Junos® OS
FIPS Evaluated Configuration Guide for MX960, MX480, and MX240 Devices
JUNIPER NETWORKS Junos OS FIPS Evaluated Devices
RELEASE
20.3X75-D30
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Junos® OS FIPS Evaluated Configuration Guide for MX960, MX480, and MX240 Devices 20.3X75-D30
Copyright © 2023 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
About This Guide
Use this guide to operate MX960, MX480, and MX240 devices in the Federal Information Processing Standards (FIPS) 140-2 Level 1 environment. FIPS 140-2 defines security levels for hardware and software that perform cryptographic functions.
RELATED DOCUMENTATION
Common Criteria and FIPS Terminology
Overview
Understanding Junos OS in FIPS Mode
IN THIS SECTION
- Supported Platforms and Hardware | 2
- About the Cryptographic Boundary on Your Device | 3
- How FIPS Mode Differs from Non-FIPS Mode | 3
- Validated Version of Junos OS in FIPS Mode | 3
Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software that perform cryptographic functions. A Juniper Networks router running the Juniper Networks Junos operating system (Junos OS) in FIPS mode complies with the FIPS 140-2 Level 1 standard.
Operating this router in a FIPS 140-2 Level 1 environment requires enabling and configuring FIPS mode on the device from the Junos OS command-line interface (CLI).
The Crypto Officer enables FIPS mode in Junos OS and establishes keys and passwords for the system and other FIPS users.
Supported Platforms and Hardware
For the features described in this document, the following platforms are used to validate FIPS certification:
- MX960, MX480, and MX240 devices equipped with the RE-S-1800X4 and the LC MPC7E-10G (https://www.juniper.net/us/en/products/routers/mx-series/mx960-universal-routing-platform.html, https://www.juniper.net/us/en/products/routers/mx-series/mx480-universal-routing-platform.html, and https://www.juniper.net/us/en/products/routers/mx-series/mx240-universal-routing-platform.html).
- MX960, MX480, and MX240 devices equipped with the RE-S-X6 and the LC MPC7E-10G (https://www.juniper.net/us/en/products/routers/mx-series/mx960-universal-routing-platform.html, https://www.juniper.net/us/en/products/routers/mx-series/mx480-universal-routing-platform.html, and https://www.juniper.net/us/en/products/routers/mx-series/mx240-universal-routing-platform.html).
About the Cryptographic Boundary on Your Device
FIPS 140-2 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode prevents the cryptographic module from running any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module in unencrypted form.
NOTE: Virtual Chassis features are not supported in FIPS mode. Do not configure a Virtual Chassis in FIPS mode.
How FIPS Mode Differs from Non-FIPS Mode
Junos OS in FIPS mode differs from Junos OS in non-FIPS mode in the following ways:
- Self-tests of all cryptographic algorithms are performed at startup.
- Self-tests of random number and key generation are performed continuously.
- Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.
- Weak or unencrypted management connections must not be configured.
- Passwords must be encrypted with strong one-way algorithms that do not permit decryption.
- Administrator passwords must be at least 10 characters long.
Validated Version of Junos OS in FIPS Mode
To determine whether a Junos OS release is NIST-validated, see the compliance advisor page on the Juniper Networks website (https://apps.juniper.net/compliance/).
RELATED DOCUMENTATION
Identifying Secure Product Delivery | 7
Understanding FIPS Terminology and Supported Cryptographic Algorithms
IN THIS SECTION
Terminology | 4
Supported Cryptographic Algorithms | 5
Use the definitions of FIPS terms and supported algorithms to help you understand Junos OS in FIPS mode.
Terminology
Critical security parameter (CSP)
Security-related information (for example, secret and private cryptographic keys and authentication data such as passwords and personal identification numbers (PINs)) whose disclosure or modification can compromise the security of a cryptographic module or the information it protects. For details, see "Understanding the Operational Environment for Junos OS in FIPS Mode" on page 16.
Cryptographic module
The set of hardware, software, and firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.
FIPS
Federal Information Processing Standards. FIPS 140-2 specifies requirements for security and cryptographic modules. Junos OS in FIPS mode complies with FIPS 140-2 Level 1.
FIPS maintenance role
The role the Crypto Officer assumes to perform physical maintenance or logical maintenance services such as hardware or software diagnostics. For FIPS 140-2 compliance, the Crypto Officer zeroizes the Routing Engine on entry to and exit from the FIPS maintenance role to erase all plain-text secret and private keys and unprotected CSPs.
NOTE: The FIPS maintenance role is not supported on Junos OS in FIPS mode.
KATs
Known answer tests. System self-tests that validate the output of cryptographic algorithms approved for FIPS and test the integrity of some Junos OS modules. For details, see "Understanding FIPS Self-Tests" on page 73.
SSH
A protocol that uses strong authentication and encryption for remote access across a nonsecure network. SSH provides remote login, remote program execution, file copy, and other functions. It is intended as a secure replacement for rlogin, rsh, and rcp in a UNIX environment. To secure the information sent over administrative connections, use SSHv2 for CLI configuration. In Junos OS, SSHv2 is enabled by default, and SSHv1, which is not considered secure, is disabled.
Zeroization
Erasure of all CSPs and other user-created data on a device before its operation as a FIPS cryptographic module, or in preparation for repurposing the device for non-FIPS operation.
The Crypto Officer can zeroize the system with a CLI operational command.
Supported Cryptographic Algorithms
Table 1 on page 6 summarizes the high-level algorithm support.
Table 1: Protocols Allowed in FIPS Mode
| Protocol | Key Exchange | Authentication | Cipher | Integrity |
|---|---|---|---|---|
| SSHv2 | dh-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521 | Host (module): ECDSA P-256, ssh-rsa. Client (user): ECDSA P-256, ECDSA P-384, ECDSA P-521, ssh-rsa | AES CTR 128, AES CTR 192, AES CTR 256, AES CBC 128, AES CBC 256 | HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-512 |
Table 2 on page 6 lists the ciphers supported by the MACsec LC.
Table 2: MACsec LC Supported Ciphers
| MACsec LC Supported Ciphers |
|---|
| AES-GCM-128 |
| AES-GCM-256 |
Each implementation of an algorithm is checked by a series of known answer test (KAT) self-tests. Any self-test failure results in a FIPS error state.
BEST PRACTICE: For FIPS 140-2 compliance, use only FIPS-approved cryptographic algorithms in Junos OS in FIPS mode.
The following cryptographic algorithms are supported in FIPS mode. Symmetric methods use the same key for encryption and decryption, while asymmetric methods use different keys for encryption and decryption.
AES
The Advanced Encryption Standard (AES), defined in FIPS PUB 197. The AES algorithm uses keys of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits.
ECDH
Elliptic Curve Diffie-Hellman. A variant of the Diffie-Hellman key exchange algorithm that uses cryptography based on the algebraic structure of elliptic curves over finite fields. ECDH allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel. The shared secret can be used either directly as a key or to derive another key for encrypting subsequent communications using a symmetric key cipher.
ECDSA
Elliptic Curve Digital Signature Algorithm. A variant of the Digital Signature Algorithm (DSA) that uses cryptography based on the algebraic structure of elliptic curves over finite fields. The bit size of the elliptic curve determines the difficulty of breaking the key. The public key believed to be needed for ECDSA is about twice the size of the security level, in bits. ECDSA using the P-256, P-384, and P-521 curves can be configured under OpenSSH.
HMAC
Defined as "Keyed-Hashing for Message Authentication" in RFC 2104, HMAC combines hashing algorithms with cryptographic keys for message authentication. For Junos OS in FIPS mode, HMAC uses the iterated cryptographic hash functions SHA-1, SHA-256, and SHA-512 along with a secret key.
SHA-256 and SHA-512
Secure hash algorithms (SHA) belonging to the SHA-2 standard defined in FIPS PUB 180-2. Developed by NIST, SHA-256 produces a 256-bit hash digest, and SHA-512 produces a 512-bit hash digest.
RELATED DOCUMENTATION
Understanding FIPS Self-Tests | 73
Understanding Zeroization to Clear System Data for FIPS Mode | 25
Identifying Secure Product Delivery
There are several mechanisms provided in the delivery process to ensure that a customer receives a product that has not been tampered with. The customer should perform the following checks upon receipt of a device to verify the integrity of the platform.
- Shipping label: Ensure that the shipping label correctly identifies the correct customer name and address as well as the device.
- Outside packaging: Inspect the outside shipping box and tape. Ensure that the shipping tape has not been cut or otherwise compromised. Ensure that the box has not been cut or damaged to allow access to the device.
- Inside packaging: Inspect the plastic bag and seal. Ensure that the bag has not been cut or removed. Ensure that the seal remains intact.
If the customer identifies a problem during the inspection, he or she should immediately contact the supplier. Provide the order number, tracking number, and a description of the identified problem to the supplier.
Additionally, there are several checks that can be performed to ensure that the customer has received a box sent by Juniper Networks and not a different company masquerading as Juniper Networks. The customer should perform the following checks upon receipt of a device to verify the authenticity of the device:
- Verify that the device was ordered using a purchase order. Juniper Networks devices are never shipped without a purchase order.
- When a device is shipped, a shipment notification is sent to the e-mail address provided by the customer when the order is taken. Verify that this e-mail notification was received. Verify that the e-mail contains the following information:
  - Purchase order number
  - Juniper Networks order number used to track the shipment
  - Carrier tracking number used to track the shipment
  - List of items shipped, including serial numbers
  - Address and contacts of both the supplier and the customer
- Verify that the shipment was initiated by Juniper Networks. To verify that a shipment was initiated by Juniper Networks, you should perform the following tasks:
  - Compare the carrier tracking number of the Juniper Networks order number listed in the Juniper Networks shipping notification with the tracking number on the package received.
  - Log on to the Juniper Networks online customer support portal at https://support.juniper.net/support/ to view the order status. Compare the carrier tracking number or the Juniper Networks order number listed in the Juniper Networks shipment notification with the tracking number on the package received.
Understanding Management Interfaces
The following management interfaces can be used in the evaluated configuration:
- Local Management Interfaces: The RJ-45 console port on the device is configured as RS-232 data terminal equipment (DTE). You can use the command-line interface (CLI) over this port to configure the device from a terminal.
- Remote Management Protocols: The device can be remotely managed over any Ethernet interface. SSHv2 is the only permitted remote management protocol that can be used in the evaluated configuration. The remote management protocols J-Web and Telnet are not available for use on the device.
Configuring Administrative Credentials and Privileges
Understanding Password Specifications and Guidelines for an Authorized Administrator
The authorized administrator is associated with a defined login class, and the administrator is assigned all permissions. Data is stored locally for fixed password authentication.
NOTE: Do not use control characters in passwords.
Use the following guidelines and configuration options for passwords and when selecting passwords for authorized administrator accounts. The password should:
- Be easy to remember so that users are not tempted to write it down.
- Be changed periodically.
- Be private and not shared with anyone.
- Contain a minimum of 10 characters. The minimum password length is 10 characters.
  [edit]
  user@host# set system login password minimum-length 10
- Include both alphanumeric and punctuation characters, composed of any combination of uppercase and lowercase letters, numbers, and special characters such as "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")". There should be at least one change of case, one or more digits, and one or more punctuation marks.
- Contain character sets. Valid character sets include uppercase letters, lowercase letters, numbers, punctuation, and other special characters.
  [edit]
  user@host# set system login password change-type character-sets
- Contain the minimum number of character sets or character set changes. The minimum number of character sets required in plain-text passwords in Junos FIPS is 3.
  [edit]
  user@host# set system login password minimum-changes 3
- Use SHA256 or SHA512 as the hashing algorithm for user passwords (SHA512 is the default algorithm).
  [edit]
  user@host# set system login password format sha512
NOTE: The device supports ECDSA (P-256, P-384, and P-521) and RSA (2048, 3072, and 4092 modulus bit length) key types.
Weak passwords are:
- Words that might be found in, or exist as a permuted form in, a system file such as /etc/passwd.
- The hostname of the system (always a first guess).
- Any word appearing in a dictionary. This includes dictionaries other than English, and words found in works such as Shakespeare, Lewis Carroll, Roget's Thesaurus, and so on. This prohibition includes common words and phrases from sports, sayings, movies, and television shows.
- Permutations on any of the above. For example, a dictionary word with vowels replaced with digits (for example, f00t) or with digits added to the end.
- Any machine-generated passwords. Algorithms reduce the search space of password-guessing programs and so should not be used.
Strong reusable passwords can be based on letters from a favorite phrase or word and then concatenated with other, unrelated words, along with added digits and punctuation.
RELATED DOCUMENTATION
Identifying Secure Product Delivery | 7
Configuring Roles and Authentication Methods
Understanding Roles and Services for Junos OS in FIPS Mode
IN THIS SECTION
Crypto Officer Role and Responsibilities | 15
FIPS User Role and Responsibilities | 15
What Is Expected of All FIPS Users | 16
The Security Administrator is associated with the defined login class security-admin, which has the necessary permission set to permit the administrator to perform all tasks necessary to manage Junos OS. Administrative users must provide unique identification and authentication data before any administrative access to the system is granted.
The Security Administrator roles and responsibilities are as follows:
- The Security Administrator can administer locally and remotely.
- Create, modify, and delete administrator accounts, including configuration of authentication failure parameters.
- Re-enable an Administrator account.
- Responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to and from the evaluated product.
The Juniper Networks Junos operating system (Junos OS) running in non-FIPS mode allows a wide range of capabilities for users, and authentication is identity-based. In contrast, the FIPS 140-2 standard defines two user roles: Crypto Officer and FIPS user. These roles are defined in terms of Junos OS user capabilities.
All other user types defined for Junos OS in FIPS mode (operator, administrative user, and so on) must fall into one of the two categories: Crypto Officer or FIPS user. For this reason, user authentication in FIPS mode is role-based rather than identity-based.
The Crypto Officer performs all FIPS-mode-related configuration tasks and issues all statements and commands for Junos OS in FIPS mode. Crypto Officer and FIPS user configurations must follow the guidelines for Junos OS in FIPS mode.
Crypto Officer Role and Responsibilities
The Crypto Officer is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode on a device. The Crypto Officer securely installs Junos OS on the device, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the device before network connection.
BEST PRACTICE: We recommend that the Crypto Officer administer the system in a secure manner by keeping passwords secure and checking audit files.
The permissions that distinguish the Crypto Officer from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the Crypto Officer to a login class that contains all of these permissions. A user with the Junos OS maintenance permission can read files containing critical security parameters (CSPs).
NOTE: Junos OS in FIPS mode does not support the FIPS 140-2 maintenance role, which is different from the Junos OS maintenance permission.
Among the tasks related to Junos OS in FIPS mode, the Crypto Officer is expected to:
- Set the initial root password. The length of the password should be at least 10 characters.
- Reset user passwords with FIPS-approved algorithms.
- Examine log and audit files for events of interest.
- Erase user-generated files, keys, and data by zeroizing the device.
FIPS User Role and Responsibilities
All FIPS users, including the Crypto Officer, can view the configuration. Only the user assigned as Crypto Officer can modify the configuration.
The permissions that distinguish Crypto Officers from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the FIPS user to a class that contains none of these permissions.
FIPS users can view status output but cannot reboot or zeroize the device.
What Is Expected of All FIPS Users
All FIPS users, including the Crypto Officer, must observe security guidelines at all times.
All FIPS users must:
- Keep all passwords confidential.
- Store devices and documentation in a secure area.
- Deploy devices in secure areas.
- Check audit files periodically.
- Conform to all other FIPS 140-2 security rules.
- Follow these guidelines:
  • Users are trusted.
  • Users abide by all security guidelines.
  • Users do not deliberately compromise security.
  • Users behave responsibly at all times.
RELATED DOCUMENTATION
Understanding the Operational Environment for Junos OS in FIPS Mode
A Juniper Networks device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode forms a special type of hardware and software operational environment that is different from the environment of a device in non-FIPS mode:
Hardware Environment for Junos OS in FIPS Mode
Junos OS in FIPS mode establishes a cryptographic boundary in the device that no critical security parameters (CSPs) can cross in plain text. Each hardware component of the device that requires a cryptographic boundary for FIPS 140-2 compliance is a separate cryptographic module. There are two types of hardware with cryptographic boundaries in Junos OS in FIPS mode: one for each Routing Engine and one for the entire chassis, which includes the LC MPC7E-10G card. Each component forms a separate cryptographic boundary. Communication that involves CSPs between these secure environments must take place using encryption.
Cryptographic methods are not a substitute for physical security. The hardware must be located in a secure physical environment. Users of all types must not reveal keys or passwords, or allow written records or notes to be seen by unauthorized personnel.
Software Environment for Junos OS in FIPS Mode
A Juniper Networks device running Junos OS in FIPS mode forms a special type of nonmodifiable operational environment. To achieve this environment on the device, the system prevents the execution of any binary file that was not part of the certified Junos OS distribution. When a device is in FIPS mode, it can run only Junos OS.
The Junos OS in FIPS mode software environment is established after the Crypto Officer successfully enables FIPS mode on a device. The Junos OS image that includes FIPS mode is available on the Juniper Networks website and can be installed on a functioning device.
For strict compliance with FIPS 140-2, we recommend that you erase all user-created files and data by zeroizing the device before enabling FIPS mode.
Operating your device in FIPS Level 1 requires the use of tamper-evident seals to secure the Routing Engines in the chassis.
Enabling FIPS mode disables many of the usual Junos OS protocols and services. Specifically, you cannot configure the following services in Junos OS in FIPS mode:
- finger
- ftp
- rlogin
- telnet
- tftp
- xnm-clear-text
Attempts to configure these services, or to load configurations with these services configured, result in a configuration syntax error.
You can use only SSH as a remote access service.
All passwords established for users after upgrading to Junos OS in FIPS mode must conform to the Junos OS in FIPS mode specifications. Passwords must be between 10 and 20 characters in length and require the use of at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and keyboard characters, such as % and &, that are not included in the other four sets).
Attempts to configure passwords that do not conform to these rules result in an error. All passwords and keys used to authenticate peers must be at least 10 characters in length, and in some cases the length must match the digest size.
NOTE: Do not attach the device to a network until the Crypto Officer has completed configuration from the local console connection.
For strict compliance, do not examine core and crash dump information on the local console in Junos OS in FIPS mode, because some CSPs might be shown in plain text.
Critical Security Parameters
Critical security parameters (CSPs) are security-related information such as cryptographic keys and passwords that can compromise the security of the cryptographic module, or the security of the information protected by the module, if they are disclosed or modified.
Zeroization of the system erases all traces of CSPs in preparation for operating the device or Routing Engine as a cryptographic module.
Table 3 on page 19 lists the CSPs on devices running Junos OS.
Table 3: Critical Security Parameters
| CSP | Description | Zeroization | Use |
|---|---|---|---|
| SSHv2 private host key | ECDSA / RSA key used to identify the host, generated the first time SSH is configured. | Zeroize command. | Used to identify the host. |
| SSHv2 session key | Session keys used with SSHv2 and as Diffie-Hellman private key. Encryption: AES-128, AES-192, AES-256. MACs: HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512. Key exchange: dh-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, and ecdh-sha2-nistp521. | Power cycle and terminate session. | Symmetric key used to encrypt data between host and client. |
| User authentication key | Hash of the user's password: SHA256, SHA512. | Zeroize command. | Used to authenticate a user to the cryptographic module. |
| Crypto Officer authentication key | Hash of the Crypto Officer's password: SHA256, SHA512. | Zeroize command. | Used to authenticate the Crypto Officer to the cryptographic module. |
| HMAC DRBG seed | Seed for the deterministic random bit generator (DRBG). | Seed is not stored by the cryptographic module. | Used for seeding the DRBG. |
| HMAC DRBG V value | The value (V) of output block length (outlen) in bits, which is updated each time another outlen bits of output are produced. | Power cycle. | A critical value of the internal state of the DRBG. |
| HMAC DRBG key value | The current value of the outlen-bit key, which is updated at least once each time the DRBG mechanism generates pseudorandom bits. | Power cycle. | A critical value of the internal state of the DRBG. |
| NDRNG entropy | Used as the entropy input string to the HMAC DRBG. | Power cycle. | A critical value of the internal state of the DRBG. |
In Junos OS in FIPS mode, all CSPs must enter and leave the cryptographic module in encrypted form.
Any CSP encrypted with a non-approved algorithm is considered plain text by FIPS.
BEST PRACTICE: For FIPS compliance, configure the device over SSH connections, because they are encrypted.
Local passwords are encrypted with the SHA256 or SHA512 algorithm. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.
Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode
All passwords established for users by the Crypto Officer must conform to the following Junos OS in FIPS mode requirements. Attempts to configure passwords that do not conform to the following specifications result in an error.
- Length. Passwords must contain between 10 and 20 characters.
- Character set requirements. Passwords must contain at least three of the following five defined character sets:
  - Uppercase letters
  - Lowercase letters
  - Digits
  - Punctuation marks
  - Keyboard characters not included in the other four sets, such as the percent sign (%) and the ampersand (&)
- Authentication requirements. All passwords and keys used to authenticate peers must contain at least 10 characters, and in some cases the number of characters must match the digest size.
- Password encryption. To change the default encryption method (SHA512), include the format statement at the [edit system login password] hierarchy level.
Guidelines for strong passwords. Strong, reusable passwords can be based on letters from a favorite phrase or word and then concatenated with other, unrelated words, along with added digits and punctuation. In general, a strong password is:
- Easy to remember so that users are not tempted to write it down.
- Made up of mixed alphanumeric characters and punctuation. For FIPS compliance, include at least one change of case, one or more digits, and one or more punctuation marks.
- Changed periodically.
- Not divulged to anyone.
Characteristics of weak passwords. Do not use the following weak passwords:
- Words that might be found in, or exist as a permuted form in, a system file such as /etc/passwd.
- The hostname of the system (always a first guess).
- Any word or phrase that appears in a dictionary or other well-known source, including dictionaries and thesauruses in languages other than English; works by classical or popular writers; or common words and phrases from sports, sayings, movies, or television shows.
- Permutations on any of the above, for example, a dictionary word with letters replaced with digits (r00t) or with digits added to the end.
- Any machine-generated passwords. Algorithms reduce the search space of password-guessing programs and so should not be used.
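The length, character-set, and weak-password rules stated in this section and in the earlier administrator credential guidelines, implemented as a local pre-check an operator can run before committing a password; this is an added example, not Juniper code, and it does not replace the device's own enforcement. The split between "punctuation" and "other keyboard characters", and the tiny word list standing in for a real dictionary, are assumptions made here.

```python
import string

# FIPS-mode password rules as stated in the guide.
MIN_LEN = 10
MAX_LEN = 20
MIN_CHARACTER_SETS = 3

# The guide names five character sets: uppercase, lowercase, digits, punctuation,
# and other keyboard characters (its examples: % and &). Which symbols count as
# "punctuation" versus "other" is an assumption here; the guide does not list them.
PUNCTUATION = set(".,;:!?'\"-()[]{}")
OTHER_KEYBOARD = set(string.punctuation) - PUNCTUATION   # % & @ # $ ^ * + = < > / \ | ~ ` _

# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_DICTIONARY = {"password", "juniper", "router", "secret", "welcome", "foot"}

# Digit/symbol-for-letter substitutions of the kind the guide calls out (f00t, r00t).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def character_sets(password):
    """Return the names of the guide's five character sets present in password."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif ch in PUNCTUATION:
            found.add("punctuation")
        elif ch in OTHER_KEYBOARD:
            found.add("other")
    return found


def looks_like_dictionary_word(password, dictionary=SAMPLE_DICTIONARY):
    """Catch dictionary words, including leet substitutions and appended digits."""
    base = password.lower().rstrip(string.digits)   # 'f00t42' -> 'f00t'
    candidates = {base, base.translate(LEET)}        # 'f00t'   -> 'foot'
    return any(c in dictionary for c in candidates)


def check_password(password, hostname, dictionary=SAMPLE_DICTIONARY):
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in password):
        problems.append("control characters are not allowed")
    sets = character_sets(password)
    if len(sets) < MIN_CHARACTER_SETS:
        problems.append(f"uses {len(sets)} character set(s); at least {MIN_CHARACTER_SETS} required")
    if hostname and hostname.lower() in password.lower():
        problems.append("contains the system hostname")
    if looks_like_dictionary_word(password, dictionary):
        problems.append("dictionary word, possibly with substitutions or appended digits")
    return problems


if __name__ == "__main__":
    # "mx960-core" is a constructed hostname for the demonstration.
    for pw in ("Tr0ub4dor&3x", "P@ssw0rd123", "alllowercase12", "Mx960-Core!1", "short1!"):
        print(pw, "->", check_password(pw, "mx960-core") or "OK")
```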
Downloading Software Packages from Juniper Networks
You can download the Junos OS software package for your device from the Juniper Networks website.
Before you begin to download the software, ensure that you have a Juniper Networks Web account and a valid support contract. To obtain an account, complete the registration form at the Juniper Networks website: https://userregistration.juniper.net/.
To download software packages from Juniper Networks:
- Using a Web browser, follow the links to the download URL on the Juniper Networks webpage: https://support.juniper.net/support/downloads/
- Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
- Download the software. See Downloading Software.
RELATED DOCUMENTATION
Installation and Upgrade Guide
Installing Software on a Device with a Single Routing Engine
You can use this procedure to upgrade Junos OS on a device with a single Routing Engine.
To install software upgrades on a device with a single Routing Engine:
- Download the software package as described in Downloading Software Packages from Juniper Networks.
- If you have not already done so, connect to the console port on the device from your management device, and log in to the Junos OS CLI.
- (Optional) Back up the current software configuration to a second storage option. See the Software Installation and Upgrade Guide for instructions on performing this task.
- (Optional) Copy the software package to the device. We recommend that you use FTP to copy the file to the /var/tmp/ directory.
This step is optional because Junos OS can also be upgraded when the software image is stored at a remote location. These instructions describe the software upgrade process for both scenarios.
- Install the new package on the device:
For REMX2K-X8:
user@host> request vmhost software add package
For RE1800:
user@host> request system software add package
Replace package with one of the following paths:
• For a software package in a local directory on the device, use /var/tmp/package.tgz.
• For a software package on a remote server, use one of the following paths, replacing the variable package with the name of the software package:
• ftp://hostname/pathname/package.tgz
• ftp://hostname/pathname/package.tgz
- Reboot the device to complete the installation:
For REMX2K-X8:
user@host> request vmhost reboot
For RE1800:
user@host> request system reboot
- After the reboot has completed, log in and use the show version command to verify that the new version of the software is successfully installed.
user@host> show version
Model: mx960
Junos: 20.3X75-D30.1
Understanding Zeroization to Clear System Data for FIPS Mode
IN THIS SECTION
Why Zeroize? | 26
When to Zeroize? | 26
Zeroization completely erases all configuration information on the Routing Engines, including all passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec.
The Crypto Officer initiates the zeroization process by entering the operational command request vmhost zeroize no-forwarding for REMX2K-X8 and request system zeroize for RE1800.
CAUTION: Perform system zeroization with care. After the zeroization process is complete, no data is left on the Routing Engine. The device is returned to the factory default state, without any configured users or configuration files.
Zeroization can be time-consuming. Although all configurations are removed in a few seconds, the zeroization process goes on to overwrite all media, which can take considerable time depending on the size of the media.
Why Zeroize?
Your device is not considered a valid FIPS cryptographic module until all critical security parameters (CSPs) have been zeroized, or re-entered, while the device is in FIPS mode.
For FIPS 140-2 compliance, you must zeroize the system to remove sensitive information before disabling FIPS mode on the device.
When to Zeroize?
As Crypto Officer, perform zeroization in the following situations:
- Before FIPS operation: To prepare your device for operation as a FIPS cryptographic module, perform zeroization before enabling FIPS mode.
- Before non-FIPS operation: To begin repurposing your device for non-FIPS operation, perform zeroization before disabling FIPS mode on the device.
NOTE: Juniper Networks does not support installing non-FIPS software in a FIPS environment, but doing so might be necessary in certain test environments. Be sure to zeroize the system first.
Zeroizing the System
To zeroize your device, follow the procedure below:
- Log in to the device as Crypto Officer and, from the CLI, enter the following command.
For REMX2K-X8:
crypto-officer@host> request vmhost zeroize no-forwarding
VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes
re0:
For RE1800:
crypto-officer@host> request system zeroize
System Zeroization : Erase all data, including configuration and log files ?
[yes,no] (no) yes
re0:
- To initiate the zeroization process, type yes at the prompt:
Erase all data, including configuration and log files? [yes,no] (no) yes
re0:
--------------------------------------------------------------------------
warning: zeroizing re0
...
The entire operation can take considerable time depending on the size of the media, but all critical security parameters (CSPs) are removed within a few seconds. The physical environment must remain secure until the zeroization process is complete.
Enabling FIPS Mode
When Junos OS is installed on a device and the device is powered on, it is ready to be configured.
Initially, you log in as the user root with no password. When you log in as root, your SSH connection is enabled.
As Crypto Officer, you must establish a root password conforming to the FIPS password requirements in "Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode" on page 20. When you enable FIPS mode in Junos OS on the device, you cannot configure passwords unless they meet this standard.
Local passwords are hashed with the SHA256 or SHA512 hash algorithm. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.
To enable FIPS mode in Junos OS on the device:
- Zeroize the device to delete all CSPs before entering FIPS mode. See the "Understanding Zeroization to Clear System Data for FIPS Mode" on page 25 section for information.
- After the device comes up in Amnesiac mode, log in using the username root and the password "" (blank).
FreeBSD/amd64 (Amnesiac) (ttyu0)
login: root
--- JUNOS 20.3X75-D30.1 Kernel 64-bit JNPR-11.0-20190701.269d466_buil
root@:~ # cli
root>
- Configure root authentication with a password of 10 or more characters.
root> edit
Entering configuration mode
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
- Load the configuration onto the device and commit the new configuration. Configure the crypto-officer user and log in to the device with the crypto-officer credentials.
- Install the fips-mode package needed for the Routing Engine KATS.
root@hostname> request system software add optional://fips-mode.tgz
Verified fips-mode signed by PackageDevelopmentEc_2017 method ECDSA256+SHA256
- For MX Series devices:
• Configure the chassis level by setting set system fips chassis level 1 and committing.
• Configure the RE level by setting set system fips level 1 and committing.
The device might display a warning that encrypted-password must be reconfigured to use a FIPS-compliant hash, so that old CSPs in the loaded configuration are deleted.
- After the CSPs have been deleted and reconfigured, the commit will go through and the device will need to be rebooted to enter FIPS mode.
[edit]
crypto-officer@hostname# commit
Generating RSA key /etc/ssh/fips_ssh_host_key
Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key
Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key
[edit system]
reboot is required to transition to FIPS level 1
commit complete
[edit]
crypto-officer@hostname# run request vmhost reboot
- After the device reboots, the self-tests run and the device enters FIPS mode.
crypto-officer@hostname:fips>
RELATED DOCUMENTATION
Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode | 20
Configuring Crypto Officer and FIPS User Identification and Access
IN THIS SECTION
Configuring Crypto Officer Access | 30
Configuring FIPS User Login Access | 32
The Crypto Officer enables FIPS mode on your device, performs all configuration tasks for Junos OS in FIPS mode, and issues all Junos OS in FIPS mode statements and commands. Crypto Officer and FIPS user configurations must follow the Junos OS in FIPS mode guidelines.
Configuring Crypto Officer Access
Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-2.
For FIPS 140-2 compliance, any FIPS user with the secret, security, maintenance, and control permission bits set is a Crypto Officer. In most cases the super-user class suffices for the Crypto Officer.
To configure login access for a Crypto Officer:
- Log in to the device with the root password if you have not already done so, and enter configuration mode:
root@hostname> edit
Entering configuration mode
[edit]
root@hostname#
- Name the user crypto-officer and assign the Crypto Officer a user ID (for example, 6400, which must be a unique number associated with the login account in the range 100 to 64000) and a class (for example, super-user). When you assign the class, you assign the permissions, for example, secret, security, maintenance, and control.
For a list of permissions, see Understanding Junos OS Access Privilege Levels.
[edit]
root@hostname# set system login user username uid value class class-name
For example:
[edit]
root@hostname# set system login user crypto-officer uid 6400 class super-user
- Following the guidelines in "Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode" on page 20, assign the Crypto Officer a password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.
[edit]
root@hostname# set system login user username class class-name authentication (plain-text-password | encrypted-password)
For example:
[edit]
root@hostname# set system login user crypto-officer class super-user authentication plain-text-password
- Optionally, display the configuration:
[edit]
root@hostname# edit system
[edit system]
root@hostname# show
login {
    user crypto-officer {
        uid 6400;
        authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        class super-user;
    }
}
- If you are finished configuring the device, commit the configuration and exit:
[edit]
root@hostname# commit
commit complete
root@hostname# exit
Configuring FIPS User Login Access
A FIPS user is defined as any FIPS user that does not have the secret, security, maintenance, and control permission bits set.
As Crypto Officer, you set up FIPS users. FIPS users cannot be granted permissions normally reserved for the Crypto Officer, for example, permission to zeroize the system.
To configure login access for a FIPS user:
- Log in to the device with your Crypto Officer password if you have not already done so, and enter configuration mode:
crypto-officer@hostname:fips> edit
Entering configuration mode
[edit]
crypto-officer@hostname:fips#
- Name the user, and assign the user a user ID (for example, 6401, which must be a unique number in the range 1 to 64000) and a class. When you assign the class, you assign the permissions, for example, clear, network, reset, view, and view-configuration.
[edit]
crypto-officer@hostname:fips# set system login user username uid value class class-name
For example:
[edit]
crypto-officer@hostname:fips# set system login user fips-user1 uid 6401 class read-only
- Following the guidelines in "Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode" on page 20, assign the FIPS user a password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.
[edit]
crypto-officer@hostname:fips# set system login user username class class-name authentication (plain-text-password | encrypted-password)
For example:
[edit]
crypto-officer@hostname:fips# set system login user fips-user1 class read-only authentication plain-text-password
- Optionally, display the configuration:
[edit]
crypto-officer@hostname:fips# edit system
[edit system]
crypto-officer@hostname:fips# show
login {
    user fips-user1 {
        uid 6401;
        authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        class read-only;
    }
}
- If you are finished configuring the device, commit the configuration and exit:
[edit]
crypto-officer@hostname:fips# commit
crypto-officer@hostname:fips# exit
Configuring SSH and Console Connection
Configuring SSH on the Evaluated Configuration for FIPS
SSH through remote management interfaces is allowed in the evaluated configuration. This topic describes how to configure SSH through remote management.
The following algorithms need to be configured to verify SSH for FIPS.
To configure SSH on the DUT:
- Specify the permissible SSH host-key algorithms for the system services.
[edit]
user@host# set system services ssh hostkey-algorithm ssh-ecdsa
user@host# set system services ssh hostkey-algorithm no-ssh-dss
user@host# set system services ssh hostkey-algorithm ssh-rsa
- Specify the SSH key-exchange for Diffie-Hellman keys for the system services.
[edit]
user@host# set system services ssh key-exchange dh-group14-sha1
user@host# set system services ssh key-exchange ecdh-sha2-nistp256
user@host# set system services ssh key-exchange ecdh-sha2-nistp384
user@host# set system services ssh key-exchange ecdh-sha2-nistp521
- Specify all the permissible message authentication code algorithms for SSHv2.
[edit]
user@host# set system services ssh macs hmac-sha1
user@host# set system services ssh macs hmac-sha2-256
user@host# set system services ssh macs hmac-sha2-512
- Specify the ciphers allowed for protocol version 2.
[edit]
user@host# set system services ssh ciphers aes128-cbc
user@host# set system services ssh ciphers aes256-cbc
user@host# set system services ssh ciphers aes128-ctr
user@host# set system services ssh ciphers aes256-ctr
user@host# set system services ssh ciphers aes192-cbc
user@host# set system services ssh ciphers aes192-ctr
Supported SSH hostkey algorithms:
ssh-ecdsa  Allows generation of an ECDSA host key
ssh-rsa  Allows generation of an RSA host key
Supported SSH key-exchange algorithms:
ecdh-sha2-nistp256  EC Diffie-Hellman on nistp256 with SHA2-256
ecdh-sha2-nistp384  EC Diffie-Hellman on nistp384 with SHA2-384
ecdh-sha2-nistp521  EC Diffie-Hellman on nistp521 with SHA2-512
Supported MAC algorithms:
hmac-sha1  Hash-based MAC using Secure Hash Algorithm (SHA1)
hmac-sha2-256  Hash-based MAC using Secure Hash Algorithm (SHA2)
hmac-sha2-512  Hash-based MAC using Secure Hash Algorithm (SHA2)
Supported SSH cipher algorithms:
aes128-cbc  128-bit AES with Cipher Block Chaining
aes128-ctr  128-bit AES with Counter Mode
aes192-cbc  192-bit AES with Cipher Block Chaining
aes192-ctr  192-bit AES with Counter Mode
aes256-cbc  256-bit AES with Cipher Block Chaining
aes256-ctr  256-bit AES with Counter Mode
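An added example, not from the guide or from Juniper: a Python audit that reads Junos `display set` style lines for the SSH service and reports any hostkey, key-exchange, MAC or cipher value outside the lists above, plus any of those knobs left unconfigured. The sample configuration is constructed for the demonstration.

```python
import re

# Algorithm lists copied from the evaluated SSH configuration above.
ALLOWED = {
    "hostkey-algorithm": {"ssh-ecdsa", "ssh-rsa", "no-ssh-dss"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256",
                     "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "ciphers": {"aes128-cbc", "aes256-cbc", "aes128-ctr",
                "aes256-ctr", "aes192-cbc", "aes192-ctr"},
}

SET_RE = re.compile(
    r"^set system services ssh (hostkey-algorithm|key-exchange|macs|ciphers) (\S+)$")


def parse_ssh_config(lines):
    """Collect the configured values of each SSH algorithm knob from 'set' lines."""
    found = {knob: set() for knob in ALLOWED}
    for line in lines:
        m = SET_RE.match(line.strip())
        if m:
            found[m.group(1)].add(m.group(2))
    return found


def audit_ssh_config(lines):
    """Return findings; an empty list means the SSH algorithms match the evaluated configuration."""
    found = parse_ssh_config(lines)
    findings = []
    for knob, allowed in ALLOWED.items():
        configured = found[knob]
        if not configured:
            # Nothing configured means the Junos defaults apply, which the
            # evaluated configuration does not rely on.
            findings.append(f"{knob}: nothing configured, Junos defaults would apply")
            continue
        for value in sorted(configured - allowed):
            findings.append(f"{knob}: {value} is not in the evaluated configuration")
    if "no-ssh-dss" not in found["hostkey-algorithm"]:
        findings.append("hostkey-algorithm: ssh-dss is not explicitly disabled")
    return findings


# Constructed sample, not captured from a real device: one cipher outside the list.
SAMPLE_CONFIG = """\
set system services ssh hostkey-algorithm ssh-ecdsa
set system services ssh hostkey-algorithm no-ssh-dss
set system services ssh hostkey-algorithm ssh-rsa
set system services ssh key-exchange dh-group14-sha1
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha2-256
set system services ssh ciphers aes256-ctr
set system services ssh ciphers 3des-cbc
""".splitlines()

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print(finding)
```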
Configuring MACsec
Understanding Media Access Control Security (MACsec) in FIPS Mode
Media Access Control Security (MACsec) is an IEEE 802.1AE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.
MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.
MACsec is standardized in IEEE 802.1AE. The IEEE 802.1AE standard can be viewed on the IEEE organization website under IEEE 802.1: BRIDGING & MANAGEMENT.
Each implementation of an algorithm is checked by a series of known answer test (KAT) self-tests and crypto algorithm validation (CAV). Additional algorithm self-test support is added for MACsec:
- Advanced Encryption Standard (AES) Cipher-based Message Authentication Code (CMAC)
- Advanced Encryption Standard (AES) Key Wrap
For MACsec, in configuration mode, use the prompt command to enter a pre-shared key secret of 64 hexadecimal characters for authentication.
[edit]
crypto-officer@hostname:fips# prompt security macsec connectivity-association pre-shared-key cak
New cak (secret):
Retype new cak (secret):
Configuring the Time
To configure the time, disable NTP and set the date.
- Disable NTP.
[edit]
crypto-officer@hostname:fips# deactivate groups global system ntp
crypto-officer@hostname:fips# deactivate system ntp
crypto-officer@hostname:fips# commit
crypto-officer@hostname:fips# exit
- Set the date and time. The date and time format is YYYYMMDDHHMM.ss.
crypto-officer@hostname:fips> set date 201803202034.00
crypto-officer@hostname:fips> set cli timestamp
- Configure the MACsec Key Agreement (MKA) secure channel.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name direction (inbound | outbound)
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name encryption
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name id mac-address mac-address
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name id port-id port-id-number
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name offset (0 | 30 | 50)
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name security-association security-association-number key key-string
- Set the MACsec security mode.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name security-mode security-mode
- Assign the configured connectivity association to a MACsec interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association connectivity-association-name
Configuring Static MACsec with ICMP Traffic
To configure static MACsec using ICMP traffic between device R0 and device R1:
On R0:
- Create the pre-shared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key cak 23456789223344556677889922233344
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 30
- Set the trace options.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign trace options to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable MKA must-secure and include the SCI.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka must-secure
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.1/24
On R1:
- Create the pre-shared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key cak 23456789223344556677889922233344
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 30
- Set the trace options.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign trace options to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable MKA must-secure and include the SCI.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka must-secure
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24
Configuring MACsec with Keychain Using ICMP Traffic
To configure MACsec with a keychain using ICMP traffic between device R0 and device R1:
On R0:
- Assign a tolerance value to the authentication key chain.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret password is used as the CAK.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time
Use the prompt command to enter a secret value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
New cak (secret):
Retype new cak (secret):
- Associate the keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
NOTE: The cipher value can also be configured as cipher-suite gcm-aes-128.
- Set the trace options.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign trace options to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Fa'atulaga le fa'aogaina o le saogalemu MACsec e pei o le static-cak mo le feso'ota'iga feso'ota'iga. [fa'asa'o] crypto-officer@hostname:fips# set security macsec connectivity-asosi CA1 securitymode static-cak
- Seti le MKA key server faamuamua.
[fa'asa'o] crypto-officer@hostname:fips# seti saogalemu macsec connectivity-asosi CA1 mka keyserver-faamuamua 1 - Seti le MKA felauaiga vaeluaga.
[fa'asa'o] crypto-officer@hostname:fips# set security macsec connectivity-asosi CA1 mka transmitinterval 3000 - Fa'amalo le saogalemu o le MKA.
[fa'asa'o] crypto-officer@hostname:fips# set security macsec connectivity-asosi CA1 aofia-sci - Tofi le so'oga feso'ota'iga i se fa'aoga.
[fa'asa'o] crypto-officer@hostname:fips# seti saogalemu macsec interfaces interface-name connectivityassociation CA1
crypto-officer@hostname:fips#
seti feso'ota'iga fa'aoga-igoa iunite 0 tuatusi inet aiga 10.1.1.1/24
Configuring MACsec with keychain for ICMP traffic:
On R1:
- Assign a tolerance value to the authentication key chain.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
Use the prompt command to enter a secret value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
New cak (secret):
Retype new cak (secret):
- Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace options.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace options to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable inclusion of the secure channel identifier (SCI) in MKA.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24
Configuring Static MACsec for Layer 2 Traffic
To configure static MACsec for Layer 2 traffic between device R0 and device R1:
On R0:
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
- Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace options.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace options to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable inclusion of the secure channel identifier (SCI) in MKA.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
- Configure VLAN tagging.
[edit]
crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
- Configure the bridge domain.
[edit]
crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1.100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2.100
On R1:
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
- Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace options.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace options to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable inclusion of the secure channel identifier (SCI) in MKA.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
- Configure VLAN tagging.
[edit]
crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
- Configure the bridge domain.
[edit]
crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1.100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2.100
Configuring MACsec with Keychain for Layer 2 Traffic
To configure MACsec with keychain for ICMP traffic between device R0 and device R1:
On R0:
- Assign a tolerance value to the authentication key chain.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
Use the prompt command to enter a secret value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
New cak (secret):
Retype new cak (secret):
- Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace options.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace options to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable inclusion of the secure channel identifier (SCI) in MKA.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
- Configure VLAN tagging.
[edit]
crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
- Configure the bridge domain.
[edit]
crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1.100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2.100
On R1:
- Assign a tolerance value to the authentication key chain.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
Use the prompt command to enter a secret value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
New cak (secret):
Retype new cak (secret):
- Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace options.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace options to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable inclusion of the secure channel identifier (SCI) in MKA.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to an interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
- Configure VLAN tagging.
[edit]
crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
- Configure the bridge domain.
[edit]
crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1.100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2.100
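The keychain procedures above (MACsec with keychain for ICMP traffic and for Layer 2 traffic) define a chain of eight keys, each with a key-name and a start-time, and enter the CAK for each key with the prompt command. The following is an added example, not code from the Juniper guide, that reads such set statements, checks that the key names and CAKs are well-formed hex of the right length, and reports which key is active at a given time. Assumptions not taken from the guide: the sample configuration covers only the first three keys of macsec-kc1; the CAK values are constructed placeholders (a real CAK is typed at the prompt and never appears in the configuration); the requirement that a CAK be exactly 32 hex digits for gcm-aes-128 and 64 for gcm-aes-256 follows from the 128-bit and 256-bit key sizes of those suites, while the guide itself only states an upper bound of 64; and the tolerance value is parsed but its effect on key acceptance is not modelled.

```python
"""Parse a Junos MACsec authentication key chain, validate it, and pick the
active key for a given time. Added example, not from the Juniper guide."""
import re
from datetime import datetime

# start-time format exactly as it appears in the guide: YYYY-MM-DD.HH:MM
START_TIME_FMT = "%Y-%m-%d.%H:%M"
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hex digits a CAK must have for each cipher suite (128-bit / 256-bit key).
CAK_HEX_LEN = {"gcm-aes-128": 32, "gcm-aes-256": 64}
MAX_CKN_HEX_LEN = 64  # key-name (CKN) length limit stated in the guide

STATEMENT_RE = re.compile(
    r"^set security authentication-key-chains key-chain (?P<chain>\S+) "
    r"(?:tolerance (?P<tol>\d+)|key (?P<idx>\d+) (?P<attr>key-name|start-time) (?P<val>\S+))$"
)

# Constructed sample: the first three keys of the guide's macsec-kc1 chain.
SAMPLE_CONFIG = """
set security authentication-key-chains key-chain macsec-kc1 tolerance 20
set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
"""
# Constructed placeholder CAKs (64 hex digits each, as gcm-aes-256 needs);
# a real CAK is entered at the prompt and must be generated randomly.
SAMPLE_CAKS = {0: "a1" * 32, 1: "b2" * 32, 2: "c3" * 32}


def parse_key_chain(config_text):
    """Turn `set ...` lines into {"name", "tolerance", "keys": {idx: {...}}}."""
    chain = {"name": None, "tolerance": None, "keys": {}}
    for raw in config_text.strip().splitlines():
        m = STATEMENT_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised statement: {raw!r}")
        chain["name"] = m["chain"]
        if m["tol"] is not None:
            chain["tolerance"] = int(m["tol"])  # parsed only; semantics not modelled
            continue
        key = chain["keys"].setdefault(int(m["idx"]), {})
        if m["attr"] == "key-name":
            key["key_name"] = m["val"]
        else:
            key["start_time"] = datetime.strptime(m["val"], START_TIME_FMT)
    return chain


def validate_key_chain(chain, caks, cipher_suite):
    """Return a list of problems; an empty list means the chain is usable."""
    problems = []
    want = CAK_HEX_LEN[cipher_suite]
    prev_idx, prev_start = None, None
    for idx in sorted(chain["keys"]):
        key = chain["keys"][idx]
        ckn = key.get("key_name", "")
        if not HEX_RE.match(ckn) or len(ckn) > MAX_CKN_HEX_LEN or len(ckn) % 2:
            problems.append(f"key {idx}: key-name must be even-length hex of at most {MAX_CKN_HEX_LEN} digits")
        cak = caks.get(idx, "")
        if not HEX_RE.match(cak) or len(cak) != want:
            problems.append(f"key {idx}: CAK must be exactly {want} hex digits for {cipher_suite}")
        start = key.get("start_time")
        if start is None:
            problems.append(f"key {idx}: missing start-time")
        elif prev_start is not None and start <= prev_start:
            problems.append(f"key {idx}: start-time must be later than key {prev_idx}")
        if start is not None:
            prev_idx, prev_start = idx, start
    return problems


def active_key(chain, now):
    """Index of the key whose start-time is the latest one not after `now`
    (a Junos-format string or a datetime); None if no key has started yet."""
    if isinstance(now, str):
        now = datetime.strptime(now, START_TIME_FMT)
    started = [(k["start_time"], idx) for idx, k in chain["keys"].items()
               if "start_time" in k and k["start_time"] <= now]
    return max(started)[1] if started else None


if __name__ == "__main__":
    chain = parse_key_chain(SAMPLE_CONFIG)
    print("problems:", validate_key_chain(chain, SAMPLE_CAKS, "gcm-aes-256"))
    for when in ("2018-03-20.20:30", "2018-03-20.20:38", "2018-03-20.20:39"):
        print(when, "-> active key", active_key(chain, when))
```

Running the same chain through validate_key_chain with "gcm-aes-128" reports every key, because a 64-digit CAK is the wrong length for a 128-bit suite; this is the mismatch to check for before changing cipher-suite on a connectivity association whose peer keeps its existing keys.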
Configuring Event Logging
Event Logging Overview
The evaluated configuration requires the auditing of configuration changes through the system log.
In addition, Junos OS can:
- Send automated responses to audit events (syslog entry creation).
- Allow authorized managers to examine audit logs.
- Send audit files to external servers.
- Allow authorized managers to return the system to a known state.
The logging for the evaluated configuration must capture the following events:
- Changes to secret key data in the configuration.
- Committed changes.
- Login/logout of users.
- System startup.
- Failure to establish an SSH session.
- Establishment/termination of an SSH session.
- Changes to the (system) time.
- Termination of a remote session by the session locking mechanism.
- Termination of an interactive session.
In addition, Juniper Networks recommends that logging also:
- Capture all changes to the configuration.
- Store logging information remotely.
Configuring Event Logging to a Local File
You can configure storing audit information to a local file along with the syslog statement. This example stores logs in a file named Audit-File:
[edit system]
syslog {
    file Audit-File;
}
Interpreting Event Messages
The following is a sample event message.
Feb 27 02:33:04 bm-a mgd[6520]: UI_LOGIN_EVENT: User 'security-officer' login, class 'j-superuser' [6520], ssh-connection '', client-mode 'cli'
Feb 27 02:33:49 bm-a mgd[6520]: UI_DBASE_LOGIN_EVENT: User 'security-officer' entering configuration mode
Feb 27 02:38:29 bm-a mgd[6520]: UI_CMDLINE_READ_LINE: User 'security-officer', command 'run show log Audit-File | grep LOGIN '
Table 4 on page 69 describes the fields in an event message. If the logging software cannot determine the value in a specific field, a hyphen (-) appears instead.
Table 4: Fields in Event Messages
| Field | Description | Examples |
| timestamp | Time when the message was generated, in one of two representations: • MMM-DD HH:MM:SS.MS+/-HH:MM is the month, day, hour, minute, second, and millisecond in local time. The hour and minute that follow the plus sign (+) or minus sign (-) are the offset of the local time zone from Coordinated Universal Time (UTC). • YYYY-MM-DDTHH:MM:SS.MSZ is the year, month, day, hour, minute, second, and millisecond in UTC. | Feb 27 02:33:04 is the timestamp expressed as local time in the United States. 2012-02-27T03:17:15.713Z is 2:33 AM UTC on 27 February 2012. |
| hostname | Name of the host that originally generated the message. | router1 |
| process | Name of the Junos OS process that generated the message. | mgd |
| processID | UNIX process ID (PID) of the Junos OS process that generated the message. | 4153 |
| TAG | Junos OS system log message tag, which uniquely identifies the message. | UI_DBASE_LOGOUT_EVENT |
| username | Username of the user who initiated the event. | "admin" |
| message-text | English-language description of the event. | set: [system radius-server 1.2.3.4 secret] |
Logging Changes to Secret Information
The following are examples of audit logs of events that change secret data. Whenever a configuration change is made, the syslog event should capture the logs below:
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin authentication encrypted-password]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin2 authentication encrypted-password]
Whenever a configuration is updated or changed, the syslog should capture these logs:
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system radius-server 1.2.3.4 secret]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
For more information about configuring parameters and managing log files, see the Junos OS System Log Messages.
Login and Logout Events Using SSH
System log messages are generated whenever a user successfully or unsuccessfully attempts SSH access. Logout events are also recorded. For example, the following logs are the result of two failed authentication attempts, then a successful one, and finally a logout:
Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo mgd[16648]: UI_AUTH_EVENT: Authenticated user 'op' at permission level 'j-operator'
Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]
Dec 20 23:17:56 bilbo mgd[16648]: UI_CMDLINE_READ_LINE: User 'op', command 'quit '
Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout
Logging of Audit Startup
The audit information logged includes startups of Junos OS. This in turn identifies the startup events of the audit system, which cannot be independently disabled or enabled. For example, if Junos OS is restarted, the audit log contains the following information:
Dec 20 23:17:35 bilbo syslogd: exiting on signal 14
Dec 20 23:17:35 bilbo syslogd: restart
Dec 20 23:17:35 bilbo syslogd /kernel: Dec 20 23:17:35 init: syslogd (PID 19128) exited with status=1
Dec 20 23:17:42 bilbo /kernel:
Dec 20 23:17:53 init: syslogd (PID 19200) started
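To make the Table 4 fields and the secret-change, SSH login/logout and audit-startup messages above concrete, here is an added parser and triage routine (example code, not from the Juniper guide). It assumes only the message formats shown in this section, and the sample lines it carries are copied from the guide's own examples.

```python
import re

# Added example, not code from the Juniper guide: split Junos syslog event messages into
# the Table 4 fields and pick out the audit events the evaluated configuration requires the
# log to capture (secret changes, logins and logouts, SSH session outcomes, syslogd startup).

# Table 4 timestamps: "MMM DD HH:MM:SS[.ms][+/-HH:MM]" (local time) or "YYYY-MM-DDTHH:MM:SS.msZ" (UTC)
_TS = (r"(?:[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?:[+-]\d{2}:\d{2})?"
       r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)")
_EVENT = re.compile(
    rf"^(?P<timestamp>{_TS}) (?P<hostname>\S+) "
    r"(?P<process>[\w./-]+)(?:\[(?P<pid>\d+)\])?: "  # process and optional PID
    r"(?:(?P<tag>[A-Z][A-Z0-9_]+): )?"                # Junos message TAG, when present
    r"(?P<message>.*)$")
_UI_USER = re.compile(r"\b[Uu]ser '(?P<u>[^']*)'")                    # mgd UI_* messages
_SSH_USER = re.compile(r"password for (?P<u>\S+) from (?P<src>\S+)")  # sshd messages
_TAGS = {"UI_CFG_AUDIT_SET_SECRET": "secret-changed",
         "UI_LOGIN_EVENT": "login", "UI_LOGOUT_EVENT": "logout"}

def parse_event(line):
    """Return the Table 4 fields of one log line; '-' marks a field that cannot be determined."""
    m = _EVENT.match(line.strip())
    if m is None:
        return None
    msg = m.group("message")
    user = _UI_USER.search(msg) or _SSH_USER.search(msg)
    return {"timestamp": m.group("timestamp"), "hostname": m.group("hostname"),
            "process": m.group("process"), "processID": m.group("pid") or "-",
            "TAG": m.group("tag") or "-", "username": user.group("u") if user else "-",
            "message-text": msg}

def classify(event):
    """Map a parsed event to the audit category it belongs to, or None if it is not one."""
    proc, msg = event["process"], event["message-text"]
    if event["TAG"] in _TAGS:
        return _TAGS[event["TAG"]]
    if proc == "sshd" and msg.startswith("Failed password"):
        return "ssh-auth-failed"
    if proc == "sshd" and msg.startswith("Accepted password"):
        return "ssh-session-established"
    if proc == "syslogd" and msg.startswith(("restart", "exiting")):
        return "audit-startup"
    return None

def triage(lines):
    """Return (category, username) for every line that is a required audit event."""
    events = [parse_event(line) for line in lines]
    return [(classify(ev), ev["username"]) for ev in events if ev and classify(ev)]

def repeated_ssh_failures(lines, threshold=2):
    """Count failed SSH password attempts per (user, source address); return those at or over threshold."""
    counts = {}
    for ev in filter(None, map(parse_event, lines)):
        if classify(ev) == "ssh-auth-failed":
            key = (ev["username"], _SSH_USER.search(ev["message-text"]).group("src"))
            counts[key] = counts.get(key, 0) + 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Sample lines taken from the guide's own event examples
SAMPLE = [
    "Feb 27 02:33:04 bm-a mgd[6520]: UI_LOGIN_EVENT: User 'security-officer' login, class 'j-superuser'",
    "Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]",
    "Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2",
    "Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2",
    "Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2",
    "Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout",
    "Dec 20 23:17:35 bilbo syslogd: restart",
]
```

Feeding the file written by the syslog statement above through triage() gives one (category, user) pair per required event, and repeated_ssh_failures() surfaces the two failed attempts for 'op' from 172.17.58.45 in the guide's SSH sample.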
Performing Self-Tests on a Device
Understanding FIPS Self-Tests
The cryptographic module enforces security rules to ensure that a device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode meets the security requirements of FIPS 140-2 Level 1. To validate the output of cryptographic algorithms approved for FIPS and test the integrity of some system modules, the device performs the following series of known answer tests (KATs):
- kernel_kats—KAT for kernel cryptographic routines
- md_kats—KAT for libmd and libc
- openssl_kats—KAT for the OpenSSL cryptographic implementation
- quicksec_kats—KAT for the QuickSec Toolkit cryptographic implementation
- ssh_ipsec_kats—KAT for the SSH IPsec Toolkit cryptographic implementation
- macsec_kats—KAT for the MACsec cryptographic implementation
The KATs are performed automatically at startup. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and ECDSA key pairs, and manually entered keys.
If the KATs complete successfully, the system log (syslog) file is updated to display the tests that were executed.
If the device fails a KAT, it writes the details to a system log file, enters the FIPS error state (panic), and reboots.
The file show /var/log/messages command displays the system log.
You can also run the self-test on demand by issuing the request vmhost reboot command. You can view the FIPS self-test logs on the console when the system comes up.
Example: Configuring FIPS Self-Tests
This example shows how to configure the FIPS self-tests to run periodically.
Requirements
- You must have administrative privileges to configure the FIPS self-tests.
- The device must be running a Junos OS software image in FIPS mode.
Overview
The FIPS self-test consists of the following suite of known answer tests (KATs):
- kernel_kats—KAT for kernel cryptographic routines
- md_kats—KAT for libmd and libc
- quicksec_kats—KAT for the QuickSec Toolkit cryptographic implementation
- openssl_kats—KAT for the OpenSSL cryptographic implementation
- ssh_ipsec_kats—KAT for the SSH IPsec Toolkit cryptographic implementation
- macsec_kats—KAT for the MACsec cryptographic implementation
In this example, the FIPS self-test is performed at 9:00 AM, New York City, USA, every Wednesday.
NOTE: Instead of weekly tests, you can configure monthly tests by including the month and day-of-month statements.
If the KAT self-test fails, a log message is written to the system log messages file with the details of the test failure. The system then panics and reboots.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set system fips self-test periodic start-time 09:00
set system fips self-test periodic day-of-week 3
Step-by-Step Procedure
To configure the FIPS self-tests, log in to the device as the crypto-officer:
- Configure the FIPS self-test to run at 9:00 AM every Wednesday.
[edit system fips self-test]
crypto-officer@hostname:fips# set periodic start-time 09:00
crypto-officer@hostname:fips# set periodic day-of-week 3
- If you are done configuring the device, commit the configuration.
[edit system fips self-test]
crypto-officer@hostname:fips# commit
Results
From configuration mode, confirm your configuration by issuing the show system command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
crypto-officer@hostname:fips# show system
fips {
    self-test {
        periodic {
            start-time "09:00";
            day-of-week 3;
        }
    }
}
Verification
Confirm that the configuration is working properly.
Verifying the FIPS Self-Test
Purpose
Verify that the FIPS self-test is enabled.
Action
Manually trigger the FIPS self-test by issuing the system fips self-test command, or reboot the device.
After you issue the self-test command or reboot the device, the system log file is updated to display the KATs that were executed. To view the system log file, issue the file show /var/log/messages command.
user@host# file show /var/log/messages
RE KATS:
mgd: Running FIPS Self-tests
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-384 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing MACSec KATS:
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES256-CMAC Known Answer Test: Passed
mgd: AES-ECB Known Answer Test: Passed
mgd: AES-KEYWRAP Known Answer Test: Passed
mgd: KBKDF Known Answer Test: Passed
mgd: Testing libmd KATS:
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: Testing OpenSSL KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: FIPS ECDSA Known Answer Test: Passed
mgd: FIPS ECDH Known Answer Test: Passed
mgd: FIPS RSA Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-SSH-SHA256 Known Answer Test: Passed
mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed
mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed
mgd: Testing QuickSec 7.0 KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: SSH-ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing QuickSec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing SSH IPsec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: Testing file integrity:
mgd: File integrity Known Answer Test: Passed
mgd: Testing crypto integrity:
mgd: Crypto integrity Known Answer Test: Passed
mgd: Expect an exec Authentication error...
MAC/veriexec: no fingerprint (file=/sbin/kats/cannot-exec fsid=246 fileid=49356 gen=1 uid=0 pid=9384 ppid=9354 gppid=9352)
mgd: /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error
mgd: FIPS Self-tests Passed
LC KATS:
Sep 12 10:50:44 network_macsec_kats_input xe- /0/0:0: Slot no> pic:0 port:0 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:50:50 network_macsec_kats_input xe- /0/1:0: Slot no> pic:0 port:1 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:50:55 network_macsec_kats_input xe- /0/0:0: Slot no> pic:0 port:0 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:50:56 network_macsec_kats_input xe- /0/2:0: Slot no> pic:0 port:2 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:01 network_macsec_kats_input xe- /0/1:0: Slot no> pic:0 port:1 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:02 network_macsec_kats_input xe- /0/2:0: Slot no> pic:0 port:2 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:06 network_macsec_kats_input xe- /0/3:0: Slot no> pic:0 port:3 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:12 network_macsec_kats_input xe- /0/3:0: Slot no> pic:0 port:3 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:17 network_macsec_kats_input xe- /0/4:0: Slot no> pic:0 port:4 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:17 network_macsec_kats_input xe- /0/4:0: Slot no> pic:0 port:4 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:26 network_macsec_kats_input xe- /0/5:0: Slot no> pic:0 port:5 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:27 network_macsec_kats_input xe- /0/5:0: Slot no> pic:0 port:5 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:36 network_macsec_kats_input xe- /0/6:0: Slot no> pic:0 port:6 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:36 network_macsec_kats_input xe- /0/6:0: Slot no> pic:0 port:6 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:44 network_macsec_kats_input xe- /0/7:0: Slot no> pic:0 port:7 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:44 network_macsec_kats_input xe- /0/7:0: Slot no> pic:0 port:7 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:51 network_macsec_kats_input xe- /0/8:0: Slot no> pic:0 port:8 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:51 network_macsec_kats_input xe- /0/8:0: Slot no> pic:0 port:8 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:58 network_macsec_kats_input xe- /0/9:0: Slot no> pic:0 port:9 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:58 network_macsec_kats_input xe- /0/9:0: Slot no> pic:0 port:9 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:05 network_macsec_kats_input xe- /0/10:0: Slot no> pic:0 port:10 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:05 network_macsec_kats_input xe- /0/10:0: Slot no> pic:0 port:10 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:12 network_macsec_kats_input xe- /0/11:0: Slot no> pic:0 port:11 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:12 network_macsec_kats_input xe- /0/11:0: Slot no> pic:0 port:11 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:20 network_macsec_kats_input xe- /1/0:0: Slot no> pic:1 port:0 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:20 network_macsec_kats_input xe- /1/0:0: Slot no> pic:1 port:0 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:27 network_macsec_kats_input xe- /1/1:0: Slot no> pic:1 port:1 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:28 network_macsec_kats_input xe- /1/1:0: Slot no> pic:1 port:1 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:34 network_macsec_kats_input xe- /1/2:0: Slot no> pic:1 port:2 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Meaning
The system log file displays the date and time at which the KATs were executed and their status.
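Reading that output by eye does not scale across reboots and line cards, so here is an added checker (example code, not part of the Juniper guide) that takes a /var/log/messages excerpt like the one above and reports any KAT that did not pass, any test group that logged no tests, any line-card port missing an encryption or decryption result, and whether the closing "FIPS Self-tests Passed" verdict is present. The excerpt embedded in it is constructed from the guide's format; its xe-0/0/0:0 interface name is made up.

```python
import re

# Added example, not code from the Juniper guide: check an excerpt of /var/log/messages
# for the FIPS KAT results. It reports any Known Answer Test that did not pass, any test
# group that ran no tests, any line-card MACsec port missing an encryption or decryption
# result, and whether the closing "FIPS Self-tests Passed" verdict is present.

_GROUP = re.compile(r"mgd: Testing (?P<group>.+?)(?: KATS)?:$")
_KAT = re.compile(r"mgd: (?P<name>.+?) Known Answer Test: (?P<status>\w+)$")
_FINAL = re.compile(r"mgd: FIPS Self-tests (?P<status>\w+)$")
# Line-card MACsec KATs are logged per PIC and port, once for encryption and once for decryption
_LC = re.compile(r"pic:(?P<pic>\d+) port:(?P<port>\d+) chan:\d+ FIPS \S+ MACsec KATS "
                 r"(?P<dir>encryption|decryption) (?P<status>\w+)$")
# The documented veriexec "Authentication error" for /sbin/kats/cannot-exec is expected; it
# matches none of the patterns above and so is ignored rather than counted as a failure.


def check_kat_log(text):
    """Parse the log text and return a dict of findings (all empty and final == 'Passed' is clean)."""
    groups, failed, lc, final, current = {}, [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _GROUP.match(line):
            current = m.group("group")
            groups.setdefault(current, 0)
        elif m := _KAT.match(line):
            groups[current] = groups.get(current, 0) + 1
            if m.group("status") != "Passed":
                failed.append((current, m.group("name"), m.group("status")))
        elif m := _FINAL.match(line):
            final = m.group("status")
        elif m := _LC.search(line):
            key = (int(m.group("pic")), int(m.group("port")))
            if m.group("status") == "passed":
                lc.setdefault(key, set()).add(m.group("dir"))
            else:
                failed.append(("LC MACsec", f"pic {key[0]} port {key[1]} {m.group('dir')}", m.group("status")))
    return {
        "failed": failed,
        "empty_groups": sorted(g for g, n in groups.items() if n == 0),
        "lc_incomplete": sorted(k for k, dirs in lc.items() if dirs != {"encryption", "decryption"}),
        "final": final,
    }


def self_test_ok(text):
    """True only when every KAT passed, every group ran, line-card results are complete and the verdict is Passed."""
    r = check_kat_log(text)
    return r["final"] == "Passed" and not (r["failed"] or r["empty_groups"] or r["lc_incomplete"])


# Constructed excerpt modelled on the guide's output; the xe-0/0/0:0 interface name is made up
SAMPLE_LOG = """\
mgd: Running FIPS Self-tests
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing file integrity:
mgd: File integrity Known Answer Test: Passed
mgd: Expect an exec Authentication error...
mgd: /sbin/kats/run-tests: /sbin/kats/cannot-exec: Authentication error
mgd: FIPS Self-tests Passed
Sep 12 10:50:44 network_macsec_kats_input xe-0/0/0:0: Slot no> pic:0 port:0 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:50:55 network_macsec_kats_input xe-0/0/0:0: Slot no> pic:0 port:0 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
"""
```

Because a failed KAT makes the device panic and reboot, a missing final verdict or a group with no tests in the captured log is itself a finding, which is why self_test_ok() treats both the same as an explicit failure.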
Operational Commands
request system zeroize
Syntax
request system zeroize
Description
For RE1800, removes all configuration information on the Routing Engines and resets all key values. If the device has dual Routing Engines, the command is broadcast to all Routing Engines on the device. The command removes all data files, including customized configuration and log files, by unlinking the files from their directories. The command removes all user-created files from the system, including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP.
This command reboots the device and sets it to the factory default configuration. After the reboot, you cannot access the device through the management Ethernet interface. Log in through the console as root and start the Junos OS CLI by typing cli at the prompt.
Required Privilege Level
maintenance
request vmhost zeroize no-forwarding
Syntax
request vmhost zeroize no-forwarding
Description
For REMX2K-X8, removes all configuration information on the Routing Engines and resets all key values. If the device has dual Routing Engines, the command is broadcast to all Routing Engines on the device.
The command removes all data files, including customized configuration and log files, by unlinking the files from their directories. The command removes all user-created files from the system, including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP.
This command reboots the device and sets it to the factory default configuration. After the reboot, you cannot access the device through the management Ethernet interface. Log in through the console as root and start the Junos OS CLI by typing cli at the prompt.
Sample Output
request vmhost zeroize no-forwarding
user@host> request vmhost zeroize no-forwarding
VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes
re0:
warning: Vmhost will be rebooted and may not boot without configuration
warning: Proceeding with vmhost zeroize
Zeroize second internal disk
Proceeding with zeroize on secondary disk
Mounting device to prepare for zeroization...
Cleaning the target disk for zeroization
Zeroize done on target disk.
Zeroize of second disk completed
Zeroize first internal disk
Proceeding with zeroize on primary disk
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_dsa_key
Mounting device to prepare for zeroization...
Cleaning the target disk for zeroization
Zeroize done on target disk.
Zeroize of first disk completed
Zeroize done
---(more)--- Stopping cron.
Waiting for PIDS: 6135.
.
Feb 16 14:59:33 jlaunchd: periodic-packet-services (PID 6181) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: smg-service (PID 6234) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: application-identification (PID 6236) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: ifstate-tracing-process (PID 6241) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: fa'atonu-pulea (PID 6243) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: molia (PID 6246) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: license-service (PID 6255) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: ntp (PID 6620) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: gkd-chassis (PID 6621) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: gkd-lchassis (PID 6622) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: ta'avale (PID 6625) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: sonet-aps (PID 6626) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: remote-operations (PID 6627) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: class-of-service
........