Junos® OS
FIPS Evaluated Configuration Guide for
MX960, MX480, and MX240 Devices

RELEASE
20.3X75-D30

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc.
in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Junos® OS FIPS Evaluated Configuration Guide for MX960, MX480, and MX240 Devices 20.3X75-D30
Copyright © 2023 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

About This Guide
Use this guide to operate MX960, MX480, and MX240 devices in a Federal Information Processing Standards (FIPS) 140-2 Level 1 environment. FIPS 140-2 defines security levels for hardware and software that perform cryptographic functions.
RELATED DOCUMENTATION
Common Criteria and FIPS Certifications

Overview

Understanding Junos OS in FIPS Mode
IN THIS SECTION

  • Supported Platforms and Hardware
  • About the Cryptographic Boundary on Your Device
  • How FIPS Mode Differs from Non-FIPS Mode
  • Validated Version of Junos OS in FIPS Mode

Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software that perform cryptographic functions. This Juniper Networks router running the Juniper Networks Junos operating system (Junos OS) in FIPS mode complies with the FIPS 140-2 Level 1 standard.
Operating this router in a FIPS 140-2 Level 1 environment requires enabling and configuring FIPS mode on the devices from the Junos OS command-line interface (CLI).
The Crypto Officer enables FIPS mode in Junos OS and sets up keys and passwords for the system and other FIPS users.
Supported Platforms and Hardware
For the features described in this document, the following platforms are used to qualify FIPS certification:

About the Cryptographic Boundary on Your Device
FIPS 140-2 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module in unencrypted format.
CAUTION: Virtual Chassis features are not supported in FIPS mode. Do not configure a Virtual Chassis in FIPS mode.

How FIPS Mode Differs from Non-FIPS Mode
Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:

  • Self-tests of all cryptographic algorithms are performed at startup.
  • Self-tests of random number and key generation are performed continuously.
  • Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.
  • Weak or unencrypted connections must not be configured.
  • Passwords must be encrypted with strong one-way algorithms that do not permit decryption.
  • Administrator passwords must be at least 10 characters long.

Validated Version of Junos OS in FIPS Mode
To determine whether a Junos OS release is NIST-validated, see the compliance adviser page on the Juniper Networks Web site (https://apps.juniper.net/compliance/).
RELATED DOCUMENTATION
Identifying Secure Product Delivery

Understanding FIPS Terminology and Supported Cryptographic Algorithms
IN THIS SECTION
Terminology
Supported Cryptographic Algorithms
Use the definitions of FIPS terms and supported algorithms to help you understand Junos OS in FIPS mode.

Terminology
Critical security parameter (CSP)
Security-related information (for example, secret and private cryptographic keys and authentication data such as passwords and personal identification numbers (PINs)) whose disclosure or modification can compromise the security of a cryptographic module or the information it protects. For details, see "Understanding the Operational Environment for Junos OS in FIPS Mode" on page 16.
Cryptographic module
The set of hardware, software, and firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.
FIPS
Federal Information Processing Standards. FIPS 140-2 specifies requirements for security and cryptographic modules. Junos OS in FIPS mode complies with FIPS 140-2 Level 1.
FIPS maintenance role
The role the Crypto Officer assumes to perform physical maintenance or logical maintenance services such as hardware or software diagnostics. For FIPS 140-2 compliance, the Crypto Officer zeroizes the Routing Engine on entry to and exit from the FIPS maintenance role to erase all plain-text secret and private keys and unprotected CSPs.
NOTE: The FIPS maintenance role is not supported on Junos OS in FIPS mode.
KATs
Known answer tests. System self-tests that validate the output of cryptographic algorithms approved for FIPS and test the integrity of Junos OS modules. For details, see "Understanding FIPS Self-Tests" on page 73.
SSH
A protocol that uses strong authentication and encryption for remote access across a nonsecure network. SSH provides remote login, remote program execution, file copy, and other functions. It is intended as a secure replacement for rlogin, rsh, and rcp in a UNIX environment. To secure the information sent over administrative connections, use SSHv2 for CLI configuration. In Junos OS, SSHv2 is enabled by default, and SSHv1, which is not considered secure, is disabled.
Zeroization
Erasure of all CSPs and other user-created data on a device before its operation as a FIPS cryptographic module or in preparation for repurposing the device for non-FIPS operation.
The Crypto Officer can zeroize the system with a CLI command.
Supported Cryptographic Algorithms
Table 1 on page 6 summarizes the high-level protocol algorithm support.
Table 1: Protocols Allowed in FIPS Mode

Protocol: SSHv2
Key Exchange:
  • dh-group14-sha1
  • ECDH-sha2-nistp256
  • ECDH-sha2-nistp384
  • ECDH-sha2-nistp521
Authentication, host (module):
  • ECDSA P-256
  • SSH-RSA
Authentication, client (user):
  • ECDSA P-256
  • ECDSA P-384
  • ECDSA P-521
  • SSH-RSA
Cipher:
  • AES CTR 128
  • AES CTR 192
  • AES CTR 256
  • AES CBC 128
  • AES CBC 256
Integrity:
  • HMAC-SHA-1
  • HMAC-SHA-256
  • HMAC-SHA-512

Table 2 on page 6 lists the ciphers supported by the MACsec LC.
Table 2: MACsec LC Supported Ciphers
MACsec LC Supported Ciphers
AES-GCM-128
AES-GCM-256
Each implementation of an algorithm is checked by a series of known answer test (KAT) self-tests. Any self-test failure results in a FIPS error state.
BEST PRACTICE: For FIPS 140-2 compliance, use only FIPS-approved cryptographic algorithms in Junos OS in FIPS mode.
The following cryptographic algorithms are supported in FIPS mode. Symmetric methods use the same key for encryption and decryption, while asymmetric methods use different keys for encryption and decryption.
AES
The Advanced Encryption Standard (AES), defined in FIPS PUB 197. The AES algorithm uses keys of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits.
ECDH
Elliptic Curve Diffie-Hellman. A variant of the Diffie-Hellman key exchange algorithm that uses cryptography based on the algebraic structure of elliptic curves over finite fields. ECDH allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel. The shared secret can be used either as a key or to derive another key for encrypting subsequent communications using a symmetric key cipher.
ECDSA
Elliptic Curve Digital Signature Algorithm. A variant of the Digital Signature Algorithm (DSA) that uses cryptography based on the algebraic structure of elliptic curves over finite fields. The bit size of the elliptic curve determines the difficulty of decrypting the key. The public key believed to be needed for ECDSA is about twice the size of the security level, in bits. ECDSA using the P-256, P-384, and P-521 curves can be configured under OpenSSH.
HMAC
Defined as "Keyed-Hashing for Message Authentication" in RFC 2104, HMAC combines hashing algorithms with cryptographic keys for message authentication. For Junos OS in FIPS mode, HMAC uses the iterated cryptographic hash functions SHA-1, SHA-256, and SHA-512 along with a secret key.
SHA-256 and SHA-512
Secure hash algorithms (SHA) belonging to the SHA-2 standard defined in FIPS PUB 180-2. Developed by NIST, SHA-256 produces a 256-bit hash digest, and SHA-512 produces a 512-bit hash digest.
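One way to confirm from the network side that a device offers only the SSHv2 algorithms of Table 1, given as an added Python example that is not part of the Juniper guide: it parses the cleartext SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) taken from a capture of the handshake and reports every offered algorithm outside the table. The wire names standing for the table entries and both sample offers are assumptions constructed for the example.

```python
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists, in the order RFC 4253 section 7.1 places them.
NAME_LISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Assumption: SSH wire names corresponding to the Table 1 entries (host/module side).
KEX = {"diffie-hellman-group14-sha1", "ecdh-sha2-nistp256",
       "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"}
HOST_KEYS = {"ecdsa-sha2-nistp256", "ssh-rsa"}
CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc"}
MACS = {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"}
ALLOWED = {
    "kex_algorithms": KEX,
    "server_host_key_algorithms": HOST_KEYS,
    "encryption_algorithms_client_to_server": CIPHERS,
    "encryption_algorithms_server_to_client": CIPHERS,
    "mac_algorithms_client_to_server": MACS,
    "mac_algorithms_server_to_client": MACS,
}


def build_kexinit(offer):
    """Encode a KEXINIT payload from {list name: [names]}; used to build samples."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # type byte + 16-byte cookie
    for name in NAME_LISTS:
        body = ",".join(offer.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(body)) + body
    # first_kex_packet_follows (boolean) and the reserved uint32
    return payload + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Decode the ten name-lists; raise ValueError on a malformed payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, offered = 17, {}
    for name in NAME_LISTS:
        if offset + 4 > len(payload):
            raise ValueError("truncated before " + name)
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated inside " + name)
        text = payload[offset:offset + length].decode("ascii")
        offered[name] = text.split(",") if text else []
        offset += length
    if len(payload) - offset < 5:
        raise ValueError("missing first_kex_packet_follows / reserved fields")
    return offered


def audit_kexinit(payload):
    """Return (name-list, algorithm) pairs that are offered but not in Table 1."""
    offered = parse_kexinit(payload)
    return [(name, alg) for name in NAME_LISTS if name in ALLOWED
            for alg in offered[name] if alg not in ALLOWED[name]]


# Constructed sample offers: one matching Table 1, one with two extra algorithms.
COMPLIANT_OFFER = {name: sorted(allowed) for name, allowed in ALLOWED.items()}
WEAK_OFFER = dict(
    COMPLIANT_OFFER,
    encryption_algorithms_client_to_server=["aes256-ctr", "3des-cbc"],
    mac_algorithms_server_to_client=["hmac-sha2-256", "hmac-md5"],
)

if __name__ == "__main__":
    for label, offer in (("compliant", COMPLIANT_OFFER), ("weak", WEAK_OFFER)):
        print(label, audit_kexinit(build_kexinit(offer)))
```

Compression and language lists are parsed but not audited, because Table 1 does not cover them.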
RELATED DOCUMENTATION
Understanding FIPS Self-Tests
Understanding Zeroization to Clear System Data for FIPS Mode
Identifying Secure Product Delivery
There are several mechanisms provided in the delivery process to ensure that a customer receives a product that has not been tampered with. The customer should perform the following checks upon receipt of a device to verify the integrity of the platform.

  • Shipping label - Verify that the shipping label correctly identifies the customer name and address as well as the device.
  • Outside packaging - Inspect the outside shipping box and tape. Ensure that the shipping tape has not been cut or otherwise compromised. Ensure that the box has not been cut or damaged to allow access to the device.
  • Inside packaging - Inspect the plastic bag and seal. Ensure that the bag is not cut or removed. Ensure that the seal remains intact.

If the customer identifies a problem during the inspection, they should immediately contact the supplier. Provide the order number, tracking number, and a description of the identified problem to the supplier.
In addition, there are several checks that can be performed to ensure that the customer has received a box sent by Juniper Networks and not a different company masquerading as Juniper Networks. The customer should perform the following checks upon receipt of a device to verify the authenticity of the device:

  • Verify that the device was ordered using a purchase order. Juniper Networks devices are never shipped without a purchase order.
  • When a device is shipped, a shipment notification is sent to the e-mail address provided by the customer when the order is taken. Verify that this e-mail notification was received. Verify that the e-mail contains the following information:
    • Purchase order number
    • Juniper Networks order number used to track the shipment
    • Carrier tracking number used to track the shipment
    • List of items shipped including serial numbers
    • Address and contacts of both the supplier and the customer
  • Verify that the shipment was initiated by Juniper Networks. To verify that a shipment was initiated by Juniper Networks, you should perform the following tasks:
    • Compare the carrier tracking number of the Juniper Networks order number listed in the Juniper Networks shipping notification with the tracking number on the package received.
    • Log on to the Juniper Networks online customer support portal at https://support.juniper.net/support/ to view the order status. Compare the carrier tracking number or the Juniper Networks order number listed in the Juniper Networks shipment notification with the tracking number on the package received.

Understanding Management Interfaces
The following management interfaces can be used in the evaluated configuration:

  • Local Management Interfaces - The RJ-45 console port on the device is configured as RS-232 data terminal equipment (DTE). You can use the command-line interface (CLI) over this port to configure the device from a terminal.
  • Remote Management Protocols - The device can be managed remotely over any Ethernet interface. SSHv2 is the only permitted remote management protocol that can be used in the evaluated configuration. The remote management protocols J-Web and Telnet are not available for use on the device.

Configuring Administrative Credentials and Privileges

Understanding the Associated Password Rules for an Authorized Administrator
The authorized administrator is associated with a defined login class, and the administrator is assigned all permissions. Data is stored locally for fixed password authentication.
NOTE: Do not use control characters in passwords.
Use the following guidelines and configuration options for passwords and when selecting passwords for authorized administrator accounts. Passwords should be:

  • Easy to remember so that users are not tempted to write them down.
  • Changed periodically.
  • Private and not shared with anyone.
  • At least 10 characters long. The minimum password length is 10 characters.
    [edit]
    administrator@host# set system login password minimum-length 10
  • A mix of uppercase and lowercase letters, numbers, and special characters such as "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")".
    There should be at least one change of case, one or more digits, and one or more punctuation marks.
  • Made up of character sets. Valid character sets include uppercase letters, lowercase letters, numbers, punctuation, and other special characters.
    [edit]
    administrator@host# set system login password change-type character-sets
  • Made up of the minimum number of character sets or character set changes. The minimum number of character sets required in Junos FIPS passwords is 3.
    [edit]
    administrator@host# set system login password minimum-changes 3
  • Hashed with either SHA256 or SHA512 (SHA512 is the default hashing algorithm).
    [edit]
    administrator@host# set system login password format sha512

NOTE: The device supports ECDSA (P-256, P-384, and P-521) and RSA (2048, 3072, and 4092 modulus bit length) key types.
Weak passwords are:

  • Words that might be found in or exist as a permuted form in a system file such as /etc/passwd.
  • The hostname of the system (always a first guess).
  • Any word appearing in a dictionary. This includes dictionaries other than English, and words found in works such as Shakespeare, Lewis Carroll, Roget's Thesaurus, and so on. This prohibition includes common words and phrases from sports, sayings, movies, and television shows.
  • Permutations on any of the above. For example, a dictionary word with vowels replaced with digits (for example f00t) or with digits added to the end.
  • Any machine-generated passwords. Algorithms reduce the search space of password-guessing programs and so should not be used.

Strong reusable passwords can be based on letters from a favorite phrase or word, and then concatenated with other, unrelated words, along with additional digits and punctuation.

RELATED DOCUMENTATION
Identifying Secure Product Delivery

Configuring Roles and Authentication Methods

Understanding Roles and Services for Junos OS
IN THIS SECTION
Crypto Officer Role and Responsibilities
FIPS User Role and Responsibilities
What Is Expected of All FIPS Users
The Security Administrator is associated with the defined login class security-admin, which has the necessary permission set to allow the administrator to perform all tasks necessary to manage Junos OS. Administrative users (Security Administrator) must provide unique identification and authentication data before any administrative access to the system is granted.
The Security Administrator roles and responsibilities are as follows:

  1. The Security Administrator can administer locally and remotely.
  2. Create, modify, and delete administrator accounts, including configuration of authentication failure parameters.
  3. Re-enable an Administrator account.
  4. Responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to and from the evaluated product.

The Juniper Networks Junos operating system (Junos OS) running in non-FIPS mode allows a wide range of capabilities for users, and authentication is identity-based. In contrast, the FIPS 140-2 standard defines two user roles: Crypto Officer and FIPS user. These roles are defined in terms of Junos OS user capabilities.
All other user types defined for Junos OS in FIPS mode (operator, administrative user, and so on) must fall into one of the two categories: Crypto Officer or FIPS user. For this reason, user authentication in FIPS mode is role-based rather than identity-based.
The Crypto Officer performs all FIPS-mode-related configuration tasks and issues all statements and commands for Junos OS in FIPS mode. Crypto Officer and FIPS user configurations must follow the guidelines for Junos OS in FIPS mode.
Crypto Officer Role and Responsibilities
The Crypto Officer is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode on a device. The Crypto Officer securely installs Junos OS on the device, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the device before network connection.
BEST PRACTICE: We recommend that the Crypto Officer administer the system in a secure manner by keeping passwords secure and checking audit files.
The permissions that distinguish the Crypto Officer from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the Crypto Officer to a login class that contains all of these permissions. A user with the Junos OS maintenance permission can read files containing critical security parameters (CSPs).
NOTE: Junos OS in FIPS mode does not support the FIPS 140-2 maintenance role, which is different from the Junos OS maintenance permission.
Among the tasks related to Junos OS in FIPS mode, the Crypto Officer is expected to:

  • Set the initial root password. The length of the password should be at least 10 characters.
  • Reset user passwords with FIPS-approved algorithms.
  • Examine log and audit files for events of interest.
  • Erase user-generated files, keys, and data by zeroizing the device.

FIPS User Role and Responsibilities
All FIPS users, including the Crypto Officer, can view the configuration. Only the user assigned as the Crypto Officer can modify the configuration.
The permissions that distinguish Crypto Officers from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the FIPS user to a class that contains none of these permissions.
A FIPS user can view status output but cannot reboot or zeroize the device.
What Is Expected of All FIPS Users
All FIPS users, including the Crypto Officer, must observe security guidelines at all times.
All FIPS users must:

  • Keep all passwords confidential.
  • Store devices and documentation in a secure area.
  • Deploy devices in secure areas.
  • Check audit files periodically.
  • Conform to all other FIPS 140-2 security rules.
  • Follow these guidelines:
    • Users are trusted.
    • Users abide by all security guidelines.
    • Users do not deliberately compromise security.
    • Users behave responsibly at all times.

RELATED DOCUMENTATION
A Juniper Networks device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode forms a special type of hardware and software operational environment that is different from the environment of a device in non-FIPS mode:

Hardware Environment for Junos OS in FIPS Mode
Junos OS in FIPS mode establishes a cryptographic boundary in the device that no critical security parameters (CSPs) can cross using plain text. Each hardware component of the device that requires a cryptographic boundary for FIPS 140-2 compliance is a separate cryptographic module. There are two types of hardware with cryptographic boundaries in Junos OS in FIPS mode: one for each Routing Engine and one for the entire chassis that includes the LC MPC7E-10G card. Each component forms a separate cryptographic module. Communications involving CSPs between these secure environments must take place using encryption.
Cryptographic methods are not a substitute for physical security. The hardware must be located in a secure physical environment. Users of all types must not reveal keys or passwords, or allow written records or notes to be seen by unauthorized personnel.
Software Environment for Junos OS in FIPS Mode
A Juniper Networks device running Junos OS in FIPS mode forms a special type of non-modifiable operational environment. To achieve this environment on the device, the system prevents the execution of any binary file that was not part of the certified Junos OS in FIPS mode distribution. When a device is in FIPS mode, it can run only Junos OS.
The Junos OS in FIPS mode software environment is established after the Crypto Officer successfully enables FIPS mode on a device. The Junos OS image that includes FIPS mode is available on the Juniper Networks website and can be installed on a functioning device.
For FIPS 140-2 compliance, we recommend that you delete all user-created files and data by zeroizing the device before enabling FIPS mode.
Operating your device at FIPS Level 1 requires the use of tamper-evident labels to seal the Routing Engines into the chassis.
Enabling FIPS mode disables many of the usual Junos OS protocols and services. In particular, you cannot configure the following services in Junos OS in FIPS mode:

  • finger
  • ftp
  • rlogin
  • telnet
  • tftp
  • xnm-clear-text

Attempts to configure these services, or to load configurations with these services configured, result in a configuration syntax error.
You can use only SSH as a remote access service.
All passwords established for users after upgrading to Junos OS in FIPS mode must conform to Junos OS in FIPS mode specifications. Passwords must be between 10 and 20 characters in length and require the use of at least three of the five defined character sets (uppercase and lowercase letters, digits, punctuation marks, and keyboard characters, such as % and &, not included in the other four categories).
Attempts to configure passwords that do not conform to these rules result in an error. All passwords and keys used to authenticate peers must be at least 10 characters in length, and in some cases the length must match the digest size.
NOTE: Do not attach the device to a network until the Crypto Officer completes configuration from the local console connection.
For strict compliance, do not examine core and crash dump information on the local console in Junos OS in FIPS mode, because some CSPs might be shown in plain text.
Critical Security Parameters
Critical security parameters (CSPs) are security-related information such as cryptographic keys and passwords that can compromise the security of the cryptographic module or the security of the information protected by the module if they are disclosed or modified.
Zeroization of the system erases all traces of CSPs in preparation for operating the device or Routing Engine as a cryptographic module.
Table 3 on page 19 lists the CSPs on devices running Junos OS.
Table 3: Critical Security Parameters

CSP: SSHv2 private host key
Description: ECDSA / RSA key used to identify the host, generated the first time SSH is configured.
Zeroize: Zeroize command.
Use: Used to identify the host.

CSP: SSHv2 session keys
Description: Session key used with SSHv2 and as a Diffie-Hellman private key. Encryption: AES-128, AES-192, AES-256. MACs: HMAC-SHA-1, HMAC-SHA-2-256, HMAC-SHA2-512. Key exchange: dh-group14-sha1, ECDH-sha2-nistp-256, ECDH-sha2-nistp-384, and ECDH-sha2-nistp-521.
Zeroize: Power cycle and terminate session.
Use: Symmetric key used to encrypt data between host and client.

CSP: User authentication key
Description: Hash of the user's password: SHA256, SHA512.
Zeroize: Zeroize command.
Use: Used to authenticate a user to the cryptographic module.

CSP: Crypto Officer authentication key
Description: Hash of the Crypto Officer's password: SHA256, SHA512.
Zeroize: Zeroize command.
Use: Used to authenticate the Crypto Officer to the cryptographic module.

CSP: HMAC DRBG seed
Description: Seed for the deterministic random bit generator (DRBG).
Zeroize: Seed is not stored by the cryptographic module.
Use: Used for seeding the DRBG.

CSP: HMAC DRBG V value
Description: The value (V) of output block length (outlen) in bits, which is updated each time another outlen bits of output are produced.
Zeroize: Power cycle.
Use: A critical value of the internal state of the DRBG.

CSP: HMAC DRBG key value
Description: The current value of the outlen-bit key, which is updated at least once each time that the DRBG mechanism generates pseudorandom bits.
Zeroize: Power cycle.
Use: A critical value of the internal state of the DRBG.

CSP: NDRNG entropy
Description: Used as the entropy input string to the HMAC DRBG.
Zeroize: Power cycle.
Use: A critical value of the internal state of the DRBG.

In Junos OS in FIPS mode, all CSPs must enter and leave the cryptographic module in encrypted form.
Any CSP encrypted with a non-approved algorithm is considered plain text by FIPS.
BEST PRACTICE: For FIPS compliance, configure the device over SSH connections because these are encrypted connections.
Local passwords are hashed with the SHA256 or SHA512 algorithm. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.
Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode
All passwords established for users by the Crypto Officer must conform to the following Junos OS in FIPS mode requirements. Attempts to configure passwords that do not conform to the following specifications result in an error.

  • Length. Passwords must contain between 10 and 20 characters.
  • Character set requirements. Passwords must contain at least three of the following five defined character sets:
    • Uppercase letters
    • Lowercase letters
    • Digits
    • Punctuation marks
    • Keyboard characters not included in the other four sets, such as the percent sign (%) and the ampersand (&)
  • Authentication requirements. All passwords and keys used to authenticate peers must contain at least 10 characters, and in some cases the number of characters must match the digest size.
  • Password encryption. To change the default encryption method (SHA512), include the format statement at the [edit system login password] hierarchy level.

Guidelines for strong passwords. Strong, reusable passwords can be based on letters from a favorite phrase or word and then concatenated with other unrelated words, along with added digits and punctuation. In general, a strong password is:

  • Easy to remember so that users are not tempted to write it down.
  • Made up of mixed alphanumeric characters and punctuation. For FIPS compliance, include at least one change of case, one or more digits, and one or more punctuation marks.
  • Changed periodically.
  • Not divulged to anyone.

Characteristics of weak passwords. Do not use the following weak passwords:

  • Words that might be found in or exist as a permuted form in system files such as /etc/passwd.
  • The hostname of the system (always a first guess).
  • Any word or phrase that appears in a dictionary or other well-known source, including dictionaries and thesauruses in languages other than English; works by classical or popular writers; or common words and phrases from sports, sayings, movies, or television shows.
  • Permutations on any of the above, for example, a dictionary word with letters replaced with digits (r00t) or with digits added to the end.
  • Any machine-generated password. Algorithms reduce the search space of password-guessing programs and so must not be used.
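The length, character-set and weak-password rules listed here and under the password rules for an authorized administrator, combined into one checker as an added Python example that is not code from the Juniper guide. The split of symbols between the punctuation set and the fifth set, the digit-for-letter map and the sample word list are assumptions, because the guide names the sets without enumerating them.

```python
import string

MIN_LENGTH, MAX_LENGTH, MIN_SETS = 10, 20, 3

# Assumption: which symbols count as "punctuation marks"; every other printable
# symbol (including % and &, the guide's own examples) falls in the fifth set.
PUNCTUATION = set(".,;:!?'\"-()[]{}")

# Constructed map for the digit-for-letter substitutions the guide warns about
# (f00t, r00t).
DIGIT_TO_LETTER = str.maketrans("013457", "oieast")


def character_sets(password):
    """Return the names of the five defined character sets present."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("uppercase")
        elif ch in string.ascii_lowercase:
            found.add("lowercase")
        elif ch in string.digits:
            found.add("digits")
        elif ch in PUNCTUATION:
            found.add("punctuation")
        elif ch in string.punctuation:
            found.add("other")
    return found


def is_weak(password, hostname="", wordlist=()):
    """True if the password is the hostname or a listed word, directly, with
    digits substituted for letters, or with digits/symbols added to the end."""
    banned = {word.lower() for word in wordlist}
    if hostname:
        banned.add(hostname.lower())
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    candidates = {
        lowered,
        stripped,
        lowered.translate(DIGIT_TO_LETTER),
        stripped.translate(DIGIT_TO_LETTER),
    }
    return bool(candidates & banned)


def check_password(password, hostname="", wordlist=()):
    """Return the list of rule violations; an empty list means the password conforms."""
    problems = []
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in password):
        problems.append("control-characters")
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        problems.append("length")
    if len(character_sets(password)) < MIN_SETS:
        problems.append("character-sets")
    if is_weak(password, hostname, wordlist):
        problems.append("weak")
    return problems


# Constructed sample word list and hostname for the demonstration.
SAMPLE_WORDS = ("password", "foot", "root")
SAMPLE_HOSTNAME = "mx960-core"

if __name__ == "__main__":
    for candidate in ("Tr4il-Mix&Oat9", "short1A", "alllowercaseonly",
                      "Passw0rd123!", "Mx960-core01"):
        print(candidate, check_password(candidate, SAMPLE_HOSTNAME, SAMPLE_WORDS))
```

A real deployment would pass a full dictionary as `wordlist`; the three-word sample only shows the matching logic.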

Downloading Software Packages from Juniper Networks
You can download the Junos OS software package for your device from the Juniper Networks website.
Before you begin to download the software, ensure that you have a Juniper Networks Web account and a valid support contract. To obtain an account, complete the registration form at the Juniper Networks website: https://userregistration.juniper.net/.
To download software packages from Juniper Networks:

  1. Using a Web browser, follow the links to the download URL on the Juniper Networks website: https://support.juniper.net/support/downloads/
  2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
  3. Download the software. See Downloading Software.

RELATED DOCUMENTATION
Installation and Upgrade Guide

Installing Software on a Device with Single Routing Engine
You can use this procedure to upgrade Junos OS on a device with a single Routing Engine.
To install software upgrades on a device with a single Routing Engine:

  1. Download the software package as described in Downloading Software Packages from Juniper Networks.
  2. If you have not already done so, connect to the console port on the device from your management device, and log in to the Junos OS CLI.
  3. (Optional) Back up the current software configuration to a second storage option. See the Software Installation and Upgrade Guide for instructions on performing this task.
  4. (Optional) Copy the software package to the device. We recommend that you use FTP to copy the file to the /var/tmp/ directory.
    This step is optional because Junos OS can also be upgraded when the software image is stored at a remote location. These instructions describe the software upgrade process for both scenarios.
  5. Install the new package on the device:
    For REMX2K-X8:
    user@host> request vmhost software add <package>
    For RE1800:
    user@host> request system software add <package>
    Replace package with one of the following paths:
    • For a software package in a local directory on the device, use /var/tmp/package.tgz.
    • For a software package on a remote server, use one of the following paths, replacing the variable option package with the software package name.
    • ftp://hostname/pathname/package.tgz
  6. Reboot the device to load the installation:
    For REMX2K-X8:
    user@host> request vmhost reboot
    For RE1800:
    user@host> request system reboot
  7. After the reboot has completed, log in and use the show version command to verify that the new version of the software is successfully installed.
    user@host> show version
    Model: mx960
    Junos: 20.3X75-D30.1

Understanding Zeroization to Clear System Data for FIPS Mode
IN THIS SECTION
Why Zeroize?
When to Zeroize?
Zeroization completely erases all configuration information on the Routing Engines, including all plaintext passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec.
The Crypto Officer initiates the zeroization process by entering the request vmhost zeroize no-forwarding operational command for REMX2K-X8 and request system zeroize for RE1800.
CAUTION: Perform system zeroization with care. After the zeroization process is complete, no data is left on the Routing Engine. The device is returned to the factory default state, without any configured users or configuration files.
Zeroization can be time-consuming. Although all configurations are removed in a few seconds, the zeroization process goes on to overwrite all media, which can take considerable time depending on the size of the media.
Why Zeroize?
Your device is not considered a valid FIPS cryptographic module until all critical security parameters (CSPs) have been entered, or reentered, while the device is in FIPS mode.
For FIPS 140-2 compliance, you must zeroize the system to remove sensitive information before disabling FIPS mode on the device.
When to Zeroize?
As Crypto Officer, perform zeroization in the following situations:

  • Before enabling FIPS mode of operation: To prepare your device for operation as a FIPS cryptographic module, perform zeroization before enabling FIPS mode.
  • Before disabling FIPS mode of operation: To begin repurposing your device for non-FIPS operation, perform zeroization before disabling FIPS mode on the device.
    NOTE: Juniper Networks does not support installing non-FIPS software in a FIPS environment, but doing so might be necessary in certain test environments. Be sure to zeroize the system first.

Zeroizing the System
To zeroize your device, follow the procedure below:

  1. Log in to the device as Crypto Officer and, from the CLI, enter the following command.
    For REMX2K-X8:
    crypto-officer@host> request vmhost zeroize no-forwarding
    VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes
    re0:
    For RE1800:
    crypto-officer@host> request system zeroize
    System Zeroization : Erase all data, including configuration and log files ?
    [yes,no] (no) yes
    re0:
  2. To initiate the zeroization process, type yes at the prompt:
    Erase all data, including configuration and log files? [yes,no] (no) yes
    re0:
    --------------------------
    warning: zeroizing re0
    ...
    The entire operation can take considerable time depending on the size of the media, but all critical security parameters (CSPs) are removed within a few seconds. The physical environment must remain secure until the zeroization process is complete.

Enabling FIPS Mode
When Junos OS is installed on a device and the device is powered on, it is ready to be configured.
Initially, you log in as the user root with no password. When you log in as root, your SSH connection is enabled by default.
As Crypto Officer, you must establish a root password conforming to the FIPS password requirements in "Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode". When you enable FIPS mode in Junos OS on the device, you cannot configure passwords unless they meet this standard.
Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.
To enable FIPS mode in Junos OS on the device:

  1. Zeroize the device to delete all CSPs before entering FIPS mode. See "Understanding Zeroization to Clear System Data for FIPS Mode" for details.
  2. After the device comes up in 'Amnesiac mode', log in using the username root and password "" (blank).
    FreeBSD/amd64 (Amnesiac) (ttyu0)
    login: root
    --- JUNOS 20.3X75-D30.1 Kernel 64-bit JNPR-11.0-20190701.269d466_buil
    root@:~ # cli
    root>
  3. Configure root authentication with a password of at least 10 characters.
    root> edit
    Entering configuration mode
    [edit]
    root# set system root-authentication plain-text-password
    New password:
    Retype new password:
    [edit]
    root# commit
    commit complete
  4. Load the configuration onto the device and commit the new configuration. Configure crypto-officer and log in with the crypto-officer credentials.
  5. Install the fips-mode package needed for Routing Engine KATS.
    root@hostname> request system software add optional://fips-mode.tgz
    Verified fips-mode signed by PackageDevelopmentEc_2017 method ECDSA256+SHA256
  6. For MX Series devices:
    • Configure chassis boundary fips by setting set system fips chassis level 1 and commit.
    • Configure RE boundary fips by setting set system fips level 1 and commit.
    The device might display the warning "Encrypted-password must be re-configured to use FIPS compliant hash", which prompts you to delete the older CSPs in the loaded configuration.
  7. After you delete and reconfigure the CSPs, the commit goes through and the device needs a reboot to enter FIPS mode.
    [edit]
    crypto-officer@hostname# commit
    Generating RSA key /etc/ssh/fips_ssh_host_key
    Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key
    Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key
    [edit]
    system
    reboot is required to transition to FIPS level 1
    commit complete
    [edit]
    crypto-officer@hostname# run request vmhost reboot
  8. After the device reboots, the FIPS self-tests run and the device enters FIPS mode.
    crypto-officer@hostname:fips>

RELATED DOCUMENTATION
Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode

Configuring Crypto Officer and FIPS User Identification and Access
IN THIS SECTION
Configuring Crypto Officer Access
Configuring FIPS User Login Access
The Crypto Officer enables FIPS mode on your device, performs all configuration tasks for Junos OS in FIPS mode, and issues all Junos OS in FIPS mode statements and commands. Crypto Officer and FIPS user configurations must follow the Junos OS in FIPS mode guidelines.
Configuring Crypto Officer Access
Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-2.
For FIPS 140-2 compliance, any FIPS user with the secret, security, maintenance, and control permission bits set is a Crypto Officer. In most cases the super-user class suffices for the Crypto Officer.
To configure login access for a Crypto Officer:

  1. Log in to the device with the root password if you have not already done so, and enter configuration mode:
    root@hostname> edit
    Entering configuration mode
    [edit]
    root@hostname#
  2. Name the user crypto-officer and assign the Crypto Officer a user ID (for example, 6400, which must be a unique number associated with the login account in the range of 100 through 64000) and a class (for example, super-user). When you assign the class, you assign the permissions, for example, secret, security, maintenance, and control.
    For a list of permissions, see Understanding Junos OS Access Privilege Levels.
    [edit]
    root@hostname# set system login user username uid value class class-name
    For example:
    [edit]
    root@hostname# set system login user crypto-officer uid 6400 class super-user
  3. Following the guidelines in "Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode", assign the Crypto Officer a plain-text password for login authentication. Set the password by typing it after the prompts New password and Retype new password.
    [edit]
    root@hostname# set system login user username class class-name authentication (plain-text-password | encrypted-password)
    For example:
    [edit]
    root@hostname# set system login user crypto-officer class super-user authentication plain-text-password
  4. Optionally, display the configuration:
    [edit]
    root@hostname# edit system
    [edit system]
    root@hostname# show
    login {
        user crypto-officer {
            uid 6400;
            authentication {
                encrypted-password " "; ## SECRET-DATA
            }
            class super-user;
        }
    }
  5. If you are finished configuring the device, commit the configuration and exit:
    [edit]
    root@hostname# commit
    commit complete
    root@hostname# exit

Configuring FIPS User Login Access
A fips-user is defined as any FIPS user that does not have the secret, security, maintenance, and control permission bits set.
As the Crypto Officer, you set up FIPS users. FIPS users cannot be granted permissions normally reserved for the Crypto Officer, for example, permission to zeroize the system.
To configure login access for a FIPS user:

  1. Log in to the device with your Crypto Officer password if you have not already done so, and enter configuration mode:
    crypto-officer@hostname:fips> edit
    Entering configuration mode
    [edit]
    crypto-officer@hostname:fips#
  2. Give the user a username, and assign the user a user ID (for example, 6401, which must be a unique number in the range of 1 through 64000) and a class. When you assign the class, you assign the permissions, for example, clear, network, reset, view, and view-configuration.
    [edit]
    crypto-officer@hostname:fips# set system login user username uid value class class-name
    For example:
    [edit]
    crypto-officer@hostname:fips# set system login user fips-user1 uid 6401 class read-only
  3. Following the guidelines in "Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode", assign the FIPS user a plain-text password for login authentication. Set the password by typing it after the prompts New password and Retype new password.
    [edit]
    crypto-officer@hostname:fips# set system login user username class class-name authentication (plain-text-password | encrypted-password)
    For example:
    [edit]
    crypto-officer@hostname:fips# set system login user fips-user1 class read-only authentication plain-text-password
  4. Optionally, display the configuration:
    [edit]
    crypto-officer@hostname:fips# edit system
    [edit system]
    crypto-officer@hostname:fips# show
    login {
        user fips-user1 {
            uid 6401;
            authentication {
                encrypted-password " "; ## SECRET-DATA
            }
            class read-only;
        }
    }
  5. If you are finished configuring the device, commit the configuration and exit:
    [edit]
    crypto-officer@hostname:fips# commit
    crypto-officer@hostname:fips# exit

Configuring SSH and Console Connection

Configuring SSH on the Evaluated Configuration for FIPS
SSH through the remote management interface is allowed in the evaluated configuration. This topic describes how to configure SSH through remote management.
The following algorithms need to be configured to validate SSH for FIPS.
To configure SSH on the DUT:

  1. Specify the permissible SSH host-key algorithms for the system services.
    [edit]
    user@host# set system services ssh hostkey-algorithm ssh-ecdsa
    user@host# set system services ssh hostkey-algorithm no-ssh-dss
    user@host# set system services ssh hostkey-algorithm ssh-rsa
  2. Specify the SSH key-exchange for Diffie-Hellman keys for the system services.
    [edit]
    user@host# set system services ssh key-exchange dh-group14-sha1
    user@host# set system services ssh key-exchange ecdh-sha2-nistp256
    user@host# set system services ssh key-exchange ecdh-sha2-nistp384
    user@host# set system services ssh key-exchange ecdh-sha2-nistp521
  3. Specify all the permissible message authentication code algorithms for SSHv2.
    [edit]
    user@host# set system services ssh macs hmac-sha1
    user@host# set system services ssh macs hmac-sha2-256
    user@host# set system services ssh macs hmac-sha2-512
  4. Specify the ciphers allowed for protocol version 2.
    [edit]
    user@host# set system services ssh ciphers aes128-cbc
    user@host# set system services ssh ciphers aes256-cbc
    user@host# set system services ssh ciphers aes128-ctr
    user@host# set system services ssh ciphers aes256-ctr
    user@host# set system services ssh ciphers aes192-cbc
    user@host# set system services ssh ciphers aes192-ctr

    Supported SSH hostkey algorithms:
    ssh-ecdsa             Allow generation of ECDSA host-key
    ssh-rsa               Allow generation of RSA host-key

    Supported SSH key-exchange algorithms:
    ecdh-sha2-nistp256    The EC Diffie-Hellman on nistp256 with SHA2-256
    ecdh-sha2-nistp384    The EC Diffie-Hellman on nistp384 with SHA2-384
    ecdh-sha2-nistp521    The EC Diffie-Hellman on nistp521 with SHA2-512

    Supported MAC algorithms:
    hmac-sha1             Hash-based MAC using Secure Hash Algorithm (SHA1)
    hmac-sha2-256         Hash-based MAC using Secure Hash Algorithm (SHA2)
    hmac-sha2-512         Hash-based MAC using Secure Hash Algorithm (SHA2)

    Supported SSH cipher algorithms:
    aes128-cbc            128-bit AES with Cipher Block Chaining
    aes128-ctr            128-bit AES with Counter Mode
    aes192-cbc            192-bit AES with Cipher Block Chaining
    aes192-ctr            192-bit AES with Counter Mode
    aes256-cbc            256-bit AES with Cipher Block Chaining
    aes256-ctr            256-bit AES with Counter Mode
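Once SSH is configured, the set statements on a device can be compared against the values from steps 1 through 4 to catch drift from the evaluated configuration. The following Python sketch is an added example, not Juniper tooling; the function names are assumptions, and the second sample configuration (with ssh-dss, hmac-md5, and 3des-cbc) is constructed input for the demonstration.

```python
import re

# Values the procedure above configures under [edit system services ssh].
EVALUATED = {
    "hostkey-algorithm": {"ssh-ecdsa", "ssh-rsa", "no-ssh-dss"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256",
                     "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "ciphers": {"aes128-cbc", "aes192-cbc", "aes256-cbc",
                "aes128-ctr", "aes192-ctr", "aes256-ctr"},
}

# Optional "[edit]" banner and "user@host#" prompt in pasted CLI sessions.
PROMPT_RE = re.compile(r"^(\[edit[^\]]*\]\s*)?(\S+@\S+[#>]\s*)?")
SET_RE = re.compile(r"^set\s+system\s+services\s+ssh\s+(\S+)\s+(\S+)$")


def parse_ssh_statements(text):
    """Collect configured values per SSH statement from set-style lines."""
    found = {name: set() for name in EVALUATED}
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip(), count=1)
        match = SET_RE.match(line)
        if match and match.group(1) in EVALUATED:
            found[match.group(1)].add(match.group(2))
    return found


def audit(text):
    """Report values outside the guide's list and values the guide sets that are absent."""
    found = parse_ssh_statements(text)
    return {
        name: {
            "unexpected": sorted(found[name] - allowed),
            "missing": sorted(allowed - found[name]),
        }
        for name, allowed in EVALUATED.items()
    }


def is_compliant(text):
    return all(not r["unexpected"] and not r["missing"]
               for r in audit(text).values())


# The statements exactly as the procedure above enters them.
GUIDE_CONFIG = """
[edit] user@host# set system services ssh hostkey-algorithm ssh-ecdsa
user@host# set system services ssh hostkey-algorithm no-ssh-dss
user@host# set system services ssh hostkey-algorithm ssh-rsa
user@host# set system services ssh key-exchange dh-group14-sha1
user@host# set system services ssh key-exchange ecdh-sha2-nistp256
user@host# set system services ssh key-exchange ecdh-sha2-nistp384
user@host# set system services ssh key-exchange ecdh-sha2-nistp521
user@host# set system services ssh macs hmac-sha1
user@host# set system services ssh macs hmac-sha2-256
user@host# set system services ssh macs hmac-sha2-512
user@host# set system services ssh ciphers aes128-cbc
user@host# set system services ssh ciphers aes256-cbc
user@host# set system services ssh ciphers aes128-ctr
user@host# set system services ssh ciphers aes256-ctr
user@host# set system services ssh ciphers aes192-cbc
user@host# set system services ssh ciphers aes192-ctr
"""

# Constructed sample of a drifted configuration in "display set" form.
DRIFTED_CONFIG = """
set system services ssh hostkey-algorithm ssh-ecdsa
set system services ssh hostkey-algorithm ssh-rsa
set system services ssh hostkey-algorithm ssh-dss
set system services ssh key-exchange dh-group14-sha1
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh key-exchange ecdh-sha2-nistp521
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-md5
set system services ssh ciphers aes128-cbc
set system services ssh ciphers aes192-cbc
set system services ssh ciphers aes256-cbc
set system services ssh ciphers aes128-ctr
set system services ssh ciphers aes192-ctr
set system services ssh ciphers aes256-ctr
set system services ssh ciphers 3des-cbc
"""

if __name__ == "__main__":
    for name, result in audit(DRIFTED_CONFIG).items():
        print(name, result)
```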

Configuring MACsec

Understanding Media Access Control Security (MACsec) in FIPS Mode
Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and can identify and prevent most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.
MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.
MACsec is standardized in IEEE 802.1AE. The IEEE 802.1AE standard can be seen on the IEEE organization website at IEEE 802.1: BRIDGING AND MANAGEMENT.
Each implementation of an algorithm is checked by a series of known answer test (KAT) self-tests and crypto algorithm validations (CAV). The following cryptographic algorithms are added specifically for MACsec.

  • Advanced Encryption Standard (AES)-Cipher Message Authentication Code (CMAC)
  • Advanced Encryption Standard (AES) Key Wrap
    For MACsec, in configuration mode, use the prompt command to enter a secret key value of 64 hexadecimal characters for authentication.
    [edit]
    crypto-officer@hostname:fips# prompt security macsec connectivity-association connectivity-association-name pre-shared-key cak
    New cak (secret):
    Retype new cak (secret):

Customizing Time
To customize time, disable NTP and set the date.

  1. Disable NTP.
    [edit]
    crypto-officer@hostname:fips# deactivate groups global system ntp
    crypto-officer@hostname:fips# deactivate system ntp
    crypto-officer@hostname:fips# commit
    crypto-officer@hostname:fips# exit
  2. Set the date and time. The date and time format is YYYYMMDDHHMM.ss
    [edit]
    crypto-officer@hostname:fips# set date 201803202034.00
    crypto-officer@hostname:fips# set cli timestamp
  3. Set the MACsec Key Agreement (MKA) secure channel details.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name direction (inbound | outbound)
    crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name encryption (MACsec)
    crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name id mac-address mac-address
    crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name id port-id port-id-number
    crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name offset (0|30|50)
    crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name security-association security-association-number key key-string
  4. Set the MKA to security mode.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name security-mode security-mode
  5. Assign the configured connectivity association to a specified MACsec interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association connectivity-association-name

Configuring Static MACsec with ICMP Traffic
To configure Static MACsec using ICMP traffic between device R0 and device R1:
In R0:

  1. Create the preshared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key cak 23456789223344556677889922233344
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 off
  2. Set the trace option values.
    [edit]
    crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
    crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
    crypto-officer@hostname:fips# set security macsec traceoptions flag all
  3. Assign the trace to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
  4. Configure the MACsec security mode as static-cak for the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
  5. Set the MKA key server priority.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
  6. Set the MKA transmit interval.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
  7. Enable the MKA secure.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka should-secure
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
  8. Assign the connectivity association to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
    crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.1/24

In R1:

  1. Create the preshared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key cak 23456789223344556677889922233344
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 30
  2. Set the trace option values.
    [edit]
    crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
    crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
    crypto-officer@hostname:fips# set security macsec traceoptions flag all
  3. Assign the trace to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
  4. Configure the MACsec security mode as static-cak for the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
  5. Set the MKA transmit interval.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
  6. Enable the MKA secure.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka should-secure
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
  7. Assign the connectivity association to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
    crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24

Kukonza MACsec ndi keychain pogwiritsa ntchito ICMP Traffic
Kukonza MACsec ndi keychain pogwiritsa ntchito ICMP traffic pakati pa chipangizo cha R0 ndi chipangizo cha R1:
mu R0:

  1. Perekani mtengo wololera pamakiyi otsimikizira. [edit] crypto-officer@hostname:fips# khazikitsani chitsimikiziro chachitetezo-key-chains key-chain macsec-kc1 tolerance 20
  2. Pangani mawu achinsinsi oti mugwiritse ntchito. Ndi mndandanda wa manambala a hexadecimal mpaka zilembo 64 kutalika. Mawu achinsinsi angaphatikizepo mipata ngati chingwe cha zilembo chili ndi ma quotation marks. Zinsinsi zachinsinsi za keychain zimagwiritsidwa ntchito ngati CAK.
    [edit]
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
    [edit]
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
    New cak (secret):
    Retype new cak (secret):
  3. Associate the preshared keychain name with the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
    NOTE: The cipher value can also be set as cipher-suite gcm-aes-128.
  4. Set the trace option values.
    [edit]
    crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
    crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
    crypto-officer@hostname:fips# set security macsec traceoptions flag all
  5. Assign the trace to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
  6. Configure the MACsec security mode as static-cak for the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
  7. Set the MKA key server priority.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
  8. Set the MKA transmit interval.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
  9. Enable MKA security.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
  10. Assign the connectivity association to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
    crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.1/24

To configure MACsec with keychain for ICMP traffic:
In R1:

  1. Assign a tolerance value to the authentication key chain.
    [edit]
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.
    [edit]
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
    [edit]
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
    New cak (secret):
    Retype new cak (secret):
  3. Associate the preshared keychain name with the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
  4. Set the trace option values.
    [edit]
    crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
    crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
    crypto-officer@hostname:fips# set security macsec traceoptions flag all
  5. Assign the trace to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
  6. Configure the MACsec security mode as static-cak for the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
  7. Set the MKA key server priority.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
  8. Set the MKA transmit interval.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
  9. Enable MKA security.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
  10. Assign the connectivity association to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
    crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24
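
The keychain procedure above depends on several values lining up: hexadecimal key names of at most 64 characters, start times that advance from key to key, a connectivity association that points at a key chain that exists, and identical key entries on R0 and R1. The Python below is an added example (not Juniper's code) that lints a saved list of `set` commands for those conditions; the function names and the constructed sample are assumptions, and the CAK entered with `prompt` never appears in the command text, so it is not checked.

```python
import re
from datetime import datetime

HEX_CKN = re.compile(r"^[0-9a-fA-F]{1,64}$")      # "hexadecimal digits up to 64 characters"
ALLOWED_SUITES = {"gcm-aes-128", "gcm-aes-256"}   # the two suites this guide names
KC = "set security authentication-key-chains key-chain "
CA = "set security macsec connectivity-association "

# Constructed sample: the first two keys of the procedure's key chain plus the CA binding.
SAMPLE_R0 = """\
set security authentication-key-chains key-chain macsec-kc1 tolerance 20
set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
set security macsec connectivity-association CA1 security-mode static-cak
"""


def parse(text):
    """Return (chains, cas): chains[name][key_id] = {attr: value}, cas[name] = {attr: value}."""
    chains, cas = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(KC):
            tok = line[len(KC):].split()
            chain = chains.setdefault(tok[0], {})
            if len(tok) >= 5 and tok[1] == "key" and tok[2].isdigit():
                chain.setdefault(int(tok[2]), {})[tok[3]] = tok[4]
        elif line.startswith(CA):
            tok = line[len(CA):].split()
            if len(tok) >= 3:
                cas.setdefault(tok[0], {})[tok[1]] = tok[2]
    return chains, cas


def parse_start(value):
    """Parse the start-time format used on this page, with optional seconds."""
    for fmt in ("%Y-%m-%d.%H:%M", "%Y-%m-%d.%H:%M:%S"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    chains, cas = parse(text)
    findings = []
    for name, keys in chains.items():
        seen, previous = {}, None
        for key_id in sorted(keys):
            attrs = keys[key_id]
            ckn = attrs.get("key-name", "").lower()
            if not HEX_CKN.match(ckn):
                findings.append(f"{name} key {key_id}: key-name is not 1-64 hex digits")
            elif ckn in seen:
                findings.append(f"{name} key {key_id}: key-name repeats key {seen[ckn]}")
            else:
                seen[ckn] = key_id
            start = parse_start(attrs.get("start-time", ""))
            if start is None:
                findings.append(f"{name} key {key_id}: missing or malformed start-time")
            elif previous is not None and start <= previous:
                findings.append(f"{name} key {key_id}: start-time does not follow the previous key")
            if start is not None:
                previous = start
    for name, attrs in cas.items():
        ref = attrs.get("pre-shared-key-chain")
        if ref is not None and ref not in chains:
            findings.append(f"{name}: pre-shared-key-chain {ref} is not defined")
        suite = attrs.get("cipher-suite")
        if suite is not None and suite not in ALLOWED_SUITES:
            findings.append(f"{name}: cipher-suite {suite} is not one this guide names")
        if attrs.get("security-mode") != "static-cak":
            findings.append(f"{name}: security-mode is not static-cak")
    return findings


def peer_mismatches(r0_text, r1_text):
    """Return (chain, key_id) pairs whose key-name or start-time differ between the two ends."""
    r0, _ = parse(r0_text)
    r1, _ = parse(r1_text)
    diffs = []
    for chain in sorted(set(r0) | set(r1)):
        k0, k1 = r0.get(chain, {}), r1.get(chain, {})
        for key_id in sorted(set(k0) | set(k1)):
            if k0.get(key_id) != k1.get(key_id):
                diffs.append((chain, key_id))
    return diffs


if __name__ == "__main__":
    print(lint(SAMPLE_R0) or "no findings")
```
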

Configuring Static MACsec for Layer 2 Traffic
To configure static MACsec for Layer 2 traffic between device R0 and device R1:
In R0:

  1. Set the MKA key server priority.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.
    [edit]
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
    New cak (secret):
    Retype new cak (secret):
    For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
  3. Associate the preshared keychain name with the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
  4. Set the trace option values.
    [edit]
    crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
    crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
    crypto-officer@hostname:fips# set security macsec traceoptions flag all
  5. Assign the trace to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
  6. Configure the MACsec security mode as static-cak for the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
  7. Set the MKA key server priority.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
  8. Set the MKA transmit interval.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
  9. Enable MKA security.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
  10. Assign the connectivity association to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
  11. Configure VLAN tagging.
    [edit]
    crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
    crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
    crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
    crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
    crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
    crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
    crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
    crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
  12. Configure the bridge domain.
    [edit]
    crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
    crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
    crypto-officer@hostname:fips# set bridge-domains BD-110 interface-name1 100
    crypto-officer@hostname:fips# set bridge-domains BD-110 interface-name2 100

In R1:

  1. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.
    [edit]
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
    New cak (secret):
    Retype new cak (secret):
    For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
  2. Associate the preshared keychain name with the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
  3. Set the trace option values.
    [edit]
    crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
    crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
    crypto-officer@hostname:fips# set security macsec traceoptions flag all
  4. Assign the trace to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
  5. Configure the MACsec security mode as static-cak for the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
  6. Set the MKA key server priority.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
  7. Set the MKA transmit interval.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
  8. Enable MKA security.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
  9. Assign the connectivity association to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
  10. Configure VLAN tagging.
    [edit]
    crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
    crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
    crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
    crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
    crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
    crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
    crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
    crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
  11. Configure the bridge domain.
    [edit]
    crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
    crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
    crypto-officer@hostname:fips# set bridge-domains BD-110 interface-name1 100
    crypto-officer@hostname:fips# set bridge-domains BD-110 interface-name2 100

Configuring MACsec with Keychain for Layer 2 Traffic

To configure MACsec with keychain for ICMP traffic between device R0 and device R1:
In R0:

  1. Assign a tolerance value to the authentication key chain.
    [edit]
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.
    [edit]
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
    [edit]
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
    New cak (secret):
    Retype new cak (secret):
  3. Associate the preshared keychain name with the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
  4. Set the trace option values.
    [edit]
    crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
    crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
    crypto-officer@hostname:fips# set security macsec traceoptions flag all
  5. Assign the trace to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
  6. Configure the MACsec security mode as static-cak for the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
  7. Set the MKA key server priority.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
  8. Set the MKA transmit interval.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
  9. Enable MKA security.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
  10. Assign the connectivity association to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
  11. Configure VLAN tagging.
    [edit]
    crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
    crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
    crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
    crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
    crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
    crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
    crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
    crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
  12. Configure the bridge domain.
    [edit]
    crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
    crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
    crypto-officer@hostname:fips# set bridge-domains BD-110 interface-name1 100
    crypto-officer@hostname:fips# set bridge-domains BD-110 interface-name2 100

In R1:

  1. Assign a tolerance value to the authentication key chain.
    [edit]
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.
    [edit]
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
    crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
    Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
    [edit]
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
    New cak (secret):
    Retype new cak (secret):
    crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
    New cak (secret):
    Retype new cak (secret):
  3. Associate the preshared keychain name with the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
  4. Set the trace option values.
    [edit]
    crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
    crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
    crypto-officer@hostname:fips# set security macsec traceoptions flag all
  5. Assign the trace to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
    crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
  6. Configure the MACsec security mode as static-cak for the connectivity association.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
  7. Set the MKA key server priority.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority
  8. Set the MKA transmit interval.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
  9. Enable MKA security.
    [edit]
    crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
  10. Assign the connectivity association to an interface.
    [edit]
    crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
  11. Konzani VLAN tagkulira.
    [edit] crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagkulira
    crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexibleethernet-services
    crypto-officer@hostname:fips#
    set interfaces interface-name1 unit 100 encapsulation vlanbridge
    crypto-officer@hostname:fips#
    khazikitsani mawonekedwe-name1 unit 100 vlan-id 100
    crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagkulira
    crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible Ethernet-services
    crypto-officer@hostname:fips#
    set interfaces interface-name2 unit 100 encapsulation vlanbridge
    crypto-officer@hostname:fips#
    khazikitsani mawonekedwe-name2 unit 100 vlan-id 100
  12. Konzani dera la mlatho.
    [edit] crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type mlatho
    crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
    crypto-officer@hostname:fips# set bridge-domains BD-110 interface-name1 100
    crypto-officer@hostname:fips# set bridge-domains BD-110 interface-name2 100

Configuring Event Logging

Event Logging Overview
The evaluated configuration requires the auditing of configuration changes through the system log.
In addition, Junos OS can:

  • Send automated responses to audit events (syslog entry creation).
  • Allow authorized managers to examine audit logs.
  • Send audit files to external servers.
  • Allow authorized managers to return the system to a known state.

The logging for the evaluated configuration must capture the following events:

  • Changes to secret data in the configuration.
  • Committed changes.
  • Login/logout of users.
  • System startup.
  • Failure to establish an SSH session.
  • Establishment/termination of an SSH session.
  • Changes to the (system) time.
  • Termination of a remote session by the session locking mechanism.
  • Termination of an interactive session.

In addition, Juniper Networks recommends that logging also:

  • Capture all changes to the configuration.
  • Store logging information remotely.

Configuring Event Logging to a Local File
You can configure the storing of audit information to a local file with the syslog statement. This example stores logs in a file named Audit-File:
[edit system]
syslog {
    file Audit-File;
}
Interpreting Event Messages
The following output shows sample event messages.
Feb 27 02:33:04 bm-a mgd[6520]: UI_LOGIN_EVENT: User 'security-officer' login, class 'j-superuser' [6520], ssh-connection '', client-mode 'cli'
Feb 27 02:33:49 bm-a mgd[6520]: UI_DBASE_LOGIN_EVENT: User 'security-officer' entering configuration mode
Feb 27 02:38:29 bm-a mgd[6520]: UI_CMDLINE_READ_LINE: User 'security-officer', command 'run show log Audit_log | grep LOGIN'
Table 4 describes the fields of an event message. If the system logging utility cannot determine the value of a particular field, a hyphen (-) appears in its place.
Table 4: Fields in Event Messages

| Field | Description | Examples |
|---|---|---|
| timestamp | Time when the message was generated, in one of two representations. MMM-DD HH:MM:SS.MS+/-HH:MM is the month, day, hour, minute, second, and millisecond in local time; the hour and minute that follow the plus sign (+) or minus sign (-) are the offset of the local time zone from Coordinated Universal Time (UTC). YYYY-MM-DDTHH:MM:SS.MSZ is the year, month, day, hour, minute, second, and millisecond in UTC. | Feb 27 02:33:04 is the timestamp expressed as local time in the United States. 2012-02-27T03:17:15.713Z is 2:33 AM UTC on 27 Feb 2012. |
| hostname | Name of the host that generated the message. | router1 |
| process | Name of the Junos OS process that generated the message. | mgd |
| processID | UNIX process ID (PID) of the Junos OS process that generated the message. | 4153 |
| TAG | Junos OS system log message tag, which uniquely identifies the message. | UI_DBASE_LOGOUT_EVENT |
| username | Username of the user initiating the event. | "admin" |
| message-text | English-language description of the event. | set: [system radius-server 1.2.3.4 secret] |

Logging Changes to Secret Data
The following are examples of audit logs of events that change secret data. Whenever secret data is set in the configuration, as in this example, the syslog event should capture the logs below:
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin authentication encrypted-password]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin2 authentication encrypted-password]
Whenever a configuration is updated or changed, the syslog should capture these logs:
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system radius-server 1.2.3.4 secret]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
For more information about configuring parameters and managing log files, see the Junos OS System Log Messages Reference.
Login and Logout Events Using SSH
System log messages are generated whenever a user successfully or unsuccessfully attempts SSH access. Logout events are also recorded. For example, the following logs are the result of two failed authentication attempts, then a successful one, and finally a logout:
Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo mgd[16648]: UI_AUTH_EVENT: Authenticated user 'op' at permission level 'j-operator'
Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]
Dec 20 23:17:56 bilbo mgd[16648]: UI_CMDLINE_READ_LINE: User 'op', command 'quit'
Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout
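The Table 4 fields and the secret-change and SSH messages above can be reviewed mechanically. The following Python sketch is an added example, not part of the Juniper guide: it splits each line into the Table 4 fields (with a hyphen for any missing field) and reports secret-data changes and logins that follow failed attempts. The sample lines are constructed after the messages shown above, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the event messages shown in this section.
SAMPLE_LOG = """\
Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system radius-server 1.2.3.4 secret]
Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout
Dec 20 23:17:35 bilbo syslogd: restart
"""

# timestamp hostname process[processID]: TAG: message-text (PID and TAG are optional)
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?:(?P<tag>[A-Z][A-Z0-9_]+): )?"
    r"(?P<text>.*)$"
)
SSH_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+) port \d+")
SECRET_RE = re.compile(r"^User '([^']+)' (\w+): \[(.+)\]$")


def parse_line(line):
    """Return the Table 4 fields of one message, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # As in Table 4, a hyphen stands in for a field whose value is unknown.
    return {k: (v if v is not None else "-") for k, v in m.groupdict().items()}


def audit_summary(log_text):
    """List secret-data changes and suspicious SSH login sequences."""
    failures = defaultdict(int)  # (user, source address) -> failed attempts so far
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["process"] == "sshd":
            m = SSH_RE.match(ev["text"])
            if not m:
                continue
            outcome, user, src = m.groups()
            if outcome == "Failed":
                failures[(user, src)] += 1
            else:
                n = failures.pop((user, src), 0)
                if n:  # success preceded by failures from the same source
                    findings.append(("login-after-failures", user, src, n))
        elif ev["tag"] == "UI_CFG_AUDIT_SET_SECRET":
            m = SECRET_RE.match(ev["text"])
            if m:
                user, action, path = m.groups()
                findings.append(("secret-change", user, action, path))
    # Failed attempts that were never followed by a successful login.
    for (user, src), n in failures.items():
        findings.append(("failed-logins", user, src, n))
    return findings


if __name__ == "__main__":
    for finding in audit_summary(SAMPLE_LOG):
        print(finding)
```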
Logging of Audit Startup
The audit information logged includes startups of Junos OS. This in turn identifies the startup events of the audit system, which cannot be independently disabled or enabled. For example, if Junos OS is restarted, the audit log contains the following information:
Dec 20 23:17:35 bilbo syslogd: exiting on signal 14
Dec 20 23:17:35 bilbo syslogd: restart
Dec 20 23:17:35 bilbo syslogd /kernel: Dec 20 23:17:35 init: syslogd (PID 19128) exited with status=1
Dec 20 23:17:42 bilbo /kernel:
Dec 20 23:17:53 init: syslogd (PID 19200) started

Performing Self-Tests on a Device

Understanding FIPS Self-Tests
The cryptographic module enforces security rules to ensure that the Juniper Networks Junos operating system (Junos OS) in FIPS mode meets the security requirements of FIPS 140-2 Level 1. To validate the output of cryptographic algorithms approved for FIPS and to test the integrity of some system modules, the device performs the following series of known answer test (KAT) self-tests:

  • kernel_kats - KAT for kernel cryptographic routines
  • md_kats - KAT for libmd and libc
  • openssl_kats - KAT for OpenSSL cryptographic implementation
  • quicksec_kats - KAT for QuickSec Toolkit cryptographic implementation
  • ssh_ipsec_kats - KAT for SSH IPsec Toolkit cryptographic implementation
  • macsec_kats - KAT for MACsec cryptographic implementation

The KAT self-tests are performed automatically at startup. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and ECDSA keys, and manually entered keys.
If the KATs complete successfully, the system log (syslog) file is updated to display the tests that were executed.
If there is a KAT failure, the device writes the details to the system log file, enters the FIPS error state (panic), and reboots.
The file show /var/log/messages command displays the system log.
You can also run the FIPS self-test by issuing the request vmhost reboot command. You can see the FIPS self-test logs on the console while the system is coming up.
Example: Configure FIPS Self-Tests
This example shows how to configure FIPS self-tests to run periodically.
Hardware and Software Requirements

  • You must have administrative privileges to configure FIPS self-tests.
  • The device must be running the evaluated version of Junos OS in FIPS mode software.

Overview
The FIPS self-test consists of the following suites of known answer tests (KATs):

  • kernel_kats - KAT for kernel cryptographic routines
  • md_kats - KAT for libmd and libc
  • quicksec_kats - KAT for QuickSec Toolkit cryptographic implementation
  • openssl_kats - KAT for OpenSSL cryptographic implementation
  • ssh_ipsec_kats - KAT for SSH IPsec Toolkit cryptographic implementation
  • macsec_kats - KAT for MACsec cryptographic implementation

In this example, the FIPS self-test is executed at 9:00 AM in New York City, USA, every Wednesday.

NOTE: Instead of weekly tests, you can configure monthly tests by including the month and day-of-month statements.
When a KAT self-test fails, a log message is written to the system log messages file with details of the test failure. The system then panics and reboots.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set system fips self-test periodic start-time 09:00
set system fips self-test periodic day-of-week 3
Step-by-Step Procedure
To configure the FIPS self-test, log in to the device with crypto-officer credentials:

  1. Configure the FIPS self-test to execute at 9:00 AM every Wednesday.
    [edit system fips self-test]
    crypto-officer@hostname:fips# set periodic start-time 09:00
    crypto-officer@hostname:fips# set periodic day-of-week 3
  2. If you are done configuring the device, commit the configuration.
    [edit system fips self-test]
    crypto-officer@hostname:fips# commit

Results
From configuration mode, confirm your configuration by issuing the show system command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
crypto-officer@hostname:fips# show system
fips {
    self-test {
        periodic {
            start-time "09:00";
            day-of-week 3;
        }
    }
}

Verification

Confirm that the configuration is working properly.
Verifying the FIPS Self-Test

Purpose
Verify that the FIPS self-test is enabled.
Action
Run the FIPS self-test manually by issuing the request system fips self-test command, or reboot the device.
After you issue the request system fips self-test command or reboot the device, the system log file is updated to display the KATs that are executed. To view the system log file, issue the file show /var/log/messages command.
user@host# file show /var/log/messages
RE KATS:
mgd: Running FIPS Self-tests
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-384 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing MACSec KATS:
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES256-CMAC Known Answer Test: Passed
mgd: AES-ECB Known Answer Test: Passed
mgd: AES-KEYWRAP Known Answer Test: Passed
mgd: KBKDF Known Answer Test: Passed
mgd: Testing libmd KATS:
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: Testing OpenSSL KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: FIPS ECDSA Known Answer Test: Passed
mgd: FIPS ECDH Known Answer Test: Passed
mgd: FIPS RSA Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-SSH-SHA256 Known Answer Test: Passed
mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed
mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed
mgd: Testing QuickSec 7.0 KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: SSH-ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing QuickSec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing SSH IPsec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: Testing file integrity:
mgd: File integrity Known Answer Test: Passed
mgd: Testing crypto integrity:
mgd: Crypto integrity Known Answer Test: Passed
mgd: Expect an exec AuthenticatiMAC/veriexec: no fingerprint (file=/sbin/kats/cannot-exec
fsid=246 fileid=49356 gen=1 uid=0 pid=9384 ppid=9354 gppid=9352)on error...
mgd: /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error
mgd: FIPS Self-tests Passed
LC KATS:
Sep 12 10:50:44 network_macsec_kats_input xe- /0/0:0: Slot no> pic:0 port:0 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:50:50 network_macsec_kats_input xe- /0/1:0: Slot no> pic:0 port:1 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:50:55 network_macsec_kats_input xe- /0/0:0: Slot no> pic:0 port:0 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:50:56 network_macsec_kats_input xe- /0/2:0: Slot no> pic:0 port:2 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:01 network_macsec_kats_input xe- /0/1:0: Slot no> pic:0 port:1 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:02 network_macsec_kats_input xe- /0/2:0: Slot no> pic:0 port:2 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:06 network_macsec_kats_input xe- /0/3:0: Slot no> pic:0 port:3 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:12 network_macsec_kats_input xe- /0/3:0: Slot no> pic:0 port:3 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:17 network_macsec_kats_input xe- /0/4:0: Slot no> pic:0 port:4 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:17 network_macsec_kats_input xe- /0/4:0: Slot no> pic:0 port:4 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:26 network_macsec_kats_input xe- /0/5:0: Slot no> pic:0 port:5 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:27 network_macsec_kats_input xe- /0/5:0: Slot no> pic:0 port:5 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:36 network_macsec_kats_input xe- /0/6:0: Slot no> pic:0 port:6 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:36 network_macsec_kats_input xe- /0/6:0: Slot no> pic:0 port:6 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:44 network_macsec_kats_input xe- /0/7:0: Slot no> pic:0 port:7 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:44 network_macsec_kats_input xe- /0/7:0: Slot no> pic:0 port:7 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:51 network_macsec_kats_input xe- /0/8:0: Slot no> pic:0 port:8 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:51 network_macsec_kats_input xe- /0/8:0: Slot no> pic:0 port:8 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:58 network_macsec_kats_input xe- /0/9:0: Slot no> pic:0 port:9 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:58 network_macsec_kats_input xe- /0/9:0: Slot no> pic:0 port:9 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:05 network_macsec_kats_input xe- /0/10:0: Slot no> pic:0 port:10 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:05 network_macsec_kats_input xe- /0/10:0: Slot no> pic:0 port:10 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:12 network_macsec_kats_input xe- /0/11:0: Slot no> pic:0 port:11 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:12 network_macsec_kats_input xe- /0/11:0: Slot no> pic:0 port:11 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:20 network_macsec_kats_input xe- /1/0:0: Slot no> pic:1 port:0 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:20 network_macsec_kats_input xe- /1/0:0: Slot no> pic:1 port:0 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:27 network_macsec_kats_input xe- /1/1:0: Slot no> pic:1 port:1 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:28 network_macsec_kats_input xe- /1/1:0: Slot no> pic:1 port:1 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:34 network_macsec_kats_input xe- /1/2:0: Slot no> pic:1 port:2 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Meaning
The system log file displays the date and time at which the KATs were executed and their status.
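A reviewer can confirm a self-test run from /var/log/messages without reading every line. The following Python sketch is an added example, not part of the Juniper guide: it groups the "Known Answer Test" lines by suite, treats any status other than "Passed" as a failure, and also flags a log that stops before the final "FIPS Self-tests Passed" line, as happens when the device panics and reboots. The sample logs are constructed, the status word "Failed" is an assumption (the guide shows only passing output), and the function names are illustrative.

```python
import re

# "mgd: Testing kernel KATS:" or "mgd: Testing file integrity:" opens a suite.
SUITE_RE = re.compile(r"mgd: Testing (?P<suite>.+?)(?: KATS)?:\s*$")
KAT_RE = re.compile(r"mgd: (?P<alg>.+?) Known Answer Test: (?P<status>\S+)\s*$")
DONE_RE = re.compile(r"mgd: FIPS Self-tests (?P<status>\S+)\s*$")

# Suite names as they appear in the Routing Engine (RE KATS) output above.
EXPECTED_SUITES = ["kernel", "MACSec", "libmd", "OpenSSL", "QuickSec", "SSH IPsec"]

# Constructed, shortened sample of a complete passing run.
PASSING_LOG = """\
mgd: Running FIPS Self-tests
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing MACSec KATS:
mgd: AES256-CMAC Known Answer Test: Passed
mgd: Testing libmd KATS:
mgd: SHA-2-512 Known Answer Test: Passed
mgd: Testing OpenSSL KATS:
mgd: AES-GCM Known Answer Test: Passed
mgd: Testing QuickSec KATS:
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing SSH IPsec KATS:
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: Testing file integrity:
mgd: File integrity Known Answer Test: Passed
mgd: FIPS Self-tests Passed
"""

# Constructed failing run: one KAT fails and the log stops before OpenSSL.
# The "Failed" status string is an assumption, not taken from the guide.
TRUNCATED_LOG = PASSING_LOG.split("mgd: Testing OpenSSL")[0].replace(
    "AES256-CMAC Known Answer Test: Passed",
    "AES256-CMAC Known Answer Test: Failed",
)


def check_kats(log_text, expected=EXPECTED_SUITES):
    """Summarise a self-test log: failed KATs, missing suites, overall verdict."""
    results = {}    # suite name -> list of (algorithm, status)
    suite = None
    overall = None  # stays None if the final summary line never appears
    for line in log_text.splitlines():
        m = SUITE_RE.search(line)
        if m:
            suite = m["suite"]
            results.setdefault(suite, [])
            continue
        m = KAT_RE.search(line)
        if m and suite is not None:
            results[suite].append((m["alg"], m["status"]))
            continue
        m = DONE_RE.search(line)
        if m:
            overall = m["status"]
    failed = [(s, alg, st) for s, tests in results.items()
              for alg, st in tests if st != "Passed"]
    # A suite with no recorded KAT results counts as missing.
    missing = [s for s in expected if not results.get(s)]
    ok = overall == "Passed" and not failed and not missing
    return {"ok": ok, "failed": failed, "missing": missing, "overall": overall}


if __name__ == "__main__":
    print(check_kats(PASSING_LOG))
    print(check_kats(TRUNCATED_LOG))
```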

Operational Commands

Syntax
request system zeroize
Description
For RE1800, removes all configuration information on the Routing Engines and resets all key values. If the device has dual Routing Engines, the command is broadcast to all Routing Engines on the device. The command removes all data files, including customized configuration and log files, by unlinking the files from their directories. The command removes all user-created files from the system, including passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP.
This command reboots the device and sets it to the factory-default configuration. After the reboot, you cannot access the device through the management Ethernet interface. Log in through the console as root and start the Junos OS CLI by typing cli at the prompt.
Required Privilege Level
maintenance
request vmhost zeroize no-forwarding
Syntax
request vmhost zeroize no-forwarding
Description
For REMX2K-X8, removes all configuration information on the Routing Engines and resets all key values. If the device has dual Routing Engines, the command is broadcast to the Routing Engines on the device.
The command removes all data files, including customized configuration and log files, by unlinking the files from their directories. The command removes all user-created files from the system, including passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP.
This command reboots the device and sets it to the factory-default configuration. After the reboot, you cannot access the device through the management Ethernet interface. Log in through the console as the root user and start the Junos OS CLI by typing cli at the prompt.
Sample Output
request vmhost zeroize no-forwarding
user@host> request vmhost zeroize no-forwarding
VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes
re0:
warning: Vmhost will reboot and may not boot without configuration
warning: Proceeding with vmhost zeroize
Zeroise secondary internal disk
Proceeding with zeroize on secondary disk
Mounting device in preparation for zeroize…
Cleaning up target disk for zeroize
Zeroize done on target disk.
Zeroize of secondary disk completed
Zeroise primary internal disk
Proceeding with zeroize on primary disk
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_dsa_key
Mounting device in preparation for zeroize…
Cleaning up target disk for zeroize
Zeroize done on target disk.
Zeroize of primary disk completed
Zeroize done
---(more)---
Stopping cron.
Waiting for PIDS: 6135.
.
Feb 16 14:59:33 jlaunchd: periodic-packet-services (PID 6181) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: smg-service (PID 6234) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: application-identification (PID 6236) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: ifstate-tracing-process (PID 6241) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: resource-management (PID 6243) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: charged (PID 6246) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: license-service (PID 6255) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: ntp (PID 6620) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: gkd-chassis (PID 6621) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: gkd-lchassis (PID 6622) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: routing (PID 6625) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: sonet-aps (PID 6626) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: remote-operations (PID 6627) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: class-of-service
……..