Configuring NGE with CLI

NGE is fully managed by the NSP NFM-P. The NSP NFM-P ensures correct network synchronization of key groups, services, and NGE domains. Managing NGE without the NSP NFM-P is not recommended. See the NSP NFM-P User Guide for more information.

This section provides information about configuring NGE using the command line interface.

Basic NGE configuration overview

This procedure configures NGE for an MPLS service or router interface.
  1. Configure the group encryption label. The label must be unique, and the same label must be used on all nodes in the network group.
  2. Create a key group, duplicating this configuration on all nodes participating in this key group.
    1. Configure the encryption and authentication algorithms for the group.
    2. Configure a security association (SA) that contains the encryption and authentication keys.
    3. Configure the active outbound SA for the group.
  3. Select the SDPs, VPRN services, or router interfaces that require encryption.
    1. For each SDP, VPRN service, or router interface, configure the outbound direction key group.
    2. For each SDP, VPRN service, or router interface, configure the inbound direction key group.

Configuring NGE components

Use the CLI syntax in the subsequent sections to configure NGE.

Configuring the global encryption label

The global encryption label is the network-wide, unique MPLS encryption label used for all nodes in the network group. The same encryption label must be configured on each node in the group.

Use the following command to configure the global encryption label.

configure group-encryption group-encryption-label

Configuring a key group

To configure a key group, set the following command options:

  • encryption and authentication algorithms

  • security association

  • active outbound SA

The authentication and encryption keys must contain the exact number of hexadecimal characters required by the algorithm used. For example, using sha256 requires 64 hexadecimal characters.

Keys are entered in cleartext using the following command:

configure group-encryption encryption-keygroup security-association

Once entered, keys are never displayed in their original, cleartext form. Keys are displayed in an encrypted form, which is indicated by the system-appended keyword when an info command is run (crypto in the classic CLI, hash2 in the MD-CLI).

The NGE node also includes the crypto keyword with an admin save operation so that the NGE node can decrypt the keys when reloading a configuration database. For security reasons, keys encrypted on one node are not usable on other nodes (that is, keys are not exchangeable between nodes).

Use the commands in the following context to configure key group options.

configure group-encryption encryption-keygroup

The following example displays the key group configuration.

MD-CLI

[ex:/configure group-encryption]
A:admin@node-2# info detail
    group-encryption-label 34
    encryption-keygroup 2 {
        description "Main_secure_KG"
        keygroup-name "KG1_secure"
        authentication-algorithm sha256
        encryption-algorithm aes128
        active-outbound-security-association 6
        security-association 2 {
            authentication-key "0XLyKVjy88fjyz0FGgpoklHAPB8344vN42vv6LMy5Zy1e08aiZe2CLaLstrqXQaw" hash2
            encryption-key "bxYkRG2enIPs85zNMSDhX1BzGMaro8TAIFrwcysTRf8=" hash2
        }
        security-association 6 {
            authentication-key "RmzyeCJNICozfGXXQ4jfBQ1zRbW6nf5GcjTuCYSjQCAri1ufVhABj9NoZqcmtwb8" hash2
            encryption-key "jWYIDREOTd3jeViBBprxGQ4Dixn87UypaM1dNosk7Iw=" hash2
        }
    }

classic CLI

A:node-2>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes128
            security-association spi 2 authentication-key 0x78d9e66a6669bd17454fe3184ee161315b67adb8912949ceda20b6b741eb63604abe17de478e24723a7d1d5f7b6ffafc encryption-key 0x8d51db8f826239f672457442cecc73665f52cbe00aedfb4eda6166001247b4eb crypto
            security-association spi 6 authentication-key 0x7fb9fc5553630924ee29973f7b0a48f801b0ae1cb38b7666045274476a268e8d694ab6aa7ea050b7a43cdf8d80977625 encryption-key 0x72bd9b87841dbebcb2d114031367ab5d9153a41b7c79c8f889ac56b950d8fffa crypto
            active-outbound-sa 6
        exit
----------------------------------------------
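Steps 1 and 2 of the overview require the encryption label and the key group definition to be identical on every node, and the keys themselves cannot be compared because each node displays them in its own encrypted form. The following script is an added example, not part of the Nokia documentation: it parses the MD-CLI info detail output shown above for several nodes and reports the settings that differ or an active outbound SA that is not defined. The node names and key values are constructed.

```python
"""Audit the NGE key-group settings that must match on every node; hash2 keys are node-specific and skipped."""
import re

# Constructed sample modelled on the page's node-2 MD-CLI output (key lines omitted: they
# are displayed hash2-encrypted and are not comparable between nodes).
NODE_2 = """\
    group-encryption-label 34
    encryption-keygroup 2 {
        authentication-algorithm sha256
        encryption-algorithm aes128
        active-outbound-security-association 6
        security-association 2 {
        }
        security-association 6 {
        }
    }
"""
# node-3 was mis-keyed: wrong label, and its active outbound SA is not a defined SA.
NODE_3 = NODE_2.replace("label 34", "label 35").replace("association 6\n", "association 7\n")

def parse_group_encryption(text):
    """Return {'label': int, 'keygroups': {id: {setting: value, 'sas': set}}}."""
    cfg, kg = {"label": None, "keygroups": {}}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"group-encryption-label (\d+)$", line):
            cfg["label"] = int(m.group(1))
        elif m := re.match(r"encryption-keygroup (\d+) \{$", line):
            kg = cfg["keygroups"].setdefault(int(m.group(1)), {"sas": set()})
        elif kg and (m := re.match(r"security-association (\d+) \{$", line)):
            kg["sas"].add(int(m.group(1)))
        elif kg and (m := re.match(r"(authentication-algorithm|encryption-algorithm|"
                                   r"active-outbound-security-association) (\S+)$", line)):
            kg[m.group(1)] = m.group(2)
    return cfg

def audit(nodes):
    """Compare every node with the first one; an empty list means the group is consistent."""
    findings, (ref_name, ref) = [], next(iter(nodes.items()))
    for name, cfg in nodes.items():
        if cfg["label"] != ref["label"]:
            findings.append(f"{name}: label {cfg['label']} differs from {ref_name} ({ref['label']})")
        for kid, kg in cfg["keygroups"].items():
            active = kg.get("active-outbound-security-association")
            if active is None or int(active) not in kg["sas"]:
                findings.append(f"{name}: keygroup {kid} active outbound SA {active} is not configured")
            rkg = ref["keygroups"].get(kid, {})
            for field in ("authentication-algorithm", "encryption-algorithm", "sas"):
                if kg.get(field) != rkg.get(field):
                    findings.append(f"{name}: keygroup {kid} {field} differs from {ref_name}")
    return findings
```

Feed each node's info detail text to parse_group_encryption and pass the results to audit; any finding means the key group is not synchronized and traffic between the mismatched nodes will be dropped or sent with the wrong SA.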

Assigning a key group to an SDP, VPRN service, PW template, or WLAN-GW group interface

A key group can be assigned to the following entities:

  • SDPs

  • VPRNs

  • PW templates

  • WLAN-GW group interface

Note: Key groups can only be assigned to SDPs or VPRNs using the classic CLI commands.

NGE supports encrypting the following services when key groups are assigned to an SDP, VPRN service, PW template, or WLAN-GW group interface:

  • VLL services (Epipe or BGP-VPWS)

  • VPRN service using Layer 3 spoke-SDP termination

  • IES service using Layer 3 spoke-SDP termination

  • VPLS service using spoke and mesh SDPs

  • routed VPLS service into a VPRN or IES

  • MP-BGP-based VPRNs

  • BGP-VPLS and BGP-VPWS with an auto-created GRE SDP

For services that use SDPs, all tunnels may be either MPLS LSPs (RSVP-TE, LDP, or static LSP), or GRE or MPLSoUDP tunnels.

For MP-BGP services, resolving routes using spoke SDPs or auto-bind SDPs is supported using LDP, GRE, RSVP-TE, or segment routing (SR-ISIS, SR-OSPF, or SR-TE).

Use the following commands to assign a key group to an SDP, VPRN service, PW template, or WLAN-GW group interface:

  • MD-CLI
    configure service pw-template encryption-keygroup inbound
    configure service pw-template encryption-keygroup outbound
    configure service vprn subscriber-interface group-interface wlan-gw group-encryption encryption-keygroup-inbound
    configure service vprn subscriber-interface group-interface wlan-gw group-encryption encryption-keygroup-outbound
  • classic CLI
    configure service sdp encryption-keygroup direction {inbound | outbound}
    configure service vprn encryption-keygroup direction {inbound | outbound}
    configure service pw-template encryption-keygroup direction {inbound | outbound}
    configure service vprn subscriber-interface group-interface wlan-gw group-encryption encryption-keygroup direction {inbound | outbound}
Note: After assigning a key group to the PW template, execute the following command:
tools perform service eval-pw-template allow-service-impact