enco

7/27/2019 enco

1/50

Chapter 18

Compression and Encryption Services

Introduction ................................................................................................. 18-2

Data Compression ....................................................................................... 18-2Data Encryption ........................................................................................... 18-4Symmetrical Encryption ......................................................................... 18-5Asymmetrical (Public Key) Encryption ..................................................... 18-6Network Encryption ............................................................................... 18-6

Authentication ............................................................................................. 18-7Key Exchange Algorithms ............................................................................ 18-8Hardware Support ....................................................................................... 18-9

Mini Accelerator (MAC) Cards and PCI Accelerator Cards (PACs) ........... 18-9Hardware Control and Monitoring ....................................................... 18-10

ENCO Support for IPv6 .............................................................................. 18-10ENCO Services ........................................................................................... 18-11

Compression ....................................................................................... 18-12Encryption ........................................................................................... 18-13Authentication .................................................................................... 18-13Diffie-Hellman Key Exchange Algorithm .............................................. 18-13Key Creation and Storage .................................................................... 18-14

Access Control ........................................................................................... 18-16User Modules ............................................................................................ 18-17

IP Payload Encryption and Virtual Private Networks .............................. 18-17Secure Shell ......................................................................................... 18-17PPP ...................................................................................................... 18-17Frame Relay ......................................................................................... 18-18X.25 Link Compression ........................................................................ 18-18

Command Reference ................................................................................. 18-19

CREATE ENCO KEY .............................................................................. 18-19DESTROY ENCO KEY ........................................................................... 18-21DISABLE ENCO COMPSTATISTICS ........................................................ 18-22DISABLE ENCO DEBUGGING ............................................................... 18-22ENABLE ENCO COMPSTATISTICS ......................................................... 18-23ENABLE ENCO DEBUGGING ................................................................ 18-23RESET ENCO COUNTER ....................................................................... 18-23SET ENCO DHPRIORITY ........................................................................ 18-24SET ENCO KEY .................................................................................... 18-25SET ENCO SW ..................................................................................... 18-26SHOW ENCO ....................................................................................... 18-27SHOW ENCO CHANNEL ...................................................................... 18-28

SHOW ENCO COUNTER ...................................................................... 18-33SHOW ENCO KEY ............................................................................... 18-48

7/27/2019 enco

2/50

18-2 AR Series Router Software Reference

Software Release 2.4.1C613-03047-00 REV A

Introduction

This chapter describes the data compression and data security servicesavailable on the router, how the services are provided, the router networkfunctions which use these services, and how to monitor the services.

The ENCO module provides the following data compression and data securityservices to other router software modules (referred to as user modules):

data compression

data encryption

data authentication

Diffie-Hellman key exchange

key creation and storage

See Data Compression on page 18-2,Data Encryption on page 18-4,

Authentication on page 18-7 and Key Exchange Algorithms on page 18-8 foran overview of these services. See ENCO Services on page 18-11 for adescription of how these services are provided by the ENCO module.

The ENCO module can utilise the presence of a Mini Accelerator (MAC) cardor a PCI Accelerator Card (PAC) to enhance the performance of someencryption and compression services. See Hardware Support on page 18-9 formore information about how the ENCO module uses hardware resources. Seethe Hardware Reference for more information about MAC or PAC cardhardware.

Data Compression

Data compression for routers is driven by the high cost ofwide area network(WAN) access and user demands for increased bandwidth. The cost of WANaccess is a significant part of the cost of providing a data network and the useof data compression on networks can result in significant savings.Compression increases the effective throughput of data across a network linkby reducing the size of packets. This allows more packets to be transmittedover the link in the same time interval, or the same number of packets to betransmitted over a slower (and cheaper) link in the same time interval.

Data compression works by identifying redundancy in the data and producingan encoded form which is smaller yet contains all the information required torecreate the original data. This is called lossless data compression, as opposed tovoice and video compression which, due to their analog nature, normally uselossy data compression algorithms. Most modern high performance datacompression techniques use variations of the Lempel-Ziv algorithm. Thisalgorithm compresses data by maintaining data histories at the compressionand decompression ends of the link. These histories contain the most recentdata which has been transmitted on a data link. The data to be compressed iscompared against the history to find any common sequences. If a match isfound, a reference to the position of the matching sequence in the history issent instead of the data sequence itself. Compression is achieved because the

7/27/2019 enco

3/50

Compression and Encryption Services 18-3


reference is smaller than the sequence it represents. The algorithm is adaptive,adjusting automatically to produce the best compression ratio for the contentof the data being compressed. Typically a checksum is also added to the databefore compression to allow the validity of the data to be checked ondecompression.

It is impossible to compress all possible data streams. A stream of totally random datahas no redundancy and therefore can not be compressed. Similarly, data which hasalready been compressed is unlikely to be further compressed. Some compressionalgorithms, such as the STAC LZS algorithm, cause uncompressable data to expandduring the compression process.

Network data compression can be divided into three categorieslinkcompression, payload compression and header compression.

Link Compression

Link compression has traditionally been provided by an external deviceconnected between a router port and the WAN access device. The maindisadvantages of external compression devices are that they require a separateconnection to each router port requiring compression and to each WAN accessdevice, and they can not be managed from within the routers managementstructure.

Link compression operates by compressing the whole data stream, includingthe network layer packet headers used for routing. This means that the packetheader is no longer accessible by intermediate routers which do not supportthe particular compression algorithm. Even if an intermediate router doessupport the particular compression algorithm, packets must be decompressedand re-compressed at each router so that the packet headers can be read. Thisplaces an additional load on the router and results in high latency.Consequently, external link compression is normally only used in point-to-point configurations where the local and remote routers are directly connected,without any intermediate routers.

Integrating the compression function into the router enables a singlecompression resource to support the compression of multiple links over anyrouter interface, replacing multiple external compression devices. Integrationalso allows the router to support protocols such as PPP multilink, which canspread data from one compression channel across multiple physical links. Thecompression process can be configured and monitored using the routers ownmanagement interface, instead of a separate management system used only for

the external compression device.

See Chapter 36 Link Compression and Encryptionfor more information aboutconfiguring link compression on the router.

Payload Compression

Payload compression is used to compress packet data at the network layer,without changing the packet header. Since the routing information remainsunchanged the packet can be carried across a routed network, such as theInternet, without requiring the intermediate routers to support thecompression algorithm or have any knowledge about how to access the

compressed data.
http://linkce.pdf/http://linkce.pdf/http://linkce.pdf/

7/27/2019 enco

4/50



Payload compression is usually not as efficient as link compression due to thefact that each packet must be compressed with no reference to any otherpacketas packets may be lost or re-ordered while traversing the network.This means that the compression history must be cleared before compressing apacket, losing any advantage gained from compressing the previous packets.Only large packets or packets containing highly compressible data benefitgreatly from payload compression.

The main benefit of payload compression over link-layer compression is incombination with payload encryption. Compressing data after it has beenencrypted is a pointless exercise, as encrypted data is not compressible. Whenpayload encryption is being used, payload compression can be performedbefore encryption, giving useful compression in some cases. Such functionalityis difficult for an external device to achieve, since the device needs tounderstand the network layer protocol to determine which part of the packet tocompress or decompress.

See Chapter 37 IP Security (IPsec) for more information about configuringpayload compression on the router.

Header Compression

Van Jacobsons header compression algorithm (defined in RFC 1144) can beused in TCP/IP networks to compress the standard 40-byte TCP/IP header ofTCP packets down to 5 bytes (sometimes even down to 3 bytes). This producesa significant performance improvement when the majority of traffic consists ofsmall packets. Because the router processor must perform the compressioncalculations this method is normally recommended for lower speed (less than64 kbps) links. Van Jacobsons header compression applies only to TCP packetscarried over Point-to-Point Protocol (PPP) links and can not be used with otherencapsulations (such as Frame Relay) or with other routing protocols such as

Novell IPX and DECnet. The ENCO module is not required for headercompression.

See Chapter 8 Internet Protocol (IP) for more information about configuringVan Jacobsons header compression.

Data Encryption

Data encryption for routers is driven by the need for organisations to keepsensitive data private and secure. Encrypting network data before it is passed

to the wide area network (WAN) ensures that the data can not be read ormodified as it traverses the WAN. Since all wide area traffic passes through therouter, the router is the ideal place to locate the complex hardware required toprovide secure data encryption. Locating the encryption function in thenetwork router and integrating the complex encryption key managementprocedures into the routers management system minimises the cost ofsupporting an encrypted network.

Data encryption operates by applying an encryption algorithm and key to theoriginal data (the plaintext) to convert it into an encrypted form (theciphertext). The ciphertext produced by encryption is a function of thealgorithm used and the key. Since it is easy to discover what type of algorithm

is being used the security of an encryption system relies on the secrecy of itskey information. When the ciphertext is received by the remote router thedecryption algorithm and key are used to recover the original plaintext. Often achecksum is also added to the data before encryption to allow the validity ofthe data to be checked on decryption.
http://ipsec.pdf/http://ip.pdf/http://ip.pdf/http://ipsec.pdf/

7/27/2019 enco

5/50



There are two main classes of encryption algorithm in usesymmetricalencryption and asymmetrical encryption.

Symmetrical Encryption

Symmetrical encryption refers to algorithms in which a single key is used forboth the encryption and decryption processes. Anyone who has access to thekey used to encrypt the plaintext can decrypt the ciphertext. Because theencryption key must be kept secret to protect the data these algorithms are alsocalled private, or secret key algorithms. The key can be any value of theappropriate length.

DES Encryption Algorithms

The most common symmetrical encryption system is the Data EncryptionStandard (DES) algorithm (FIPS PUB 46). The DES algorithm has withstood thetest of time and proved itself to be a highly secure encryption algorithm. Tofully conform to the DES standard the actual data encryption operations must

be carried out in hardware. Software implementations can only be DES-compatible, not DES-compliant. The DES algorithm has a key length of 56 bitsand operates on 64-bit blocks of data. DES can be used in a number of modes:

Electronic Code Book (ECB) is the fundamental DES function. Plaintext isdivided into 64-bit blocks which are encrypted with the DES algorithm andkey. For a given input block of plaintext ECB will always produce the sameblock of ciphertext.

Cipher Block Chaining (CBC) is the most popular form of DESencryption. CBC also operates on 64-bit blocks of data, but includes afeedback step which chains consecutive blocks so that repetitive plaintextdata (such as ASCII blanks) does not yield identical ciphertext. CBC also

introduces a dependency between data blocks which protects againstfraudulent data insertion and replay attacks. The feedback for the firstblock of data is provided by a 64-bit Initialisation Vector (IV). This is theDES mode used for the routers data encryption process.

Cipher FeedBack (CFB) is an additive stream cipher method which usesDES to generate a pseudo-random binary stream which is combined withthe plaintext to produce the ciphertext. The ciphertext is then fed back toform a portion of the next DES input block.

Output FeedBack (OFB) combines the first IV with the plaintext to formciphertext. The ciphertext is then used as the next IV.

The DES algorithm has been optimised to produce very high speed hardware

implementations, making it ideal for networks where high throughput and lowlatency are essential.

Triple DES Encryption Algorithms

The Triple DES (3DES) encryption algorithm is a simple variant on the DESCBC algorithm. The DES function is replaced by three rounds of that function,an encryption followed by a decryption followed by an encryption. This can bedone by using either two DES keys (112-bit key) or three DES keys (168-bitkey).

The two-key algorithm encrypts the data with the first key, decrypts it with the

second key and then encrypts the data again with the first key. The three-keyalgorithm uses a different key for each step. The three-key algorithm is themost secure algorithm due to the longer key length.

7/27/2019 enco

6/50



There are several modes in which Triple DES encryption can be performed. Thetwo most common modes are:

Inner CBC mode encrypts the entire packet in CBC mode three times, andrequires three different initialisation vectors (IVs).

Outer CBC mode triple encrypts each 8-byte block of a packet in CBCmode three times and requires one IV.

Asymmetrical (Public Key) Encryption

Asymmetrical encryption algorithms use two keysone for encryption andone for decryption. The encryption key is called the public key because it cannot be used to decrypt a message and therefore does not have to be kept secret.Only the decryption, or private key needs to be kept secret. The other name forthis type of algorithm is public key encryption. The public and private key paircan not be randomly assigned but must be generated together. In a typicalscenario, a decryption station will generate a key pair and then distribute thepublic key to encrypting stations. This distribution need not be kept secret, but

must be protected against the substitution of the public key by a maliciousthird party. Another use for asymmetrical encryption is as a digital signature.The signature station publishes its public key, and then signs its messages bydecrypting them with its private key. To verify the source of a message thereceiver encrypts the messages with the published public key. If the messagethat results is valid then the signing station is authenticated as the source of themessage.

The most common asymmetrical encryption algorithm is RSA. RSA utilisesmathematical operations which are relatively easy to calculate in one directionbut which have no known reverse solution. The security of RSA relies on thedifficulty of factoring the modulus of the RSA key. Because typical key lengths

of 512 bits or greater are used in public key encryption systems, decryptingRSA encrypted messages is almost impossible with current technology.

Asymmetrical encryption algorithms require enormous computationalresources, making them very slow when compared to symmetrical algorithms.For this reason they are normally only used on small blocks of data (e.g.exchanging symmetrical algorithm keys), and not for entire data streams.

Network Encryption

Network data encryption can be divided into two categorieslink encryptionand payload encryption.

Link Encryption

Link encryption has traditionally been provided by an external deviceconnected between a router port and the WAN access device. The maindisadvantages of external encryption devices are that they require a separateconnection to each router port requiring encryption and to each WAN accessdevice, they can not be managed from within the routers managementstructure, and they normally dont support dial-up interfaces such as ISDN.

Link encryption operates by encrypting the whole data stream, including thenetwork layer packet headers used for routing. This means that the packetheader is no longer accessible by intermediate routers which do not supportthe particular encryption algorithm. Even if an intermediate router doessupport the particular encryption algorithm, packets must be decrypted and

7/27/2019 enco

7/50



re-encrypted at each router so that the header can be read. This places anadditional load on the router and results in high latency. Consequently,external link encryption is normally only used in point-to- point configurationswhere the local and remote routers are directly connected without anyintermediate routers.

Integrating the encryption function into the router enables a single encryption

resource to support the encryption of multiple links over any router interface,replacing multiple external encryption devices. Integration also allows therouter to support protocols such as PPP multilink, which can spread data fromone encryption channel across multiple physical links. The encryption processcan be configured and monitored using the routers own managementinterface, instead of a separate management system used only for the externalencryption device.

See Chapter 36 Link Compression and Encryptionfor more information aboutconfiguring link compression on the router.

Payload Encryption

Payload encryption is used to encrypt packet data at the network layer,without changing the packet header. Since the routing information remainsunchanged the packet can be carried across a routed network, such as aninternet, without requiring the intermediate routers to support the encryptionalgorithm or have any knowledge about how to access the secure data. Thisallows insecure internets to be used to form a highly secure network for thetransport of sensitive information. As well as preventing unauthorised viewingand modification of the data, payload encryption can also be used to preventunauthorised access into the network. Only a router which has knowledge ofthe secret encryption keys is capable of accessing the network. All other accessattempts will decrypt incorrectly and be discarded. Such functionality is verydifficult for an external device to achieve, since the device would need an

understanding of the network layer protocol before it could tell which part ofthe packet to encrypt or decrypt.

See Chapter 37 IP Security (IPsec) for more information about configuringpayload compression on the router.

Authentication

Data authentication for routers is driven by the need for organisations to verify

that sensitive data has not been altered. Authenticating network data before itis passed to the wide area network (WAN) ensures that the data can not bealtered as it traverses the WAN. Since all wide area traffic passes through therouter, the router is the ideal place to locate the complex processing required toprovide secure data authentication. Locating the authentication function in thenetwork router and integrating the complex authentication key managementprocedures into the routers management system minimises the cost ofsupporting an authenticated network.

Data authentication operates by calculating a Message Authentication Code(MAC), commonly referred to as a hash, of the original data and appending it tothe message. The MAC produced is a function of the algorithm used and the

key. Since it is easy to discover what type of algorithm is being used thesecurity of an authentication system relies on the secrecy of its key information.When the message is received by the remote router another MAC is calculated
http://linkce.pdf/http://linkce.pdf/http://ipsec.pdf/http://ipsec.pdf/http://linkce.pdf/

7/27/2019 enco

8/50



and checked against the MAC appended to the message. If the two MACs areidentical the message is authentic.

Typically a MAC is calculated using a keyed one-way hash algorithm. A keyedone-way hash function operates on an arbitrary-length message and a key andreturns a fixed length hash. The properties which make the hash function one-way are:

it is easy to calculate the hash from the message and the key

it is very hard to compute the message and the key from the hash

it is very hard to find another message and key which give the same hash

The two most commonly used one-way hash algorithms are MD5 (MessageDigest 5, defined in RFC 1321) and SHA-1 (Secure Hash Algorithm, defined inFIPS-180-1). MD5 returns a 128-bit hash and SHA-1 returns a 160-bit hash.MD5 is faster in software than SHA-1, but SHA-1 is generally regarded to beslightly more secure.

HMAC is a mechanism for calculating a keyed Message Authentication Codewhich can use any one-way hash function. It allows for keys to be handled thesame way for all hash functions and it allows for different sized hashes to bereturned.

Another method of calculating a MAC is to use a symmetric block cypher suchas DES in CBC mode. This is done by encrypting the message and using thelast encrypted block as the MAC and appending this to the original message(plain-text). Using CBC mode ensures that the whole message affects theresulting MAC. See DES Encryption Algorithms on page 18-5 for moreinformation about DES in CBC mode.

See Chapter 37 IP Security (IPsec) for more information about configuring

authentication on the router.

Key Exchange Algorithms

Key exchange algorithms are used by routers to securely generate andexchange encryption and authentication keys with other routers. Without keyexchange algorithms, encryption and authentication session keys must bemanually changed by the system administrator. If it is not possible to gainphysical access to all routers in the secure network, it is virtually impossible to

do this securely. Key exchange algorithms enable routers to re-generate sessionkeys automatically and on a frequent basis.

The most important property of any key exchange algorithm is that only thenegotiating parties are able to decode or generate the shared secret. Because ofthis requirement, public key cryptography plays an important role in keyexchange algorithms. Public key cryptography provides a method ofencrypting a message which can only be decrypted by one party. A router cangenerate a session key, encrypt the key using public key cryptography, transmitthe key over an insecure channel, and be certain that the key can only bedecrypted by the intended recipient. Symmetrical encryption algorithms canalso be used for key exchange, but commonly require an initial shared secret to

be manually entered into all routers in the secure network.The Diffie-Hellman algorithm is one of the more commonly used key exchangealgorithms. It is not an encryption algorithm because messages can not be
http://ipsec.pdf/http://ipsec.pdf/

7/27/2019 enco

9/50



encrypted using Diffie-Hellman. Instead it provides a method for two partiesto generate the same shared secret with the knowledge that no other party cangenerate that same value. It uses public key cryptography and is commonlyknown as the first public key algorithm. Its security is based on the difficulty ofsolving the discrete logarithm problem, which can be compared to thedifficulty of factoring very large integers.

A Diffie-Hellman algorithm requires more processing overhead than RSAbased key exchange schemes, but does not need the initial exchange of publickeys. Instead, it uses published and well tested public key values. The securityof the Diffie-Hellman algorithm depends on these values. Public key valuesless than 768 bits in length are considered to be insecure.

A Diffie-Hellman exchange starts with both parties each generating a largerandom number. These values are kept secret, while the result of a public keyoperation on the random number is transmitted to the other party. A secondpublic key operation, this time using the random number and the exchangedvalue, results in the shared secret. As long as no other party knows either of therandom values, the secret is safe.

See Chapter 37 IP Security (IPsec) for more information about configuring keyexchange on the router.

Hardware Support

Encryption and compression services that are supported by both hardware andsoftware resources will always make use of any installed hardware resources,in preference to software resources, to maximise performance.

Mini Accelerator (MAC) Cards and PCI AcceleratorCards (PACs)

Mini Accelerator (MAC) cards provide hardware data compression andencryption for AR Series routers. The MAC or PAC cards are hardwareprocessing units controlled by the routers CPU. The following MAC cards areavailable:

CMAC (Compression only) provides STAC hardware compression usinga high performance lossless, adaptive data compression technique basedon the Lempel-Ziv algorithm.

EMAC (Encryption only) provides multi-channel encryption usingdedicated high performance DES/3DES hardware in the CBC mode. TheDES/3DES hardware performs DES, 112-bit Outer CBC Mode (2-key)Triple DES and 168-bit Inner CBC Mode Triple DES encryption compliantwith FIPS PUB 46, ISO DEA 1 and ANSI X3.92 standards.

ECMAC (Encryption and Compression) combines the CMAC and EMACcards into a single card providing both high performance lossless, adaptivedata compression based on the Lempel-Ziv algorithm and multi-channelencryption using dedicated high performance DES/3DES hardware.

ECMACV2 (Encryption, Compression and Authentication) performs allthe functions of the ECMAC, and in addition performs

168-bit OuterCBC Mode Triple DES encryption, and authentication using HMAC MD5-96, HMAC SHA-1-96 and DES-MAC.

7/27/2019 enco

10/50



ECPAC (Encryption, Compression and Authentication) combinescompression, encryption and authentication in a single card. It performsSTAC hardware compression using a high performance lossless, adaptivedata compression technique based on the Lempel-Ziv algorithm. Itprovides multi-channel encryption using dedicated high performanceDES/3DES hardware in the CBC mode. The DES/3DES hardwareperforms DES, 112-bit Outer CBC Mode (2-key) Triple DES, 168-bit InnerCBC Mode Triple DES, and 168-bit Outer CBC Mode Triple DES encryptioncompliant with FIPS PUB 46, ISO DEA 1 and ANSI X3.92 standards. Thiscard also performs authentication using HMAC MD5-96, HMAC SHA-1-96and DES-MAC.

For more information about MAC or PAC cards, see the Hardware Reference.

Hardware Control and Monitoring

The ENCO module is responsible for controlling and monitoring the hardwareprocessing resources and performs the following functions:

The ENCO module monitors any installed MAC or PAC card. If the devicestops operating, the ENCO module logs the event.

The ENCO module writes a history of the most recent hardware events tothe routers system log.

ENCO Support for IPv6

IPv6 uses IPSec, in conjuction with encryption key handling, to provideauthentication and encryption to all IPv6 traffic. For information about IPSec,see Chapter 37 IP Security (IPsec).

IPv6 addresses can be specified in ENCO keys, using the command:

CREATE ENCO KEY=key-id TYPE={DES|3DES2KEY|3DESINNER|

3DESOUTER|GENERAL|RSA} IPADDRESS=ipv6add

[DESCRIPTION=description] [FILE=filename] [FORMAT={HEX|

NIQ|SSH}] [LENGTH=length] [MODULE=module-id] [{RANDOM|

VALUE=value}]

If an IPv6 address is specified with the IPADDRESS parameter, that address isassociated with the key. The ISAKMP and SSH modules use the key to find the

RSA public key of a remote peer.

The address can be changed for an existing key, using the command:

SET ENCO KEY=key-id [DESCRIPTION=description]

[IPADDRESS={ipv4add|ipv6add}] [MODULE=module-id]

The IPv6 address associated with a particular key can be displayed, using thecommand:

SHOW ENCO KEY=key-id

7/27/2019 enco

11/50



ENCO Services

The ENCO module provides services to user modules via channel pairs. A usermodule requests a service, specifying any configuration needed for the service,and is attached to an ENCO channel pair if the service and free channels are

available. A channel pair consists of an encoding channel and a decodingchannel. An encoding channel is used for compression, encryption,authentication or Diffie-Hellman key exchange. A decoding channel is used fordecompression, decryption or authentication.

The following services are provided by the ENCO module:

EncryptionDES encryption, 112-bit 2-key Outer mode Triple DESencryption, 168-bit Inner mode Triple DES encryption, RSA encryption,and RSA key generation.

AuthenticationHMAC MD5-96, HMAC SHA-1-96 and DES-MAC.

CompressionSTAC LZS and Predictor compression.

Diffie-Hellman key exchange.

Key storage.

Some of these services may be provided in hardware. Some of the servicesprovided in software require a feature license before they can be used. SeeSpecial Feature Licences on page 1-47 ofChapter 1, Operation for moreinformation about feature licenses.

The number of channels available is dependent on the amount of RAM on therouter. Routers with up to 8 MBytes of RAM can have up to 512 encryption andcompression channels. Routers with 16 MBytes can have up to 1024 channels,and routers with 32 Mbytes up to 2048 channels. The amount of RAM on a

router can be checked, using the command:

SHOW SYSTEM

The identification number of the lowest and highest channels available can bedisplayed, using the command:

SHOW ENCO

This command also displays general information about the ENCO module andthe services that are available.

Version 1 MAC cards have a limit of 128 channels. If compression is performed by the

routers CPU, because a MAC card is not installed, the number of compression channelsis further limited (see Compression on page 18-12). Version 2 MAC cards do not havethis limitation. To see whether the MAC card installed in the router is version 1 orversion 2, use the SHOW SYSTEM command on page 1-137 of Chapter 1, Operation.

A user module which requests the retention of process histories betweenpackets for an encryption or compression service (see User Modules onpage 18-17) may also request that the history of one of its channels be reset.Whenever a decoding channel gets out of step with its associated encodingchannel the encoding channels history must be reset.
http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/

7/27/2019 enco

12/50



Compression

The ENCO module provides two compression algorithmsSTAC LZS andPredictor.

STAC LZS compression is provided either in software or in hardware (when acompression-capable MAC or PAC card is installed). The STAC LZScompression algorithm provided in the router software can only be used whenhardware compression resources are not available. Predictor compression isprovided in software. A version 1 compression-capable MAC card can supportup to 128 concurrent compression channels.

To use software compression, the number of channels required must beconfigured using the command:

SET ENCO SW PREDCHANNELS=0..4 STACCHANNELS=0..4

This command must be run from the boot configuration script since thememory required by the software compression algorithms must be contiguousand the most efficient way to acquire contiguous memory is just after therouter has rebooted. The maximum number of software compression channelsis limited due to the large amount of memory required by the softwarecompression algorithms; STAC LZS requires 13 KBytes per channel andPredictor requires 128 KBytes per channel. The limit is 2-4 Predictor channelsand 4 STAC LZS channels. By default no compression channels are configured.

STAC LZS Compression

The hardware and software compression processes are interoperable, enablingcompression performance requirements to be evaluated on a per-site basis.Sites which have high speed compressed links, or a large number of slowerlinks (since it is the aggregate link speed which is important) can make use of

the high throughput provided by hardware compression. Smaller sites withlower aggregate requirements, and often a higher cost sensitivity, are bestserved by software compression. The interoperability of the two processes isparticularly relevant for a network with a single central site and multipleremote sites. The central site can use hardware compression to support thehigh aggregate link speed, while the remote sites can use software compressionfor the most cost-effective solution.

For STAC LZS compression, it is possible to select between compression speedand compression ratio using the command:

SET ENCO SW STACSPEED=0..3

Setting STACSPEED to a high value minimises compression time at theexpense of the compression ratio and is most suitable for high aggregate linespeeds. Setting STACSPEED to a low value maximises the compression ratio atthe expense of processing time and is most effective for low aggregate linkspeeds. Intermediate values give a balance between the two. The STACSPEEDvalue only effects the transmit (compression) path; the receive (decompression)path is not affected by the value of STACSPEED.

The compression hardware always compresses for the maximum ratio so it isnot affected by the value of STACSPEED. When hardware and software STACLZS compression processes are interoperating, the compression ratio in thesoftware-to-hardware direction will depend on the value of STACSPEED,

while the compression ratio in the hardware-to-software direction will be thehighest obtainable.

7/27/2019 enco

13/50



STAC LZS software compression will always be compatible with STAC LZS hardwarecompression. The value of STACSPEED does not effect compatibility.

Predictor

Predictor compression is the default compression algorithm for PPP linkcompression. Predictor compression requires a lot of memory for itscompression history and is not recommended for routers with 4 MBytes ofRAM.

Encryption

The ENCO module provides four variants of DES encryption (DES, 112-bit2-key Outer CBC Mode Triple DES, 168-bit Inner CBC Mode Triple DES, and168-bit Outer CBC Mode Triple DES) and RSA encryption. The DES encryptionvariants are provided in hardware and require the presence of an encryption-

capable MAC or PAC card.

If the router has a Secure Shell feature license and does not have any DESencryption-capable hardware installed the ENCO module will provide DESusing software, but only to the Secure Shell module. Triple DES requires aspecial feature licence. See Special Feature Licences on page 1-47 ofChapter 1,Operationfor a description of feature licenses. See Chapter 35 Secure Shellformore information about Secure Shell.

RSA encryption is provided in software. To use RSA encryption the routermust have either a Secure Shell feature license or an ISAKMP feature license.See Special Feature Licences on page 1-47 ofChapter 1, Operation for adescription of feature licenses. See Chapter 35 Secure Shell for more information

about Secure Shell. See Chapter 37 IP Security (IPsec) for more information aboutISAKMP.

Authentication

The ENCO module provides three authentication algorithmsHMACMD5-96, HMAC SHA-1-96 and DES-MAC. The HMAC hash algorithms areprovided in software. The DES-MAC hash algorithm is provided in hardwareand requires the presence of an encryption-capable MAC or PAC card.

Diffie-Hellman Key Exchange AlgorithmThe ENCO module provides the Diffie-Hellman key exchange algorithm insoftware. To use the Diffie-Hellman key exchange service, the router must havean ISAKMP feature license. See Special Feature Licences on page 1-47 ofChapter 1, Operation for a description of feature licenses. See Chapter 37 IPSecurity (IPsec) for more information about ISAKMP.

The Diffie-Hellman exchange takes place in two phases. In the first phase thelocal random number is generated, combined with a Diffie-Hellman public keyvalue and transmitted to the other party in the key exchange. In the secondphase the shared secret is generated from the exchanged and local randomnumber values. Each phase is broken into small pieces of processing because ofthe processor intensive public key calculations. As a result the key exchange
http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://ssh.pdf/http://ssh.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://ssh.pdf/http://ipsec.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://ipsec.pdf/http://ipsec.pdf/http://ipsec.pdf/http://ipsec.pdf/http://ipsec.pdf/http://opr.pdf/http://opr.pdf/http://ssh.pdf/http://opr.pdf/http://ssh.pdf/http://opr.pdf/http://opr.pdf/

7/27/2019 enco

14/50



takes longer, but ensures the general operation of the router is not haltedduring this process.

The Diffie Hellman key exchange has a high priority by default. If the speed ofthe key exchange is not critical, the priority can be set to a lower value to leavemore CPU time available for routing processes. To change the Diffie Hellmankey exchange priority, use the command:

SET ENCO DHPRIORITY={HIGH|MEDIUM|LOW}

The ENCO module supports published public key values MODP Group 1and MODP Group 2 as defined in RFC 2412, The OAKLEY Key DeterminationProtocol. These public key values are 768 and 1024 bits in length, respectively.

Key Creation and Storage

Keys required by the router for encryption and authentication services arecreated and stored by the ENCO module. Keys are stored in the FLASHmemory.

The following types of keys are used by the router:

DES, used for DES encryption

3DES2KEY, used for 112-bit 2-key Outer CBC Mode Triple DES encryption

3DESINNER, used for 168-bit Inner CBC Mode Triple DES encryption

3DESOUTER, used for 168-bit Outer CBC Mode Triple DES encryption

RSA, used for RSA encryption

GENERAL, used for HMAC authentication and ISAKMP pre-shared keys

Each key that is created and stored in the router has a unique identificationnumber. Each key has a set of attributes, including the user module associatedwith the key. Each user module specifies whether or not these key attributesmust be set. For example, the ISAKMP and SSH modules use the IP addressattribute of RSA keys to find the public key of the remote peer.

Key Formats

Keys can be stored in the router and displayed in several formats.

DES, 3DES2KEY, 3DESOUTER and 3DESINNER keys can be entered in aproprietary short/checked ASCII format or in hexadecimal format. The short/checked ASCII format represents each 5 bits of the key by an ASCII character.

The legal characters are lowercase letters (az) and digits (29). The digits 0 and1 are not used, to prevent confusion with the letters O and l. A checksum fieldis added to ensure the key has been entered correctly. DES, 3DES2KEY,3DESOUTER and 3DESINNER keys are displayed in both hexadecimal and theshort/checked ASCII format.

RSA keys can not be entered via the command line. They can be generated onthe router or imported from a text file. See RSA Keys on page 18-15 and theCREATE ENCO KEY command on page 18-19 for more information aboutimporting RSA keys.

GENERAL keys can be entered in hexadecimal format or as an easy to

remember pass phrase. The pass phrase must contain only printable charactersand if spaces are included, the pass phrase must be enclosed in double quotes.

7/27/2019 enco

15/50



GENERAL keys are displayed in hexadecimal format and also in string formatif the key data contains all printable characters.

See the CREATE ENCO KEY command on page 18-19 for more informationabout generating and entering keys into the router. See the SHOW ENCO KEYcommand on page 18-48 for more information about displaying keys.

RSA Keys

RSA keys can be generated using the CREATE ENCO KEY command onpage 18-19. RSA public keys generated on an external device (such as a PC) canbe imported as a text file. RSA public keys on the router can be exported to atext file for transfer to an external device.

The generation of RSA keys is a time consuming and processor intensiveoperation. Two very large random prime numbers must be created and thencombined to form the RSA key. The fastest method for generating large primenumbers is to create a large random number and then test to see if it is prime. Ifis not, then the number is modified and tested again. Because this is a very

random procedure, it can take anywhere between 3 seconds and 30 minutes,depending on the size of the key and the CPU. To ensure the normal operationof the router is not affected, RSA key generation is performed as a backgroundtask.

RSA public keys can be imported from and exported to text files. RSA publickeys generated by an external device can be loaded on to the router in text fileformat (.key files) and ENCO RSA public keys are generated from these textfiles. When a RSA key generated by the router is exported to a text file, only thepublic portion of the key is written to the file.

Three text file formats are recognised by the routerSSH (Figure 18-1 on

page 18-15), NIQ (Figure 18-2 on page 18-15) and HEX (Figure 18-3 onpage 18-16). The default format is HEX. The first number in the key file is thelength of the RSA public key in bits, the second number is the exponent field ofthe key and the last number is the modulus field of the key. In SSH format filesthe length, exponent and modulus fields are all in one long line. In Figure 18-1on page 18-15 the \ character shows where the line has been wrapped. InNIQ and HEX format files the length, exponent and modulus fields are onseparate lines.

Figure 18-1: An RSA public key file in SSH format.

Figure 18-2: An RSA public key file in NIQ format.

512 65537 58271454040942172675574803018707732886250732940593381153466514993637269\

2554308139731130814782897798791374252039162251634873178364999125511405069275595877

-NiQ Router RSA Public Key

512

65537

5827145404094217267557480301870773288625

0732940593381153466514993637206925543081

3973113081478289779879137425203916225163

4873178364999125511405069275595877

7/27/2019 enco

16/50



Figure 18-3: An RSA public key file in HEX format.

See the CREATE ENCO KEY command on page 18-19 for more informationabout generating and entering keys into the router.

Access Control

When encryption is configured and enabled, the router must be placed insecurity mode, using the command:

ENABLE SYSTEM SECURITY_MODE

See the ENABLE SYSTEM SECURITY_MODE command on page 1-75 ofChapter 1, Operation for more information about enabling security mode.

Keys created on a router which is not in security mode will be destroyed whenthe router is restarted. Enable security mode before creating encryption keys.

When the router is in security mode only users with SECURITY OFFICERprivilege can execute commands which could impact the security of the routerand its keys. Table 1-1 on page 1-6 ofChapter 1 Operation lists the commands

which require SECURITY OFFICER privilege when the router is in securitymode.

A user must login from a local port, a Secure Shell session or a Telnet sessionfrom a Remote Security Officer address (if the Remote Security Officer functionis enabled) to gain SECURITY OFFICER privilege:

See Chapter 1 Operation for more information about creating users withSECURITY OFFCER privilege, configuring Remote Security Officers andlogging in to a user account with SECURITY OFFICER privilege. See Chapter 35Secure Shellfor more information about Secure Shell.

When an encrypting router is removed from service its sensitive encryption

keys should be cleared before it is transported in an unprotected manner. Allencryption keys on a router can be cleared by disabling security mode, usingthe command:

DISABLE SYSTEM SECURITY_MODE

The encryption technology used in the router is a government controlledproduct. The router encryption hardware must never be disposed of by the user.These products must always be returned to your authorised distributor orreseller for deregistration and disposal.

512

0x010001

0x6f427e5112e1389e2af1c4df09545fa88f90b093aabbdebb5778ef5ed1d39fe9

248602ef11e399216b52adae2f5fd1ae8b7ca5c19b3c27a3ec5179966cb58465
http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://ssh.pdf/http://ssh.pdf/http://ssh.pdf/http://ssh.pdf/http://ssh.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/http://opr.pdf/

7/27/2019 enco

17/50



User Modules

IP Payload Encryption and Virtual Private Networks

AT-VPNet combines the hardware processing resources, payload encryptiontechnology, and security associations to create secure virtual private networks(VPNs) across the Internet.

The router supports two methods of encrypting IP packet payloads. The firstmethod is an RFC compliant implementation of IPsec and ISAKMP/IKE. IPsec,as defined in RFCs 24012406, provides encryption and authentication of IPpackets. ISAKMP/IKE, as defined in RFCs 24072409, provides key exchangeand negotiation of attributes for IPsec. The router also supports IP compressionusing LZS compression as defined in RFC 2393 and RFC 2395. The secondmethod is a proprietary Security Association implementation which issupported for backward compatibility with Software Release 7.7.

For more information about configuring IP payload encryption andcompression see Chapter 37 IP Security (IPsec).

Secure Shell

Secure Shell (SSH) requires the DES and RSA encryption algorithms. Once aSSH feature licence has been entered, these algorithms are made available tothe SSH module by the ENCO module. Triple DES encryption also requires aspecial feature licence. If a MAC or PAC card is installed, DES encryption forSSH will be performed in hardware for enhanced performance.

See Special Feature Licences command on page 1-47 ofChapter 1, Operation formore information about feature licences. For more information aboutconfiguring Secure Shell see Chapter 35 Secure Shell.

PPP

The PPP module can use the services of the ENCO module to provide linkcompression and/or link encryption.

The router implements the Compression Control Protocol (CCP) as defined byRFC 1962 to provide compression on PPP. CCP provides a method for

negotiating the compression algorithm to use and algorithm-specificparameters such as the check mode. It also provides a mechanism forsynchronising the compression histories at each end of the link if they becomeunsynchronised. The use of STAC LZS and Predictor compression with PPP isdefined in RFCs 1962 and 1978, respectively.

The router implements the Encryption Control Protocol (ECP) as defined byRFC 1968 to provide encryption on PPP links. ECP provides a method fornegotiating the encryption algorithm to use and algorithm-specific parameters.It also provides a mechanism for synchronising the encryption and decryptionprocesses at each end of the link. The router uses a proprietary algorithmnumber with ECP to provide STAR key management and DES encryption.

If a PPP interface is configured for compression and encryption, the data iscompressed first to give the compression phase the best opportunity of finding
http://ipsec.pdf/http://opr.pdf/http://opr.pdf/http://ssh.pdf/http://opr.pdf/http://ssh.pdf/http://ipsec.pdf/

7/27/2019 enco

18/50



non-random sequences, and then the data is encrypted. PPP fully supports thenegotiation and link management required to provide both compression andencryption on links. Configuring PPP for dual mode operation only requiresthat both encryption and compression be enabled on the PPP interface. Thecompression option is negotiated by the routers at each end of the link, so thatif one is configured for dual mode and the other is configured for encryptiononly then compression will not be used. Encryption on a link is notnegotiableboth ends must be configured for encryption for the link to beestablished.

For more information about configuring PPP link compression and/orencryption see Chapter 36 Link Compression and Encryption.

Frame Relay

The Frame Relay module can use the services of the ENCO module to providelink compression and/or link encryption.

The router uses the mechanism described in the Frame Relay ForumsImplementation Agreement 9Data Compression Over Frame Relay standard toprovide STAC LZS compression on Frame Relay circuits. The router adds an 8-bit Longitudinal Check Byte (LCB) to the data, enabling the packet to bevalidated on decompression. The negotiation process and compression resetprocess are based on the PPP CCP mechanism.

The router extends the mechanism described in the Frame Relay ForumsImplementation Agreement 9Data Compression Over Frame Relay standard toprovide STAR key management and DES encryption on Frame Relay circuits.The router adds an 8-bit Longitudinal Check Byte (LCB) to the data, enablingthe packet to be validated on decompression. The negotiation process and

compression reset process are based on the PPP ECP mechanism.

If a Frame Relay circuit is configured for compression and encryption, the datais compressed first to give the compression phase the best opportunity offinding non-random sequences, and then the data is encrypted. Frame Relayfully supports the negotiation and link management required to provide bothcompression and encryption on links. Configuring Frame Relay for dual modeoperation only requires that both encryption and compression be enabled onthe Frame Relay circuit. The compression option is negotiated by the routers ateach end of the link, so that if one is configured for dual mode and the other isconfigured for encryption only then compression will not be used. Encryptionon a link is not negotiableboth ends must be configured for encryption forthe link to be established.

For more information about configuring Frame Relay link compression and/orencryption see Chapter 36 Link Compression and Encryption.

X.25 Link Compression

The router uses a simple static configuration process to provide STAC LZScompression for X.25. X.25 does not reset compression links as it is a reliabletransmission protocol.

For more information about configuring X.25 compression see Chapter 36 Link

Compression and Encryption.
http://linkce.pdf/http://linkce.pdf/http://linkce.pdf/http://linkce.pdf/http://linkce.pdf/http://linkce.pdf/http://linkce.pdf/http://linkce.pdf/

7/27/2019 enco

19/50

Compression and Encryption Services CREATE ENCO KEY 18-19


Command Reference

This section describes the commands available on the router to configure andmonitor the compression and encryption processes on the router.

A user must be logged in with SECURITY OFFICER privilege to configure

encryption services. See Chapter 1 Operationfor more information aboutcreating users with SECURITY OFFCER privilege, configuring RemoteSecurity Officers and logging in with SECURITY OFFICER privilege.

For each interface over which compression or encryption is to be used, a higherlayer module must be configured to use compression or encryption. Currently,compression and encryption are supported on Point-to-Point Protocol (PPP),Frame Relay and X.25 interfaces, and Security Associations. See Chapter 3 Point-to-Point Protocol (PPP) for details of the commands required to enablecompression and encryption on a PPP interface. See Chapter 6 X.25 for details ofthe commands required to enable compression and encryption on an X.25interface. See Chapter 8 Internet Protocol (IP) for details of the commands

required to enable IP payload compression and encryption with SecurityAssociations. See Chapter 36 Link Compression and Encryption for moreinformation about configuring link compression and encryption. See Chapter 35Secure Shellfor more information about configuring and using Secure Shell.

See Conventions on page lxxx ofPreface in the front of this manual for detailsof the conventions used to describe command syntax. SeeAppendix A Messagesfor a complete list of messages and their meanings.

CREATE ENCO KEY

Syntax CREATE ENCO KEY=key-id TYPE={DES|3DES2KEY|3DESINNER|3DESOUTER|GENERAL|RSA} [DESCRIPTION=description]

[FILE=filename] [FORMAT={HEX|NIQ|SSH}]

[IPADDRESS={ipv4add|ipv6add}] [LENGTH=length]

[MODULE=module-id] [{RANDOM|VALUE=value}]

where:

key-id is a number in the range 0 to 65535.

description is a character string, 1 to 25 characters in length. Valid charactersare any printable character. Ifdescription contains spaces it must beenclosed in double quotes.

filename is a valid router filename with a .key extension.

ipv4add is an IPv4 address in dotted decimal notation.

ipv6add is an IPv6 address in colon-separated hexadecimal notation.

length is a number in the range 0 to 65535.

module-id is the name or number of a router module (see Module Identifiersand Names on page B-2 ofAppendix B, Reference Tablesfor a complete list).

value is a character string, of variable length depending on the key type.For ASCII formatted keys, valid characters are lowercase letters (az) anddigits (29). The digits 0 and 1 are illegal, to prevent confusion with the
http://opr.pdf/http://opr.pdf/http://ppp.pdf/http://ppp.pdf/http://x25.pdf/http://ip.pdf/http://linkce.pdf/http://ssh.pdf/http://ssh.pdf/http://ssh.pdf/http://preface.pdf/http://preface.pdf/http://preface.pdf/http://preface.pdf/http://msg.pdf/http://ref.pdf/http://ref.pdf/http://ref.pdf/http://ref.pdf/http://ref.pdf/http://ref.pdf/http://linkce.pdf/http://ref.pdf/http://ref.pdf/http://msg.pdf/http://preface.pdf/http://ssh.pdf/http://ssh.pdf/http://ip.pdf/http://ppp.pdf/http://ppp.pdf/http://opr.pdf/http://x25.pdf/

7/27/2019 enco

20/50

18-20 CREATE ENCO KEY AR Series Router Software Reference


letters O and l. Hexadecimal keys must start with 0x and must containan even number of characters using the digits (0-9) and letters (a-f).Passphrase keys may contain any printable character. Ifvalue containsspaces it must be enclosed in double quotes.

Description This command creates a encryption or authentication key of the specified typeand stores the key information in the routers FLASH memory. This commandcan also be used to import or export RSA keys.

The KEY parameter specifies the identification number for the key.

The TYPE parameter specifies the type of key to be created. If a DES or 3DESkey is being created, then the RANDOM or VALUE parameters must bespecified. If DES is specified, a 56-bit DES key is created. If 3DES2KEY isspecified, a 112-bit DES key is created. If 3DESINNER is specified, a 168-bitDES key is created. If 3DESOUTER is specified, a 168-bit DES key is created. Ifan RSA key is being generated, then the LENGTH or FILE parameters must bespecified. If the FILE parameter is specified, the RSA key will be imported fromor exported to the specified file. If the FILE parameter is not specified, then a

random RSA key is generated. If a GENERAL key is being created, then theLENGTH or VALUE parameters must be specified. Keys of type GENERALcan be used for authentication algorithms or as shared secrets.

The DESCRIPTION parameter specifies a user-defined description for the key,to make it easier to keep track of different keys.

The FILE parameter specifies name of a router file. RSA public keys may beimported from or exported to a file in either Secure Shell format, the router'sown format or in hexadecimal format. If the file exists but the specified RSAkey does not exist, then the RSA key is imported from the file. If the specifiedRSA key does exist but the file does not exist, the RSA key is exported to the

file. The FORMAT parameter must be specified when importing or exportingkeys.

The FORMAT parameter specifies the format of the .key file when importing orexporting an RSA key. Secure Shell users should use SSH. NIQ is the routersown format, which can be used for transferring RSA keys between routers. TheHEX format should be used when transferring keys between other devices. Thedefault is HEX. If FORMAT is specified, the FILE parameter must also bepresent.

The IPADDRESS parameter specifies an IP address to associate with the key.The ISAKMP and SSH modules use this value to find the RSA public key of aremote peer. Documentation for particular modules specify whether this

parameter is required.

The LENGTH parameter specifies the length of the key to be created. An RSAkey length is specified in bits and must be a multiple of 32. Valid RSA keys arein the range 256 to 2048 bits. A key of type GENERAL can have any length inthe range 2 to 64 bytes.

The MODULE parameter can be used to link a key to a specific module.Documentation for particular modules specify whether this parameter isrequired.

The RANDOM parameter creates a random key. The key can entered into

another router using the CREATE ENCO KEY command and specifying theVALUE parameter.

7/27/2019 enco

21/50

Compression and Encryption Services DESTROY ENCO KEY 18-21


The VALUE parameter creates a key with the supplied value. DES and 3DESkeys require a key in 5-bit ASCII format or hexadecimal format. This ASCIIrepresentation includes a check value of the key to ensure it has been typed incorrectly. A hexadecimal key always starts with 0x. The value of a key can bedisplayed using the SHOW ENCO KEY command on page 18-48. Keys of typeGENERAL can be entered as a string or in hexadecimal format.

For security reasons this command will only be accepted if the user has SECURITYOFFICER privilege.

Examples To create a random DES encryption key with the identification number 1 andthen display the key, use the commands:

CREATE ENCO KEY=1 TYPE=DES RANDOM

SHOW ENCO KEY=1

To add this DES key to another router, use the command:

CREATE ENCO KEY=1 TYPE=DES VALUE=value

on the other router, where value is the value of the key displayed in the outputof the SHOW ENCO KEY command on page 18-48.

To create a random 512-bit RSA private key with the key identification number2, use the command:

CREATE ENCO KEY=2 TYPE=RSA LENGTH=512 DESCRIPTION="Router A

private key"

To create an uploadable file for the public component of the same RSA key inthe format used by Secure Shell use the command:

CREATE ENCO KEY=2 TYPE=RSA FILE=routerA.key FORMAT=SSH

To import an RSA key from the file RSA.KEY, which is in HEX format, asencryption key 3, use the command:

CREATE ENCO KEY=3 TYPE=RSA FILE=rsa.key FORMAT=HEX

See Also DESTROY ENCO KEYSET ENCO KEYSHOW ENCO KEY

DESTROY ENCO KEY

Syntax DESTROY ENCO KEY=key-id LOCATION=FLASH

where:


Description This command destroys the specified encryption key. The memory the keyoccupied is overwritten to ensure the key is irretrievable.

The KEY parameter specifies the identification number for the key. A key withthe specified identification number must exist.

7/27/2019 enco

22/50

18-22 DISABLE ENCO COMPSTATISTICS AR Series Router Software Reference


The LOCATION parameter specifies the location of the key.


Examples To destroy the encryption key in FLASH with the key identification number 4,use the command:

DESTROY ENCO KEY=4 LOCATION=FLASH

See Also CREATE ENCO KEYSET ENCO KEYSHOW ENCO KEY

DISABLE ENCO COMPSTATISTICS

Syntax DISABLE ENCO COMPSTATISTICS

Description This command disables the calculation and storage of compression ratiostatistics for any compression-only ENCO channels.

See Also ENABLE ENCO COMPSTATISTICSSHOW ENCO CHANNEL

DISABLE ENCO DEBUGGING

Syntax DISABLE ENCO DEBUGGING=PACKET

Description This command disables the specified debugging option for the ENCO module.The specified debugging option must currently be enabled. Debugginginformation is sent to the terminal from which the command was entered. Anycombination of options can be disabled using successive commands.

The DEBUG parameter specifies which debugging option is to be disabled.PACKET debugging displays the contents of packets processed by the ENCOmodule.

Examples To disable the debugging of the contents of packets processed by the ENCOmodule, use the command:

DISABLE ENCO DEBUG=PACKET

See Also ENABLE ENCO DEBUGGING

7/27/2019 enco

23/50

Compression and Encryption Services RESET ENCO COUNTER 18-23


ENABLE ENCO COMPSTATISTICS

Syntax ENABLE ENCO COMPSTATISTICS

Description This command enables the calculation and storage of compression ratio

statistics for any compression-only ENCO channels. The collected statistics aredisplayed in the output of the SHOW ENCO CHANNEL command onpage 18-28.

See Also DISABLE ENCO COMPSTATISTICS

ENABLE ENCO DEBUGGING

Syntax ENABLE ENCO DEBUGGING=PACKET

Description This command enables the specified debugging option for the ENCO module.The specified debugging option must currently be disabled. Debugginginformation is sent to the terminal from which the command was entered. Anycombination of options can be enabled using successive commands.

The DEBUG parameter specifies which debugging option is to be enabled.PACKET debugging displays the contents of packets processed by the ENCOmodule.

Examples To enable the debugging of the contents of packets processed by the ENCO

module, use the command:

ENABLE ENCO DEBUG=PACKET

See Also DISABLE ENCO DEBUGGING

RESET ENCO COUNTER

Syntax RESET ENCO COUNTER={DES|DH|HMAC|JOBPROCCESSING|MAC|PAC|PRED|RSA|STAC|USER|UTIL}

Description This command clears general and process-specific counters for the ENCOmodule.

The COUNTER parameter specifies the category of counters to be cleared. If acategory is not specified, all ENCO counters are cleared. USER, UTIL andJOBPROCCESSING counters display information about the general operationof the ENCO module. The DMAN, DES, RSA, STAC and PRED countersdisplay information for particular processes. The MAC and PAC countersdisplay information about the operation of the MAC and PAC cards.

If DES is specified, counters for the DES encryption process are reset. If DH isspecified, counters for the Diffie Hellman key exchange process are reset. If

7/27/2019 enco

24/50

18-24 SET ENCO DHPRIORITY AR Series Router Software Reference


HMAC is specified, counters for the HMAC message process are reset. IfJOBPROCCESSING is specified, counters for the jobs that have been or are stillbeing processed by the ENCO module are reset. If PRED is specified, countersfor the PRED compression process are reset. If RSA is specified, counters forthe RSA encryption process are reset. If STAC is specified, counters for theSTAC compression process are reset. If USER is specified, counters for theinterface between the ENCO module and other user modules who use ENCOchannels are reset. If UTIL is specified, counters for the interface between theENCO module and other user modules who use the ENCO module for one-offjobs are reset. If MAC is specified, counters for the MAC card process are reset.If PAC is specified, counters for the PAC card process are reset.

Examples To reset all the ENCO counter, use the command:

RESET ENCO COUNTER

To reset all the counters for the RSA encryption process, use the command:

RESET ENCO COUNTER=RSA

See Also SHOW ENCO COUNTER

SET ENCO DHPRIORITY

Syntax SET ENCO DHPRIORITY={HIGH|MEDIUM|LOW}

Description This command is used to change the priority of the Diffie Hellman keyexchange on the router. The higher the priority, the more CPU time the

algorithm will use and the faster the key exchange will be completed. If thespeed of the Diffie Hellman key exchange is not critical, the DHPRIORITY canbe set lower so that the routing process is given more CPU time.

The DHPRIORITY parameter specifies the priority of the Diffie Hellman keyexchange. Valid values are HIGH, MEDIUM and LOW. The default value isHIGH priority.

Examples To set the Diffie Hellman priority to LOW, use the command:

SET ENCO DHPRIORITY=LOW

See Also SHOW ENCO KEY

7/27/2019 enco

25/50

Compression and Encryption Services SET ENCO KEY 18-25


SET ENCO KEY

Syntax SET ENCO KEY=key-id [DESCRIPTION=description][IPADDRESS={ipv4add|ipv6add}] [MODULE=module-id]

where:


description is a character string, 1 to 25 characters in length. Valid charactersare any printable character. Ifdescription contains spaces it must beenclosed in double quotes.

ipv4add is an IPv4 address in dotted decimal notation.

ipv6add is an IPv6 address in colon-separated hexadecimal notation.

module-id is the name or number of a router module (see Module Identifiersand Names on page B-2 ofAppendix B, Reference Tablesfor a complete list).

Description This command changes the user-defined description, IP address or module fora specified key.

The KEY parameter specifies the identification number for the key. Thespecified encryption key must already exist.

The DESCRIPTION parameter specifies a user-defined description for the key,to make it easier to keep track of different keys.

The IPADDRESS parameter specifies an IP address to associate with the key.The ISAKMP and SSH modules use this value to find the RSA public key of aremote peer. Documentation for particular modules specify whether this

parameter is required.

The MODULE parameter can be used to link a key to a specific module.Documentation for particular modules specify whether this parameter isrequired.


Examples To change the description for key 1, use the command:

SET ENCO KEY=1 DESCRIPTION="Router Z key"

See Also CREATE ENCO KEYDESTROY ENCO KEYSHOW ENCO KEY
http://ref.pdf/http://ref.pdf/http://ref.pdf/http://ref.pdf/http://ref.pdf/http://ref.pdf/http://ref.pdf/http://ref.pdf/

7/27/2019 enco

26/50

18-26 SET ENCO SW AR Series Router Software Reference


SET ENCO SW

Syntax SET ENCO SW [PREDCHANNELS=0..4] [STACCHANNELS=0..4][STACSPEED=0..3]

Description This command changes the configuration parameters for softwarecompression.

The PREDCHANNELS parameter specifies the number of Predictorcompression channels to allocate. Each Predictor compression channel requires128 KBytes of contiguous memory. On a router with 4MB of memory thenumber of Predictor channels is limited to 2.

The STACCHANNELS parameter specifies the number of STAC LZScompression channels to allocate. Each STAC LZS compression channelrequires 13 KBytes of contiguous memory.

The STACSPEED parameter specifies a performance level between 0

(maximum compression ratio) and 3 (maximum compression speed). A highvalue minimises compression time at the expense of the compression ratio, andis suitable for high aggregate line speeds. A low value maximises thecompression ratio and the expense of processing time, and is most effective forlow aggregate line speeds. Intermediate values give a balance between the two.The speed setting only effects the transmit (compression) path; the receive(decompression) path does not require a speed parameter.

Compression speed should be set according to the bandwidth of the links overwhich software compression will be used. Suggested speed settings fordifferent line rates are shown in Table 18-1 on page 18-26.

The STACKSPEED parameter is not used on the AR720 Router.

Examples To configure three STAC LZS software compression channels, use thecommand:

SET ENCO SW STACCHANNELS=3

See Also SHOW ENCO CHANNEL

Table 18-1: Suggested software compression speed settings for differenttransmission line speeds.

Aggregate Line Speed (kbps) Compression Speed Setting

> 85 3

6085 2

4059 1

< 40 0

7/27/2019 enco

27/50

Compression and Encryption Services SHOW ENCO 18-27


SHOW ENCO

Syntax SHOW ENCO

Description This command displays information about the ENCO module. The output of

this command varies depending on feature licences and whether or not a MACor PAC card (Figure 18-4 on page 18-27, Table 18-2 on page 18-28) is installed.

Figure 18-4: Example output from the SHOW ENCO command for a router with aMACcard installed.

Figure 18-5: Example output from the SHOW ENCO command for a router without

a MACcard installed.

ENCO Module Configuration

Hardware ............................... MAC

Lowest valid channel ................... 1

Highest valid channel .................. 511

Compression Statistics Enabled ......... FALSE

Diffie Hellman Priority ................ HIGH

SW Processes available

RSA - RSA Encryption

DH - Diffie Hellman

MAC Processes available

DES - DES Encryption

3DES - Triple DES Encryption

STAC - Stac Compression

HMAC - Message Digest

ENCO Module Configuration

Hardware ............................... None

Lowest valid channel ................... 1

Highest valid channel .................. 511

Compression Statistics Enabled ......... FALSE

Diffie Hellman Priority ................ HIGH

SW Processes available

STAC - Stac Compression

RSA - RSA Encryption

DH - Diffie HellmanHMAC - Message Digest

Stac LZS compression performance level.3

Stac LZS compression footprint ....... 9989

Stac LZS compression history size .... 20688

Stac LZS decompression history size .. 4168

Stac LZS channels configured ......... 2

Stac LZS channels available .......... 2

7/27/2019 enco

28/50

18-28 SHOW ENCO CHANNEL AR Series Router Software Reference


See Also SET ENCO DHPRIORITYSHOW ENCO CHANNELSHOW ENCO COUNTER

SHOW ENCO CHANNEL

Syntax SHOW ENCO CHANNEL[=channel [COUNTER]]

where:

channel is a number in the range 0 to 512, if the router has up to 8 Mbytes ofRAM, 0 to 1024 if the router has 16 Mbytes of RAM, or 0 to 2048 if therouter has 32 Mbytes of RAM.

Description This command displays information about active ENCO module channels. Ifan ENCO channel is not specified, a summary of all currently active channels isdisplayed (Figure 18-6 on page 18-29, Table 18-3 on page 18-29). If an ENCO

Table 18-2: Parameters displayed in the output of the SHOWENCO command.

Parameter Meaning

Hardware The type of ENCO hardware if it available; one of "PAC",

"MAC" or "FALSE".

Lowest valid channel The identification number of the lowest channel

available for use by a user module.

Highest valid channel The identification number of the highest channel

available for use by a user module.

Compression Statistics Enabled Whether or not gathering of compression statistics is

enabled for all channels; one of TRUE or FALSE.

Diffie Hellman Priority The priority of the Diffie Hellman key exchange; one of

"HIGH", "MEDIUM" or "LOW".

SW Processes available A list of the software-based processes available to the

ENCO module for processing user data packets; one or

more of "NONE", "DMAN", "PREDICTOR", "STAC","RSA", "DH", or "HMAC".

MAC Processes available A list of the MAC-based processes available to the ENCO

module for processing user data packets; one or more of

"NONE", "DES", "3DES", "STAC", or "HMAC".

Private Channel Used Whether the ENCO modules private channel is currently

in use.

Private Channel User The identification number of the ENCO sub-component

which is currently using, or was the last user of, the

ENCO private channel. For debugging purposes only.

Private Channel Timeouts The number of ENCO private channel timeouts. For

debugging purposes only.

Private Channel Locks The number of times an ENCO private channel has been

locked by an ENCO module sub-component. For

debugging purposes only.

7/27/2019 enco

29/50

Compression and Encryption Services SHOW ENCO CHANNEL 18-29


channel is specified, detailed configuration and status information about thespecified channel is displayed (Figure 18-7 on page 18-29,Table 18-4 onpage 18-30). If compression statistics are enabled, the display will includecompression statistics.

If the COUNTER parameter is specified, information counters for the specifiedchannel are displayed (Figure 18-8 on page 18-31, Table 18-5 on page 18-31).

Figure 18-6: Example output from the SHOW ENCO CHANNEL command.

Figure 18-7: Example output from the SHOW ENCO CHANNEL command for aspecified channel.

Channel State User UserID MDL pktOverhead Process

------------------------------------------------------------

1 UP SA f0000001 1528 72 DES

2 UP PPP 00000001 1500 64 DES

3 UP SSH 00000001 1584 16 DES

------------------------------------------------------------

Table 18-3: Parameters displayed in the output of the SHOW ENCO CHANNEL

command.

Parameter Meaning

Channel The channel identification number.

State The state of the channel; one of UP or DOWN.

User The user module attached to this channel; one of PPP, FR,

MIOX, TEST, SA SSH, ISAKMP or IPSEC.

UserID A number used by the user module to identify this channel.

MDL The maximum data length of packets accepted on this channel.

pktOverhead The number of bytes that the user module requested be reserved

in a packet in front of encoded data.Process The process for which the channel is configured; one of

PREDICTOR, STAC, RSA, DH, DES, or HMAC.

Channel ........................ 1

Type ........................... ENCODE/DECODE

State .......................... UP

User ........................... SSHUser ID ........................ 00000001

Maximum Data Length ............ 1584

Packet Overhead ................ 16

Process ........................ DES

Process Configuration:

Des Type..........DES - 56 bit

Channel Type......ENCODE/DECODE

History Mode......Off

IV Type...........Random

7/27/2019 enco

30/50



Table 18-4: Parameters displayed in the output of the SHOW ENCO CHANNELcommand for a specified channel .

Parameter Meaning

Channel The identification number of the channel.

Type The mode of the channel; one of ENCODE/DECODE,ENCODE ONLY or DECODE ONLY.

State The state of the channel; one of UP or DOWN.

User The user module attached to this channel; one of PPP,

FR, MIOX, TEST, SA SSH, ISAKMP or

IPSEC.

User ID A number used by the user module to identify this

channel.

Maximum Data Length The maximum data length of packets accepted on this

channel.

Packet Overhead The number of bytes reserved at the head of data

packets in front of the encoded data, for lower layer

packet headers.

Process The process for which the channel is configured; one of

PREDICTOR, STAC, RSA, DH, DES or

HMAC.

Process Configuration Details about a particular process. The fields displayed

vary depending on the process.

Max Data Length The maximum allowed length of data packets on the

channel.

Check Type The type of checksum to be used; one of XOR8 or

NONE (STAC compression), CRCCCITT or

CRC16(Predictor compression).

DES Type [DES] The DES encryption/decryption algorithm used to

process packets on the channel; one of DES56 bit,

3DES112 bitouter CBC, 3DES168 bitinner

CBC, 3DES168 bitouter CBC or DESMAC.

Channel Type [DES] The mode of the channel; one of ENCODE/

DECODE, ENCODE ONLY or DECODE ONLY.

History Mode [DES] Whether or not DES is operating with history

mode enabled; one of On or Off.

IV Type [DES] The type of Initialisation Vector (IV) used by DES;

one of Zero, Random or Specified.RSA mode [RSA] The RSA encryption mode on this channel; one of

PUBLIC or PRIVATE.

Mode [Diffie Hellman] Which mode of DH; one of Phase 1

or Phase 2.

Group Type [Diffie Hellman] The group types supported. Only

MODP is currently supported.

Group [Diffie Hellman] The Diffie Hellman group; one of 768-

bit MODP or 1024-bit MODP.

Algorithm [HMAC] The HMAC algorithm; one of MD5 or

SHA.

Key Length [HMAC] The length of the HMAC key.

7/27/2019 enco

31/50

Compression and Encryption Services SHOW ENCO CHANNEL 18-31


Figure 18-8: Example output from the SHOW ENCO CHANNEL COUNTER command.

Compression Statistics Statistics for the compression process. This section is

only displayed when compression statistics have been

enabled with the ENABLE ENCO COMPSTATISTICS

command on page 18-23.

Number of Packets Compressed The number of data packets that have been

compressed.

Best Compression Ratio The highest compression ratio achieved.

Mean Compression Ratio The mean compression ratio achieved.

Worst Compression Ratio The lowest compression ratio achieved.

Compression Ratio A range of compression ratios.

Number of Packets The number of packets compressed, for which the

resulting compression ration was in the specified range.

Table 18-4: Parameters displayed in the output of the SHOW ENCO CHANNELcommand for a specified channel (Continued).

Parameter Meaning

Channel Counter:

UP events 1 DOWN events 0

start config 1 attach good 1

encode NULL packets 0 decode NULL packets 0

encode bad priorities 0 decode bad priorities 0

encode bad length 0 decode bad length 0

encode actions sent 0 decode actions sent 0

good encodes 0 good decodes 0

bad encodes 0 bad decodes 0

reset E actions sent 0 reset D actions sent 0

good encode resets 0 good decode resets 0

bad encode resets 0 bad decode resets 0

discarded encode jobs 0 discarded decode jobs 0

Table 18-5: Parameters displayed in the output of the SHOW CHANNELS COUNTERcommand .

Parameter Meaning

UP events The number of times the channel has entered the UP

state.

DOWN events The number of times the channel has entered the DOWN

state.

start config The number of times a configure operation has started on

the channel.

attach good The number of successful attach operations on the channel.

encode NULL packets The number of encode requests received from a user

module with no data packet.

decode NULL packets The number of decode requests received from a user

module with no data packet.

encode bad priorities The number of encode requests received from a user

module with a data packet containing an unknown priority.

7/27/2019 enco

32/50



Examples To show a summary of all active ENCO channels, use the command:

SHOW ENCO CHANNEL

To show detailed configuration and status information for channel 1, use thecommand:

SHOW ENCO CHANNEL=1

To show information counter for channel 1, use the command:

SHOW ENCO CHANNEL=1 COUNTER

See Also SHOW ENCO COUNTER

decode bad priorities The number of decode requests received from a user

module with a data packet containing an unknown priority.

encode bad length The number of encode requests received from a usermodule with a data packet with a bad length.

decode bad length The number of decode requests received from a user

module with a data packet with a bad length.

encode actions sent The number of encode actions which have been sent to the

process on this channel.

decode actions sent The number of decode actions which have been sent to the

process on this channel.

good encodes The number of successful encode operations on the

channel.

good decodes The number of successful decode operations on the

channel.

bad encodes The number of unsuccessful encode operations on the

channel.

bad decodes The number of unsuccessful decode operations on the

channel.

reset E actions sent The number of encode reset actions which have been sent

to the process on the channel.

reset D actions sent The number of decode reset actions which have been sent

to the process on the channel.

good encode resets The number of successful encode resets on the channel.

good decode resets The number of successful decode resets on the channel.

bad encode resets The number of unsuccessful encode resets on the channel.

bad decode resets The number of unsuccessful decode resets on the channel.

discarded encode jobs The number of encode jobs discarded due to queue

overloading or a channel reset.

discarded decode jobs The number of decode jobs discarded due to queue

overloading or a channel reset.

Table 18-5: Parameters displayed in the output of the SHOW CHANNELS COUNTERcommand (Continued).

Parameter Meaning

7/27/2019 enco

33/50

Compression and Encryption Services SHOW ENCO COUNTER 18-33


SHOW ENCO COUNTER

Syntax SHOW ENCO COUNTER={DES|DH|HMAC|JOBPROCCESSING|MAC|PAC|PRED|RSA|STAC|USER|UTIL}

Description This command displays information counters for the ENCO module.

The COUNTER parameter specifies the category of counters to display. TheUSER, UTIL and JOBPROCCESSING counters display information about thegeneral operation of the ENCO module. The DES, DH, HMAC, PRED, RSAand STAC counters display information for particular processes.The MAC andPAC counters disp

Documents

enco