To prevent an adversary from having time to break your cryptosystem, you need to periodically replace the security associations that you created in Step 5 with new ones. Use the following procedure to replace your current security associations. If you are running an IPv4 network, the IKE module manages the replacement of security associations.
How to Replace Current Security Associations
This procedure enables you to replace current security associations. You should do this procedure periodically so that an adversary has less time to break your cryptosystem.
Become superuser on the system console.
Note - Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the total security of the system is reduced to the security of the remote login session.
On each system, flush the current security associations in ipseckey command mode:
# ipseckey > flush >
Set new security associations for outbound packets:
> add esp spi new-random-number src local-system dst remote-system \ auth_alg the_algorithm-name encr_alg the_algorithm-name \ authkey random-hex-string-of-algorithm-specified-length \ encrkey random-hex-string-of-algorithm-specified-length
Press the Return key.
This step executes the command and redisplays the ipseckey command mode prompt.
Set new security associations for inbound packets:
> add esp spi new-random-number src remote-system dst local-system \ auth_alg the_algorithm-name encr_alg the_algorithm-name \ authkey random-hex-string-of-algorithm-specified-length \ encrkey random-hex-string-of-algorithm-specified-length
Note - The keys and SPI can and should be different for each security association.
Type Control-D or quit to exit this mode.
Example--Replacing Security Associations in ipseckeys Files
The following example refreshes the keys on the systems partym and enigma, whose traffic was secured in "How to Secure Traffic Between Two Systems". The assumption is that both systems are using the SHA1 algorithm for AH, and both systems are using IPv6 addresses.
Flush the current keys.
Edit the ipseckeys file on both systems to replace existing SPI and authkey values.
Edit the ipseckeys file on partym:
# for inbound packets add ah spi 0x55142 dst partym authalg sha1 \ authkey 012345678921001234abcdeffedcba9876543210 # for outbound packets add ah spi 0x235211 dst enigma authalg sha1 \ authkey 21001234abcdef98765432100123456789fedcba
Edit the ipseckeys file on enigma:
# for inbound packets add ah spi 0x235235 dst enigma authalg sha1 \ authkey 123456780123456789abcdeffedcba9876543210 # for outbound packets add ah spi 0x123456 dst partym authalg sha1 \ authkey abcdef98765432100123456789fed12345678bac
To make sure that latched sockets use the new keys, reboot both systems. The ipseckeys file is read automatically at boot time.
# /usr/sbin/reboot
If you are testing, you can place the new keys into the security database on each system without rebooting:
# ipseckey -f /etc/inet/secret/ipseckeys