Configuration

Configuration overview

You can configure NGE using an NFM-P GUI or OSS client.

Global encryption label

NFM-P NGE management requires a global encryption label that is used as a common NGE identifier by all participating NEs in the managed network. A global encryption label must be configured before any services are encrypted. A global encryption label is intended to be set once, for permanent use, and cannot be modified. The global encryption label can be deleted only if no key groups exist in the NFM-P and no local key groups exist on NEs.

An alarm is raised if the deployment of a global encryption label fails, if the NFM-P and NE labels do not match, or if a global encryption label is detected on an NE during device discovery.

Note: An attempt to create a static MPLS ingress label is blocked if the label has the same value as the NGE group encryption label.

An attempt to create the group encryption label is blocked if the label has the same value as a static MPLS ingress label in the network.

If the NFM-P discovers an NE that supports NGE, and the NE has a static MPLS ingress label that matches the group encryption label, an alarm is raised.
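The label rules above (set-once label, deletion only when no key groups exist, no overlap with static MPLS ingress labels, alarms on discovery) are the checks an OSS client would want to run before pushing a change. The following is an added example that models those rules, not NFM-P product code; the NE names and label values are constructed.

```python
# Added example (not NFM-P product code): a pre-deployment validator that models the
# global-encryption-label rules described above, so an OSS client can reject a
# conflicting change before pushing it. NE names and label values are constructed.

class NgeLabelPolicy:
    """Tracks the global encryption label, NFM-P key groups and per-NE static MPLS ingress labels.
    Each mutator returns None when the change is allowed, or a string saying why it is blocked."""

    def __init__(self):
        self.global_label = None   # set once for permanent use; never modified in place
        self.key_groups = set()    # key groups that exist in the NFM-P
        self.static_labels = {}    # NE name -> set of static MPLS ingress labels on that NE
        self.alarms = []           # (NE name, reason) tuples raised by discovery

    def set_global_label(self, label):
        if self.global_label is not None:
            return "global encryption label is already set and cannot be modified"
        for ne, labels in self.static_labels.items():
            if label in labels:
                return f"label {label} is already a static MPLS ingress label on {ne}"
        self.global_label = label
        return None

    def delete_global_label(self, local_key_groups_on_nes=0):
        # Allowed only when no key groups exist in the NFM-P and none exist locally on NEs.
        if self.key_groups or local_key_groups_on_nes:
            return "key groups still exist; remove them before deleting the label"
        self.global_label = None
        return None

    def add_static_mpls_label(self, ne, label):
        if label == self.global_label:
            return f"label {label} has the same value as the NGE group encryption label"
        self.static_labels.setdefault(ne, set()).add(label)
        return None

    def discover_ne(self, ne, static_labels, ne_global_label=None):
        """Model NE discovery: record the NE's labels and raise the alarms listed above."""
        self.static_labels.setdefault(ne, set()).update(static_labels)
        raised = []
        if ne_global_label is not None:
            raised.append((ne, "global encryption label detected during discovery"))
            if ne_global_label != self.global_label:
                raised.append((ne, "NFM-P and NE global encryption labels do not match"))
        if self.global_label is not None and self.global_label in static_labels:
            raised.append((ne, "static MPLS ingress label matches the group encryption label"))
        self.alarms.extend(raised)
        return raised
```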

Key groups

NGE deployment to one or more NEs requires a key group that contains the NGE keys. A key group defines the algorithms that the NFM-P uses to generate the encryption and authentication keys. A key group also contains a list of the current Security Associations (SAs) between the key group and the service objects that use the key group.

After you create a key group, you cannot modify the encryption and authentication algorithms; if such changes are required, you must create a new key group and delete the previous key group.

After the initial key group deployment, you can use a scheduled task for the regular and automatic replacement of the keys in the key group; see Key updates.

Keys are always encrypted when stored in the database; transfer of keys to the network elements is over a secure and encrypted connection.

Note: You cannot delete a key group if any SDPs, service objects, NGE domains, L3 router interfaces, or L2 Ethernet ports are associated with the key group.

NGE cleanup scheduled task

The NGE cleanup task is auto-created during NFM-P system initialization. The NGE cleanup task removes unused SPIs and key groups from the NE.

Key groups that exist only on an NE (configured using the CLI) and not in the NFM-P are removed by the NGE cleanup task if the key group has no service association on the NE.

When encryption is disabled on the last service using the key group of a site, the cleanup task will remove the key group from the site.

The NGE cleanup task runs every night at midnight by default. The task must not be deleted; however, it can be executed manually at any time.

Choose Manage→Network Group Encryption from the NFM-P main menu and choose Cleanup Scheduled Task from the drop-down menu to open the NGE Cleanup Scheduled Task.