Key Chain

Keychain management provides a secure mechanism for rotating shared secrets used by routing protocol authentication (BGP, OSPF, IS-IS, RSVP) and MACsec link-layer encryption on IOS-XR devices. Each key chain contains one or more keys with configurable lifetimes, enabling hitless key rollover — seamless transitions between active keys without disrupting established protocol sessions or encrypted links.

Diagram

Classes

configuration (iosxr.devices)

Name	Type	Constraint	Mandatory	Default Value
key_chains	List	`[key_chains]`	No

key_chains (iosxr.devices.configuration)

Name	Type	Constraint	Mandatory
name	String		Yes
timezone	Choice	`local`, `gmt`	No
accept_tolerance	Any	Integer[min: `1`, max: `8640000`] or Choice[`infinite`] or String[Regex: `^.[\$\%]\{.$`]	No
standard_keys	List	`[standard_keys]`	No
macsec_keys	List	`[macsec_keys]`	No

standard_keys (iosxr.devices.configuration.key_chains)

Name	Type	Constraint	Mandatory
name	Any	String or Integer[min: `0`, max: `281474976710655`] or String[Regex: `^.[\$\%]\{.$`]	Yes
password_type	Choice	`6`, `7`	No
password	String		No
algorithm	Choice	`aes-128-cmac-96`, `hmac-md5`, `hmac-sha-256`, `hmac-sha1-12`, `hmac-sha1-20`, `hmac-sha1-96`, `md5`, `sha-1`	No
accept_lifetime	Class	`[accept_lifetime]`	No
send_lifetime	Class	`[send_lifetime]`	No

macsec_keys (iosxr.devices.configuration.key_chains)

Name	Type	Constraint	Mandatory
name	String		Yes
password_type	Choice	`6`, `7`	No
password	String		No
algorithm	Choice	`aes-128-cmac`, `aes-256-cmac`	Yes
lifetime	Class	`[lifetime]`	No

accept_lifetime (iosxr.devices.configuration.key_chains.standard_keys)

Name	Type	Constraint	Mandatory
from_time	String		Yes
from_date	String		Yes
to_time	String		No
to_date	String		No
duration	Integer	min: `1`, max: `2147483646`	No
infinite	Boolean	`true`, `false`	No

Guidelines and Limitations

Lifetime Date and Time Formats

Lifetime fields use combined string formats.

from_time / to_time: "HH:MM:SS" (e.g., "08:30:00", "23:59:59")
from_date / to_date: "MM-DD-YYYY" (e.g., "01-15-2025", "12-31-2026")

Example YAML Code:

Example-1: Configure a BGP authentication key chain with HMAC-SHA-256 and infinite accept/send lifetimes.

iosxr:
  devices:
    - name: router-1
      host: 10.10.10.1:57400
      configuration:
        key_chains:
          - name: "BGP_AUTH"
            timezone: local
            accept_tolerance: 300
            standard_keys:
              - name: 1
                password_type: 7
                password: "00071A150754"
                algorithm: hmac-sha-256
                accept_lifetime:
                  from_time: "00:00:00"
                  from_date: "01-01-2025"
                  infinite: true
                send_lifetime:
                  from_time: "00:00:00"
                  from_date: "01-01-2025"
                  infinite: true

Example-2: Configure an OSPF key chain with two keys for hitless rollover using end-time and duration lifetimes.

iosxr:
  devices:
    - name: router-1
      host: 10.10.10.1:57400
      configuration:
        key_chains:
          - name: "OSPF_ROLLOVER"
            timezone: gmt
            accept_tolerance: infinite
            standard_keys:
              - name: 1
                password_type: 7
                password: "05080F1C2243"
                algorithm: hmac-sha1-20
                accept_lifetime:
                  from_time: "00:00:00"
                  from_date: "01-01-2025"
                  to_time: "23:59:59"
                  to_date: "06-30-2025"
                send_lifetime:
                  from_time: "00:00:00"
                  from_date: "01-01-2025"
                  duration: 15552000
              - name: 2
                password_type: 6
                password: "ENCRYPTED_TYPE6_KEY"
                algorithm: aes-128-cmac-96
                accept_lifetime:
                  from_time: "00:00:00"
                  from_date: "06-01-2025"
                  infinite: true
                send_lifetime:
                  from_time: "00:00:00"
                  from_date: "07-01-2025"
                  infinite: true

Example-3: Configure a MACsec pre-shared key chain with multiple CKNs for link-layer encryption.

iosxr:
  devices:
    - name: router-1
      host: 10.10.10.1:57400
      configuration:
        key_chains:
          - name: "MACSEC_PSK"
            macsec_keys:
              - name: "A1B2C3D4E5F6"
                password_type: 7
                password: "115949554642595C577A7F747D63637244574E535806580851040D531C465C0851020204055A0957540903554657520A5C575770151F08480746115A08552F7A22"
                algorithm: aes-256-cmac
                lifetime:
                  from_time: "00:00:00"
                  from_date: "01-01-2025"
                  infinite: true
              - name: "F6E5D4C3B2A1"
                password_type: 7
                password: "094F471A1A0A5C575770151F08480746"
                algorithm: aes-128-cmac
                lifetime:
                  from_time: "00:00:00"
                  from_date: "07-01-2025"
                  to_time: "23:59:59"
                  to_date: "12-31-2026"