Master Key Generation and Distribution
Master Keys are only generated and distributed …
• on request of the FOXMAN-UN when deploying an encrypted tunnel, or
• on request from the FOXMAN-UN ESM.
Master Keys are generated for a particular LSP and distributed to all MPLS tunnel endpoints terminating this LSP.
In the SENC1 Crypto Engine the new Master Key is stored in the Master Key bank that is currently not in use. Switching the active Master Key over to the newly deployed one is a separate step and follows the procedure described in section DIRAC Key Management.
Please note:
The example below uses the following parameters:
→ SENC1 Crypto Engine A identifier = 491091199911
→ SENC1 Crypto Engine B identifier = 491091199912
→ Label switched path identifier = 100
Master Key generation and distribution
→ Generate a new Master Key
Proceed as follows:
1. Log in as the dirac user on the Linux machine.
2. Open a terminal.
3. Connect to the DIRAC server:
$ /opt/dirac/bin/Cli.sh
4. Check the available Crypto Engines in the DIRAC server:
dirac> crypto-engine --list
Ce Id       │Engine│Dci│Sci │Status
491092685711│1     │15 │42  │OK
491092685712│2     │7  │22  │OK
491092685721│1     │9  │33  │OK
491092685722│2     │2  │2   │OK
491092685811│1     │711│1780│OK
491092685812│2     │701│1752│OK
491092685821│1     │8  │17  │OK
491092685822│2     │2  │2   │OK
5. Check the configured crypto segments:
dirac> crypto-segment --list
Segment│Status│Profile               │Layer │Active Master Key               │Activated At
2      │Ok    │Encrypt & Authenticate│LAYER2│6ba5a6c5d9edeed2994b4422448c1730│23-05-2021 07:42:11
6. Generate a new Master Key for one of the listed segments:
dirac> master-key --renew --segment_id 2
Result: true
Description: "Master key of all crypto engines refreshed: 491092685711"
7. Check the Master Key usage for the specific segment:
dirac> crypto-segment --list
Segment│Status│Profile               │Layer │Active Master Key               │Activated At
2      │Ok    │Encrypt & Authenticate│LAYER2│0fe638ee4427eb3ede3e81cdac8ffd53│24-05-2021 07:19:14
Result: The Master Key for the selected segment has been renewed. Compare the Active Master Key and Activated At columns of step 7 with those of step 5: both must have changed, otherwise the renewal did not take effect on this segment.
End of instruction
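To make the before/after comparison of steps 5 and 7 mechanical rather than a visual check, the script below parses the two crypto-segment listings and reports whether the renewal took effect. This is an added example written for this page; it is not part of the FOXMAN-UN or DIRAC software. It does not drive Cli.sh itself, since this page does not state whether Cli.sh accepts commands non-interactively; instead it reads the listing text (the two listings from the procedure above are embedded as constructed sample input). The column names, the dd-mm-yyyy timestamp format and the 32-hex-digit key display are taken from the listings above; the function names and the set of checks are the example's own assumptions.

```python
"""Offline sanity check of a DIRAC Master Key renewal (added example).

Parses the text printed by `crypto-segment --list` before and after
`master-key --renew` and confirms that the active Master Key of the
renewed segment really changed. Assumes the listing layout shown in the
procedure above; it does not talk to Cli.sh.
"""
import re
from datetime import datetime

# Header columns exactly as the CLI prints them (separator is U+2502 '│').
SEGMENT_COLUMNS = ("Segment", "Status", "Profile", "Layer",
                   "Active Master Key", "Activated At")

# Constructed sample input: the two listings from steps 5 and 7 above.
BEFORE = """\
Segment│Status│Profile               │Layer │Active Master Key               │Activated At
2      │Ok    │Encrypt & Authenticate│LAYER2│6ba5a6c5d9edeed2994b4422448c1730│23-05-2021 07:42:11
"""
AFTER = """\
Segment│Status│Profile               │Layer │Active Master Key               │Activated At
2      │Ok    │Encrypt & Authenticate│LAYER2│0fe638ee4427eb3ede3e81cdac8ffd53│24-05-2021 07:19:14
"""

# The CLI shows the active key as 32 lowercase hex digits (128 bits).
HEX128 = re.compile(r"^[0-9a-f]{32}$")


def parse_segment_list(text):
    """Return {segment_id: row dict} parsed from a `crypto-segment --list` dump."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [c.strip() for c in lines[0].split("│")]
    if tuple(header) != SEGMENT_COLUMNS:
        raise ValueError(f"unexpected header: {header}")
    rows = {}
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("│")]
        if len(cells) != len(header):
            raise ValueError(f"malformed row: {line!r}")
        row = dict(zip(header, cells))
        # Timestamps are printed day-month-year, as in the listings above.
        row["Activated At"] = datetime.strptime(row["Activated At"],
                                                "%d-%m-%Y %H:%M:%S")
        rows[int(row["Segment"])] = row
    return rows


def check_renewal(before_text, after_text, segment_id):
    """Return (ok, reasons) for a renewal of `segment_id`.

    ok is True only if the segment is still Ok, the displayed key is a
    32-digit hex value, the key differs from the one before the renewal,
    the activation time advanced, and profile/layer are unchanged.
    """
    before = parse_segment_list(before_text)
    after = parse_segment_list(after_text)
    reasons = []
    if segment_id not in after:
        return False, [f"segment {segment_id} missing after renewal"]
    b, a = before.get(segment_id), after[segment_id]
    if a["Status"] != "Ok":
        reasons.append(f"status is {a['Status']!r}, not Ok")
    if not HEX128.match(a["Active Master Key"]):
        reasons.append("active Master Key is not a 32-digit lowercase hex value")
    if b is not None:
        if a["Active Master Key"] == b["Active Master Key"]:
            reasons.append("active Master Key did not change after renewal")
        if a["Activated At"] <= b["Activated At"]:
            reasons.append("Activated At did not advance")
        if a["Profile"] != b["Profile"] or a["Layer"] != b["Layer"]:
            reasons.append("profile or layer changed during renewal")
    return (not reasons), reasons


if __name__ == "__main__":
    ok, why = check_renewal(BEFORE, AFTER, 2)
    print("renewal OK" if ok else "renewal suspicious: " + "; ".join(why))
```

In practice, save the output of step 5 and step 7 to two files and pass their contents to check_renewal. An unchanged Active Master Key after a successful --renew is worth investigating rather than ignoring: per the description above, the new key lands in the unused Master Key bank first, so an unchanged value can mean the switch-over described in section DIRAC Key Management has not yet been performed.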