I am about to create a new tagging key for the first time in the Bounce Verification settings of our IronPort C350 and I'm wondering if anyone could advise on a few things please.
1) Should the tagging key have some degree of complexity?
2) Is there a need/recommendation to change the tagging key at intervals?
3) If I was to change the tagging key on the device, and subsequently delete the old one, what would happen to any bounce verifications that were 'tagged' with the old key? Would they be rejected, or are the old keys remembered in some way by the IronPort device for a period of time?
The IETF draft does not include recommendations on key complexity. There is minimal protection against replay of known keys, so choosing a highly complex key would provide little, if any, additional security.
The signatures include a timestamp that will automatically treat any otherwise valid bounce as invalid if it is received more than 7 days after being sent.
If you change keys, the appliance will only use keys that are less than seven days old (in most cases).
If you purge a key from the system, it can no longer be used for validation, no matter what the age.
BATV does not provide a complicated security algorithm in order to minimize the overhead in signing and validating messages. Because of that, rotating keys and choosing complicated text strings can provide only a limited amount of additional security.
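The mechanics the answer describes (a truncated HMAC over the original address, a key id, an expiry day, and a validation window of 7 days, with old keys kept until their last tag has aged out and purged keys never validating) can be seen in the following worked model. This is an added example, not code from the IronPort appliance or from Cisco: it follows the general "prvs=" layout of the BATV draft, but the exact encoding, hash and truncation the C350 uses are not stated on this page and are assumptions here, as are the sample keys and dates.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# A tag is accepted only while its encoded expiry day is at most this many days
# ahead of the validating day (the 7-day window the answer describes).
VALIDITY_DAYS = 7

# Constructed sample keys (hypothetical): single-digit key id -> secret bytes.
# Purging a key on the appliance corresponds to removing it from this mapping.
KEYS = {
    "1": b"old-tagging-key",
    "2": b"new-tagging-key",
}

EPOCH = date(1970, 1, 1)
# prvs=<key id><expiry day mod 1000><6 hex sig>=<original address>
TAG_RE = re.compile(r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<orig>.+)$")


def day_number(d):
    """Days since 1970-01-01."""
    return (d - EPOCH).days


def _sig(secret, key_id, ddd, orig):
    # Truncated HMAC-SHA1 over key id, expiry day and original address.
    # Assumption: 24-bit truncation, as in the draft's prvs layout.
    msg = f"{key_id}{ddd:03d}{orig}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6]


def sign(orig, key_id, keys, sent_on):
    """Return the tagged form of `orig`; the tag expires VALIDITY_DAYS after `sent_on`."""
    ddd = (day_number(sent_on) + VALIDITY_DAYS) % 1000
    return f"prvs={key_id}{ddd:03d}{_sig(keys[key_id], key_id, ddd, orig)}={orig}"


def verify(tagged, keys, today):
    """Return (accepted, reason, original_address) for an incoming bounce recipient."""
    m = TAG_RE.match(tagged)
    if not m:
        return False, "untagged", None
    key_id, ddd, sig, orig = m["k"], int(m["ddd"]), m["sig"], m["orig"]
    secret = keys.get(key_id)
    if secret is None:
        # A purged key can never validate, whatever the age of the tag.
        return False, "unknown or purged key", orig
    if not hmac.compare_digest(sig, _sig(secret, key_id, ddd, orig)):
        return False, "bad signature", orig
    # Expiry is stored mod 1000 days; the distance from today must fall inside the window.
    if (ddd - day_number(today)) % 1000 > VALIDITY_DAYS:
        return False, "expired", orig
    return True, "ok", orig


def rotation_timeline():
    """Worked timeline: tag under key 1, rotate signing to key 2, keep key 1 for
    validation until its last tag ages out, and show what purging it early does."""
    keys = dict(KEYS)
    t0 = date(2024, 3, 1)  # constructed send date
    tagged = sign("user@example.com", "1", keys, t0)
    results = {
        "day0": verify(tagged, keys, t0)[0],
        # Key 2 is now used for new tags, but key 1 is still held for validation.
        "day7": verify(tagged, keys, t0 + timedelta(days=7))[0],
        "day8": verify(tagged, keys, t0 + timedelta(days=8))[0],
    }
    del keys["1"]  # purge the old key while its tags are still within the window
    results["purged_on_day3"] = verify(tagged, keys, t0 + timedelta(days=3))[0]
    return results


if __name__ == "__main__":
    print(rotation_timeline())
```

The timeline returns accepted on day 0 and day 7, rejected on day 8 (expired), and rejected on day 3 once key 1 has been purged, matching the behaviour described above. The practical consequence: when rotating, generate the new key, keep the old one on the appliance for at least the validity window, and only then delete it, so that bounces for mail sent under the old key are still recognised.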