Configuring Security Parameters
Configure Control Plane Security Parameters
By default, Cisco Viptela devices use DTLS, which runs over UDP, for control plane connections. You can switch the control plane to TLS, which runs over TCP, with a small configuration change. The main reason to use TLS is that when a vSmart controller acts as the server, firewalls generally protect TCP servers better than UDP servers.
To configure the control plane tunnel protocol on a vSmart controller:
Once this is configured, all tunnels between the vSmart controller and the vEdge routers, and between the vSmart controller and vManage, use TLS; connections to vBond always use DTLS. TLS takes precedence over DTLS: in a domain with many vSmart controllers where only one of them is configured for TLS, that controller establishes TLS connections to all the other vSmart controllers, while the remaining controllers use DTLS among themselves. By default the vSmart controller listens on port 23456 for TLS. To change the port, use:
Range: 1025 to 65535
To display control plane security information, use the following commands:
If you plan to use TLS as the control plane protocol on vManage and vManage sits behind a NAT device, you must enable port forwarding on the NAT device; with DTLS nothing is required. On vManage, a process called vdaemon is responsible for port forwarding. To display information about this process and the number of ports being forwarded, use the following command:
To see the listening ports, use the show control local-properties command:
The above example shows TLS port 23456 in use. If vManage is behind a NAT device, the following ports must be opened on that device:
- 23456 (base - instance 0 port)
- 23456 + 100 (base + 100)
- 23456 + 200 (base + 200)
- 23456 + 300 (base + 300)
Configure Data Plane Security Parameters
For data plane authentication, IPsec uses AH-SHA1 HMAC and ESP HMAC-SHA1 by default.
To change these parameters, use the following command:
The parameters are:
- ah-sha1-hmac enables AH-SHA1 HMAC and ESP HMAC-SHA1.
- ah-no-id enables a modified version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the IP header, so that the router can interoperate with some non-Viptela devices, such as the Apple AirPort Express NAT, that modify this field.
- sha1-hmac enables ESP HMAC-SHA1.
- none provides no authentication.
Every vEdge router advertises its configured authentication types in its TLOC properties, and each pair of routers negotiates the strongest type that is configured on both. For example, if one vEdge router advertises AH-SHA1 HMAC, ESP HMAC-SHA1, and none, and a second vEdge router advertises ESP HMAC-SHA1 and none, the two routers use ESP HMAC-SHA1 on the IPsec tunnel between them. If no authentication type is configured, no IPsec tunnel is established.
Two encryption algorithms are used on IPsec tunnels: AES-256-GCM and AES-256-CBC. For unicast traffic, AES-256-GCM is used if the remote site supports it; otherwise AES-256-CBC is used. For multicast traffic, the encryption algorithm is always AES-256-CBC.
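The negotiation rule above is easy to get wrong when reading TLOC output by hand, so here is a small model of it as an added example (this is not code from the original page or from Cisco/Viptela). It maps the CLI keywords to the AH/ESP names used in the text, picks the strongest type both TLOCs advertise, and chooses the cipher per the unicast/multicast rule. The strength ordering ah-sha1-hmac > ah-no-id > sha1-hmac > none is an assumption made for the model; the page only says the strongest common type wins.

```python
"""Model of IPsec authentication and encryption selection between two vEdge routers.

Added example, not Cisco/Viptela code. The ordering in AUTH_STRENGTH is an
assumption; the page states only that the strongest common type is used.
"""
from typing import Optional, Sequence

# Strongest first (assumed ordering). Keys are the CLI keywords, values the
# names the page uses for them.
AUTH_STRENGTH = {
    "ah-sha1-hmac": "AH-SHA1 HMAC + ESP HMAC-SHA1",
    "ah-no-id": "AH-SHA1 HMAC + ESP HMAC-SHA1 (IP ID ignored)",
    "sha1-hmac": "ESP HMAC-SHA1",
    "none": "no authentication",
}


def negotiate_auth(local: Sequence[str], remote: Sequence[str]) -> Optional[str]:
    """Return the strongest authentication keyword advertised by both TLOCs,
    or None when they share nothing (no IPsec tunnel is established)."""
    for name in list(local) + list(remote):
        if name not in AUTH_STRENGTH:
            raise ValueError(f"unknown authentication type: {name}")
    common = set(local) & set(remote)
    for candidate in AUTH_STRENGTH:      # dict order is strongest to weakest
        if candidate in common:
            return candidate
    return None


def select_encryption(remote_supports_gcm: bool, multicast: bool = False) -> str:
    """AES-256-GCM for unicast when the remote site supports it, otherwise
    AES-256-CBC; multicast always uses AES-256-CBC."""
    if multicast or not remote_supports_gcm:
        return "AES-256-CBC"
    return "AES-256-GCM"


def plan_tunnel(local, remote, remote_supports_gcm, multicast=False):
    """Combine both decisions; None means no tunnel comes up."""
    auth = negotiate_auth(local, remote)
    if auth is None:
        return None
    return {
        "auth": auth,
        "auth_desc": AUTH_STRENGTH[auth],
        "encryption": select_encryption(remote_supports_gcm, multicast),
    }


if __name__ == "__main__":
    # The page's own example: AH+ESP+none on one side, ESP+none on the other.
    print(plan_tunnel(["ah-sha1-hmac", "sha1-hmac", "none"], ["sha1-hmac", "none"], True))
    # Mismatched sites: nothing in common, so no tunnel.
    print(plan_tunnel(["ah-sha1-hmac"], ["sha1-hmac"], True))
```

A practical use is to feed it the authentication-type lists from both sites' TLOC properties before a change window, to confirm that a hardening change (for example removing `none`) will not leave two sites with no common type.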
Change the Rekeying Timer
Data traffic is encrypted with the algorithms described in the previous section. By default, each vEdge router uses a key that is valid for 86400 seconds (24 hours); the timer can be set anywhere from 10 seconds to 1209600 seconds (14 days). To change the rekey timer:
The configuration looks like this:
If the IPsec keys are compromised, you can generate new keys immediately, without modifying the configuration of the vEdge router, by issuing the request security ipsec-rekey command on the affected router.
The example below shows the local SA with SPI 256 (the SPI identifies the key in use; it is not a key length):
If the keys are compromised, use request security ipsec-rekey to generate a new set of keys; the SPI then changes to 257.
Once the new keys are generated, the vEdge router sends them to all of its DTLS or TLS peers, which start using them as soon as they receive them. The old SPI 256 nevertheless remains in use for a short period, until it times out.
To stop using the compromised key immediately, issue the request security ipsec-rekey command twice.
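The reason a single rekey is not enough follows from the SA table keeping the previous SPI alive for inbound traffic. The following is an added example (not Cisco/Viptela code) that models that behaviour: the router transmits on its newest SPI, keeps accepting the previous SPI until an assumed grace period expires, and holds at most the current and the previous SPI, so a second rekey evicts the compromised one immediately. The grace period value and the "current plus previous" limit are assumptions of the model.

```python
"""Model of SPI rollover under request security ipsec-rekey.

Added example, not Cisco/Viptela code. Assumptions: the old SPI stays
accepted for GRACE seconds after a rekey, and only the current and the
immediately previous SPI are ever kept.
"""
import time
from typing import Callable, Dict, Optional


class SaTable:
    GRACE = 60  # seconds the previous SPI remains accepted (assumed value)

    def __init__(self, spi: int = 256, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.tx_spi = spi                       # SPI used for outbound traffic
        # inbound SPIs -> expiry time; None means no expiry (current key)
        self.rx_spis: Dict[int, Optional[float]] = {spi: None}

    def rekey(self) -> int:
        """Emulate one 'request security ipsec-rekey': new SPI = old + 1."""
        now = self.clock()
        self.rx_spis[self.tx_spi] = now + self.GRACE   # previous key: time-limited
        self.tx_spi += 1
        self.rx_spis[self.tx_spi] = None               # new key: current
        # Keep only current and previous; anything older is dropped at once.
        for spi in list(self.rx_spis):
            if spi not in (self.tx_spi, self.tx_spi - 1):
                del self.rx_spis[spi]
        return self.tx_spi

    def accepts(self, spi: int) -> bool:
        """Would an inbound packet carrying this SPI be accepted right now?"""
        expiry = self.rx_spis.get(spi, "absent")
        if expiry == "absent":
            return False
        if expiry is not None and expiry <= self.clock():
            del self.rx_spis[spi]                      # timed out, as the page describes
            return False
        return True


if __name__ == "__main__":
    t = SaTable()
    t.rekey()
    print("after one rekey:", t.tx_spi, sorted(t.rx_spis))    # 257, [256, 257]
    t.rekey()
    print("after two rekeys:", t.tx_spi, sorted(t.rx_spis))   # 258, [257, 258]
```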
Change the Size of the Anti-Replay Window
To provide anti-replay protection, IPsec assigns a unique sequence number to each packet in a data stream, which helps protect against an attacker replaying captured packets. The sender assigns monotonically increasing sequence numbers, and the destination checks them to detect duplicates. Because packets can arrive out of order, the destination maintains a sliding window of sequence numbers that it will accept.
Packets whose sequence number falls to the left of the window are considered old or duplicate, and the destination drops them. The destination tracks the highest sequence number it has received and slides the window forward whenever a packet with a higher sequence number arrives.
By default, the sliding window is set to 512 packets. It can be set to any value between 64 and 8192 that is a power of 2 (that is, 64, 128, 256, 512, 1024, 2048, 4096, or 8192). To modify the anti-replay window size, use the replay-window command, specifying the size of the window: