Key updates

Key updates overview

For increased security, Nokia recommends frequent replacement of the keys in a key group, which is called a rekeying operation. For each key group, you can configure a rekeying scheduled task that defines how often the NFM-P generates and deploys a new key set to each NE associated with the key group. The rekeying mechanism ensures that there is no service degradation during rekeying.

The rekeying scheduled task associated with the key group must be deleted before the key group can be deleted.

A rekeying scheduled task cannot use a schedule in which a delay is configured. However, an inter-nodal wait time can be configured as part of the rekey schedule. If an inter-nodal wait time is configured, the NFM-P will wait a specified amount of time after rekeying each NE.

Note: The execution of a rekeying scheduled task is skipped if a manual encryption operation using the same key group is in progress.

You can modify the wait time of a scheduled task. If a change to another parameter of a scheduled task is required, you must create a new scheduled task and delete the current scheduled task.

A rekeying operation has the following phases:

If a rekeying operation fails, the NFM-P runs a cleanup operation the next time a rekey is triggered. The NFM-P determines where the process failed, applies the required correction, cleans up inactive keys, and continues with the rekey process.

After a rekeying operation, the NFM-P verifies that each key is correctly set by comparing the CRC checksum of the key value on the NE with the CRC checksum of the key value held by the NFM-P. If the verification is delayed or cannot complete, an alarm is raised.

If a rekeying operation cannot complete before the next rekeying operation is due to begin, for example, when a large number of NEs are rekeyed using a high-frequency schedule, the NFM-P retries the rekeying during the next scheduled run of the task.

You can view the results of rekeying scheduled task runs, which include the old and new CRC checksum values, from the properties form of the task; see "To view rekeying results and statistics".

The NFM-P also raises alarms for the following rekeying faults:

Key updates with offline nodes

A node is in offline mode if the NFM-P has lost connectivity to the node at the time of a specific NGE action (rekey, encrypt, or disable encryption). A node is not in offline mode if it responds to SSH and SNMP requests.

In some networks, it might be desirable to allow key groups to be rekeyed even though some of the nodes in the key group are offline. For example, in a 7705 SAR-Hm network with vehicle-mounted deployments, it may not be possible to rekey the entire key group at once, since some nodes (vehicles) are periodically offline.

By default, the rekey procedure is halted if any node in the key group is offline.

Forced rekey

The Force Re-key option allows the online nodes to be rekeyed when some nodes are offline: the offline nodes are skipped and the online nodes are rekeyed. If the sites in a key group include any site that belongs to a cellular domain, the forced rekey is skipped and a warning message is written to the server log.

When a node that has been skipped during a rekey operation comes back online, the node is rekeyed to apply the new key.

To allow nodes to learn new keys that were applied while they were offline, the nodes require configurations that provide reachability to the NFM-P. That configuration must not depend on any key group that may be rekeyed while the node is offline. When the node comes back up, it reaches the NFM-P, the NFM-P downloads the correct NGE keys for the key group to the node, and any services that were using the keys come back up.

Progressive rekey

A progressive rekey operation provides an alternative to forced rekeying when some nodes in the key group are offline. When offline nodes are encountered during the rekey operation, the NFM-P waits for them to come back online and then proceeds with the rekey operation. Using progressive rekey removes the need for the in-band configurations that provide offline nodes with reachability to the NFM-P, which are required when Force Re-key is in use.

The NFM-P provides the following information during the progressive rekey process:

If a progressive rekey operation stalls because a node remains offline, you can perform a force rekey operation for both the Key Deployment and Key Activation phases. While the operation is waiting in the Key Deployment phase, you can also stop and fail the rekey process. When nodes that did not receive the key-group keys come back online, the NFM-P detects key groups that are not in sync and automatically updates the key group as needed.

You can add or remove sites from a key group during a progressive rekey operation. If a site is added, the new site is included in the rekey operation. If a site is deleted, the site information is deleted from the node.
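The following Python model is an added illustration and is not NFM-P or Nokia code. It ties together the behaviour described above: the default run halts on any offline node, Force Re-key skips offline nodes (and is skipped entirely when the group contains a cellular-domain site), progressive rekey keeps the run in the Key Deployment phase until every pending node has been reached, each deployed key is verified by comparing the NE-side and manager-side CRC checksums, and a node that returns after being skipped is detected as out of sync and brought up to date. The Node data model, the function names, the use of CRC-32 specifically, and the key format (random bytes) are assumptions made for the example.

```python
import secrets
import zlib
from dataclasses import dataclass


@dataclass
class Node:
    """One NE (site) in a key group, as the manager sees it (assumed model)."""
    name: str
    online: bool = True
    cellular: bool = False   # site belongs to a cellular domain
    key: bytes = b""         # key currently held on the NE


class RekeyHalted(Exception):
    """Default behaviour: an offline node stops the whole run."""


def generate_key(length: int = 32) -> bytes:
    """New key material for the key group (random bytes; format is assumed)."""
    return secrets.token_bytes(length)


def crc(key: bytes) -> int:
    # CRC-32 is an assumption; the text only says "CRC checksum".
    return zlib.crc32(key) & 0xFFFFFFFF


def verify(node: Node, expected: bytes) -> bool:
    """Post-rekey check: the NE-side CRC must match the manager-side CRC."""
    return crc(node.key) == crc(expected)


def push_key(node: Node, key: bytes) -> bool:
    """Deploy a key to one NE; fails if the node cannot be reached."""
    if not node.online:
        return False
    node.key = key
    return True


def rekey_group(nodes, new_key, mode="halt", log=None):
    """Run the Key Deployment pass over a key group.

    mode is "halt" (default), "force" or "progressive". Returns which nodes
    were rekeyed and verified, which are still pending, which failed
    verification (an alarm condition), and whether the run counts as complete.
    """
    log = log if log is not None else []
    if mode == "force" and any(n.cellular for n in nodes):
        log.append("WARNING: force rekey skipped, key group contains a cellular-domain site")
        return {"rekeyed": [], "pending": [n.name for n in nodes],
                "mismatched": [], "complete": False}
    if mode == "halt" and any(not n.online for n in nodes):
        offline = [n.name for n in nodes if not n.online]
        raise RekeyHalted(f"offline nodes in key group: {offline}")
    rekeyed, pending, mismatched = [], [], []
    for n in nodes:
        if not n.online:
            pending.append(n.name)   # force: skipped; progressive: waited for
            continue
        if push_key(n, new_key) and verify(n, new_key):
            rekeyed.append(n.name)
        else:
            mismatched.append(n.name)
            log.append(f"ALARM: key verification failed on {n.name}")
    # A forced run finishes without the skipped nodes; a progressive run
    # stays in Key Deployment until every pending node has been reached.
    complete = mode == "force" or not pending
    return {"rekeyed": rekeyed, "pending": pending,
            "mismatched": mismatched, "complete": complete}


def resync_returning_node(node, group_key, log):
    """When a skipped node comes back, detect an out-of-sync key and correct it.

    Returns True if a key had to be pushed, False if the node was already in sync.
    """
    node.online = True
    if verify(node, group_key):
        return False
    log.append(f"{node.name}: key CRC {crc(node.key):08x} != group CRC "
               f"{crc(group_key):08x}, pushing current key")
    push_key(node, group_key)
    return verify(node, group_key)


if __name__ == "__main__":
    # Constructed sample group: one vehicle-style node is offline at rekey time.
    group = [Node("sar-a"), Node("sar-b", online=False), Node("sar-c")]
    key, log = generate_key(), []
    print(rekey_group(group, key, mode="force", log=log))
    print(resync_returning_node(group[1], key, log), log)
```

The `complete` flag is what separates the two offline-tolerant modes: a forced run reports completion and relies on the returning node being resynced later, whereas a progressive run reports itself incomplete so the caller keeps re-running the deployment pass (or escalates to a forced rekey) until `pending` is empty.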