Encryption

MACsec Pre-Shared Keys (PSK)

The NFM-P may optionally be used to configure MACsec PSKs for encrypted switch-to-switch connectivity between supported NEs. Each Secure Association (SA) in the NE holds a Secure Association Key (SAK): the secret key that the cryptographic operations use to encrypt the datapath PDUs carried on that channel.

A pre-shared key may be created by NSP. Each PSK is configured with two fields: a Connectivity Association Key Name (CKN), which identifies the key on both NEs, and the Connectivity Association Key (CAK), the shared secret from which MACsec Key Agreement (MKA) derives the SAKs.

The NFM-P can be configured with scheduled hitless re-keying of PSK.

The NFM-P supports two sources for keying material:

  1. Local: PSK is generated locally

  2. Hardware Security Module (HSM): PSK is generated by a supported HSM; see the NSP NFM-P Network Element Compatibility Guide for a list of supported HSMs

Before an HSM can be used for key management, the HSM must be added to the NFM-P configuration. See the NSP System Administrator Guide for more information.

Note: The NFM-P does not store CAKs generated by an HSM.

Note: For increased security, Nokia recommends scheduling periodic re-keying of PSKs.
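As an added illustration, not code from the NSP or NFM-P product, the following Python models what the "Local" keying source has to produce and what a scheduled re-key decides: a CKN/CAK pair drawn from the operating-system CSPRNG, checks on the pair before it is pushed to an NE, and a re-key plan in which the new PSK carries a fresh CKN so the two CAKs can be told apart during the hitless switchover. The CAK sizes (128 or 256 bits) and the CKN limit (1 to 32 octets) come from IEEE 802.1X MKA; that a given NE accepts both CAK sizes is an assumption to confirm against the Network Element Compatibility Guide, and all function names are hypothetical.

```python
import re
import secrets
import time

# IEEE 802.1X MKA sizes: a CAK is 128 or 256 bits, a CKN is 1..32 octets.
# Assumption (not from the NFM-P documentation): the target NEs accept both CAK sizes.
CAK_OCTETS = (16, 32)
CKN_MAX_OCTETS = 32
_HEX = re.compile(r"^[0-9a-fA-F]*$")


def generate_psk(cak_octets=32, ckn_octets=16):
    """Local keying source: draw a fresh CKN/CAK pair from the OS CSPRNG (hex strings).

    Hypothetical helper. An HSM-backed source would return the same shape, but the
    CAK would be produced inside the HSM and never retained by the management system.
    """
    if cak_octets not in CAK_OCTETS:
        raise ValueError(f"CAK must be one of {CAK_OCTETS} octets, got {cak_octets}")
    if not 1 <= ckn_octets <= CKN_MAX_OCTETS:
        raise ValueError(f"CKN must be 1..{CKN_MAX_OCTETS} octets, got {ckn_octets}")
    return {"ckn": secrets.token_hex(ckn_octets), "cak": secrets.token_hex(cak_octets)}


def validate_psk(ckn, cak):
    """Return a list of problems with a CKN/CAK pair; an empty list means it is acceptable."""
    problems = []
    for name, value, length_ok in (
        ("ckn", ckn, lambda n: 1 <= n <= CKN_MAX_OCTETS),
        ("cak", cak, lambda n: n in CAK_OCTETS),
    ):
        if not _HEX.match(value) or len(value) % 2:
            problems.append(f"{name}: not an even-length hex string")
        elif not length_ok(len(value) // 2):
            problems.append(f"{name}: {len(value) // 2} octets is not a valid length")
    # Reject degenerate secrets (all-zero, all-0xff) that a typo or a broken RNG could produce.
    if not problems and len(set(bytes.fromhex(cak))) == 1:
        problems.append("cak: every octet is identical")
    return problems


def rekey_due(last_rekey, interval, now):
    """Scheduled re-keying: True once `interval` seconds have passed since the PSK was installed.

    Timestamps are epoch seconds (e.g. time.time()).
    """
    return now - last_rekey >= interval


def plan_rekey(current, last_rekey, interval, now):
    """Return (psk_to_install, rekeyed).

    A new PSK is generated only when the schedule says so. The new pair gets a fresh CKN so
    that, while old and new CAKs coexist during the hitless switchover, MKA can distinguish them.
    """
    if not rekey_due(last_rekey, interval, now):
        return current, False
    new = generate_psk(len(current["cak"]) // 2, len(current["ckn"]) // 2)
    while new["ckn"] == current["ckn"]:  # astronomically unlikely, but never reuse a CKN
        new = generate_psk(len(current["cak"]) // 2, len(current["ckn"]) // 2)
    return new, True


if __name__ == "__main__":
    psk = generate_psk()
    print("generated CKN:", psk["ckn"], "->", validate_psk(psk["ckn"], psk["cak"]) or "ok")
    print("rejected:", validate_psk("0a" * 16, "00" * 16))
    t0 = time.time()
    _, rotated = plan_rekey(psk, t0, 30 * 86400, t0 + 31 * 86400)
    print("re-keyed after 31 days on a 30-day schedule:", rotated)
```

The validation step is the part worth keeping in any real tooling: an operator-typed CAK of the wrong length or with a stray non-hex character is rejected before a deployment job is created, rather than failing on one NE after the peer has already switched keys.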

Network Group Encryption

The NFM-P may optionally be used to deploy Network Group Encryption (NGE) attributes to NEs. The NFM-P uses SNMP to deploy general NGE attributes to NEs, and SSH2 sessions to configure the key values. You can use an existing SSH2 user account on each NE, or, to facilitate the tracking of key value configuration activity, you can use the User NGE account. The NFM-P creates the account on each participating NGE NE and uses the account only for creating and updating key values. The NFM-P user activity log records all NGE configuration activity.

Note: To facilitate the tracking of key value configuration activity, use the "User NGE" account on each NE.

Note: For increased security, Nokia recommends using a scheduled task for the regular and automatic replacement of the keys in the key group.

FIPS

The NFM-P supports Federal Information Processing Standards (FIPS) for NE management and client communication. See the NSP Installation and Upgrade Guide for information about enabling FIPS.