulk authentication	The algorithm SKIP uses to sign outbound packets. This signature lets the receiver check that the packet was not tampered with or forged. See set authentication.
bulk encryption	The algorithm SKIP uses, along with the short-term key, to encrypt user data. See set bulk-encryption.
master encryption key	A key, or value, SKIP uses to encrypt short-term keys. It's called a master key because it does not encrypt user data; it only encrypts other keys. Also known as the shared secret.
master encryption algorithm	The algorithm SKIP uses to encrypt short-term keys when those keys change. It's called a master algorithm because it does not encrypt user data, it only encrypts other keys.
modulus length	Prime numbers with lengths of 512, 1024, and 2048 bits that define the key length of Unsigned Diffie-Hellman (UDH) certificates.
payload	The original IP packet being sent using SKIP and the IP Tunnel.
private key	A value that a SKIP peer uses, along with a public key, to calculate the master encryption key.
public key	A value that a SKIP peer uses, along with their own private key, to calculate the master encryption key.
rekey interval	How often SKIP changes its short-term key.
short-term key	A key that two SKIP peers use to encrypt and decrypt user data that they send to each other. This key is a random number that changes every rekey interval.
shared secret	A key, or value, SKIP uses to encrypt short-term keys when those keys change. Also called the master encryption key.
Unsigned Diffie-Hellman (UDH) certificate	UDH certificates provide a simple, secure way for SKIP peers to exchange public keys without requiring a third-party Certificate Authority (CA).

RFCs Supported

The OpenROUTE Networks IP security for VPNs implements the following RFCs:

RFC 1825, The Security Architecture of the Internet (IPSEC).
RFC 1826, IP Authentication Header.
RFC 1827, IP Encapsulating Security Payload (ESP), which defines the packet formats for IP layer authentication and encryption.
RFC 1828, IP Authentication Using Keyed MD5
RFC 1829, The Encapsulating Security Payload (ESP) DES-CBC Transform
RFC 1851, The Encapsulating Security Payload (ESP) Triple DES Transform
RFC 1852, IP Authentication Using Keyed SHA

Compatibility

This SKIP implementation is compatible with the Sun Microsystems implementation of the Tunnel Mode of SKIP. OpenROUTE routers can securely exchange information with both SunScreen SKIP for Windows 95 and Windows NT software and the SUNScreen EFS and SPF Server systems.

Sun Microsystems implements SKIP key exchange using both SKIP Unsigned Diffie-Hellman (UDH) certificates and X.509 certificates. X.509 certificates are obtained from certificate authorities. OpenROUTE Networks implements key exchange using only UDH certificates.

SKIP is distinct from, and incompatible with, Internet Security Association Key Management Protocol (ISAKMP).

Using Hardware to Perform Compression, Encryption, and Authentication

Some OpenROUTE routers come with hardware that can perform compression, encryption, and authentication. Using hardware rather than software to perform these tasks greatly increases the speed of OpenROUTE VPNs.

The SKIP software provides a command that lets you choose whether the router hardware or software performs compression, encryption, and authentication. See set driver.

How SKIP Works

SKIP uses keys, also called secrets, to authenticate data and to encrypt and decrypt data. In order for two SKIP peers to communicate, each side needs to use the same key, called a master encryption key (a shared secret). SKIP's key exchange mechanism allows SKIP peers to derive shared secrets from public/private key pairs.

SKIP uses a two-level encryption and authentication process. The first level encrypts and authenticates the process of exchanging keys. The second level encrypts and authenticates actual user data.

When SKIP receives a packet, it

1. Identifies the packet source. See Identifying the Packet Source.

2. Exchanges public keys with the source using Unsigned Diffie-Hellman (UDH) certificates.

3. Calculates a master encryption key, also called a shared secret. To calculate the master encryption key, each SKIP peer uses its own private key along with the other peer's public key.

Note: If the remote SKIP peer does not support certificates, you can manually set a secret on each peer. See add secret.

4. Calculates a short-term encryption key using a random number generator. SKIP repeats this step, which changes the short-term key, at a regular interval. The default interval is one minute.

5. Encrypts the short-term encryption key using the master encryption key and a master encryption algorithm and sends the short-term key to the remote peer.

6. Uses the short-term key along with the bulk encryption and bulk authentication algorithms to encrypt and authenticate user data it sends to the remote peer.

SKIP is sessionless, which means that each SKIP packet contains algorithms used to compute secrets, authenticate and encrypt data, and compress data. This information is in a header that SKIP adds to IP packets.

Identifying the Packet Source

In addition to the source and destination IP addresses in the outer IP header, SKIP headers can include names, called name-spaces, to identify the packet source and/or destination. Defining a name space allows SKIP peers to identify the source even if the source uses dynamic IP addressing.

This version of SKIP supports the following name spaces:

No Name. SKIP headers do not include an additional name.
Local/UDH name or MD5/UDH name uses UDH certificate signatures as the name of the packet source and/or destination. Use these names if you are using UDH certificates.
IPv4 addresses. You can assign an IP address that SKIP includes in its headers. The IPv4 address is often used with third-party Certificate Authorities, which this SKIP implementation does not currently support.

Exchanging Public Keys Using UDH Certificates

SKIP uses public/private-key cryptography to create a master encryption key. Each SKIP peer has a private key and a public key. SKIP peers exchange public keys and then each peer uses its private key along with the remote peer's public key to calculate the master key.

To send public keys securely from one SKIP peer to another, this SKIP implementation uses Unsigned Diffie-Hellman (UDH) certificates. Other SKIP implementations use a third-party Certificate Authority (CA) to obtain their public keys. However, UDH certificates allow SKIP to get public keys directly from the other SKIP peer. UDH certificates provide a simple, secure way to exchange public keys without requiring a third party CA.

Key Lengths

In addition to public keys, UDH certificates contain two constants called the modulus, which is the key length, and the base. The base is always `2' but there are three different values of the modulus. These values are prime numbers with lengths of 512, 1024, and 2048 bits. Since there are three values for the modulus, there are three possible certificates you can store in the router. The router uses the same one, two, or three certificates to perform the Diffie-Hellman key exchange with all remote peers.

Note: Not all key lengths are available for export from the United States. See Exporting Algorithms from the United States.

Typically, an organization standardizes on one modulus length for simplicity, but some organizations, especially those with offices both inside and outside the United States (U.S.), may need multiple certificates. Sites outside the U.S. can request the certificate with a 512-bit modulus and sites inside the U.S. can request the certificate with a 512-, 1024-, or 2048-bit modulus.

Authenticating UDH Certificates

Each UDH certificate has a unique MD5/UDH signature that SKIP computes by running the MD5 algorithm over the certificate. The receiving router ensures the authenticity of a UDH certificate by comparing the signature to a manually entered value obtained from the administrator of the sending location.

SKIP uses this signature as the SKIP name assigned to the router, client, or server that owns (that is, that created) the certificate. Other routers, clients, or servers use this signature as the destination name in SKIP packets they send to the certificate owner.

The UDH certificate authentication and exchange works as follows:

1. Routers, clients, or servers that need to communicate with the owner of a certificate send a Certificate Request message. This message includes the certificate's signature and indicates which certificate, or modulus length, the requester needs.

2. The certificate owner sends the certificate to the requester.

3. Once the requester receives the returned certificate, the requester computes the MD5 algorithm over the certificate and compares the result to the value stored as the destination name.

If the result does not match the destination name, the certificate has been compromised and cannot be used.
If the result does match the destination name, SKIP can use it to compute the master encryption key used for subsequent communication.

Computing and Using Master Keys and Short-Term Keys

Once SKIP peers have exchanged public keys using UDH certificates, each SKIP peer uses its own private key and the other's public key to compute a master encryption key. The Diffie-Hellman algorithm causes the SKIP peers to compute the same key. This master encryption key, which is a 16-byte number, drives the rest of the SKIP encryption process.

Note: You can manually set a master encryption key if the remote device does not support certificates. If you manually set a master encryption key for a destination, the router does not exchange certificates with that destination.

SKIP uses a random number generator to create a short-term key. A rekeying interval defines the lifetime of each short-term key. The default is one minute. When this interval expires, SKIP creates a new short-term key for the destination.

To securely send the new short-term key to the SKIP peer, SKIP encrypts the new short-term key using the master encryption algorithm along with the master encryption key before sending the new key to the SKIP peer.

The router performs the actual encrypting and signing of IP packets using the short-term key along with the bulk encryption and bulk authentication algorithms.

SKIP Data Flows

SKIP supports one or more simultaneous data flows that represent IP tunnels to different remote tunnel endpoints. You define the number of data flows for an IP Tunnel using the set max-users command. The default is 16. At any time, the number of flows from SKIP clients are the same as the number of flows from SKIP to the IP tunnel. These flows map one-to-one.

Figure 2 How SKIP Works with the IP Tunnel Software

Exporting Algorithms from the United States

OpenROUTE provides several encryption and authentication algorithms to provide different levels of encryption or authentication strength.

United States (U.S.) government encryption export policy limits the key size, and hence the strength, of encryption equipment exported outside of the U.S., with the exception of Canada. OpenROUTE Networks provides different software for domestic, export-controlled, and global use. Export-controlled key lengths are available to overseas offices of U.S. corporations or subsidiaries or for organizations that receive export permission from the United States government.

The following table shows the algorithms and key lengths provided in these three versions of software.

Algorithm U.S. and Canada Key Lengths Export-controlled Key Lengths Global Key
Lengths

DES 56
56
Not Exportable

Triple DES 168 (Three 56-bit keys)
Not Exportable
Not Exportable

ARC4 40, 128
40
40

RC4 40, 128
40
40

Diffie-Hellman Modulus 512, 1024, 2048
1024
512

Algorithm	U.S. and Canada Key Lengths	Export-controlled Key Lengths	Global Key Lengths
DES	56	56	Not Exportable
Triple DES	168 (Three 56-bit keys)	Not Exportable	Not Exportable
ARC4	40, 128	40	40
RC4	40, 128	40	40
Diffie-Hellman Modulus	512, 1024, 2048	1024	512

Configuring SKIP

This section covers the following:

Using IP Tunnels With SKIP gives examples of configuring SKIP on different types of IP Tunnels.

Securing Access to the Router

SKIP requires secure access to the router itself. You must enable console login with administrative access and passwords to prevent unauthorized entry into the router. If someone gains administrative access to the router, they can easily subvert SKIP by disabling it.

Use the add user command at the Config> prompt to set up a user with administrative access. Adding a user automatically enables console login.

Setting the Time on the Router

You must set the correct time of day and offset from Greenwich Mean Time (GMT) on the router before you configure SKIP. SKIP headers include a time stamp. SKIP peers do not accept packets that have a time difference of more than one hour from the SKIP peer's own time.

In addition, certificates have a not valid before time, which is the time the certificate was created, and a not valid after time, which is five years from the time the certificate was created. If SKIP peers do not have their time synchronized, a SKIP peer could receive a packet before the not valid time and discard the packet.

The router does not allow you to create certificates if you have not set the time of day. However, since the router cannot know if the set time is correct, you must make sure the time of day in the router is correct before adding certificates.

To check the time set on the router, enter time list at the Config> prompt.

To set the time, enter the following commands at the Config> prompt.

To set the time of day, enter time set.
To set the offset from GMT, enter time offset.

Setting Up the Router to Poll a Time Server

GT 60 Series, GT 70 Series, and GTS 100 Series routers do not save the set time when you restart the router. On these platforms, you should initially set the time manually and then set up the router to poll a time server to get the current time. To set up the router to poll a time server, enter the following commands at the Config> prompt.

To set the address of the time server, enter time host followed by the IP address of the server. Remember, the router cannot access an external server over a SKIP tunnel since it is SKIP that needs the time of day.
To set the interval after which the router polls the time server for the current time, enter time sync followed by the number of seconds.

SKIP Configuration and Monitoring Prompts

SKIP commands are available at the SKIP Config <NET-#> prompt and the SKIP <NET-#> prompt. This section explains the differences between these two prompts and shows how to display the prompts.

SKIP Configuration Prompt

At the SKIP Config <NET-#> prompt, changes you make are saved in the router's configuration memory. These changes do not take effect until you restart the router.

To display the SKIP Config <NET-#> prompt,

1. Create an IP tunnel interface and enable SKIP on the interface. The IP Tunnel is interface 5 in this example.

Config>ADD INTERFACE IP-TUNNEL
Adding IP Tunnel as interface 5.

Config>ENABLE SKIP
Interface number [0]? 5
Config>

2. Display the circuit configuration prompt. Enter network followed by the number of the IP tunnel interface you want to configure. To see a list of interfaces, enter list interfaces.

Config>NETWORK
What is the network number [0]? 5
Circuit Configuration

Circuit Config <NET-5>

3. Display the SKIP configuration prompt.

Circuit Config <NET-5>SKIP
SKIP Configuration

SKIP Config <NET-5>

SKIP Monitoring Prompt

At the SKIP <NET-#> prompt, changes that you make take effect immediately. Unless you explicitly save changes using the save command, they are not saved when you restart the router.

Also, at the SKIP <NET-#> prompt, you can set parameters only for remote peers that are currently reachable and have exchanged certificates to derive a master encryption key. If a remote endpoint is not accessible, it has no runtime configuration and the endpoint does not appear at this prompt.

To display the SKIP <NET-#> prompt,

1. At the + prompt, enter network followed by the number of the SKIP interface you want to monitor. To see a list of interface numbers, enter list interface at the + prompt.

+network 5

Circuit <NET-5>

2. Enter skip.

Circuit <NET-5> SKIP
SKIP

SKIP <NET-5>

How SKIP Commands Work

SKIP uses the destination name default as a special name whose properties apply to all remote destinations unless you explicitly add and configure destinations.

To configure a specific remote destination, you first add the destination using the add remote command. Once you add a destination other than default, most SKIP commands require that you include the name of the destination to which the command applies. For example, you use the set authentication command to set the algorithm SKIP uses to sign packets:

SKIP Config <NET-5> SET AUTHENTICATION BOSTON MD5

The destination in this command is BOSTON and the algorithm is MD5.

You can partially enter a command and then press Space twice to see a list of all configured SKIP destinations.

SKIP Config <NET-5> SET AUTHENTICATION Space Space
The choices/prefixes are (a complete list):

 50.10.20.30
 boston
 default
 roadwarrior

You do not have to set all parameters for destinations that you add. If you do not specifically set a parameter, SKIP uses the value set in the default configuration. In other words, SKIP uses the values specified in the default configuration for all destinations unless you specifically configure a value for a destination. If all parameters required for a destination are the same as the default values, you never have to add that destination to SKIP.

The router in Figure 2 has three VPN tunnels to Boston, 45.10.20.30, and RoadWarrior. The following commands set the default authentication algorithm for all destinations to MD5 and then specify that the algorithm used specifically for RoadWarrior is SHA.

SKIP Config <NET-5>SET AUTHENTICATION DEFAULT MD5SKIP Config <NET-5>SET AUTHENTICATION ROADWARRIOR SHA

Adding Certificates

Two peers computing a master encryption key must use certificates that have the same modulus length. This means you must add certificates whose length matches the modulus length the remote peer uses. For example, Sun Microsystems SunScreen SKIP for Windows uses a 1024-bit modulus, so a router connecting to that SunScreen SKIP client must also have a certificate that has a 1024-bit modulus.

1. Create a 1024-bit modulus certificate with the add certificate command.

SKIP Config <NET-5>add certificate 1024
New certificate's MD5/UDH signature is 9C2A-8448-3750-6266-29B8-2B02-3470-7098

When you add a certificate, the software displays the certificate's MD5/UDH signature.

2. Relay this signature to the administrator of the remote SKIP peer(s) you will exchange this certificate with. The remote SKIP peer uses this signature to authenticate UDH certificates it receives from this router.

CAUTION:
Do not send the signature over the network. Doing so compromises SKIP's security. Communicate secrets by telephone or paper.

Setting Local Names

SKIP peers use the signature of UDH certificates to authenticate the UDH certificates. See Authenticating UDH Certificates. To do so, the router uses the MD5 signature of its UDH certificate as the router's local name when it sends the certificate to the remote peer.

To set up the router to use the MD5/UDH signature as its local name, you must have already added a certificate with the add certificate command. You then enter the set local-name local/udh command followed by the modulus length of the certificate, 1024 in this example.

SKIP Config <NET-5>set local-name local/udh 1024

Note: You must set this parameter to local/UDH if you are using a dynamically-assigned IP address as the IP tunnel source address. This lets the receiving router identify the source of the packet even when it does not recognize the address in the outer IP header.

Setting Remote Names

If you are using UDH certificates, you must enter the MD5 signature of the remote SKIP peer's UDH certificate. You obtain this signature from the administrator of the remote peer. The local router uses this signature when it requests a certificate from the remote peer, which ensures that the remote peer sends the correct certificate. The signature also lets the local SKIP router validate the UDH certificate that the remote peer provides.

SKIP Config <NET-5> set remote-name jimmy md5/udh
Peer's MD5/UDH Signature? 626F-8EB4-27F4-8A4C-DEB9-DE6F-3FF2-58B3

Other SKIP Destination Parameters

The following table describes the remaining SKIP parameters that you can set for either the default configuration or for a specific destination. The table includes the authentication and encryption algorithms that SKIP uses.

Table 1 SKIP Parameters You Can Set Per Destination

Parameter Options Description

Authentication None
MD5
SHA
Sets the algorithm, if any, SKIP uses to sign outbound packets. This signature lets the receiver check that the packet was not tampered with or forged. See set authentication.

Authentication-Required disabled
enabled
If enabled, the SKIP accepts only signed packets. Doing so guarantees that every packet SKIP receives from the remote peer has a signature SKIP can validate before accepting the packet. The default is enabled.

Bulk-Encrypter None
DES-CBC
DES3-CBC
ARC4/40
ARC4/128
RC4/40
RC4/128
Sets the algorithm, if any, this router uses to encrypt IP user data before sending the data to the specified destination. The default is DES-CBC. See set bulk-encryption.
Note: The algorithms available depend on your hardware platform and on whether you are using hardware or software to run encryption.

Compression none
STAC-LZS
Sets the compression algorithm, if any, that SKIP uses to compress data packets before encrypting them. The default is none. See set compression.
Note: Sun Microsystems products do not support compression.

Compression performance low
medium
high
For routers that perform compression using hardware rather than software, you can set the compression ratio. See set compression performance.

Driver hardware
software
This command applies to router platforms that provide hardware to assist in running compression, encryption, and authentication. It lets you choose whether the router hardware or software performs these tasks. Performing these tasks using hardware rather than software results in better performance, and the default behavior is to use hardware. See set driver.

Master-Encrypter DES-CBC
DES3-CBC
SKIP generates a new short-term key periodically. This parameter sets the algorithm SKIP uses to encrypt the short-term key before sending the short-term key to the specified destination.

Rekey-Interval 30 to 3600 seconds
SKIP generates a new short-term key periodically. This parameter sets how often SKIP creates a new short-term key. The default is 60 seconds.

Secret (16-bytes)
If the remote peer does not support SKIP UDH, use this command to set a secret, called a master encryption key, on the local router. This secret must be identical to the secret the remote peer uses. See add secret.
Do not send the secret over the network. Doing so compromises SKIP's security. You should communicate secrets by telephone or paper.

Table 1 SKIP Parameters You Can Set Per Destination
Parameter	Options	Description
Authentication	None MD5 SHA	Sets the algorithm, if any, SKIP uses to sign outbound packets. This signature lets the receiver check that the packet was not tampered with or forged. See set authentication.
Authentication-Required	disabled enabled	If enabled, the SKIP accepts only signed packets. Doing so guarantees that every packet SKIP receives from the remote peer has a signature SKIP can validate before accepting the packet. The default is enabled.
Bulk-Encrypter	None DES-CBC DES3-CBC ARC4/40 ARC4/128 RC4/40 RC4/128	Sets the algorithm, if any, this router uses to encrypt IP user data before sending the data to the specified destination. The default is DES-CBC. See set bulk-encryption. Note: The algorithms available depend on your hardware platform and on whether you are using hardware or software to run encryption.
Compression	none STAC-LZS	Sets the compression algorithm, if any, that SKIP uses to compress data packets before encrypting them. The default is none. See set compression. Note: Sun Microsystems products do not support compression.
Compression performance	low medium high	For routers that perform compression using hardware rather than software, you can set the compression ratio. See set compression performance.
Driver	hardware software	This command applies to router platforms that provide hardware to assist in running compression, encryption, and authentication. It lets you choose whether the router hardware or software performs these tasks. Performing these tasks using hardware rather than software results in better performance, and the default behavior is to use hardware. See set driver.
Master-Encrypter	DES-CBC DES3-CBC	SKIP generates a new short-term key periodically. This parameter sets the algorithm SKIP uses to encrypt the short-term key before sending the short-term key to the specified destination.
Rekey-Interval	30 to 3600 seconds	SKIP generates a new short-term key periodically. This parameter sets how often SKIP creates a new short-term key. The default is 60 seconds.
Secret	(16-bytes)	If the remote peer does not support SKIP UDH, use this command to set a secret, called a master encryption key, on the local router. This secret must be identical to the secret the remote peer uses. See add secret. Do not send the secret over the network. Doing so compromises SKIP's security. You should communicate secrets by telephone or paper.

Preventing the Router from Sending Unencrypted Data Over the Internet

Figure 3 shows a VPN router that is also acting as the gateway to the Internet. In this scenario, if the IP Tunnel with SKIP goes down, the router sends traffic over the next best route. However, if that happens, the router could send traffic over an interface that does not use SKIP, which means the traffic would not be encrypted.

There are two ways to prevent the router from sending unencrypted packets

Set up static routes that cause the router to discard packets addressed to the remote tunnel endpoint if the IP Tunnel goes down. See Setting Up a Discard Route.
Set up IP filters that allow the router to send only SKIP-related traffic to the remote tunnel endpoint and that block all other traffic. See Creating Openings in a Firewall for SKIP Traffic.

Figure 3 VPN Router That Is Also An Internet Gateway Router

Setting Up a Discard Route

The following steps show how to set up duplicate static routes for a remote tunnel endpoint. If the IP Tunnel with SKIP goes down, these routes cause the router to discard traffic addressed to the remote tunnel endpoint, rather than send the traffic over a route that might not be set up to encrypt data.

1. Add a static route that causes the router to send traffic addressed to the remote tunnel endpoint (128.185.2.2) over the IP Tunnel interface (0.0.0.5).

IP config>ADD ROUTE
IP destination [0.0.0.0]?128.185.2.2
Address mask [0.0.0.0]? 255.255.255.0
Via gateway at [0.0.0.0]?0.0.0.5
Cost [1]?

2. Add a second static route to the same destination that causes the router to discard traffic addressed to the remote tunnel endpoint. The address mask of 255.255.255.255 causes the router to discard all traffic addressed to 128.185.2.2. The router uses the route only if the previous route via 0.0.0.5 goes down.

Note: Make sure the discard route has a cost that is greater than or equal to the cost of the route through the IP Tunnel. Otherwise, the router will send packets to the discard route instead of to the tunnel.

IP config>ADD ROUTE
IP destination [0.0.0.0]?128.185.2.2
Address mask [0.0.0.0]? 255.255.255.255
Via gateway at [0.0.0.0]?0.0.0.0
Cost [1]?

Creating Openings in a Firewall for SKIP Traffic

If you are using SKIP with GTSecure firewall filters, you must allow the following traffic through the firewall:

IP protocol type 57 (SKIP) to and from the Tunnel endpoint router. Type 57 packets contain SKIP encrypted and authenticated data.
UDP packets with port numbers 1639 and 1640. The SKIP Certificate Discovery Protocol uses these port numbers.
UDP packets with port number 9. UDP discard packets use port 9. SKIP uses these packets to test the reachability of the remote tunnel endpoint.

Creating Openings For SKIP in GTSecure IP Filters

If you are using SKIP with GTSecure IP filters, use the following commands to create a profile that contains three filters to allow SKIP traffic through the firewall. The destination address (da) shown here is an example. Use the actual destination address of the IP tunnel endpoint.

IP Filters Config>add profile passthruIP Filters Config>add filter passthru.skip dir=both da=128.185.2.2 protocol=skipIP Filters Config>add filter passthru.cdp dir=both da=128.185.2.2 prot=udp dp=1639-1640IP Filters Config>add filter passthru.discard dir=both da=128.185.2.2 prot=udp dp=9IP Filters Config>list filter passthru

Listing Filters
Name      Dir  Address              Port       Protocol    Idle
                                                     Action
---------------------------------------------------------------
skip      Both ida=128.185.2.2                 SKIP  Pass   Off
cdp       Both ida=128.185.2.2   idp=1639-1640 UDP   Pass   Off
discard   Both ida=128.185.2.2   idp=9         UDP   Pass   Off

After you create the profile, you need to attach it to an interface. Typically, you would attach the profile to the interface where your firewall is currently configured. The following example attaches the passthru profile to interface 5.

IP Filters Config>set interface 5 profiles = passthru

Since IP filters block all traffic, except traffic that you specifically allow by adding filters, the three filters just added create openings in the firewall for SKIP-related traffic. The router drops all traffic that does not match any filters.

Creating Openings For SKIP in NAT

If you are running NAT and SKIP in the same router, the NAT software automatically creates services that let SKIP traffic pass through the NAT interface.

If you are running IP Tunnels with SKIP and NAT on separate routers, you need to add the following services to your NAT configuration. Direct the services to the tunnel endpoint address in the tunnel router.

NAT Config>add service skip
Server's IP address [0.0.0.0]? 10.10.20.1
Server's local port (0 = no port translation) [0]?NAT Config>add service skipcdp
Server's IP address [0.0.0.0]? 10.10.20.1
Server's local port (0 = no port translation) [0]?NAT Config>add service discard
Server's IP address [0.0.0.0]? 10.10.20.1
Server's local port (0 = no port translation) [0]?

SKIP Commands

Table 2 describes the SKIP commands.

Press Space twice after you type a command to display the available parameters for each command. Enter help for information about using the command line interface.

[C] means the command is available at the SKIP Config <NET-#> prompt.

[M] means the command is available at the SKIP <NET-#> prompt.

Table 2 SKIP Commands

Command Description

Add [C] Adds certificates, remote peers, and secrets to the SKIP configuration.

Delete [C] Deletes certificates, remote peers, and secrets from the SKIP configuration.

Disable [C] [M] Disables authentication-required from a remote peer, which allows that peer to send packets that do not have a SKIP signature.

Enable [C] [M] Enables authentication-required on all packets the router receives from a remote peer

List [C] [M] Lists different configuration properties of SKIP.

Revert [M] Restores current configuration from permanent memory.

Save [M] Saves current (running) configuration to permanent memory.

Set [C] [M] Sets various SKIP parameters.

Table 2 SKIP Commands
Command	Description
Add [C]	Adds certificates, remote peers, and secrets to the SKIP configuration.
Delete [C]	Deletes certificates, remote peers, and secrets from the SKIP configuration.
Disable [C] [M]	Disables authentication-required from a remote peer, which allows that peer to send packets that do not have a SKIP signature.
Enable [C] [M]	Enables authentication-required on all packets the router receives from a remote peer
List [C] [M]	Lists different configuration properties of SKIP.
Revert [M]	Restores current configuration from permanent memory.
Save [M]	Saves current (running) configuration to permanent memory.
Set [C] [M]	Sets various SKIP parameters.

Add [C]

Adds certificates, remote peers, and secrets to the SKIP configuration.

Syntax: add

certificate
remote
secret

certificate

Creates the router's certificates. Enter a modulus length of 512, 1024, or 2048 after this command to select which certificate to add.

You must enter the same modulus length that the remote site uses because Diffie-Hellman requires the two parties computing a master encryption key to use the same modulus length.

When you add a certificate, the software runs the MD5 algorithm over the certificate to create a signature, and the software displays the certificate's MD5/UDH signature. Relay this signature to the administrator of the remote SKIP peer(s) you will exchange this certificate with. The remote SKIP peer uses this signature to authenticate UDH certificates it receives from this router.

CAUTION:
Do not send the signature over the network. Doing so compromises SKIP's security. Communicate secrets by telephone or paper.

Note: The router refuses this command if you have not set the time of day on the router. See Setting the Time on the Router.

Example: add certificate 1024

New certificate's MD5/UDH signature is 9C2A-8448-3750-6266-29B8-2B02-3470-7098

remote

Adds a SKIP definition for a specific remote peer. All other SKIP commands use the name you enter here.

Example: add remote

New remote destination name? jimmy

secret

Normally, SKIP peers compute the master encryption key, also called a shared secret, using SKIP UDH certificates. If the remote peer does not support SKIP UDH, use this command to set a shared secret for that peer. Once you add a secret for a destination, the router does not exchange certificates with this destination. To re-enable certificate discovery, delete the secret with the delete secret command.

Enter a 16-byte hexadecimal value as the secret. This secret must be identical to the secret the remote peer uses.

CAUTION:
Do not send the secret over the network. Doing so compromises SKIP's security. Communicate manually-created secrets by telephone or paper.

Example: add secret jimmy

Shared Secret? 28763249

Delete [C]

Deletes certificates, remote peers, and secrets from the SKIP configuration.

Syntax: delete

certificate
remote
secret

Disable [C] [M]

Disables authentication-required for a remote peer, which allows that peer to send packets that do not have a SKIP signature. Authentication-required is enabled by default because it defends against attackers who send forged packets to the router.

The following example disables authentication-required for the destination jimmy.

Syntax: disable authentication-required

Example: disable authentication-required jimmy

Enable [C] [M]

Enables authentication-required on all packets SKIP receives from the remote peer that you specify. Enabling authentication-required defends against attackers who send forged packets. The router drops unsigned packets.

The following example enables authentication-required on all destinations, except those for which you specifically disable authentication-required.

Syntax: enable authentication-required

Example: enable authentication-required default

List [C] [M]

This section explains list commands available at the SKIP configuration and monitoring prompts.

List [C]

Displays configuration parameters of the SKIP interface.

Syntax: list

certificate
driver
local-name
parameters
remote-name
secrets

certificate

Displays the certificates configured on the SKIP interface.

Example: list certificate

Mod.  Valid    Valid     Received                      Signature
Len   From      To         From
512  7/9/97  7/9/02 Local Config  9C6D-229C-20CC-98EB-862A-FB00-5DCC-117


Mod. Len	The modulus length of the certificate.
Valid From	The date the certificate was created. The certificate is not valid before this date.
Valid To	A certificate is valid until this date, which is five years after the certificate was created.
Received From	The source of the certificate. At the configuration prompt, this column always displays Local Config, which means the certificate is in the local router configuration.
Signature	Displays the signature of the certificate. You communicate this signature to the administrators of remote SKIP peers that will request this certificate.

driver

Shows whether you have your router set up to perform encryption, compression, and authentication using hardware or software. This feature is not available on all router platforms. See set driver.

Example: list driver

Destination     Driver
DEFAULT         HARDWARE
gtx1500-37      SOFTWARE

local-name

Lists the SKIP name types and values assigned as the local router's name when it sends packets to each remote destination. NSID is the name-space ID, or type, of name data included in each packet. Set a local name using set local-name. None means that no local name is set for the destination.

Example: list local-name

Destination     NSID           Local Name

DEFAULT         None

misty           None
skip-466        LOCAL/UDH      Local 1024-bit Certificate MD5 Signature
fancy           IPv4 Address   1.2.3.4

parameters

Displays the parameters used with each remote destination. SKIP uses most of these parameters only on outbound packets because incoming packets include parameters on how SKIP is to process the incoming packet. The only exception is the Drop Unsigned parameter. If the authentication-required parameter is enabled (Yes), SKIP drops incoming packets that are not signed.

This display also shows the use of DEFAULT as a destination. The DEFAULT entry defines the characteristics of all remote destinations unless you specifically define an alternate value for those destinations. In the following example, the values explicitly changed with a set command were the bulk and authentication algorithms for the destination boston and the bulk and data compression algorithms for the destination misty. All other parameters use the default values.

Example: list parameters

Destination Master    Bulk      Auth      Comp    Comp  Drop    Rekey 
            Algorithm Algorithm Algorithm Algorithm Perf  Unsign Interval
DEFAULT     DES-CBC   DES-CBC   MD5       NONE     HIGH  NO      30 
boston      DES-CBC   RC4/128   SHA       NONE     HIGH  NO      30 
misty       DES-CBC   ARC4/128  SHA       STAC-LZS N/A   NO      30

remote-name

Lists the SKIP name types and values assigned as the name the remote router uses in packets it sends to this router. NSID is the name-space ID, or type, of name data included in each packet. Set a remote name using set remote-name. None means that no remote name is set for the destination.

Example: list remote-name

Destination     NSID            Remote Name       

50.10.20.30     None
misty           MD5/UDH         DB5E-D8C4-BEF1-1BE0-3BA2-13D8-B1F5-63FC
skip-466        MD5/UDH         2D69-840F-D017-32E4-3DB4-FEF5-2722-32F4
fancy           IPv4 Address    50.1.1.1

secrets

Displays secrets you added for specific remote destinations.

Note: You can enter this command only if you have administrative access to the router.

Example: list secrets

Destination Secret 

fancy      28763249 87362928 37664364 78929283 76464783 64928762

List [M]

Displays connection information and configuration parameters for remote SKIP peers.

Syntax: list

certificates
driver
local-name
receive counters
receive parameters
remote-name
secrets
transmit counters
transmit parameters

certificates

Lists the certificates the router owns as well as certificates the router learned from other SKIP peers.

The Received From column shows the source of each certificate. At the monitoring prompt, this column displays the IP address of other routers and clients from which the router received certificates.

Example: list certificates

Mod.  Valid    Valid     Received                    Signature
Len   From      To         From
 512 7/9/97 7/9/02 Local Config 9C6D-229C-20CC-98EB-862A-FB00-5DCC-117
1024 9/8/97 9/8/02 Local Config FC56-129A-D8AC-A9BC-09F6-1EFB-CFA9-2131

driver

Shows whether you have your router set up to perform encryption, compression, and authentication using hardware or software. This feature is not available on all router platforms. See set driver.

Example: list driver

Destination     Driver
DEFAULT         HARDWARE
gtx1500-37      SOFTWARE

local-name

Lists the SKIP name, types, and values assigned as the local router's name when it sends packets to each remote destination. The NSID is the name space ID, or type, of name data included in each packet.

Example: list local-name

Destination     NSID            Local Name        

misty           None

receive counters

Displays statistics counters for each remote destination. These counters describe the packets the router received from those remote peers.

Note: The software counts packets as both encrypted and authenticated if SKIP performs both operations on the packet payload.

Example: list receive counters

Destination   Unrecog     Auth      Auth   Encrypted   Decrypt  Payload 
              Packets   Packets    Errors   Packets    Errors   Bytes

misty         0          22         0        22         0       12877


Unrecog Packets	SKIP packets (IP protocol 57) that were unrecognized because they had one of the following: An invalid SKIP version (1.0 is the valid version). Name Space ID does not match those configured for the remote destination. Local router does not support the algorithm used. Invalid Security Parameter Indices (1 is valid).
Auth Packets	Packets received that were signed.
Auth Errors	Signed packets the router dropped because their signature was the incorrect length for the selected algorithm or because the signature computed on the incoming packet did not match the signature in the packet. (A mismatched signature indicates the packet may have been corrupted or tampered with during transmission).
Encrypted Packets	Packets received that were encrypted.
Decrypt Errors	Number of encrypted packets whose decryption failed. None of the encryption algorithms OpenROUTE supports can fail, so this counter is always zero.
Payload bytes	Number of bytes received within SKIP packets, not including the SKIP packet header or signature data.

The router generates Event Logging System (ELS) messages whenever it detects an error.

receive parameters

Lists the SKIP algorithms remote peers selected and included in packets the local router most recently received. The only exception is the Drop Unsigned column. If this value is Yes, the local router discards unsigned packets.

Example: list receive parameters

                        Received Packet Parameters

Destination     Master     Bulk       Auth       Comp        Drop    
                Algorithm  Algorithm  Algorithm  Algorithm   Unsigned  
misty           DES-CBC    DES-CBC    MD5        STAC-LZS    NO

remote-name

Lists the SKIP NSID (name space ID) you set for this remote peer using the set remote-name command.

Example: list remote-name

Destination     NSID            Remote Name        

misty           MD5/UDH         DB5E-D8C4-BEF1-1BE0-3BA2-13D8-B1F5-63FC

secrets

Displays the shared secret, also called the master encryption key, for each destination, whether manually configured or computed from the local router's private key and the remote peer's public key.

Note: The router accepts this command only if you have Administrative-level authorization on the router.

Example: list secrets

Destination     Secret

misty           AFEBE802 1705E74E 17F20A20 7FD6DAEF BC9D04BE 541A0E5A 3D2E860C CEBB48AB

transmit counters

The router keeps statistics counters for each remote destination. Most of these counters describe packets the router sent to each remote destination.

Example: list transmit counters

Destination    Auth      Encrypted     Payload      Compress 
               Packets   Packets       Bytes        Ratio    
misty          499       499           148504       1.63:1


Auth Packets	Packets signed before transmission.
Encrypted Packets	Packets transmitted with encryption. If SKIP is configured to encrypt and sign packets, each packet causes this counter and the Auth Packets counter to increment.
Payload Bytes	Number of bytes transmitted via SKIP, not including the SKIP packet headers, signature data, or data compression.
Compress Ratio	Compression factor for data the router recently sent to the specified destination. This counter is always 1.00:1 if compression is disabled. The actual amount of data sent into the IP tunnel is approximately the number of payload bytes divided by the compression ratio.

transmit parameters

Displays the SKIP parameters the local router uses when it transmits packets to each remote peer.

Example: list transmit parameters

Transmitted Packet Parameters

Destination  Master     Bulk      Auth      Comp      Comp   Rekey 
             Algorithm  Algorithm Algorithm Algorithm Perf   Interval 

misty        DES-CBC    DES-CBC   MD5       STAC-LZS  LOW    60   
bentley      DES-CBC    ARC4/128  MD5       STAC-LZS  N/A    60

Revert [M]

If you make configuration changes at the SKIP <NET-#> prompt, this command restores the saved configuration for the destination that you specify.

Example: revert

destination

Save [M]

Saves changes you make at the SKIP <NET-#> prompt for the destination you specify to permanent memory so they are still present after you restart the router.

Example: save

destination?

Set [C] [M]

Sets various SKIP parameters.

Syntax: set

authentication
bulk-encryption
compression
compression performance
driver
local-name
master-encrypter
rekey-interval
remote-name

authentication

Sets the authentication algorithm, if any, SKIP uses to sign packets before sending them. By checking incoming packets against an authentication algorithm, the SKIP receiver can verify that the packet was not tampered with or forged.

You can specify an algorithm to use as the default or for packets destined to a specific peer. You can set the authentication algorithm to None, MD5 (Message-Digest Algorithm), or SHA (Secure Hash Algorithm). The default is MD5.

This command does not affect the algorithm used to authenticate incoming packets. That algorithm is specified in the incoming packets.

The following example sets up SKIP to sign packets it sends to jimmy using the SHA.

Example: set authentication jimmy sha

None

SKIP does not sign packets it sends to the destination you specify.

MD5

SKIP signs packets using the RSA Data Security, Inc. MD5 Message-Digest Algorithm (RFC-1828).

SHA

SKIP signs packets using the Secure Hash Algorithm (NIST FIPS-180).

None	SKIP does not sign packets it sends to the destination you specify.
MD5	SKIP signs packets using the RSA Data Security, Inc. MD5 Message-Digest Algorithm (RFC-1828).
SHA	SKIP signs packets using the Secure Hash Algorithm (NIST FIPS-180).

bulk-encryption

Sets the encryption algorithm SKIP uses to encrypt user data before sending the data to the specified destination. The default is DES-CBC.

The algorithms available for this command varies depending on which software you have purchased and whether you are using hardware or software to run encryption.

This command does not affect the algorithm used to decrypt incoming packets. That algorithm is specified in the incoming packets.

The following example configures SKIP to encrypt packets it sends to jimmy using DES3-CBC.

Example: set bulk-encryption jimmy DES3-CBC

None

SKIP does not encrypt data it sends to the destination you specify.

DES-CBC

Data Encryption Standard (DES) with Chaining (RFC-1829). DES-CBC can be exported from the United States.

DES3-CBC

Triple DES with Chaining (RFC-1851). DES3-CBC cannot be exported from the United States.

ARC4/40

ARC4 with 40-bit keys. ARC4/40 can be exported from the United States. (This algorithm is available only if you are using software to run encryption.)

ARC4/128

ARC4 with 128-bit keys. ARC4/128 cannot be exported from the United States. (This algorithm is available only if you are using software to run encryption.)

RC4/40

RC4 with 40-bit keys. RC4/40 can be exported from the United States. (This algorithm is available only if you are using hardware to run encryption.)

RC4/128

RC4 with 128-bit keys. ARC4/128 cannot be exported from the United States. (This algorithm is available only if you are using hardware to run encryption.)

None	SKIP does not encrypt data it sends to the destination you specify.
DES-CBC	Data Encryption Standard (DES) with Chaining (RFC-1829). DES-CBC can be exported from the United States.
DES3-CBC	Triple DES with Chaining (RFC-1851). DES3-CBC cannot be exported from the United States.
ARC4/40	ARC4 with 40-bit keys. ARC4/40 can be exported from the United States. (This algorithm is available only if you are using software to run encryption.)
ARC4/128	ARC4 with 128-bit keys. ARC4/128 cannot be exported from the United States. (This algorithm is available only if you are using software to run encryption.)
RC4/40	RC4 with 40-bit keys. RC4/40 can be exported from the United States. (This algorithm is available only if you are using hardware to run encryption.)
RC4/128	RC4 with 128-bit keys. ARC4/128 cannot be exported from the United States. (This algorithm is available only if you are using hardware to run encryption.)

compression

Sets the compression algorithm the router uses to compress user data before sending the data to the specified destination. The default is None.

This command does not affect the algorithm used to decompress incoming packets. That algorithm is specified in the incoming packets.

The following example configures the router to compress packets it sends to jimmy using the STAC-LZS algorithm.

Example: set compression jimmy stac-lzs

none

The router does not compress user data to this destination.

STAC-LZS

The router uses the STAC-LZS algorithm to compress data to this destination.

none	The router does not compress user data to this destination.
STAC-LZS	The router uses the STAC-LZS algorithm to compress data to this destination.

compression performance

This command applies to router platforms that contain hardware that can perform compression.

If your router is set up to run compression using hardware (see set driver), this command lets you set the compression ratio to high, medium, or low for a specified destination. The default is high.

Generally, a higher compression ratio takes more time to process on the router, but results in a smaller amount of data being sent over a link. Therefore, a high compression ratio is preferred for lower-speed links. On high-speed connections, sending a smaller amount of data is not as crucial, so you could use a lower compression ratio, which takes less processing time on the router.

You can set a different compression ratio for different destinations. The following example sets compression performance for the destination jimmy to low.

Example: set compression performance jimmy low

low

Low compression ratio, high traffic throughput. This selection is preferred for high-speed connections.

medium

Medium compression ratio, average traffic throughput.

high

High compression ratio, lower traffic throughput. This selection is preferred for low-speed performance.

low	Low compression ratio, high traffic throughput. This selection is preferred for high-speed connections.
medium	Medium compression ratio, average traffic throughput.
high	High compression ratio, lower traffic throughput. This selection is preferred for low-speed performance.

driver

This command applies to router platforms that provide hardware to assist in running compression, encryption, and authentication. It lets you choose whether the router hardware or software performs these tasks. Performing these tasks using hardware rather than software results in better performance, and the default behavior is to use hardware.

As new algorithms become available, there may be circumstances where software provides support for these new algorithms before hardware supports them. Therefore, you may want the software to perform compression or authentication. You may also need to set this command to software to be compatible with equipment at the other end of some tunnels.

Note: If your router does not contain the hardware that runs compression, encryption, and authentication, the only option available with this command is software.

Like other SKIP commands, you can set the driver to hardware or software for different tunnels. The following example selects the driver for the destination jimmy to software.

Example: set driver jimmy software

hardware

Rotuer hardware performs compression, encryption, and authentication.

software

Router software performs compression, encryption, and authentication.

hardware	Rotuer hardware performs compression, encryption, and authentication.
software	Router software performs compression, encryption, and authentication.

local-name

Defines whether SKIP includes a name in the SKIP header to identify itself to remote peers. If SKIP does include a name, this parameter sets the type and value of the name that identifies the local router. SKIP includes this information in packets the router sends to the specified destination. The options are IPv4-address, Local/UDH, or None.

Using the local MD5/UDH signature as the name of the router allows the router to hold one certificate for each length modulus. Each certificate has a different signature, so remote sites can be configured (by specifying the appropriate signature) to request the certificate that matches their own certificate's modulus.

Example: set local-name default IPv4-address

IPv4 Address [0.0.0.0]?

Example: set local-name boston local/udh 512

None

SKIP does not include a name in the SKIP header to identify itself. The remote SKIP peer identifies this local router solely by the source IP address in packets the local router sends.

Local/UDH

Uses an MD5 signature as the local router's name. You must have already added a certificate with the add certificate command. You must include the modulus length of the certificate you added, either 512, 1024, or 2048.

IPv4-address

Lets you enter an IP address to use as the local router's name. This option is used with third-party Certificate Authorities, which this SKIP implementation does not currently support.

None	SKIP does not include a name in the SKIP header to identify itself. The remote SKIP peer identifies this local router solely by the source IP address in packets the local router sends.
Local/UDH	Uses an MD5 signature as the local router's name. You must have already added a certificate with the add certificate command. You must include the modulus length of the certificate you added, either 512, 1024, or 2048.
IPv4-address	Lets you enter an IP address to use as the local router's name. This option is used with third-party Certificate Authorities, which this SKIP implementation does not currently support.

master-encrypter

Sets the algorithm SKIP uses to encrypt the short-term key before sending the key to the specified destination.

This command does not affect the algorithm used to decrypt the short-term key in inbound packets. That algorithm is specified in the incoming packets.

Press Space twice after you type the destination name and the software displays a list of encryption types available on your router.

Example: set master-encrypter default

The choices/prefixes are (a complete list):
DES-CBC   -- Data Encryption Standard with Chaining (RFC-1829)
DES3-CBC  -- Triple DES (Data Encryption Standard) with Chaining (RFC-1851)
SKIP Config <NET-5> set master-encrypter default DES3-CBC


DES-CBC	Data Encryption Standard (DES) with Chaining (RFC-1829).
DES3-CBC	Triple DES with Chaining (RFC-1851). DES3-CBC cannot be exported from the United States.

rekey-interval

Sets how often, in seconds, the router changes its short-term key for the destination you specify. The default is 60 seconds. The range is 30 to 3600 seconds.

Example: set rekey-interval default

Rekey Interval? 30

remote-name

Sets the type and value of the SKIP name to expect from the remote SKIP peer. This name identifies the remote destination you specify.

If you are using SKIP certificates, you must set this parameter to MD5/UDH and enter the signature of the remote SKIP peer's UDH certificate. You obtain this signature from the administrator of the remote peer. The local router uses this signature when it requests a certificate from the remote peer, which ensures that the remote peer sends the correct certificate. The signature also lets the local SKIP router validate the certificate that the remote peer provides.

The default is None. The following example sets an MD5 signature for the remote SKIP peer called jimmy.

Example: set remote-name jimmy md5/udh

Peer's MD5/UDH Signature? 9C2A-8448-3750-6266-29B8-2B02-3470-7098


None	The remote SKIP peer does not include additional information in the SKIP header to identify itself.
MD5/UDH	The remote peer includes the 16-byte UDH certificate signature you enter here in packets it sends to this SKIP peer. The local SKIP peer uses this signature to request the remote unit's certificate and to validate the certificate once it is received.
IPv4-address	Lets you enter an IP address to use as the local router's name. This option is used with third-party Certificate Authorities, which this SKIP implementation does not currently support.

[Top] [Prev] [Next] [Bottom]

docs@openroute.com