Home » HP Manuals » Servers » HP 6125XLG » Manual Viewer

HP 6125XLG R2306-HP 6125XLG Blade Switch Security Configuration Guide - Page 240

Enabling invalid SPI recovery, Setting the limit on the number of IKE SAs

Add to My Manuals
Save this manual to your list of manuals

Page 240 highlights

4. If the local device receives no response after two retries, the device considers the peer is dead, and deletes the IKE SA along with the IPsec SAs it negotiated. 5. If the local device receives a response from the peer during the detection process, the peer is considered alive. The local device performs a DPD detection again when the triggering interval is reached or it has traffic to send, depending on the DPD mode. Follow these guidelines when you configure the IKE DPD function: • When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply. • It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection is not triggered during a DPD retry. To configure IKE DPD: Step 1. Enter system view. 2. Enable sending IKE DPD messages. Command Remarks system-view N/A ike dpd interval interval-seconds [ retry seconds ] { on-demand | periodic } By default, IKE DPD is disabled. Enabling invalid SPI recovery An IPsec "black hole" occurs when one IPsec peer fails (for example, a peer can fail if a reboot occurs). One peer fails and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA. Because no IKE SA is available, the notification is not sent. The originating peer continues sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic. The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up. Use caution when enabling the invalid SPI recovery feature because using this feature can result in a DoS attack. Attackers can fabric a great number of invalid SPI notifications to the same peer. To enable invalid SPI recovery: Step 1. Enter system view. 2. Enable invalid SPI recovery. Command system-view ike invalid-spi-recovery enable Remarks N/A By default, the invalid SPI recovery is disabled. Setting the limit on the number of IKE SAs You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs. 231

Section	Page
Title Page	1
Contents	3
Configuring AAA	10
Overview	10
RADIUS	11
Client/server model	11
Information exchange security mechanism	11
User authentication mechanisms	11
Basic RADIUS packet exchange process	12
RADIUS packet format	13
Extended RADIUS attributes	15
HWTACACS	16
Differences between HWTACACS and RADIUS	16
Basic HWTACACS packet exchange process	16
LDAP	18
LDAP directory service	18
LDAP authentication and authorization	18
Basic LDAP packet exchange process	19
AAA implementation on the device	20
User management based on ISP domains and user access types	20
AAA methods	21
AAA for MPLS L3VPNs	22
Protocols and standards	22
RADIUS attributes	23
Commonly used standard RADIUS attributes	23
HP proprietary RADIUS sub-attributes	24
FIPS compliance	26
AAA configuration considerations and task list	26
Configuring AAA schemes	27
Configuring local users	27
Local user configuration task list	28
Configuring local user attributes	28
Configuring user group attributes	30
Displaying and maintaining local users and local user groups	31
Configuring RADIUS schemes	31
Configuration task list	31
Creating a RADIUS scheme	32
Specifying the RADIUS authentication servers	32
Specifying the RADIUS accounting servers and the relevant parameters	33
Specifying the shared keys for secure RADIUS communication	34
Specifying a VPN for the scheme	34
Setting the username format and traffic statistics units	34
Setting the maximum number of RADIUS request transmission attempts	35
Setting the status of RADIUS servers	35
Specifying the source IP address for outgoing RADIUS packets	36
Setting RADIUS timers	37
Configuring the accounting-on feature	38
Configuring the IP addresses of the security policy servers	39
Displaying and maintaining RADIUS	39
Configuring HWTACACS schemes	39
Configuration task list	39
Creating an HWTACACS scheme	40
Specifying the HWTACACS authentication servers	40
Specifying the HWTACACS authorization servers	41
Specifying the HWTACACS accounting servers	41
Specifying the shared keys for secure HWTACACS communication	42
Specifying a VPN for the scheme	42
Setting the username format and traffic statistics units	43
Specifying the source IP address for outgoing HWTACACS packets	43
Setting HWTACACS timers	44
Displaying and maintaining HWTACACS	45
Configuring LDAP schemes	46
Configuration task list	46
Creating an LDAP server	46
Configuring the IP address of the LDAP server	46
Specifying the LDAP version	46
Setting the LDAP server timeout period	47
Configuring administrator attributes	47
Configuring LDAP user attributes	47
Creating an LDAP scheme	48
Specifying the LDAP authentication server	48
Displaying and maintaining LDAP	48
Configuring AAA methods for ISP domains	49
Configuration prerequisites	49
Creating an ISP domain	49
Configuring ISP domain status	50
Configuring authentication methods for an ISP domain	50
Configuration prerequisites	50
Configuration guidelines	50
Configuration procedure	50
Configuring authorization methods for an ISP domain	51
Configuration prerequisites	51
Configuration guidelines	51
Configuration procedure	51
Configuring accounting methods for an ISP domain	52
Configuration prerequisites	52
Configuration guidelines	52
Configuration procedure	52
Enabling the session-control feature	53
Displaying and maintaining AAA	53
AAA configuration examples	54
AAA for SSH users by an HWTACACS server	54
Network requirements	54
Configuration procedure	54
Verifying the configuration	55
Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users	55
Network requirements	55
Configuration procedure	56
Verifying the configuration	57
Authentication and authorization for SSH users by a RADIUS server	57
Network requirements	57
Configuration procedure	57
Verifying the configuration	60
Authentication for SSH users by an LDAP server	60
Network requirements	60
Configuration procedure	60
Verifying the configuration	65
Troubleshooting RADIUS	65
RADIUS authentication failure	65
Symptom	65
Analysis	65
Solution	65
RADIUS packet delivery failure	65
Symptom	65
Analysis	65
Solution	66
RADIUS accounting error	66
Symptom	66
Analysis	66
Solution	66
Troubleshooting HWTACACS	66
Troubleshooting LDAP	66
Symptom	66
Analysis	66
Solution	67
802.1X overview	68
802.1X architecture	68
Controlled/uncontrolled port and port authorization status	68
802.1X-related protocols	69
Packet formats	70
EAP packet format	70
EAPOL packet format	70
EAP over RADIUS	71
EAP-Message	71
Message-Authenticator	71
Initiating 802.1X authentication	71
802.1X client as the initiator	71
Access device as the initiator	72
802.1X authentication procedures	72
A comparison of EAP relay and EAP termination	73
EAP relay	73
EAP termination	75
Configuring 802.1X	77
HP implementation of 802.1X	77
Configuration prerequisites	77
802.1X configuration task list	77
Enabling 802.1X	78
Enabling EAP relay or EAP termination	78
Setting the port authorization state	79
Specifying an access control method	79
Setting the maximum number of concurrent 802.1X users on a port	79
Setting the maximum number of authentication request attempts	80
Setting the 802.1X authentication timeout timers	80
Configuring the online user handshake function	81
Configuring the authentication trigger function	81
Configuration guidelines	82
Configuration procedure	82
Specifying a mandatory authentication domain on a port	82
Configuring the quiet timer	83
Enabling the periodic online user re-authentication function	83
Displaying and maintaining 802.1X	84
802.1X authentication configuration example	84
Network requirements	84
Configuration procedure	84
Verifying the configuration	86
Configuring MAC authentication	87
Overview	87
User account policies	87
Authentication methods	87
Configuration prerequisites	88
Configuration task list	88
Enabling MAC authentication	88
Specifying a MAC authentication domain	89
Configuring the user account format	89
Configuring MAC authentication timers	90
Setting the maximum number of concurrent MAC authentication users on a port	90
Displaying and maintaining MAC authentication	91
Local MAC authentication configuration example	91
Network requirements	91
Configuration procedure	91
Verifying the configuration	92
RADIUS-based MAC authentication configuration example	93
Network requirements	93
Configuration procedure	93
Verifying the configuration	94
Configuring port security	96
Overview	96
Port security features	96
NTK	96
Intrusion protection	96
Port security modes	96
Controlling MAC address learning	98
Performing 802.1X authentication	98
Performing MAC authentication	98
Performing a combination of MAC authentication and 802.1X authentication	98
Configuration task list	99
Enabling port security	99
Setting port security's limit on the number of secure MAC addresses on a port	100
Setting the port security mode	100
Configuring port security features	101
Configuring NTK	101
Configuring intrusion protection	102
Configuring secure MAC addresses	103
Configuration prerequisites	103
Configuration procedure	103
Ignoring authorization information from the server	104
Displaying and maintaining port security	104
autoLearn configuration example	105
Network requirements	105
Configuration procedure	105
Verifying the configuration	105
userLoginWithOUI configuration example	106
Network requirements	106
Configuration procedure	107
Verifying the configuration	108
macAddressElseUserLoginSecure configuration example	110
Network requirements	110
Configuration procedure	110
Verifying the configuration	111
Troubleshooting port security	113
Cannot set the port security mode	113
Symptom	113
Analysis	113
Solution	113
Cannot configure secure MAC addresses	113
Symptom	113
Analysis	113
Solution	113
Configuring password control	114
Overview	114
Password setting	114
Minimum password length	114
Password composition policy	114
Password complexity checking policy	115
Password updating and expiration	115
Password updating	115
Password expiration	115
Early notice on pending password expiration	115
Login with an expired password	116
Password history	116
User login control	116
First login	116
Login attempt limit	116
Maximum account idle time	116
Password not displayed in any form	117
Logging	117
FIPS compliance	117
Password control configuration task list	117
Enabling password control	117
Setting global password control parameters	118
Setting user group password control parameters	119
Setting local user password control parameters	119
Setting super password control parameters	120
Displaying and maintaining password control	121
Password control configuration example	121
Network requirements	121
Configuration procedure	122
Verifying the configuration	123
Managing public keys	124
Overview	124
FIPS compliance	124
Creating a local key pair	125
Configuration guidelines	125
Configuration procedure	125
Distributing a local host public key	126
Exporting a host public key in a specific format to a file	126
Displaying a host public key in a specific format and saving it to a file	126
Displaying a host public key	127
Destroying a local key pair	127
Configuring a peer public key	128
Importing a peer host public key from a public key file	128
Entering a peer public key	128
Displaying and maintaining public keys	129
Example for entering a peer public key	129
Network requirements	129
Configuration procedure	129
Verifying the configuration	130
Example for importing a public key from a public key file	131
Network requirements	131
Configuration procedure	131
Verifying the configuration	133
Configuring SSH	134
Overview	134
How SSH works	134
SSH authentication methods	135
FIPS compliance	136
Configuring the device as an SSH server	136
SSH server configuration task list	136
Generating local DSA or RSA key pairs	136
Configuration guidelines	137
Configuration procedure	137
Enabling the SSH server function	137
Enabling the SFTP server function	137
Configuring the user interfaces for Stelnet clients	138
Configuring a client's host public key	138
Configuring an SSH user	139
Configuration guidelines	139
Configuration procedure	140
Setting the SSH management parameters	140
Configuring the device as an Stelnet client	141
Stelnet client configuration task list	141
Specifying a source IP address or source interface for the Stelnet client	142
Establishing a connection to an Stelnet server	142
Configuring the device as an SFTP client	144
SFTP client configuration task list	144
Specifying a source IP address or source interface for the SFTP client	144
Establishing a connection to an SFTP server	144
Working with SFTP directories	146
Working with SFTP files	146
Displaying help information	146
Terminating the connection with the SFTP server	147
Configuring the device as an SCP client	147
Displaying and maintaining SSH	148
Stelnet configuration examples	149
Password authentication enabled Stelnet server configuration example	149
Network requirements	149
Configuration procedure	149
Publickey authentication enabled Stelnet server configuration example	151
Network requirements	151
Configuration procedure	152
Password authentication enabled Stelnet client configuration example	157
Network requirements	157
Configuration procedure	157
Publickey authentication enabled Stelnet client configuration example	160
Network requirements	160
Configuration procedure	160
SFTP configuration examples	162
Password authentication enabled SFTP server configuration example	162
Network requirements	162
Configuration procedure	162
Publickey authentication enabled SFTP client configuration example	164
Network requirements	164
Configuration procedure	164
SCP file transfer with password authentication	167
Network requirements	167
Configuration procedure	168
Configuring IP source guard	170
Overview	170
Static IP source guard binding entries	170
Dynamic IPv4 source binding entries	171
IP source guard configuration task list	171
Configuring the IPv4 source guard function	171
Enabling IPv4 source guard on an interface	171
Configuring a static IPv4 source guard binding entry on an interface	172
Configuring the IPv6 source guard function	173
Enabling IPv6 source guard on an interface	173
Configuring a static IPv6 source guard binding entry on an interface	173
Displaying and maintaining IP source guard	174
Static IPv4 source guard configuration example	174
Network requirements	174
Configuration procedure	175
Dynamic IPv4 source guard using DHCP snooping configuration example	176
Network requirements	176
Configuration procedure	177
Verifying the configuration	177
Dynamic IPv4 source guard using DHCP relay configuration example	178
Network requirements	178
Configuration procedure	178
Verifying the configuration	178
Static IPv6 source guard configuration example	179
Network requirements	179
Configuration procedure	179
Verifying the configuration	179
Configuring ARP attack protection	180
ARP attack protection configuration task list	180
Configuring unresolvable IP attack protection	180
Configuring ARP source suppression	181
Enabling ARP black hole routing	181
Displaying and maintaining unresolvable IP attack protection	181
Configuration example	181
Network requirements	181
Configuration considerations	182
Configuration procedure	182
Configuring ARP packet rate limit	182
Configuration guidelines	183
Configuration procedure	183
Configuring source MAC-based ARP attack detection	183
Configuration procedure	183
Displaying and maintaining source MAC-based ARP attack detection	184
Configuration example	184
Network requirements	184
Configuration considerations	185
Configuration procedure	185
Configuring ARP packet source MAC consistency check	186
Configuring ARP active acknowledgement	186
Configuring ARP detection	186
Configuring user validity check	186
Configuration guidelines	187
Configuration procedure	187
Configuring ARP packet validity check	187
Configuring ARP restricted forwarding	188
Displaying and maintaining ARP detection	188
User validity check and ARP packet validity check configuration example	189
Network requirements	189
Configuration procedure	189
Configuring ARP automatic scanning and fixed ARP	190
Configuration guidelines	190
Configuration procedure	191
Configuring ARP gateway protection	191
Configuration guidelines	191
Configuration procedure	191
Configuration example	192
Network requirements	192
Configuration procedure	192
Configuring ARP filtering	192
Configuration guidelines	192
Configuration procedure	193
Configuration example	193
Network requirements	193
Configuration procedure	193
Configuring uRPF	195
uRPF check modes	195
uRPF operation	195
Network application	198
Configuration procedure	198
Displaying and maintaining uRPF	199
Configuration example	199
Network requirements	199
Configuration procedure	199
Configuring FIPS	200
Overview	200
Configuration restrictions and guidelines	200
Configuring FIPS mode	201
Entering FIPS mode	201
Automatic reboot	201
Manual reboot	201
Configuration changes in FIPS mode	202
FIPS self-tests	203
Power-up self-tests	203
Conditional self-tests	203
Triggering self-tests	203
Displaying and maintaining FIPS	204
FIPS configuration examples	204
Entering FIPS mode through automatic reboot	204
Network requirements	204
Configuration procedure	204
Verifying the configuration	204
Entering FIPS mode through manual reboot	205
Network requirements	205
Configuration procedure	205
Verifying the configuration	206
Configuring IPsec	207
Overview	207
Security protocols and encapsulation modes	207
Security protocols	207
Encapsulation modes	208
Security association	209
Authentication and encryption	209
Authentication algorithms	209
Encryption algorithms	210
IPsec implementation	210
ACL-based IPsec	210
Protocols and standards	211
FIPS compliance	211
IPsec tunnel establishment	211
Implementing ACL-based IPsec	211
Feature restrictions and guidelines	211
ACL-based IPsec configuration task list	211
Configuring an ACL	212
Keywords in ACL rules	212
Mirror image ACLs	213
Configuring an IPsec transform set	213
Configuring a manual IPsec policy	215
Configuration restrictions and guidelines	215
Configuration procedure	215
Configuring an IKE-based IPsec policy	216
Configuration restrictions and guidelines	217
Directly configuring an IKE-based IPsec policy	217
Configuring an IKE-based IPsec policy by referencing an IPsec policy template	218
Applying an IPsec policy to an interface	220
Enabling ACL checking for de-encapsulated packets	221
Configuring the IPsec anti-replay function	221
Binding a source interface to an IPsec policy	222
Enabling QoS pre-classify	222
Enabling logging of IPsec packets	223
Configuring the DF bit of IPsec packets	223
Displaying and maintaining IPsec	224
IPsec configuration examples	225
Configuring a manual mode IPsec tunnel for IPv4 packets	225
Network requirements	225
Configuration procedure	225
Verifying the configuration	227
Configuring an IKE-based IPsec tunnel for IPv4 packets	227
Network requirements	227
Configuration procedure	228
Verifying the configuration	230
Configuring IKE	231
Overview	231
IKE negotiation process	231
IKE security mechanism	232
Identity authentication	232
DH algorithm	232
PFS	233
Protocols and standards	233
FIPS compliance	233
IKE configuration prerequisites	233
IKE configuration task list	233
Configuring an IKE profile	234
Configuring an IKE proposal	236
Configuring an IKE keychain	237

Match case Limit results 1 per page

231

If the local device receives no response after two retries, the device considers the peer is dead, and

deletes the IKE SA along with the IPsec SAs it negotiated.

If the local device receives a response from the peer during the detection process, the peer is

considered alive. The local device performs a DPD detection again when the triggering interval is

reached or it has traffic to send, depending on the DPD mode.

Follow these guidelines when you configure the IKE DPD function:

•

When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE

profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.

•

It is a good practice to set the triggering interval longer than the retry interval so that a DPD

detection is not triggered during a DPD retry.

To configure IKE DPD:

Step

Command

Remarks

Enter system view.

system-view

N/A

Enable sending IKE DPD

messages.

ike dpd interval

interval-seconds

[

retry

seconds

]

{

on-demand

periodic

}

By default, IKE DPD is disabled.

Enabling invalid SPI recovery

An IPsec "black hole" occurs when one IPsec peer fails (for example, a peer can fail if a reboot occurs).

One peer fails and loses its SAs with the other peer. When an IPsec peer receives a data packet for

which it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to

send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA.

Because no IKE SA is available, the notification is not sent. The originating peer continues sending the

data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.

The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that

an SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the

IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up.

Use caution when enabling the invalid SPI recovery feature because using this feature can result in a DoS

attack. Attackers can fabric a great number of invalid SPI notifications to the same peer.

To enable invalid SPI recovery:

Step

Command

Remarks

Enter system view.

system-view

N/A

Enable invalid SPI recovery.

ike invalid-spi-recovery enable

By default, the invalid SPI recovery

is disabled.

Setting the limit on the number of IKE SAs

You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs.