- play_arrow Port Security
- play_arrow Port Security Overview
-
- play_arrow Digital Certificates
- play_arrow Configuring Digital Certificates
- Public Key Cryptography
- Configuring Digital Certificates
- Configuring Digital Certificates for an ES PIC
- IKE Policy for Digital Certificates on an ES PIC
- Configuring Digital Certificates for Adaptive Services Interfaces
- Configuring Auto-Reenrollment of a Router Certificate
- IPsec Tunnel Traffic Configuration
- Tracing Operations for Security Services
- play_arrow Configuring SSH and SSL Router Access
-
- play_arrow Trusted Platform Module
- play_arrow MACsec
- play_arrow Understanding MACsec
- play_arrow MACsec Examples
-
- play_arrow MAC Limiting and Move Limiting
- play_arrow MAC Limiting and Move Limiting Configurations and Examples
- Understanding MAC Limiting and MAC Move Limiting
- Understanding MAC Limiting on Layer 3 Routing Interfaces
- Understanding and Using Persistent MAC Learning
- Configuring MAC Limiting
- Example: Configuring MAC Limiting
- Verifying That MAC Limiting Is Working Correctly
- Override a MAC Limit Applied to All Interfaces
- Configuring MAC Move Limiting (ELS)
- Verifying That MAC Move Limiting Is Working Correctly
- Verifying That the Port Error Disable Setting Is Working Correctly
-
- play_arrow DHCP Protection
- play_arrow DHCPv4 and DHCPv6
- play_arrow DHCP Snooping
- Understanding DHCP Snooping (ELS)
- Understanding DHCP Snooping (non-ELS)
- Understanding DHCP Snooping Trust-All Configuration
- Enabling DHCP Snooping (non-ELS)
- Configuring Static DHCP IP Addresses
- Example: Protecting Against Address Spoofing and Layer 2 DoS Attacks
- Example: Protecting Against DHCP Snooping Database Attacks
- Example: Protecting Against ARP Spoofing Attacks
- Example: Prioritizing Snooped and Inspected Packet
- Configuring DHCP Security with Q-in-Q Tunneling in Service Provider Style
- play_arrow DHCP Option 82
- play_arrow Dynamic ARP Inspection (DAI)
-
- play_arrow IP Source Guard
- play_arrow Understanding IP Source Guard
- play_arrow IP Source Guard Examples
- Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN
- Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
- Example: Configuring IP Source Guard and Dynamic ARP Inspection to Protect the Switch from IP Spoofing and ARP Spoofing
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
- Configuring IP Source Guard to Mitigate the Effects of Source IP Address Spoofing and Source MAC Address Spoofing
- Example: Configuring IP Source Guard and Dynamic ARP Inspection on a Specified Bridge Domain to Protect the Devices Against Attacks
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
-
- play_arrow IPv6 Access Security
- play_arrow Neighbor Discovery Protocol
- play_arrow SLAAC Snooping
- play_arrow Router Advertisement Guard
-
- play_arrow Control Plane Distributed Denial-of-Service (DDoS) Protection and Flow Detection
- play_arrow Control Plane DDoS Protection
- play_arrow Flow Detection and Culprit Flows
-
- play_arrow Unicast Forwarding
- play_arrow Unicast Reverse Path Forwarding
- play_arrow Unknown Unicast Forwarding
-
- play_arrow Storm Control
- play_arrow Malware Protection
- play_arrow Juniper Malware Removal Tool
-
- play_arrow Configuration Statements and Operational Commands
Using Digital Certificates for IPsec
Using Digital Certificates for IPsec
A popular way for network administrators to scale an IPsec network is to use digital certificates instead of preshared keys. To enable digital certificates in your network, you need to use a combination of operational mode commands and configuration statements. The following tasks enable you to implement digital certificates on AS and MultiServices PICs installed in M Series and T Series routers:
See Also
Configuring a CA Profile
The CA profile contains the name and URL of the
CA or RA, as well as some retry timer settings. CA certificates issued
by Entrust, VeriSign, and Microsoft are all compatible with M Series,
and T Series routers. To configure the domain name of the CA or RA,
include the ca-identity statement at the [edit security
pki ca-profile ca-profile-name] hierarchy
level. To configure the URL of the CA, include the url statement
at the [edit security pki ca-profile ca-profile-name enrollment] hierarchy level. To configure the number of enrollment
attempts the router should perform, include the retry statement
at the [edit security pki ca-profile ca-profile-name enrollment] hierarchy level. To configure the amount of time
the router should wait between enrollment attempts, include the retry-interval statement at the [edit security pki ca-profile ca-profile-name enrollment] hierarchy level.
[edit security pki] ca-profile ca-profile-name { ca-identity ca-identity; enrollment { url url-name; retry number-of-enrollment-attempts; # The range is 0 though 100 attempts. retry-interval seconds; # The range is 0 though 3600 seconds. } }
When you delete the entire public key infrastructure (PKI) configuration, all the CA certificates in the device are not deleted as expected. These CA certificates are accessible after you create the CA profiles again.
Configuring a Certificate Revocation List
A certificate revocation list (CRL) contains
a list of digital certificates that have been canceled before their
expiration date. When a participating peer uses a digital certificate,
it checks the certificate signature and validity. It also acquires
the most recently issued CRL and checks that the certificate serial
number is not on that CRL. By default, CRL verification is enabled
on any CA profile running on Junos OS Release 8.1 or later. To disable
CRL verification, include the disable statement at the
[edit security pki ca-profile ca-profile-name revocation-check] hierarchy level.
To specify the URL for the Lightweight Directory
Access Protocol (LDAP) server where your CA stores its current CRL,
include the url statement at the [edit security pki ca-profile ca-profile-name revocation-check crl] hierarchy level. If the LDAP server
requires a password to access the CRL, include the password statement at the [edit security pki ca-profile ca-profile-name revocation-check crl url] hierarchy level.
You do not need to specify a URL for the LDAP server if the certificate includes a certificate distribution point (CDP). The CDP is a field within the certificate that contains information about how to retrieve the CRL for the certificate. The router uses this information to download the CRL automatically. Any LDAP URL you configure takes precedence over the CDP included in the certificate.
If you manually downloaded the CRL, you must manually
install it on the router. To manually install the CRL, issue the request security pki crl load ca-profile ca-profile-name filename path/filename command.
To configure the time interval between CRL updates,
include the refresh-interval statement at the [edit
security ca-profile ca-profile-name revocation-check
crl] hierarchy level.
To override the default behavior and permit IPsec
peer authentication to continue when the CRL fails to download, include
the disable on-download-failure statement at the [edit security ca-profile ca-profile-name revocation-check
crl] hierarchy level.
[edit security pki ca-profile ca-profile-name] revocation-check { disable; crl { disable on-download-failure; refresh-interval number-of-hours { # The range is 0 through 8784 hours. url { url-name; password; } } } }
