Engineering Simplicity
Junos® OS
FIPS Evaluated Configuration Guide for
MX960, MX480, and MX240 Devices
JUNIPER NETWORKS Junos OS FIPS Evaluated Devices
RELEASE
20.3X75-D30
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Junos® OS FIPS Evaluated Configuration Guide for MX960, MX480, and MX240 Devices 20.3X75-D30
Copyright © 2023 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
About This Guide
Use this guide to operate MX960, MX480, and MX240 devices in the Federal Information Processing Standards (FIPS) 140-2 Level 1 environment. FIPS 140-2 defines security levels for hardware and software that perform cryptographic functions.
RELATED DOCUMENTATION
Common Criteria and FIPS Certifications
Overview
Understanding Junos OS in FIPS Mode
IN THIS SECTION
- Supported Platforms and Hardware | 2
- About the Cryptographic Boundary on Your Device | 3
- How FIPS Mode Differs from Non-FIPS Mode | 3
- Validated Version of Junos OS in FIPS Mode | 3
Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software that perform cryptographic functions. These Juniper Networks routers running the Juniper Networks Junos operating system (Junos OS) in FIPS mode comply with the FIPS 140-2 Level 1 standard.
Operating these routers in a FIPS 140-2 Level 1 environment requires enabling and configuring FIPS mode on the devices from the Junos OS command-line interface (CLI).
The Crypto Officer enables FIPS mode in Junos OS and sets up keys and passwords for the system and for other FIPS users.
Supported Platforms and Hardware
For the features described in this document, the following platforms are used for FIPS certification eligibility:
- MX960, MX480, and MX240 devices installed with the RE-S-1800X4 Routing Engine and the LC MPC7E-10G line card (https://www.juniper.net/us/en/products/routers/mx-series/mx960-universal-routing-platform.html, https://www.juniper.net/us/en/products/routers/mx-series/mx480-universal-routing-platform.html, and https://www.juniper.net/us/en/products/routers/mx-series/mx240-universal-routing-platform.html).
- MX960, MX480, and MX240 devices installed with the RE-S-X6 Routing Engine and the LC MPC7E-10G line card (https://www.juniper.net/us/en/products/routers/mx-series/mx960-universal-routing-platform.html, https://www.juniper.net/us/en/products/routers/mx-series/mx480-universal-routing-platform.html, and https://www.juniper.net/us/en/products/routers/mx-series/mx240-universal-routing-platform.html).
About the Cryptographic Boundary on Your Device
FIPS 140-2 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode prevents the cryptographic module from running any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module in unencrypted form.
WARNING: Virtual Chassis features are not supported in FIPS mode. Do not configure a Virtual Chassis in FIPS mode.
How FIPS Mode Differs from Non-FIPS Mode
Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:
- Self-tests of all cryptographic algorithms are performed at startup.
- Self-tests of random number and key generation are performed continuously.
- Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.
- Weak or unencrypted management connections must not be configured.
- Passwords must be encrypted with strong one-way algorithms that do not permit decryption.
- Administrator passwords must be at least 10 characters long.
Validated Version of Junos OS in FIPS Mode
To determine whether a Junos OS release is NIST-validated, see the compliance advisor page on the Juniper Networks website (https://apps.juniper.net/compliance/).
RELATED DOCUMENTATION
Identifying Secure Product Delivery | 7
Understanding FIPS Terminology and Supported Cryptographic Algorithms
IN THIS SECTION
Terminology | 4
Supported Cryptographic Algorithms | 5
Use the definitions of FIPS terms and supported algorithms to help you understand Junos OS in FIPS mode.
Terminology
Critical security parameter (CSP)
Security-related information, for example, secret and private cryptographic keys and authentication data such as passwords and personal identification numbers (PINs), whose disclosure or modification can compromise the security of a cryptographic module or the information it protects. For details, see "Understanding the Operational Environment for Junos OS in FIPS Mode" on page 16.
Cryptographic module
The set of hardware, software, and firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.
FIPS
Federal Information Processing Standards. FIPS 140-2 specifies requirements for security and cryptographic modules. Junos OS in FIPS mode complies with FIPS 140-2 Level 1.
FIPS maintenance role
The role the Crypto Officer assumes to perform physical maintenance or logical maintenance services such as hardware or software diagnostics. For FIPS 140-2 compliance, the Crypto Officer zeroizes the Routing Engine on entry to and exit from the FIPS maintenance role to erase all plaintext secret and private keys and unprotected CSPs.
NOTE: The FIPS maintenance role is not supported on Junos OS in FIPS mode.
KATs
Known answer tests. System self-tests that validate the output of cryptographic algorithms approved for FIPS and test the integrity of some Junos OS modules. For details, see "Understanding FIPS Self-Tests" on page 73.
SSH
A protocol that uses strong authentication and encryption for remote access across a nonsecure network. SSH provides remote login, remote program execution, file copy, and other functions. It is intended as a secure replacement for rlogin, rsh, and rcp in a UNIX environment. To secure the information sent over administrative connections, use SSHv2 for CLI configuration. In Junos OS, SSHv2 is enabled by default, and SSHv1, which is not considered secure, is disabled.
Zeroization
Erasure of all CSPs and other user-created data on a device before its operation as a FIPS cryptographic module or in preparation for repurposing the device for non-FIPS operation.
The Crypto Officer can zeroize the system with a CLI operational command.
Supported Cryptographic Algorithms
Table 1 on page 6 summarizes the high-level protocol algorithm support.
Table 1: Protocols Allowed in FIPS Mode
Protocol | Key Exchange | Authentication | Cipher | Integrity |
SSHv2 | • dh-group14-sha1 • ECDH-sha2-nistp256 • ECDH-sha2-nistp384 • ECDH-sha2-nistp521 | Host (module): • ECDSA P-256 • SSH-RSA; Client (user): • ECDSA P-256 • ECDSA P-384 • ECDSA P-521 • SSH-RSA | • AES CTR 128 • AES CTR 192 • AES CTR 256 • AES CBC 128 • AES CBC 256 | • HMAC-SHA-1 • HMAC-SHA-256 • HMAC-SHA-512 |
Table 2 on page 6 lists the ciphers supported by the MACsec line card (LC).
Table 2: MACsec LC Supported Ciphers
MACsec LC Supported Ciphers
AES-GCM-128
AES-GCM-256
Each algorithm implementation is tested with a series of known answer test (KAT) self-tests. Any self-test failure results in a FIPS error state.
BEST PRACTICE: For FIPS 140-2 compliance, use only FIPS-approved cryptographic algorithms in Junos OS in FIPS mode.
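The following script is an added example (not Juniper code) of the power-up known answer test behaviour described above: each approved hash and HMAC is run against a published test vector, and a single mismatch latches the module into an error state in which no cryptographic service is offered. The vector table is constructed here from the FIPS 180-2 example digests of "abc" and RFC 4231 test case 1; the `FipsModule` class and `corrupted_vectors()` helper are illustrative names, not Junos components.

```python
"""Power-up known-answer-test (KAT) harness modelled on the FIPS self-test
behaviour: run every approved algorithm against a published vector, and
refuse all service after any failure."""
import hashlib
import hmac

# Constructed vector table. Digests are the published examples from
# FIPS 180-2 (SHA-1/SHA-256/SHA-512 of "abc") and RFC 4231 test case 1
# (HMAC-SHA-256). Assumption: the algorithm list mirrors Table 1.
KAT_VECTORS = {
    "SHA-1": {
        "fn": lambda key, msg: hashlib.sha1(msg).hexdigest(),
        "key": None,
        "msg": b"abc",
        "expected": "a9993e364706816aba3e25717850c26c9cd0d89d",
    },
    "SHA-256": {
        "fn": lambda key, msg: hashlib.sha256(msg).hexdigest(),
        "key": None,
        "msg": b"abc",
        "expected": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
    "SHA-512": {
        "fn": lambda key, msg: hashlib.sha512(msg).hexdigest(),
        "key": None,
        "msg": b"abc",
        "expected": ("ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                     "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
    },
    "HMAC-SHA-256": {
        "fn": lambda key, msg: hmac.new(key, msg, hashlib.sha256).hexdigest(),
        "key": b"\x0b" * 20,
        "msg": b"Hi There",
        "expected": "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    },
}


class FipsModule:
    """Minimal model of a module that refuses service after a failed KAT."""

    def __init__(self):
        self.error_state = False
        self.failed = []

    def power_up_self_test(self, vectors=KAT_VECTORS):
        """Run every KAT. Return True if all pass; otherwise record the
        failing algorithms and latch the error state."""
        self.failed = [
            name for name, v in vectors.items()
            if not hmac.compare_digest(v["fn"](v["key"], v["msg"]), v["expected"])
        ]
        self.error_state = bool(self.failed)
        return not self.error_state

    def hmac_sha256(self, key, msg):
        """Example service call; unavailable while in the error state."""
        if self.error_state:
            raise RuntimeError("FIPS error state, failed KATs: " + ", ".join(self.failed))
        return hmac.new(key, msg, hashlib.sha256).hexdigest()


def corrupted_vectors():
    """Copy of KAT_VECTORS with one expected digest altered, simulating a
    corrupted algorithm implementation or tampered binary."""
    bad = {name: dict(v) for name, v in KAT_VECTORS.items()}
    bad["SHA-256"]["expected"] = "00" + bad["SHA-256"]["expected"][2:]
    return bad


if __name__ == "__main__":
    module = FipsModule()
    print("self-test passed:", module.power_up_self_test())
    broken = FipsModule()
    print("corrupted self-test passed:", broken.power_up_self_test(corrupted_vectors()),
          "| error state:", broken.error_state)
```

Comparing digests with `hmac.compare_digest` rather than `==` keeps the comparison constant-time; the latched `error_state` is the point of the exercise, since a module that merely logs a failed KAT and keeps serving requests is not in the FIPS error state the text describes.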
The following cryptographic algorithms are supported in FIPS mode. Symmetric methods use the same key for encryption and decryption, while asymmetric methods use different keys for encryption and decryption.
AES
The Advanced Encryption Standard (AES), defined in FIPS PUB 197. The AES algorithm uses keys of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits.
ECDH
Elliptic Curve Diffie-Hellman. A variant of the Diffie-Hellman key exchange algorithm that uses cryptography based on the algebraic structure of elliptic curves over finite fields. ECDH allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel. The shared secret can be used either directly as a key or to derive another key for encrypting subsequent communications with a symmetric key cipher.
ECDSA
Elliptic Curve Digital Signature Algorithm. A variant of the Digital Signature Algorithm (DSA) that uses cryptography based on the algebraic structure of elliptic curves over finite fields. The bit size of the elliptic curve determines the difficulty of recovering the private key. The public key size needed for ECDSA is about twice the security level, in bits. ECDSA using the P-256, P-384, and P-521 curves can be configured under OpenSSH.
HMAC
Defined as "Keyed-Hashing for Message Authentication" in RFC 2104, HMAC combines hashing algorithms with cryptographic keys for message authentication. For Junos OS in FIPS mode, HMAC uses the iterated cryptographic hash functions SHA-1, SHA-256, and SHA-512 together with a secret key.
SHA-256 and SHA-512
Secure hash algorithms (SHA) belonging to the SHA-2 standard defined in FIPS PUB 180-2. Developed by NIST, SHA-256 produces a 256-bit hash digest, and SHA-512 produces a 512-bit hash digest.
RELATED DOCUMENTATION
Understanding FIPS Self-Tests | 73
Understanding Zeroization to Clear System Data for FIPS Mode | 25
Identifying Secure Product Delivery
There are several mechanisms provided in the delivery process to ensure that a customer receives a product that has not been tampered with. The customer should perform the following checks upon receipt of a device to verify the integrity of the platform.
- Shipping label: Ensure that the shipping label correctly identifies the correct customer name and address as well as the device.
- Outside packaging: Inspect the outside shipping box and tape. Ensure that the shipping tape has not been cut or otherwise compromised. Ensure that the box has not been cut or damaged to allow access to the device.
- Inside packaging: Inspect the plastic bag and seal. Ensure that the bag has not been cut or removed. Ensure that the seal remains intact.
If the customer identifies a problem during the inspection, the customer should immediately contact the supplier. Provide the order number, tracking number, and a description of the identified problem to the supplier.
Additionally, there are several checks that can be performed to ensure that the customer has received a box sent by Juniper Networks and not a different company masquerading as Juniper Networks. The customer should perform the following checks upon receipt of a device to verify the authenticity of the device:
- Verify that the device was ordered using a purchase order. Juniper Networks devices are never shipped without a purchase order.
- When a device is shipped, a shipment notification is sent to the e-mail address provided by the customer when the order is taken. Verify that this e-mail notification was received. Verify that the e-mail contains the following information:
- Purchase order number
- Juniper Networks order number used to track the shipment
- Carrier tracking number used to track the shipment
- List of items shipped including serial numbers
- Address and contacts of both the supplier and the customer
- Verify that the shipment was initiated by Juniper Networks. To verify that a shipment was initiated by Juniper Networks, perform the following tasks:
- Compare the carrier tracking number of the Juniper Networks order number listed in the Juniper Networks shipping notification with the tracking number on the package received.
- Log in to the Juniper Networks online customer support portal at https://support.juniper.net/support/ to view the order status. Compare the carrier tracking number or the Juniper Networks order number listed in the Juniper Networks shipping notification with the tracking number on the package received.
Understanding Management Interfaces
The following management interfaces can be used in the evaluated configuration:
- Local management interfaces: The RJ-45 console port on the device is configured as RS-232 data terminal equipment (DTE). You can use the command-line interface (CLI) over this port to configure the device from a terminal.
- Remote management protocols: The device can be remotely managed over any Ethernet interface. SSHv2 is the only permitted remote management protocol that can be used in the evaluated configuration. The remote management protocols J-Web and Telnet are not available for use on the device.
Configuring Administrative Credentials and Privileges
Understanding the Associated Password Rules for an Authorized Administrator
The authorized administrator is associated with a defined login class, and the administrator is assigned all permissions. Data is stored locally for fixed password authentication.
NOTE: Do not use control characters in passwords.
Use the following guidelines and configuration options for passwords and when selecting passwords for authorized administrator accounts. Passwords should be:
- Easy to remember so that users are not tempted to write them down.
- Changed periodically.
- Private and not shared with anyone.
- At least 10 characters long. The minimum password length is 10 characters.
[edit]
administrator@host# set system login password minimum-length 10
- Composed of both alphanumeric and punctuation characters, made up of any combination of uppercase and lowercase letters, numbers, and special characters such as "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")". There should be at least one change of case, one or more digits, and one or more punctuation marks.
- Made up of several character sets. Valid character sets include uppercase letters, lowercase letters, numbers, punctuation, and other special characters.
[edit]
administrator@host# set system login password change-type character-sets
- Containing the minimum number of character sets or character set changes. The minimum number of character sets required in plaintext passwords in Junos FIPS is 3.
[edit]
administrator@host# set system login password minimum-changes 3
- Hashed with SHA256 or SHA512 (SHA512 is the default hashing algorithm).
[edit]
administrator@host# set system login password format sha512
NOTE: The device supports ECDSA (P-256, P-384, and P-521) and RSA (2048, 3072, and 4096 modulus bit length) key types.
Weak passwords are:
- Words that might be found in or exist as a permuted form in a system file such as /etc/passwd.
- The hostname of the system (always a first guess).
- Any words appearing in a dictionary. This includes dictionaries in languages other than English, and words found in works such as Shakespeare, Lewis Carroll, Roget's Thesaurus, and so on. This prohibition includes common words and phrases from sports, sayings, movies, and television shows.
- Permutations of any of the above. For example, a dictionary word with vowels replaced with digits (for example f00t) or with digits added to the end.
- Any machine-generated passwords. Algorithms reduce the search space of password-guessing programs and so must not be used.
Strong, reusable passwords can be based on letters from a favorite phrase or word, and then concatenated with other, unrelated words, along with added digits and punctuation.
RELATED DOCUMENTATION
Identifying Secure Product Delivery | 7
Configuring Roles and Authentication Methods
Understanding Junos OS Roles and Services
IN THIS SECTION
Crypto Officer Role and Responsibilities | 15
FIPS User Role and Responsibilities | 15
What Is Expected of All FIPS Users | 16
The Security Administrator is associated with the defined login class security-admin, which has the necessary permission set to allow the administrator to perform all tasks necessary to manage Junos OS. Administrative users (Security Administrators) must provide unique identification and authentication data before any administrative access to the system is granted.
The Security Administrator's roles and responsibilities are as follows:
- The Security Administrator can administer the device locally and remotely.
- Create, modify, and delete administrator accounts, including configuration of authentication failure parameters.
- Re-enable an administrator account.
- Responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to and from the evaluated product.
The Juniper Networks Junos operating system (Junos OS) running in non-FIPS mode allows a wide range of capabilities for users, and authentication is identity-based. In contrast, the FIPS 140-2 standard defines two user roles: Crypto Officer and FIPS user. These roles are defined in terms of Junos OS user capabilities.
All other user types defined in Junos OS in FIPS mode (operator, administrative user, and so on) must fall into one of the two categories: Crypto Officer or FIPS user. For this reason, user authentication in FIPS mode is role-based rather than identity-based.
The Crypto Officer performs all FIPS-mode-related configuration tasks and issues all statements and commands for Junos OS in FIPS mode. Crypto Officer and FIPS user configurations must follow the guidelines for Junos OS in FIPS mode.
Crypto Officer Role and Responsibilities
The Crypto Officer is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode on a device. The Crypto Officer securely installs Junos OS on the device, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the device before connecting it to the network.
BEST PRACTICE: We recommend that the Crypto Officer administer the system in a secure manner by keeping passwords secure and checking audit files.
The permissions that distinguish the Crypto Officer from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the Crypto Officer to a login class that contains all of these permissions. A user with the Junos OS maintenance permission can read files containing critical security parameters (CSPs).
NOTE: Junos OS in FIPS mode does not support the FIPS 140-2 maintenance role, which is different from the Junos OS maintenance permission.
Among the tasks related to Junos OS in FIPS mode, the Crypto Officer is expected to:
- Set the initial root password. The password must be at least 10 characters long.
- Reset user passwords with FIPS-approved algorithms.
- Examine log and audit files for events of interest.
- Erase user-generated files, keys, and data by zeroizing the device.
FIPS User Role and Responsibilities
All FIPS users, including the Crypto Officer, can view the configuration. Only the user assigned as Crypto Officer can modify the configuration.
The permissions that distinguish Crypto Officers from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the FIPS user to a class that contains none of these permissions.
A FIPS user can view status output but cannot reboot or zeroize the device.
What Is Expected of All FIPS Users
All FIPS users, including the Crypto Officer, must observe security guidelines at all times.
All FIPS users must:
- Keep all passwords confidential.
- Store devices and documentation in a secure area.
- Deploy devices in secure areas.
- Check audit files periodically.
- Conform to all other FIPS 140-2 security rules.
- Follow these guidelines:
• Users are trusted.
• Users abide by all security guidelines.
• Users do not deliberately compromise security.
• Users behave responsibly at all times.
Understanding the Operational Environment for Junos OS in FIPS Mode
A Juniper Networks device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode forms a special type of hardware and software operating environment that is different from the environment of a device in non-FIPS mode:
Hardware Environment for Junos OS in FIPS Mode
Junos OS in FIPS mode establishes a cryptographic boundary in the device that no critical security parameters (CSPs) can cross in plaintext. Each hardware component of the device that requires a cryptographic boundary for FIPS 140-2 compliance is a separate cryptographic module. There are two types of hardware with cryptographic boundaries in Junos OS in FIPS mode: one for each Routing Engine and one for the entire chassis including the LC MPC7E-10G card. Each component forms a separate cryptographic module. Any exchange of CSPs between these secure environments must be encrypted.
Cryptographic methods are not a substitute for physical security. The hardware must be located in a secure physical environment. Users of all types must not reveal keys or passwords, or allow written records or notes to be seen by unauthorized personnel.
Software Environment for Junos OS in FIPS Mode
A Juniper Networks device running Junos OS in FIPS mode forms a special type of nonmodifiable operational environment. To achieve this environment on the device, the system prevents the execution of any binary file that was not part of the certified Junos OS in FIPS mode distribution. When a device is in FIPS mode, it can run only Junos OS.
The Junos OS in FIPS mode software environment is established after the Crypto Officer successfully enables FIPS mode on a device. The Junos OS image that includes FIPS mode is available on the Juniper Networks website and can be installed on a functioning device.
For strict compliance with FIPS 140-2, we recommend that you delete all user-created files and data by zeroizing the device before enabling FIPS mode.
Operating your device at FIPS Level 1 requires the use of visible tamper-evident labels to seal the Routing Engines in the chassis.
Enabling FIPS mode disables many of the usual Junos OS protocols and services. In particular, you cannot configure the following services in Junos OS in FIPS mode:
- finger
- ftp
- rlogin
- telnet
- tftp
- xnm-clear-text
Attempts to configure these services, or to load configurations with these services configured, result in a configuration syntax error.
You can use only SSH as a remote access service.
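The device rejects the disabled services at commit time, but an auditor reviewing an exported configuration before it is loaded, or a configuration pulled from a device that has not yet been switched to FIPS mode, has no such check. The script below is an added example (not Juniper code) that walks a `show configuration | display set` listing and reports the disabled services listed above, an SSH protocol version other than v2, and any SSH cipher, MAC, key-exchange or host-key algorithm outside Table 1. The sample configuration is constructed; the `system services ssh ciphers`, `macs`, `key-exchange`, `hostkey-algorithm` and `protocol-version` statements are the standard Junos ones, and the allow-lists spell the Table 1 algorithms the way those statements do (an assumption on my part for the host-key names `ssh-ecdsa` and `ssh-rsa`).

```python
"""Audit a 'display set' configuration against the evaluated-configuration
rules: no disabled services, SSHv2 only, and only Table 1 SSH algorithms."""

PROHIBITED_SERVICES = {"finger", "ftp", "rlogin", "telnet", "tftp", "xnm-clear-text"}

# Table 1 algorithms, written as Junos configuration values (assumed spellings).
ALLOWED_SSH = {
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256",
                     "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "hostkey-algorithm": {"ssh-ecdsa", "ssh-rsa"},
}

# Constructed sample with three deliberate violations (3des-cbc, hmac-md5, telnet).
SAMPLE_CONFIG = """\
set system services ssh protocol-version v2
set system services ssh ciphers aes256-ctr
set system services ssh ciphers 3des-cbc
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-md5
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh hostkey-algorithm ssh-ecdsa
set system services telnet
set system services netconf ssh
"""


def audit_services(config_text):
    """Return a list of findings; an empty list means no violation was found."""
    findings = []
    ssh_seen = False
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:3] != ["set", "system", "services"] or len(words) < 4:
            continue
        service = words[3]
        if service in PROHIBITED_SERVICES:
            findings.append(f"prohibited service configured: {service}")
            continue
        if service != "ssh":
            continue            # netconf, web-management, etc. are outside this check
        ssh_seen = True
        if len(words) < 6:
            continue            # e.g. 'set system services ssh' with no knob
        knob, value = words[4], words[5]
        if knob == "protocol-version" and value != "v2":
            findings.append(f"ssh protocol-version {value} is not permitted; only v2 is")
        elif knob in ALLOWED_SSH and value not in ALLOWED_SSH[knob]:
            findings.append(f"ssh {knob} {value} is not a Table 1 algorithm")
    if not ssh_seen:
        findings.append("ssh service not configured; it is the only permitted "
                        "remote management protocol")
    return findings


if __name__ == "__main__":
    for finding in audit_services(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Because `display set` expands each list member onto its own `set` line, one pass over the lines is enough; a configuration in the braced format must be converted first (`show configuration | display set` on the device does this).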
All passwords established by users after upgrading to Junos OS in FIPS mode must conform to the Junos OS in FIPS mode specifications. Passwords must be between 10 and 20 characters long and require the use of at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and keyboard characters such as % and & that are not included in the other four categories).
Attempts to configure passwords that do not conform to these rules result in an error. All passwords and keys used to authenticate peers must be at least 10 characters long, and in some cases the length must match the digest size.
NOTE: Do not attach the device to a network until the Crypto Officer completes configuration from the local console connection.
For strict compliance, do not examine core and crash dump information on the local console in Junos OS in FIPS mode, because some CSPs might be shown in plaintext.
Critical Security Parameters
Critical security parameters (CSPs) are security-related information such as cryptographic keys and passwords that can compromise the security of the cryptographic module or the security of the information protected by the module if they are disclosed or modified.
Zeroizing the system erases all traces of CSPs in preparation for operating the device or Routing Engine as a cryptographic module.
Table 3 on page 19 lists the CSPs on devices running Junos OS.
Table 3: Critical Security Parameters
CSP | Description | Zeroization | Use |
SSHv2 private host key | ECDSA / RSA key used to identify the host, generated the first time SSH is configured. | Zeroize command. | Used to identify the host. |
SSHv2 session keys | Session keys used with SSHv2 and as the Diffie-Hellman private key. Encryption: AES-128, AES-192, AES-256. MACs: HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512. Key exchange: dh-group14-sha1, ECDH-sha2-nistp256, ECDH-sha2-nistp384, and ECDH-sha2-nistp521. | Power cycle and termination of the session. | Symmetric keys used to encrypt data between the host and the client. |
User authentication key | Hash of the user's password: SHA256, SHA512. | Zeroize command. | Used to authenticate a user to the cryptographic module. |
Crypto Officer authentication key | Hash of the Crypto Officer's password: SHA256, SHA512. | Zeroize command. | Used to authenticate the Crypto Officer to the cryptographic module. |
HMAC DRBG seed | Seed for the deterministic random bit generator (DRBG). | The seed is not stored by the cryptographic module. | Used for seeding the DRBG. |
HMAC DRBG V value | The value (V) of output block length (outlen) in bits, which is updated each time another outlen bits of output are produced. | Power cycle. | A critical value of the internal state of the DRBG. |
HMAC DRBG key value | The current value of the outlen-bit key, which is updated at least once each time the DRBG mechanism generates pseudorandom bits. | Power cycle. | A critical value of the internal state of the DRBG. |
NDRNG entropy | Used as the entropy input string to the HMAC DRBG. | Power cycle. | A critical value of the internal state of the DRBG. |
In Junos OS in FIPS mode, all CSPs must enter and leave the cryptographic module in encrypted form.
Any CSP encrypted with a non-approved algorithm is considered plaintext by FIPS.
BEST PRACTICE: For FIPS compliance, configure the device over SSH connections, because they are encrypted.
Local passwords are hashed with the SHA256 or SHA512 algorithm. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the root password.
Ukuqonda Ukucaciswa Kwephasiwedi Nemihlahlandlela ye-Junos OS kumodi ye-FIPS
Wonke amagama ayimfihlo asungulwe abasebenzisi yi-Crypto Officer kufanele ahambisane ne-Junos OS elandelayo ngezidingo zemodi ye-FIPS. Imizamo yokumisa amagama ayimfihlo angahambisani nokucaciswa okulandelayo kubangela iphutha.
- Length. Passwords must contain between 10 and 20 characters.
- Character set requirements. Passwords must contain at least the following five defined character sets:
• Uppercase letters
• Lowercase letters
• Digits
• Punctuation marks
• Keyboard characters not included in the other four sets, such as the percent sign (%) and the ampersand (&)
- Authentication requirements. All passwords and keys used to authenticate peers must be at least 10 characters long, and in some cases the number of characters must match the digest size.
- Password encryption. To change the default encryption method (SHA512), include the format statement at the [edit system login password] hierarchy level.
Guidelines for strong passwords. Strong, reusable passwords can be based on letters from a favorite phrase or word and then concatenated with other unrelated words, along with added digits and punctuation marks. In general, a strong password is:
- Easy to remember, so that users are not tempted to write it down.
- Made up of mixed alphanumeric characters and punctuation marks. For FIPS compliance this includes at least one change of case, one or more digits, and one or more punctuation marks.
- Changed periodically.
- Not divulged to anyone.
Characteristics of weak passwords. Do not use the following weak passwords:
- Words that might be found in, or exist as a permuted form in, a system file such as /etc/passwd.
- The hostname of the system (always a first guess).
- Any word or phrase that appears in a dictionary or other well-known source, including dictionaries and thesauruses in languages other than English; works by classical or popular writers; or common words and phrases from sports, sayings, movies, or television shows.
- Permutations of any of the above, for example, a dictionary word with letters replaced with digits (r00t) or with digits added at the end.
- Any machine-generated password. Algorithms reduce the search space of password-guessing programs and so should not be used.
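The rules above can be checked before a password is ever committed on the device. The following validator is an added example written for this guide, not Juniper code and not part of Junos OS; the split between "punctuation marks" and "other keyboard characters", the digit-for-letter substitution table used to catch permutations such as r00t, and the three-word dictionary are assumptions made for the illustration.

```python
import string

# Rules stated in the guide: 10-20 characters; FIPS compliance needs at
# least one change of case, one or more digits and one or more punctuation
# marks; never a dictionary word, a hostname, or a permutation of one
# (digits substituted for letters, as in r00t, or digits appended).
MIN_LEN, MAX_LEN = 10, 20

# The guide lists "punctuation marks" and "other keyboard characters (such
# as % and &)" as separate sets; this split of string.punctuation is an
# assumption for the example.
PUNCTUATION = set(".,;:!?-'\"()[]{}")
OTHER_KEYBOARD = set(string.punctuation) - PUNCTUATION   # %, &, @, #, $, ...

# Common substitutions undone before the dictionary comparison (assumption).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def character_sets(password):
    """Names of the guide's five character sets that appear in password."""
    present = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            present.add("upper")
        elif ch in string.ascii_lowercase:
            present.add("lower")
        elif ch in string.digits:
            present.add("digit")
        elif ch in PUNCTUATION:
            present.add("punct")
        elif ch in OTHER_KEYBOARD:
            present.add("other")
    return present


def derived_from_dictionary(password, dictionary):
    """True if the password is a listed word, or a listed word with digits or
    symbols substituted for letters or appended at the end."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core in dictionary or core.translate(LEET) in dictionary


def check_fips_password(password, dictionary=frozenset()):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is not between {MIN_LEN} and {MAX_LEN}")
    sets = character_sets(password)
    if not {"upper", "lower"} <= sets:
        problems.append("no change of case")
    if "digit" not in sets:
        problems.append("no digit")
    if not sets & {"punct", "other"}:
        problems.append("no punctuation mark or symbol")
    if derived_from_dictionary(password, dictionary):
        problems.append("dictionary word or a permutation of one")
    return problems


if __name__ == "__main__":
    words = {"root", "password", "juniper"}   # constructed mini dictionary
    for candidate in ("r00t12345", "Password!", "Pl4in-Tr4ck#29"):
        verdict = check_fips_password(candidate, words)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

A real deployment would load a full word list (including hostnames and names) into the dictionary; the checker deliberately reports every violated rule rather than stopping at the first, so the user sees everything that has to change.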
Downloading Software Packages from Juniper Networks
You can download the Junos OS software package for your device from the Juniper Networks website.
Before you begin to download the software, ensure that you have a Juniper Networks Web account and a valid support contract. To obtain an account, complete the registration form at the Juniper Networks website: https://userregistration.juniper.net/.
To download software packages from Juniper Networks:
- Using a Web browser, follow the links to the download URL on the Juniper Networks webpage: https://support.juniper.net/support/downloads/
- Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
- Download the software. See Downloading Software.
RELATED DOCUMENTATION
Installation and Upgrade Guide
Installing Software on a Device with a Single Routing Engine
You can use this procedure to upgrade Junos OS on a device with a single Routing Engine.
To install software upgrades on a device with a single Routing Engine:
- Download the software package as described in Downloading Software Packages from Juniper Networks.
- If you have not already done so, connect to the console port on the device from your management device, and log in to the Junos OS CLI.
- (Optional) Back up the current software configuration to a second storage option. See the Software Installation and Upgrade Guide for instructions on performing this task.
- (Optional) Copy the software package to the device. We recommend that you use FTP to copy the file to the /var/tmp/ directory.
This step is optional because Junos OS can also be upgraded when the software image is stored at a remote location. These instructions describe the software upgrade process for both scenarios.
- Install the new package on the device:
For REMX2K-X8:
user@host> request vmhost software add package
For RE1800:
user@host> request system software add package
Replace package with one of the following paths:
• For a software package in a local directory on the device, use /var/tmp/package.tgz.
• For a software package on a remote server, use one of the following paths, replacing variable with the name of the software package.
• ftp://hostname/pathname/package.tgz
- Reboot the device to load the installation:
For REMX2K-X8:
user@host> request vmhost reboot
For RE1800:
user@host> request system reboot
- After the reboot has completed, log in and use the show version command to verify that the new version of the software is successfully installed.
user@host> show version
Model: mx960
Junos: 20.3X75-D30.1
JUNOS OS Kernel 64-bit [20210722.b0da34e0_builder_stable_11-204ab]
JUNOS OS libs [20210722.b0da34e0_builder_stable_11-204ab]
JUNOS OS boot-ve files [20210722.b0da34e0_builder_stable_11-204ab]
JUNOS na telemetry [20.3X75-D30.1]
JUNOS mx runtime [20210812.200100_builder_junos_203_x75_d30]
JUNOS Services Stateful Firewall [20210812.200100_builder_junos_203_x75_d30]
JUNOS Services IPSec [20210812.200100_builder_junos_203_x75_d30]
JUNOS Packet Forwarding Engine Support (M/T Common) [20210812.200100_builder_junos_203_x75_d30]
(further JUNOS package lines of the show version output omitted)
Understanding Zeroization to Clear System Data for FIPS Mode
IN THIS SECTION
Why Zeroize? | 26
When to Zeroize? | 26
Zeroization completely erases all configuration information on the Routing Engines, including all plaintext passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec.
The Crypto Officer initiates the zeroization process by entering the request vmhost zeroize no-forwarding operational command on the REMX2K-X8, and the request system zeroize command on the RE1800.
CAUTION: Perform system zeroization with care. After the zeroization process is complete, no data is left on the Routing Engine. The device is returned to the factory default state, without any configured users or configuration files.
Zeroization can be time-consuming. Although all configurations are removed in a few seconds, the zeroization process goes on to overwrite all media, which can take considerable time depending on the size of the media.
Why Zeroize?
Your device is not considered a valid FIPS cryptographic module until all critical security parameters (CSPs) have been entered, or reentered, while the device is in FIPS mode.
For FIPS 140-2 compliance, you must zeroize the system to remove sensitive information before disabling FIPS mode on the device.
When to Zeroize?
As a Crypto Officer, perform zeroization in the following situations:
- Before FIPS operation: To prepare your device for operation as a FIPS cryptographic module, perform zeroization before enabling FIPS mode.
- Before non-FIPS operation: To begin repurposing your device for non-FIPS operation, perform zeroization before disabling FIPS mode on the device.
NOTE: Juniper Networks does not support installing non-FIPS software in a FIPS environment, but doing so might be necessary in certain test environments. Be sure to zeroize the system first.
Zeroizing the System
To zeroize your device, follow the procedure below:
- Log in to the device as the Crypto Officer and, from the CLI, enter the following command.
For REMX2K-X8:
crypto-officer@host> request vmhost zeroize no-forwarding
VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes
re0:
For RE1800:
crypto-officer@host> request system zeroize
System Zeroization : Erase all data, including configuration and log files ?
[yes,no] (no) yes
re0:
- To initiate the zeroization process, type yes at the prompt:
Erase all data, including configuration and log files? [yes,no] (no) yes
re0:
warning: zeroizing re0
The entire operation can take considerable time depending on the size of the media, but all critical security parameters (CSPs) are removed within a few seconds. The physical environment must remain secure until the zeroization process is complete.
Enabling FIPS Mode
When Junos OS is installed on the device and the device is powered on, it is ready to be configured.
Initially, you log in as the user root with no password. When you log in as root, your SSH connection is enabled by default.
As the Crypto Officer, you must establish a root password conforming to the FIPS password requirements in "Understanding FIPS Password Specifications and Guidelines for Junos OS in FIPS Mode" on page 20. When you enable FIPS mode in Junos OS on the device, you cannot configure passwords unless they meet this standard.
Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the root password.
To enable FIPS mode in Junos OS on the device:
- Zeroize the device to delete all CSPs before entering FIPS mode. See "Understanding Zeroization to Clear System Data for FIPS Mode" on page 25 for details.
- After the device comes up in 'Amnesiac mode', log in using the username root and the password "" (blank).
FreeBSD/amd64 (Amnesiac) (ttyu0) login: root
--- JUNOS 20.3X75-D30.1 Kernel 64-bit JNPR-11.0-20190701.269d466_buil
root@:~ # cli
root>
- Configure root authentication with a password of at least 10 characters.
root> edit
Entering configuration mode
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
- Load the configuration onto the device and commit the new configuration. Configure the crypto-officer and log in with the crypto-officer credentials.
- Install the fips-mode package needed for the Routing Engine KATS.
root@hostname> request system software add optional://fips-mode.tgz
Verified fips-mode signed by PackageDevelopmentEc_2017 method ECDSA256+SHA256
- For MX Series devices,
• Configure the chassis boundary fips by setting system fips chassis level 1 and commit.
• Configure the RE boundary fips by setting system fips level 1 and commit.
The device may display the warning "Encrypted password must be re-configured to use FIPS compliant hash" so that older CSPs are deleted from the loaded configuration.
- After deleting and reconfiguring the CSPs, the commit goes through and the device needs to be rebooted to enter FIPS mode.
[edit]
crypto-officer@hostname# commit
Generating RSA key /etc/ssh/fips_ssh_host_key
Generating RSA2 key /etc/ssh/fips_ssh_host_rsa_key
Generating ECDSA key /etc/ssh/fips_ssh_host_ecdsa_key
[edit system]
reboot is required to transition to FIPS level 1
commit complete
[edit]
crypto-officer@hostname# run request vmhost reboot
- After rebooting the device, the FIPS self-tests run and the device enters FIPS mode.
crypto-officer@hostname:fips>
RELATED DOCUMENTATION
Understanding FIPS Password Specifications and Guidelines for Junos OS in FIPS Mode | 20
Configuring Crypto Officer and FIPS User Identification and Access
IN THIS SECTION
Configuring Crypto Officer Access | 30
Configuring FIPS User Login Access | 32
The Crypto Officer enables FIPS mode on your device, performs all configuration tasks for Junos OS in FIPS mode, and issues all Junos OS in FIPS mode statements and commands. Crypto Officer and FIPS user configurations must follow the Junos OS in FIPS mode guidelines.
Configuring Crypto Officer Access
Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-2.
For FIPS 140-2 compliance, any FIPS user with the secret, security, maintenance, and control permission bits set is a Crypto Officer. In most cases the super-user class suffices for the Crypto Officer.
To configure login access for a Crypto Officer:
- Log in to the device with the root password if you have not already done so, and enter configuration mode:
root@hostname> edit
Entering configuration mode
[edit]
root@hostname#
- Name the user crypto-officer and assign the Crypto Officer a user ID (for example, 6400, which must be a unique number associated with the login account in the range from 100 through 64000) and a class (for example, super-user). In assigning a class, you assign permissions, for example, secret, security, maintenance, and control.
For a list of permissions, see Understanding Junos OS Access Privilege Levels.
[edit]
root@hostname# set system login user username uid value class class-name
For example:
[edit]
root@hostname# set system login user crypto-officer uid 6400 class super-user
- Following the guidelines in "Understanding FIPS Password Specifications and Guidelines for Junos OS in FIPS Mode" on page 20, assign the Crypto Officer a plain-text password for login authentication. Set the password by typing the password after the prompts New password and Retype new password.
[edit]
root@hostname# set system login user username class class-name authentication (plain-text-password | encrypted-password)
For example:
[edit]
root@hostname# set system login user crypto-officer class super-user authentication plain-text-password
- Optionally, display the configuration:
[edit]
root@hostname# edit system
[edit system]
root@hostname# show
login {
    user crypto-officer {
        uid 6400;
        authentication {
            encrypted-password " "; ## SECRET-DATA
        }
        class super-user;
    }
}
- If you are finished configuring the device, commit the configuration and exit:
[edit]
root@hostname# commit
commit complete
root@hostname# exit
Configuring FIPS User Login Access
A FIPS user is defined as any FIPS user that does not have the secret, security, maintenance, and control permission bits set.
As Crypto Officer, you set up FIPS users. FIPS users cannot be granted permissions normally reserved for the Crypto Officer, for example, permission to zeroize the system.
To configure login access for a FIPS user:
- Log in to the device with your Crypto Officer password if you have not already done so, and enter configuration mode:
crypto-officer@hostname:fips> edit
Entering configuration mode
[edit]
crypto-officer@hostname:fips#
- Name the user and assign the user a user ID (for example, 6401, which must be a unique number in the range from 1 through 64000) and a class. In assigning a class, you assign permissions, for example, clear, network, reset, view, and view-configuration.
[edit]
crypto-officer@hostname:fips# set system login user username uid value class class-name
For example:
[edit]
crypto-officer@hostname:fips# set system login user fips-user1 uid 6401 class read-only
- Following the guidelines in "Understanding FIPS Password Specifications and Guidelines for Junos OS in FIPS Mode" on page 20, assign the FIPS user a plain-text password for login authentication. Set the password by typing the password after the prompts New password and Retype new password.
[edit]
crypto-officer@hostname:fips# set system login user username class class-name authentication (plain-text-password | encrypted-password)
For example:
[edit]
crypto-officer@hostname:fips# set system login user fips-user1 class read-only authentication plain-text-password
- Optionally, display the configuration:
[edit]
crypto-officer@hostname:fips# edit system
[edit system]
crypto-officer@hostname:fips# show
login {
    user fips-user1 {
        uid 6401;
        authentication {
            encrypted-password " "; ## SECRET-DATA
        }
        class read-only;
    }
}
- If you are finished configuring the device, commit the configuration and exit:
[edit]
crypto-officer@hostname:fips# commit
commit complete
crypto-officer@hostname:fips# exit
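The show output in the two procedures above is easy to audit offline against the rules they state. The following script is an added example, not Juniper code: it parses a constructed show output in the same brace format, checks that every uid is unique and within the ranges the procedures give (100 through 64000 for a super-user Crypto Officer, 1 through 64000 otherwise), and flags any encrypted-password whose crypt-style prefix is not $5$ (SHA-256) or $6$ (SHA-512), the two hashes the guide says FIPS mode uses. The hash bodies in the sample are placeholders, not real digests.

```python
import re

# crypt(3)-style prefixes of Junos encrypted-password values: $1$ is MD5,
# $5$ is SHA-256 and $6$ is SHA-512. The guide states that FIPS mode hashes
# local passwords with SHA256 or SHA512, so only the last two are accepted.
FIPS_HASH_PREFIXES = ("$5$", "$6$")
UID_MIN, UID_MAX = 1, 64000          # range the guide gives for FIPS users
CRYPTO_OFFICER_UID_MIN = 100         # lower bound the guide gives for the Crypto Officer

USER_RE = re.compile(r"^\s*user\s+(\S+)\s*\{")
UID_RE = re.compile(r"^\s*uid\s+(\d+);")
CLASS_RE = re.compile(r"^\s*class\s+(\S+);")
PASSWORD_RE = re.compile(r'^\s*encrypted-password\s+"([^"]*)";')


def parse_login(show_output):
    """Parse the brace-format login stanza into {user: {uid, class, hash}}."""
    users, current = {}, None
    for line in show_output.splitlines():
        if m := USER_RE.match(line):
            current = m.group(1)
            users[current] = {"uid": None, "class": None, "hash": None}
        elif current is None:
            continue
        elif m := UID_RE.match(line):
            users[current]["uid"] = int(m.group(1))
        elif m := CLASS_RE.match(line):
            users[current]["class"] = m.group(1)
        elif m := PASSWORD_RE.match(line):
            users[current]["hash"] = m.group(1)
    return users


def audit_login(show_output):
    """Return findings for users that violate the uid and hash rules."""
    findings, owner = [], {}
    for name, user in parse_login(show_output).items():
        uid, cls, pw_hash = user["uid"], user["class"], user["hash"]
        if uid is None or not UID_MIN <= uid <= UID_MAX:
            findings.append(f"{name}: uid {uid} outside {UID_MIN}-{UID_MAX}")
        elif cls == "super-user" and uid < CRYPTO_OFFICER_UID_MIN:
            findings.append(f"{name}: super-user uid {uid} below {CRYPTO_OFFICER_UID_MIN}")
        if uid in owner:
            findings.append(f"{name}: uid {uid} already used by {owner[uid]}")
        owner.setdefault(uid, name)
        if pw_hash is None:
            findings.append(f"{name}: no encrypted-password configured")
        elif not pw_hash.startswith(FIPS_HASH_PREFIXES):
            findings.append(f"{name}: encrypted-password is not a SHA-256/SHA-512 (FIPS-compliant) hash")
    return findings


# Constructed sample in the format of "show" under [edit system]; the hash
# bodies are placeholders, not real digests.
SAMPLE_LOGIN = """\
login {
    user crypto-officer {
        uid 6400;
        authentication {
            encrypted-password "$6$placeholder$sha512hashbody"; ## SECRET-DATA
        }
        class super-user;
    }
    user fips-user1 {
        uid 6401;
        authentication {
            encrypted-password "$1$placeholder$md5hashbody"; ## SECRET-DATA
        }
        class read-only;
    }
    user fips-user2 {
        uid 6401;
        class read-only;
    }
}
"""

if __name__ == "__main__":
    for finding in audit_login(SAMPLE_LOGIN):
        print(finding)
```

The MD5 finding is the condition behind the "Encrypted password must be re-configured to use FIPS compliant hash" warning described in the FIPS enabling procedure: a configuration loaded from a non-FIPS device carries such hashes until the passwords are set again.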
Configuring SSH and Console Connection
Configuring SSH on the Evaluated Configuration
SSH through the remote management interface is allowed in the evaluated configuration. This topic describes how to configure SSH for remote management.
The following algorithms need to be configured to ensure FIPS-compliant SSH.
To configure SSH on the DUT:
- Specify the permissible SSH host-key algorithms for the system services.
[edit]
user@host# set system services ssh hostkey-algorithm ssh-ecdsa
user@host# set system services ssh hostkey-algorithm no-ssh-dss
user@host# set system services ssh hostkey-algorithm ssh-rsa
- Specify the SSH key-exchange methods for Diffie-Hellman keys for the system services.
[edit]
user@host# set system services ssh key-exchange dh-group14-sha1
user@host# set system services ssh key-exchange ecdh-sha2-nistp256
user@host# set system services ssh key-exchange ecdh-sha2-nistp384
user@host# set system services ssh key-exchange ecdh-sha2-nistp521
- Specify all the permissible message authentication code algorithms for SSHv2.
[edit]
user@host# set system services ssh macs hmac-sha1
user@host# set system services ssh macs hmac-sha2-256
user@host# set system services ssh macs hmac-sha2-512
- Specify the ciphers allowed for protocol version 2.
[edit]
user@host# set system services ssh ciphers aes128-cbc
user@host# set system services ssh ciphers aes256-cbc
user@host# set system services ssh ciphers aes128-ctr
user@host# set system services ssh ciphers aes256-ctr
user@host# set system services ssh ciphers aes192-cbc
user@host# set system services ssh ciphers aes192-ctr
Supported SSH hostkey algorithms:
ssh-ecdsa Allow generation of ECDSA host key
ssh-rsa Allow generation of RSA host key
Supported SSH key-exchange algorithms:
ecdh-sha2-nistp256 EC Diffie-Hellman on nistp256 with SHA2-256
ecdh-sha2-nistp384 EC Diffie-Hellman on nistp384 with SHA2-384
ecdh-sha2-nistp521 EC Diffie-Hellman on nistp521 with SHA2-512
Supported MAC algorithms:
hmac-sha1 Hash-based MAC using Secure Hash Algorithm (SHA1)
hmac-sha2-256 Hash-based MAC using Secure Hash Algorithm (SHA2)
hmac-sha2-512 Hash-based MAC using Secure Hash Algorithm (SHA2)
Supported SSH cipher algorithms:
aes128-cbc 128-bit AES with Cipher Block Chaining
aes128-ctr 128-bit AES with Counter Mode
aes192-cbc 192-bit AES with Cipher Block Chaining
aes192-ctr 192-bit AES with Counter Mode
aes256-cbc 256-bit AES with Cipher Block Chaining
aes256-ctr 256-bit AES with Counter Mode
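Because the evaluated configuration depends on every one of the four SSH knobs above being set to exactly these values, it is worth checking a configuration for drift before and after commits. The following audit script is an added example, not Juniper code: it reads the set-format statements, compares each knob's values with the lists given in this topic, and reports values outside those lists, knobs left unconfigured (so that device defaults apply), and a missing no-ssh-dss statement. The sample statements are constructed input, and the two non-evaluated names in them (curve25519-sha256, hmac-md5) are there only so the audit has something to find.

```python
# Added example: audit Junos "set" statements for the SSH service against the
# algorithm lists in the FIPS evaluated configuration. Not Juniper code.
EVALUATED = {
    "hostkey-algorithm": {"ssh-ecdsa", "ssh-rsa", "no-ssh-dss"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256",
                     "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "ciphers": {"aes128-cbc", "aes256-cbc", "aes128-ctr",
                "aes256-ctr", "aes192-cbc", "aes192-ctr"},
}
PREFIX = "set system services ssh "


def ssh_settings(config_lines):
    """Collect the configured value set for each of the four SSH knobs."""
    found = {knob: set() for knob in EVALUATED}
    for line in config_lines:
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        parts = line[len(PREFIX):].split()
        if len(parts) == 2 and parts[0] in found:
            found[parts[0]].add(parts[1])
    return found


def audit_ssh(config_lines):
    """Findings that keep the SSH service outside the evaluated configuration."""
    findings = []
    found = ssh_settings(config_lines)
    for knob, values in found.items():
        if not values:
            # Nothing configured: the device default list applies instead of
            # the explicit allow-list the procedure requires.
            findings.append(f"{knob}: not configured, device defaults apply")
            continue
        for value in sorted(values - EVALUATED[knob]):
            findings.append(f"{knob}: {value} is outside the evaluated set")
    if found["hostkey-algorithm"] and "no-ssh-dss" not in found["hostkey-algorithm"]:
        findings.append("hostkey-algorithm: no-ssh-dss is not set")
    return findings


# Constructed sample: one key-exchange method and one MAC outside the
# evaluated lists, no cipher statements, and no no-ssh-dss statement.
SAMPLE_CONFIG = """
set system services ssh hostkey-algorithm ssh-ecdsa
set system services ssh hostkey-algorithm ssh-rsa
set system services ssh key-exchange dh-group14-sha1
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange curve25519-sha256
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-md5
set system services ssh protocol-version v2
""".strip().splitlines()

if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show configuration | display set taken from the device; an empty result means every knob is explicitly constrained to the evaluated lists.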
Configuring MACsec
Understanding Media Access Control Security (MACsec) in FIPS Mode
Media Access Control Security (MACsec) is an industry-standard security technology (IEEE 802.1AE) that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.
MACsec allows you to secure a point-to-point Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.
MACsec is standardized in IEEE 802.1AE. The IEEE 802.1AE standard can be viewed on the IEEE organization website at IEEE 802.1: BRIDGING AND MANAGEMENT.
Each algorithm implementation is validated by a series of known answer tests (KAT) and cryptographic algorithm validation (CAV). The following cryptographic algorithms are added specifically for MACsec:
- Advanced Encryption Standard (AES)-Cipher-based Message Authentication Code (CMAC)
- Advanced Encryption Standard (AES) Key Wrap
For MACsec, in configuration mode, use the prompt command to enter the 64-hexadecimal-character secret key value used for authentication.
[edit]
crypto-officer@hostname:fips# prompt security macsec connectivity-association connectivity-association-name pre-shared-key cak
New cak (secret):
Retype new cak (secret):
Customizing Time
To customize the time, disable NTP and set the date.
- Disable NTP.
[edit]
crypto-officer@hostname:fips# delete groups global system ntp
crypto-officer@hostname:fips# delete system ntp
crypto-officer@hostname:fips# commit
crypto-officer@hostname:fips# exit
- Set the date and time. The date and time format is YYYYMMDDHHMM.ss
crypto-officer@hostname:fips> set date 201803202034.00
crypto-officer@hostname:fips> set cli timestamp
- Set the MACsec Key Agreement (MKA) secure channel details.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name direction (inbound | outbound)
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name encryption
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name id mac-address mac-address
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name id port-id port-id-number
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name offset (0|30|50)
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name security-association security-association-number key key-string
- Set MKA in security mode.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association connectivity-association-name security-mode security-mode
- Assign the configured connectivity association to the specified MACsec interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association connectivity-association-name
Configuring Static MACsec with ICMP Traffic
To configure static MACsec using ICMP traffic between device R0 and device R1:
On R0:
- Create the pre-shared key by configuring the connectivity association key name (CKN) and the connectivity association key (CAK).
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key cak 23456789223344556677889922233344
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 30
- Set the trace option values.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable MKA should-secure.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka should-secure
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.1/24
On R1:
- Create the pre-shared key by configuring the connectivity association key name (CKN) and the connectivity association key (CAK).
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key ckn 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key cak 23456789223344556677889922233344
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 30
- Set the trace option values.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA transmit interval.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable MKA should-secure.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka should-secure
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24
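The two halves of the procedure above only work if R0 and R1 agree on the CKN, the CAK and the offset, and if the key material has the lengths the guide uses (a 64-hexadecimal-character CKN, a CAK of 32 or 64 hexadecimal characters). The following helper is an added example, not Juniper code: it validates those values, emits the per-peer statement lists in the form the procedure shows (only the key-server side getting the key-server-priority statement), and compares the two lists for the parameters that must match. The interface name xe-0/0/0 is an assumption; the CKN and CAK values in the test are the ones from the procedure, and new_psk draws fresh ones from the operating system CSPRNG for generating keys out of band.

```python
import re
import secrets

HEX = re.compile(r"^[0-9a-fA-F]+$")
VALID_OFFSETS = (0, 30, 50)   # confidentiality offsets listed in this guide


def psk_problems(ckn, cak):
    """Length and character checks for the pre-shared key pair; the lengths
    are the ones used by the guide's examples (empty list means acceptable)."""
    problems = []
    if not (HEX.match(ckn) and len(ckn) == 64):
        problems.append("ckn must be 64 hexadecimal characters")
    if not (HEX.match(cak) and len(cak) in (32, 64)):
        problems.append("cak must be 32 or 64 hexadecimal characters")
    return problems


def new_psk(cak_bits=128):
    """Fresh random CKN/CAK from the OS CSPRNG (never a machine-guessable pattern)."""
    return secrets.token_hex(32), secrets.token_hex(cak_bits // 8)


def static_macsec_commands(ca, ckn, cak, interface, address, offset=30, key_server=False):
    """Statements for one peer of a static-cak connectivity association."""
    problems = psk_problems(ckn, cak)
    if problems:
        raise ValueError("; ".join(problems))
    if offset not in VALID_OFFSETS:
        raise ValueError(f"offset must be one of {VALID_OFFSETS}")
    base = f"set security macsec connectivity-association {ca}"
    cmds = [
        f"{base} pre-shared-key ckn {ckn}",
        f"{base} pre-shared-key cak {cak}",
        f"{base} offset {offset}",
        f"{base} security-mode static-cak",
        f"{base} mka transmit-interval 3000",
        f"{base} mka should-secure",
        f"{base} include-sci",
        f"set security macsec interfaces {interface} connectivity-association {ca}",
        f"set interfaces {interface} unit 0 family inet address {address}",
    ]
    if key_server:   # only one side of the link carries the explicit priority
        cmds.insert(4, f"{base} mka key-server-priority 1")
    return cmds


def shared_parameters(cmds):
    """Pull out the values both peers must agree on: ckn, cak and offset."""
    params = {}
    for cmd in cmds:
        parts = cmd.split()
        for field in ("ckn", "cak", "offset"):
            if field in parts:
                params[field] = parts[parts.index(field) + 1]
    return params


def peers_consistent(r0_cmds, r1_cmds):
    """True when R0 and R1 would negotiate with the same key material and offset."""
    return shared_parameters(r0_cmds) == shared_parameters(r1_cmds)


if __name__ == "__main__":
    ckn, cak = new_psk()
    r0 = static_macsec_commands("CA1", ckn, cak, "xe-0/0/0", "10.1.1.1/24", key_server=True)
    r1 = static_macsec_commands("CA1", ckn, cak, "xe-0/0/0", "10.1.1.2/24")
    print("\n".join(r0), "\n---\n", "\n".join(r1), sep="")
    print("peers consistent:", peers_consistent(r0, r1))
```

In production the CAK would be entered with the prompt command shown earlier rather than placed on the command line, so that the secret never lands in a shell or terminal history; the generator puts it into a set statement only because that is the form the procedure uses.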
Configuring MACsec with Keychain Using ICMP Traffic
To configure MACsec with a keychain using ICMP traffic between device R0 and device R1:
On R0:
- Specify the tolerance value in the authentication key chain.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as the CAK.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
Use the prompt command to enter the secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
New cak (secret):
Retype new cak (secret):
- Associate the pre-configured key name with the connectivity association.
[hlela] crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-sharedkey-chain macsec-kc1 crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50 crypto-officer@hostname:fips # setha ukuxhumana kwezokuphepha kwe-macsec-inhlangano CA1 cipher-suite gcm-aes-256
QAPHELA: Inani le-cipher lingasethwa futhi njenge-cipher-suite gcm-aes-128. - Setha amanani enketho yokulandelela.
[hlela] i-crypto-officer@hostname:fips# setha izindlela zokuphepha ze-macsec file I-MACsec.log crypto-officer@hostname:fips# setha ukuphepha kwe-macsec traceoptions file usayizi 4000000000 crypto-officer@hostname:fips# set security macsec traceoptions flag konke - Yabela umkhondo kusixhumi esibonakalayo. [hlela] crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe usayizi 1g crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag konke
- Lungiselela imodi yokuphepha ye-MACsec njenge-static-cak yenhlangano yokuxhumana. [hlela] crypto-officer@hostname:fips# set security macsec connectivity-association CA1 securitymode static-cak
- Setha okubalulekile kweseva yokhiye we-MKA.
[hlela] crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka keyserver-priority 1 - Setha isikhawu sokudlulisa se-MKA.
[hlela] crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmitinterval 3000 - Nika amandla i-MKA evikelekile.
[hlela] crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci - Yabela ukuhlotshaniswa kokuxhumana kusixhumi esibonakalayo.
[hlela] crypto-officer@hostname:fips# set security macsec interfaces interface-name Connectivityassociation CA1
crypto-officer@hostname:fips#
setha ukuxhumana-igama iyunithi 0 ikheli le-inet yomndeni 10.1.1.1/24
On R1:
- Assign a tolerance value (clock-skew tolerance, in seconds, applied at key rollover) to the authentication key chain.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as the CAK. The key-names, start-times and CAKs must be the same as on R0.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
Use the prompt command to enter the secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
New cak (secret):
Retype new cak (secret):
- Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace option values.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval (in milliseconds).
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable secure MKA by including the secure channel identifier (SCI) in MACsec frames.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
crypto-officer@hostname:fips# set interfaces interface-name unit 0 family inet address 10.1.1.2/24
Configuring Static MACsec for Layer 2 Traffic
To configure static MACsec for Layer 2 traffic between device R0 and device R1:
On R0:
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as the CAK. Use the prompt command so that the CAK is typed interactively rather than placed on the command line.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
- Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace option values.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval (in milliseconds).
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable secure MKA by including the secure channel identifier (SCI) in MACsec frames.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
- Configure VLAN tagging.
[edit]
crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
- Configure the bridge domain.
[edit]
crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1.100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2.100
On R1:
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as the CAK and must be the same value as on R0.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
- Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 offset 50
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace option values.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval (in milliseconds).
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable secure MKA by including the secure channel identifier (SCI) in MACsec frames.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
- Configure VLAN tagging.
[edit]
crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
- Configure the bridge domain.
[edit]
crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1.100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2.100
Configuring MACsec with Keychain for Layer 2 Traffic
To configure MACsec with a keychain for Layer 2 traffic between device R0 and device R1:
On R0:
- Assign a tolerance value (clock-skew tolerance, in seconds, applied at key rollover) to the authentication key chain.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as the CAK. Each key in the chain also has a key-name (the CKN, which is carried in MKA frames and is not secret) and a start-time from which it becomes the active key.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
Use the prompt command to enter the secret key value, so that the CAK is typed interactively rather than placed on the command line. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
New cak (secret):
Retype new cak (secret):
- Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace option values.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval (in milliseconds).
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable secure MKA by including the secure channel identifier (SCI) in MACsec frames.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
- Configure VLAN tagging.
[edit]
crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
- Configure the bridge domain.
[edit]
crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1.100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2.100
On R1:
- Assign a tolerance value (clock-skew tolerance, in seconds, applied at key rollover) to the authentication key chain.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 tolerance 20
- Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as the CAK. The key-names, start-times and CAKs must be the same as on R0.
[edit]
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 key-name 2345678922334455667788992223334445556667778889992222333344445551
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 0 start-time 2018-03-20.20:35
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 key-name 2345678922334455667788992223334445556667778889992222333344445552
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 1 start-time 2018-03-20.20:37
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 key-name 2345678922334455667788992223334445556667778889992222333344445553
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 2 start-time 2018-03-20.20:39
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 key-name 2345678922334455667788992223334445556667778889992222333344445554
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 3 start-time 2018-03-20.20:41
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 key-name 2345678922334455667788992223334445556667778889992222333344445555
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 4 start-time 2018-03-20.20:43
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 key-name 2345678922334455667788992223334445556667778889992222333344445556
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 5 start-time 2018-03-20.20:45
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 key-name 2345678922334455667788992223334445556667778889992222333344445557
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 6 start-time 2018-03-20.20:47
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 key-name 2345678922334455667788992223334445556667778889992222333344445558
crypto-officer@hostname:fips# set security authentication-key-chains key-chain macsec-kc1 key 7 start-time 2018-03-20.20:49
Use the prompt command to enter the secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.
[edit]
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 0 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 1 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 2 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 3 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 4 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 5 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 6 secret
New cak (secret):
Retype new cak (secret):
crypto-officer@hostname:fips# prompt security authentication-key-chains key-chain macsec-kc1 key 7 secret
New cak (secret):
Retype new cak (secret):
- Associate the pre-shared keychain name with the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 pre-shared-key-chain macsec-kc1
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 cipher-suite gcm-aes-256
- Set the trace option values.
[edit]
crypto-officer@hostname:fips# set security macsec traceoptions file MACsec.log
crypto-officer@hostname:fips# set security macsec traceoptions file size 4000000000
crypto-officer@hostname:fips# set security macsec traceoptions flag all
- Assign the trace to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions file mka_xe size 1g
crypto-officer@hostname:fips# set security macsec interfaces interface-name traceoptions flag all
- Configure the MACsec security mode as static-cak for the connectivity association.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 security-mode static-cak
- Set the MKA key server priority.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka key-server-priority 1
- Set the MKA transmit interval (in milliseconds).
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 mka transmit-interval 3000
- Enable secure MKA by including the secure channel identifier (SCI) in MACsec frames.
[edit]
crypto-officer@hostname:fips# set security macsec connectivity-association CA1 include-sci
- Assign the connectivity association to the interface.
[edit]
crypto-officer@hostname:fips# set security macsec interfaces interface-name connectivity-association CA1
- Configure VLAN tagging.
[edit]
crypto-officer@hostname:fips# set interfaces interface-name1 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name1 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name1 unit 100 vlan-id 100
crypto-officer@hostname:fips# set interfaces interface-name2 flexible-vlan-tagging
crypto-officer@hostname:fips# set interfaces interface-name2 encapsulation flexible-ethernet-services
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 encapsulation vlan-bridge
crypto-officer@hostname:fips# set interfaces interface-name2 unit 100 vlan-id 100
- Configure the bridge domain.
[edit]
crypto-officer@hostname:fips# set bridge-domains BD-110 domain-type bridge
crypto-officer@hostname:fips# set bridge-domains BD-110 vlan-id 100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name1.100
crypto-officer@hostname:fips# set bridge-domains BD-110 interface interface-name2.100
Configuring Event Logging
Event Logging Overview
The evaluated configuration requires the auditing of configuration changes through the system log.
In addition, Junos OS can:
- Send automated responses to audit events (syslog entry creation).
- Allow authorized managers to examine audit logs.
- Send audit files to external servers.
- Allow authorized managers to return the system to a known state.
Auditing of the evaluated configuration must capture the following events:
- Changes to secret key data in the configuration.
- Committed changes.
- Login/logout of users.
- System startup.
- Failure to establish an SSH session.
- Establishment/termination of an SSH session.
- Changes to (system) time.
- Termination of a remote session by the session locking mechanism.
- Termination of an interactive session.
In addition, Juniper Networks recommends that logging also:
- Capture all changes to the configuration.
- Store logging information remotely.
Configuring Event Logging to a Local File
You can configure the storing of audit information to a local file with the syslog statement. This example stores logs in a file named Audit-File:
[edit system]
syslog {
    file Audit-File;
}
Interpreting Event Messages
The following output shows a sample event message.
Feb 27 02:33:04 bm-a mgd[6520]: UI_LOGIN_EVENT: User 'security-officer' login, class 'j-superuser' [6520], ssh-connection '', client-mode 'cli'
Feb 27 02:33:49 bm-a mgd[6520]: UI_DBASE_LOGIN_EVENT: User 'security-officer' entering configuration mode
Feb 27 02:38:29 bm-a mgd[6520]: UI_CMDLINE_READ_LINE: User 'security-officer', command 'run show log Audit-File | grep LOGIN '
Table 4 on page 69 describes the fields for an event message. If the system logging utility cannot determine the value in a particular field, a hyphen ( - ) appears instead.
Table 4: Fields in Event Messages
Field | Description | Examples |
timestamp | Time at which the message was generated, in one of two representations: MMM-DD HH:MM:SS.MS+/-HH:MM is the month, day, hour, minute, second, and millisecond in local time; the hour and minute following the plus sign (+) or minus sign (-) is the offset of the local time zone from Coordinated Universal Time (UTC). YYYY-MM-DDTHH:MM:SS.MSZ is the year, month, day, hour, minute, second, and millisecond in UTC. | Feb 27 02:33:04 is the timestamp expressed as local time in the United States. 2012-02-27T03:17:15.713Z is 2:33 AM UTC on 27 Feb 2012. |
hostname | Name of the host that originally generated the message. | router1 |
process | Name of the Junos OS process that generated the message. | mgd |
processID | UNIX process ID (PID) of the Junos OS process that generated the message. | 4153 |
TAG | Junos OS system log message tag, which uniquely identifies the message. | UI_DBASE_LOGOUT_EVENT |
username | Username of the user initiating the event. | "admin" |
message-text | English-language description of the event. | set: [system radius-server 1.2.3.4 secret] |
Logging Changes to Secret Data
The following is an example of audit log details for events that change secret data. Whenever there is a change in the configuration, the syslog event should capture the logs below:
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin authentication encrypted-password]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin2 authentication encrypted-password]
Whenever the configuration is edited or changed, syslog should capture these logs:
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system radius-server 1.2.3.4 secret]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin2 authentication encrypted-password]
For more information about configuring parameters and managing log files, see the Junos OS System Log Messages Reference.
Login and Logout Events Using SSH
System log messages are generated whenever a user successfully or unsuccessfully attempts SSH access. Logout events are also recorded. For example, the following logs are the result of two failed authentication attempts, then a successful one, and finally a logout:
Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo mgd[16648]: UI_AUTH_EVENT: Authenticated user 'op' at permission level 'j-operator'
Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]
Dec 20 23:17:56 bilbo mgd[16648]: UI_CMDLINE_READ_LINE: User 'op', command 'quit '
Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout
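As an added illustration that is not part of the guide, the following Python script splits audit-log lines into the Table 4 fields and pulls out the events this chapter says must be audited: UI_CFG_AUDIT_SET_SECRET changes, SSH login failures and successes, and logouts. The sample lines, the two-failure review threshold and the function names are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the audit-log extracts in this chapter; the
# hostnames, PIDs and source address are the guide's own sample values.
SAMPLE_LOG = """\
Feb 27 02:33:04 bm-a mgd[6520]: UI_LOGIN_EVENT: User 'security-officer' login, class 'j-superuser' [6520], ssh-connection '', client-mode 'cli'
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]
Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout
"""

# One syslog line laid out as Table 4 describes it:
#   timestamp hostname process[processID]: TAG: message-text
# sshd lines carry no Junos TAG, so the TAG group is optional.
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<process>[^\s\[]+)\[(?P<pid>\d+)\]: "
    r"(?:(?P<tag>[A-Z][A-Z0-9_]+): )?(?P<text>.*)$"
)
LOGIN_RE = re.compile(r"^User '(?P<user>[^']+)' login, class '(?P<cls>[^']+)'")
LOGOUT_RE = re.compile(r"^User '(?P<user>[^']+)' logout")
SECRET_RE = re.compile(r"^User '(?P<user>[^']+)' (?P<op>\w+): \[(?P<path>[^\]]+)\]")
SSHD_RE = re.compile(
    r"^(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class Event:
    timestamp: str
    hostname: str
    process: str
    pid: int
    tag: Optional[str]
    text: str


def parse_line(line: str) -> Optional[Event]:
    """Split one line into the Table 4 fields; None if the line is not in that layout."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Event(m["timestamp"], m["hostname"], m["process"], int(m["pid"]),
                 m["tag"], m["text"])


def audit_findings(log_text: str, failed_threshold: int = 2) -> dict:
    """Pull out the events the evaluated configuration requires to be audited:
    secret-data changes, SSH login failures and successes, and session logout."""
    findings = {"secret_changes": [], "logins": [], "logouts": [],
                "ssh_failures": Counter(), "repeated_failures": []}
    for event in filter(None, map(parse_line, log_text.splitlines())):
        if event.tag == "UI_CFG_AUDIT_SET_SECRET":
            m = SECRET_RE.match(event.text)
            if m:
                # Junos logs only the configuration path of the secret, never its value
                findings["secret_changes"].append((m["user"], m["op"], m["path"]))
        elif event.tag == "UI_LOGIN_EVENT":
            m = LOGIN_RE.match(event.text)
            if m:
                findings["logins"].append((m["user"], m["cls"]))
        elif event.tag == "UI_LOGOUT_EVENT":
            m = LOGOUT_RE.match(event.text)
            if m:
                findings["logouts"].append(m["user"])
        elif event.process == "sshd":
            m = SSHD_RE.match(event.text)
            if m and m["result"] == "Failed":
                findings["ssh_failures"][(m["user"], m["src"])] += 1
    # Repeated failures from one (user, source) pair are what a reviewer wants
    # listed first; the threshold value is an assumption made for this example.
    findings["repeated_failures"] = [
        key for key, n in findings["ssh_failures"].items() if n >= failed_threshold
    ]
    return findings
```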
Logging of Audit Startup
The audit information logged includes startup of Junos OS. This in turn identifies the startup events of the audit system, which cannot be independently disabled or enabled. For example, if Junos OS is restarted, the audit log contains the following information:
Dec 20 23:17:35 bilbo syslogd: exiting on signal 14
Dec 20 23:17:35 bilbo syslogd: restart
Dec 20 23:17:35 bilbo syslogd /kernel: Dec 20 23:17:35 init: syslogd (PID 19128) exited with status=1
Dec 20 23:17:42 bilbo /kernel:
Dec 20 23:17:53 init: syslogd (PID 19200) started
Performing Self-Tests on a Device
Understanding FIPS Self-Tests
The cryptographic module enforces security rules to ensure that the Juniper Networks Junos operating system (Junos OS) in FIPS mode meets the security requirements of FIPS 140-2 Level 1. To validate the output of FIPS-approved cryptographic algorithms and test the integrity of some system modules, the device performs the following series of known answer tests (KATs):
- kernel_kats—KAT for kernel cryptographic routines
- md_kats—KAT for libmd and libc
- openssl_kats—KAT for the OpenSSL cryptographic implementation
- quicksec_kats—KAT for the QuickSec Toolkit cryptographic implementation
- ssh_ipsec_kats—KAT for the SSH IPsec Toolkit cryptographic implementation
- macsec_kats—KAT for the MACsec cryptographic implementation
The KAT self-tests are performed automatically at startup. Conditional self-tests are also performed automatically to verify digitally signed software packages, generated random numbers, RSA and ECDSA key pairs, and manually entered keys.
If the KATs are completed successfully, the system log (syslog) file is updated to display the tests that were executed.
If there is a KAT failure, the device writes the details to the system log file, enters the FIPS error state (panic), and reboots.
The file show /var/log/messages command displays the system log.
You can also rerun the FIPS self-tests by issuing the request vmhost reboot command. You can view the FIPS self-test logs on the console when the system comes up.
Example: Configure FIPS Self-Tests
This example shows how to configure the FIPS self-tests to run at a periodic interval.
Hardware and Software Requirements
- You must have administrative privileges to configure the FIPS self-tests.
- The device must be running an evaluated version of the Junos OS in FIPS mode software.
Overview
The FIPS self-tests consist of the following suites of known answer tests (KATs):
- kernel_kats—KAT for kernel cryptographic routines
- md_kats—KAT for libmd and libc
- quicksec_kats—KAT for the QuickSec Toolkit cryptographic implementation
- openssl_kats—KAT for the OpenSSL cryptographic implementation
- ssh_ipsec_kats—KAT for the SSH IPsec Toolkit cryptographic implementation
- macsec_kats—KAT for the MACsec cryptographic implementation
In this example, the FIPS self-tests are performed at 9:00 AM in New York City, USA, every Wednesday.
NOTE: Instead of weekly testing, you can configure monthly testing by including the month and day-of-month statements.
If a KAT self-test fails, a log message is written to the system log messages file with the details of the test failure. The system then panics and reboots.
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set system fips self-test periodic start-time 09:00
set system fips self-test periodic day-of-week 3
Step-by-Step Procedure
To configure the FIPS self-tests, log in to the device with crypto-officer credentials:
- Configure the FIPS self-tests to run at 9:00 AM every Wednesday.
[edit system fips self-test]
crypto-officer@hostname:fips# set periodic start-time 09:00
crypto-officer@hostname:fips# set periodic day-of-week 3
- When you are done configuring the device, commit the configuration.
[edit system fips self-test]
crypto-officer@hostname:fips# commit
Results
From configuration mode, confirm your configuration by issuing the show system command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
crypto-officer@hostname:fips# show system
fips {
    self-test {
        periodic {
            start-time "09:00";
            day-of-week 3;
        }
    }
}
Verification
Confirm that the configuration is working properly.
Verifying the FIPS Self-Tests
Purpose
Verify that the FIPS self-tests are enabled.
Action
Start the FIPS self-tests manually by issuing the request system fips self-test command, or reboot the device.
After issuing the request system fips self-test command or rebooting the device, the system log file is updated to display the KATs that were executed. To view the system log file, issue the file show /var/log/messages command.
user@host# file show /var/log/messages
RE KATS:
mgd: Running FIPS Self-tests
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-384 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: Testing MACSec KATS:
mgd: AES128-CMAC Known Answer Test: Passed
mgd: AES256-CMAC Known Answer Test: Passed
mgd: AES-ECB Known Answer Test: Passed
mgd: AES-KEYWRAP Known Answer Test: Passed
mgd: KBKDF Known Answer Test: Passed
mgd: Testing libmd KATS:
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: SHA-2-512 Known Answer Test: Passed
mgd: Testing OpenSSL KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: FIPS ECDSA Known Answer Test: Passed
mgd: FIPS ECDH Known Answer Test: Passed
mgd: FIPS RSA Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-SSH-SHA256 Known Answer Test: Passed
mgd: KAS-ECC-EPHEM-UNIFIED-NOKC Known Answer Test: Passed
mgd: KAS-FFC-EPHEM-NOKC Known Answer Test: Passed
mgd: Testing QuickSec 7.0 KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: SSH-ECDSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing QuickSec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-224 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: HMAC-SHA2-384 Known Answer Test: Passed
mgd: HMAC-SHA2-512 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: KDF-IKE-V2 Known Answer Test: Passed
mgd: Testing SSH IPsec KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: DES3-CBC Known Answer Test: Passed
mgd: HMAC-SHA1 Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: AES-CBC Known Answer Test: Passed
mgd: SSH-RSA-ENC Known Answer Test: Passed
mgd: SSH-RSA-SIGN Known Answer Test: Passed
mgd: KDF-IKE-V1 Known Answer Test: Passed
mgd: Testing file integrity:
mgd: File integrity Known Answer Test: Passed
mgd: Testing crypto integrity:
mgd: Crypto integrity Known Answer Test: Passed
mgd: Expect an exec Authentication error...
MAC/veriexec: no fingerprint (file=/sbin/kats/cannot-exec fsid=246 fileid=49356 gen=1 uid=0 pid=9384 ppid=9354 gppid=9352)
mgd: /sbin/kats/run-test: /sbin/kats/cannot-exec: Authentication error
mgd: FIPS Self Tests Passed
LC KATS:
Sep 12 10:50:44 network_macsec_kats_input xe- /0/0:0: cha> pic:0 port:0 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:50:50 network_macsec_kats_input xe- /0/1:0: cha> pic:0 port:1 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:50:55 network_macsec_kats_input xe- /0/0:0: cha> pic:0 port:0 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:50:56 network_macsec_kats_input xe- /0/2:0: cha> pic:0 port:2 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:01 network_macsec_kats_input xe- /0/1:0: cha> pic:0 port:1 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:02 network_macsec_kats_input xe- /0/2:0: cha> pic:0 port:2 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:06 network_macsec_kats_input xe- /0/3:0: cha> pic:0 port:3 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:12 network_macsec_kats_input xe- /0/3:0: cha> pic:0 port:3 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:17 network_macsec_kats_input xe- /0/4:0: cha> pic:0 port:4 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:17 network_macsec_kats_input xe- /0/4:0: cha> pic:0 port:4 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:26 network_macsec_kats_input xe- /0/5:0: cha> pic:0 port:5 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:27 network_macsec_kats_input xe- /0/5:0: cha> pic:0 port:5 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:36 network_macsec_kats_input xe- /0/6:0: cha> pic:0 port:6 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:36 network_macsec_kats_input xe- /0/6:0: cha> pic:0 port:6 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:44 network_macsec_kats_input xe- /0/7:0: cha> pic:0 port:7 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:44 network_macsec_kats_input xe- /0/7:0: cha> pic:0 port:7 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:51 network_macsec_kats_input xe- /0/8:0: cha> pic:0 port:8 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:51 network_macsec_kats_input xe- /0/8:0: cha> pic:0 port:8 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:51:58 network_macsec_kats_input xe- /0/9:0: cha> pic:0 port:9 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:51:58 network_macsec_kats_input xe- /0/9:0: cha> pic:0 port:9 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:05 network_macsec_kats_input xe- /0/10:0: slot no> pic:0 port:10 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:05 network_macsec_kats_input xe- /0/10:0: slot no> pic:0 port:10 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:12 network_macsec_kats_input xe- /0/11:0: slot no> pic:0 port:11 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:12 network_macsec_kats_input xe- /0/11:0: slot no> pic:0 port:11 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:20 network_macsec_kats_input xe- /1/0:0: cha> pic:1 port:0 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:20 network_macsec_kats_input xe- /1/0:0: cha> pic:1 port:0 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:27 network_macsec_kats_input xe- /1/1:0: cha> pic:1 port:1 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:52:28 network_macsec_kats_input xe- /1/1:0: cha> pic:1 port:1 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:52:34 network_macsec_kats_input xe- /1/2:0: cha> pic:1 port:2 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Meaning
The system log file displays the date and time the KATs were executed and their status.
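Added example, not from the guide: a Python check over constructed excerpts of the self-test log that groups the Routing Engine KATs by suite, flags any test that did not pass or a run that never reached the closing "FIPS Self Tests Passed" line, and confirms that every line-card port reported a passed encryption and decryption KAT. The excerpts and the function names are assumptions made for this example.

```python
import re

# Constructed excerpt modelled on the /var/log/messages output above
# (a real run lists many more tests per suite).
RE_KATS_OK = """\
mgd: Running FIPS Self-tests
mgd: Testing kernel KATS:
mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
mgd: HMAC-SHA2-256 Known Answer Test: Passed
mgd: Testing OpenSSL KATS:
mgd: FIPS RSA Known Answer Test: Passed
mgd: AES-GCM Known Answer Test: Passed
mgd: Testing file integrity:
mgd: File integrity Known Answer Test: Passed
mgd: Expect an exec Authentication error...
mgd: /sbin/kats/run-test: /sbin/kats/cannot-exec: Authentication error
mgd: FIPS Self Tests Passed
"""
# Same excerpt with one KAT failed; a real failure is followed by a panic and
# reboot, so the closing "FIPS Self Tests Passed" line never appears.
RE_KATS_BAD = RE_KATS_OK.replace(
    "AES-GCM Known Answer Test: Passed", "AES-GCM Known Answer Test: Failed"
).replace("mgd: FIPS Self Tests Passed\n", "")

# Line-card MACsec KATs, one line per direction per port (constructed; port 1 is
# missing its decryption line on purpose).
LC_KATS = """\
Sep 12 10:50:44 network_macsec_kats_input xe-0/0/0:0: pic:0 port:0 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
Sep 12 10:50:55 network_macsec_kats_input xe-0/0/0:0: pic:0 port:0 chan:0 FIPS AES-256-GCM MACsec KATS decryption passed
Sep 12 10:50:50 network_macsec_kats_input xe-0/0/1:0: pic:0 port:1 chan:0 FIPS AES-256-GCM MACsec KATS encryption passed
"""

SUITE_RE = re.compile(r"^mgd: Testing (?P<suite>.+?)(?: KATS)?:$")
KAT_RE = re.compile(r"^mgd: (?P<name>.+?) Known Answer Test: (?P<status>\w+)$")
FINAL_LINE = "mgd: FIPS Self Tests Passed"
LC_RE = re.compile(
    r"pic:(?P<pic>\d+) port:(?P<port>\d+) chan:(?P<chan>\d+) FIPS \S+ MACsec KATS "
    r"(?P<direction>encryption|decryption) (?P<status>\w+)$"
)


def check_re_kats(text: str) -> dict:
    """Group the Routing Engine KAT lines by suite and report any that did not pass.
    The veriexec 'Authentication error' lines are intentional (the self-test tries
    to run the unsigned binary /sbin/kats/cannot-exec) and are not counted."""
    suites, failed, finished = {}, [], False
    current = "(no suite)"
    for line in text.splitlines():
        m = SUITE_RE.match(line)
        if m:
            current = m["suite"]
            suites.setdefault(current, {})
            continue
        m = KAT_RE.match(line)
        if m:
            suites.setdefault(current, {})[m["name"]] = m["status"]
            if m["status"] != "Passed":
                failed.append((current, m["name"]))
        elif line == FINAL_LINE:
            finished = True
    return {"suites": suites, "failed": failed, "ok": finished and not failed}


def check_lc_kats(text: str) -> dict:
    """Require a passed encryption and a passed decryption KAT for every
    (pic, port, chan) that reported at all."""
    ports = {}
    for line in text.splitlines():
        m = LC_RE.search(line)
        if m:
            key = (int(m["pic"]), int(m["port"]), int(m["chan"]))
            ports.setdefault(key, {})[m["direction"]] = m["status"]
    incomplete = sorted(
        key for key, res in ports.items()
        if res.get("encryption") != "passed" or res.get("decryption") != "passed"
    )
    return {"ports": ports, "incomplete": incomplete}


if __name__ == "__main__":
    print(check_re_kats(RE_KATS_OK)["ok"], check_re_kats(RE_KATS_BAD)["failed"])
    print(check_lc_kats(LC_KATS)["incomplete"])
```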
Operational Commands
Syntax
request system zeroize
Description
On the RE1800, erase all configuration information on the Routing Engines and reset all key values. If the device has dual Routing Engines, the command is broadcast to all Routing Engines on the device. The command removes all data files, including customized configuration and log files, by unlinking the files from their directories. The command removes all user-created files from the system, including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP.
This command reboots the device and sets it to the factory default configuration. After the reboot, you cannot access the device through the management Ethernet interface. Log in through the console as root and start the Junos OS CLI by typing cli at the prompt.
Required Privilege Level
maintenance
request vmhost zeroize no-forwarding
Syntax
request vmhost zeroize no-forwarding
Description
On the REMX2K-X8, erase all configuration information on the Routing Engines and reset all key values. If the device has dual Routing Engines, the command is broadcast to both Routing Engines on the device.
The command removes all data files, including customized configuration and log files, by unlinking the files from their directories. The command removes all user-created files from the system, including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP.
This command reboots the device and sets it to the factory default configuration. After the reboot, you cannot access the device through the management Ethernet interface. Log in through the console as the root user and start the Junos OS CLI by typing cli at the prompt.
Sample Output
request vmhost zeroize no-forwarding
user@host> request vmhost zeroize no-forwarding
VMHost Zeroization : Erase all data, including configuration and log files ?
[yes,no] (no) yes
re0:
warning: Vmhost will reboot and may not boot without configuration
warning: Proceeding with vmhost zeroize
Zeroize secondary internal disk
Proceeding with zeroize on secondary disk
Mounting device to prepare for zero...
Wiping the target disk to prepare for zero
Zeroize done on secondary disk.
Zeroize secondary disk completed
Zeroize primary internal disk
Proceeding with zeroize on primary disk
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_dsa_key
Mounting device to prepare for zero...
Wiping the target disk to prepare for zero
Zeroize done on primary disk.
Zeroize primary disk completed
Zeroize done
---(more)--- Stopping cron.
Waiting for PIDS: 6135.
.
Feb 16 14:59:33 jlaunchd: periodic-packet-services (PID 6181) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: smg-service (PID 6234) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: application-identification (PID 6236) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: ifstate-tracing-process (PID 6241) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: resource-management (PID 6243) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: chassis-control (PID 6246) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: license-service (PID 6255) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: ntp (PID 6620) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: gkd-chassis (PID 6621) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: gkd-lchassis (PID 6622) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: routing (PID 6625) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: sonet-aps (PID 6626) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: remote-operations (PID 6627) terminate signal 15 sent
Feb 16 14:59:33 jlaunchd: class-of-service
........