Configuring NGE with CLI

NGE is fully managed by the NSP NFM-P. The NSP NFM-P ensures correct network synchronization of key groups, services, and NGE domains. Managing NGE without the NSP NFM-P is not recommended. See the NSP NFM-P User Guide for more information.

This section provides information about configuring NGE using the command line interface.

Basic NGE configuration overview

This procedure configures NGE for an MPLS service or router interface.
  1. Configure the group encryption label. The label must be unique, and the same label must be used on all nodes in the network group.
  2. Create a key group, duplicating this configuration on all nodes participating in this key group.
    1. Configure the encryption and authentication algorithms for the group.
    2. Configure a security association (SA) that contains the encryption and authentication keys.
    3. Configure the active outbound SA for the group.
  3. Select the SDPs, VPRN services, or router interfaces that require encryption.
    1. For each SDP, VPRN service, or router interface, configure the outbound direction key group.
    2. For each SDP, VPRN service, or router interface, configure the inbound direction key group.

Configuring NGE components

Use the CLI syntax in the subsequent sections to configure NGE parameters.

Configuring the global encryption label

The global encryption label is the network-wide, unique MPLS encryption label used for all nodes in the network group. The same encryption label must be configured on each node in the group.

Use the following CLI syntax to configure the global encryption label:

config>group-encryption
        — group-encryption-label encryption-label

The following example displays global encryption label usage:

config# group-encryption 
    config>grp-encryp# group-encryption-label 34 

The following example displays the global encryption label configuration:

domain1>config>grp-encryp# info
-------------------------------------------------------
     group-encryption-label 34
-------------------------------------------------------
domain1>config>grp-encryp# 

Configuring a key group

To configure a key group, set the following parameters:

  • encryption and authentication algorithms

  • security association

  • active outbound SA

The authentication and encapsulation keys must contain the exact number of hexadecimal characters required by the algorithm used. For example, using sha256 requires 64 hexadecimal characters.

Keys are entered in clear text using the security-association command. Once entered, they are never displayed in their original, clear text form. Keys are displayed in an encrypted form, which is indicated by the system-appended crypto keyword when an info command is run. The NGE node also includes the crypto keyword with an admin>save operation so that the NGE node can decrypt the keys when reloading a configuration database. For security reasons, keys encrypted on one node are not usable on other nodes (that is, keys are not exchangeable between nodes).

Use the following CLI syntax to configure key group options:

config# group-encryption 
        — encryption-keygroup keygroup-id [create]
            — description description-string
            — esp-auth-algorithm {sha256|sha512}
            — esp-encryption-algorithm {aes128|aes256} 
            — keygroup-name keygroup-name
            — security-association spi spi authentication-key authentication-key encryption-key encryption-key [crypto]
            — active-outbound-sa spi

The following example displays key group command usage:

config>grp-encryp# encryption-keygroup KG1_secure
    config>grp-encryp>encryp-keygrp# description Main_secure_KG
    config>grp-encryp>encryp-keygrp# esp-auth-algorithm sha256
    config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes128
    config>grp-encryp>encryp-keygrp# keygroup-name KG1_secure
    config>grp-encryp>encryp-keygrp# security-association spi 2 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C6 encryption-key 0x63DCDD501B66F85441E4A55B597DA617 
    config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C5 encryption-key 0x63DCDD501B66F85441E4A55B597DA616 
    config>grp-encryp>encryp-keygrp# active-outbound-sa 6 ]

The following example displays the key group configuration:

domain1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes128
            security-association spi 2 authentication-
key 0x78d9e66a6669bd17454fe3184 ee161315b67adb8912949ceda20b6b741eb63604abe17de478e2
4723a7d1d5f7b6ffafc encryption-
key 0x8d51db8f826239f672457442cecc73665f52cbe00aedfb4eda6166001247b4eb crypto
            security-association spi 6 authentication-key 0x7fb9fc5553630924ee29973f
7b0a48f801b0ae1cb38b7666045274476a268e8d694ab6aa7ea050b7a43cdf8d80977625 encryption-
key 0x72bd9b87841dbebcb2d114031367ab5d9153a41b7c79c8f889ac56b950d8fffa crypto
            active-outbound-sa 6
        exit
----------------------------------------------
domain1>config>grp-encryp# 

Assigning a key group to an SDP, VPRN service, or PW template

A key group can be assigned to the following entities:

  • SDPs

  • VPRNs

  • PW templates

NGE supports encrypting the following services when key groups are assigned to an SDP, VPRN service, or PW template:

  • VLL services (Epipe or BGP-VPWS)

  • VPRN service using Layer 3 spoke-SDP termination

  • IES service using Layer 3 spoke-SDP termination

  • VPLS service using spoke and mesh SDPs

  • routed VPLS service into a VPRN or IES

  • MP-BGP-based VPRNs

  • BGP-VPLS and BGP-VPWS with auto-gre-sdp

For services that use SDPs, all tunnels may be either MPLS LSPs (RSVP-TE, LDP, or static LSP), or GRE or MPLSoUDP tunnels.

For MP-BGP services, resolving routes using spoke SDPs (spoke-sdp) or auto-bind SDPs (auto-bind-tunnel) is supported using LDP, GRE, RSVP-TE, or segment routing (SR-ISIS, SR-OSPF, or SR-TE).

Use the following CLI syntax to assign a key group to an SDP, VPRN service, or PW template:

Note: After assigning a key group to the PW template, the following tools command must be executed:

tools>perform>service>eval-pw-template>allow-service-impact

config>service# sdp sdp-id [create]
        — encryption-keygroup keygroup-id direction {inbound | outbound} 
config>service# vprn service-id 
        — encryption-keygroup keygroup-id direction {inbound | outbound} 
config>service# pw-template policy-id auto-gre-sdp [create]
        — encryption-keygroup keygroup-id direction {inbound | outbound}

The following examples display a key group assigned to an SDP, VPRN service, or PW template:

config>service# sdp 61 create
    config>service>sdp# encryption-keygroup 4 direction inbound
    config>service>sdp# encryption-keygroup 4 direction outbound
config>service# vprn 22
    config>service>vprn# encryption-keygroup 2 direction inbound
    config>service>vprn# encryption-keygroup 2 direction outbound
config>service# pw-template 12 auto-gre-sdp create
    config>service>pw-template# encryption-keygroup 4 direction inbound
    config>service>pw-template# encryption-keygroup 4 direction outbound
    config>service>pw-template# exit all
    tools>perform>service>eval-pw-template>allow-service-impact

The following example displays key group configuration for an SDP or a VPRN service.

domain1>config>service# info 
----------------------------------------------
...
        sdp 61 create
            shutdown
            far-end 10.10.10.10
            exit
            encryption-keygroup 4 direction inbound
            encryption-keygroup 4 direction outbound
        exit
...
        vprn 22 customer 1 create
            shutdown
            encryption-keygroup 2 direction inbound
            encryption-keygroup 2 direction outbound
        exit
...
----------------------------------------------