9.12. Configuring NGE with the CLI

NGE is fully managed by the NSP NFM-P. The NSP NFM-P ensures proper network synchronization of key groups, services, and NGE domains. Managing NGE without the NSP NFM-P is not recommended. See the NSP NFM-P User Guide for more information.

This section provides information about configuring NGE using the command line interface.

9.13. Basic NGE Configuration Overview

Use the following steps to configure NGE for an MPLS service, router interface, or Ethernet port. The steps must be performed in order.

  1. Configure the group encryption label. The label must be unique, and the same label must be used on all nodes in the network group.
  2. Create a key group, duplicating this configuration on all nodes participating in this key group.
    1. Configure the encryption and authentication algorithms for the group.
    2. Configure a security association (SA) that contains the encryption and authentication keys.
    3. Configure the active outbound SA for the group.
  3. Select the SDPs, VPRN services, router interfaces, or Ethernet ports that require encryption.
    1. For each SDP, VPRN service, router interface, or Ethernet port, configure the outbound direction key group.
    2. For each SDP, VPRN service, router interface, or Ethernet port, configure the inbound direction key group.

9.14. Configuring NGE Components

The subsections that follow give the CLI syntax for each NGE parameter.

9.14.1. Configuring the Global Encryption Label

The global encryption label is the network-wide, unique MPLS encryption label used for all nodes in the network group. The same encryption label must be configured on each node in the group.

Use the following CLI syntax to configure the global encryption label:

CLI Syntax:
config>group-encryption
group-encryption-label encryption-label

The following example displays global encryption label usage:

Example:
config# group-encryption
config>grp-encryp# group-encryption-label 34

The following example displays the global encryption label configuration:

ALU-1>config>grp-encryp# info
-------------------------------------------------------
     group-encryption-label 34
-------------------------------------------------------
ALU-1>config>grp-encryp# 

9.14.2. Configuring a Key Group

To configure a key group, set the following parameters:

  1. encryption and authentication algorithms
  2. security association
  3. active outbound SA

The authentication and encryption keys must contain exactly the number of hexadecimal characters required by the algorithm in use; for example, sha256 requires a 64-character hexadecimal authentication key.

Keys are entered in clear text using the security-association command. Once entered, they are never displayed in their original, clear text form. Keys are displayed in a 7705 SAR-encrypted form, which is indicated by the system-appended crypto keyword when an info command is run (see the CLI Syntax, Example, and CLI output below). The 7705 SAR also includes the crypto keyword with an admin>save operation so that the 7705 SAR can decrypt the keys when reloading a configuration database. For security reasons, keys encrypted on one node are not usable on other nodes (that is, keys are not exchangeable between nodes).

Use the following CLI syntax to configure key group options:

CLI Syntax:
config# group-encryption
encryption-keygroup keygroup-id [create]
description description-string
esp-auth-algorithm {sha256|sha512}
esp-encryption-algorithm {aes128|aes256}
keygroup-name keygroup-name
security-association spi spi authentication-key authentication-key encryption-key encryption-key [crypto]
active-outbound-sa spi

The following example displays key group command usage:

Example:
config>grp-encryp# encryption-keygroup KG1_secure
config>grp-encryp>encryp-keygrp# description Main_secure_KG
config>grp-encryp>encryp-keygrp# esp-auth-algorithm sha256
config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes128
config>grp-encryp>encryp-keygrp# keygroup-name KG1_secure
config>grp-encryp>encryp-keygrp# security-association spi 2 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C6 encryption-key 0x63DCDD501B66F85441E4A55B597DA617
config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C5 encryption-key 0x63DCDD501B66F85441E4A55B597DA616
config>grp-encryp>encryp-keygrp# active-outbound-sa 6

The following example displays the key group configuration:

ALU-1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes128
            security-association spi 2 authentication-key 0x78d9e66a6669bd17454fe3184ee161315b67adb8912949ceda20b6b741eb63604abe17de478e24723a7d1d5f7b6ffafc encryption-key 0x8d51db8f826239f672457442cecc73665f52cbe00aedfb4eda6166001247b4eb crypto
            security-association spi 6 authentication-key 0x7fb9fc5553630924ee29973f7b0a48f801b0ae1cb38b7666045274476a268e8d694ab6aa7ea050b7a43cdf8d80977625 encryption-key 0x72bd9b87841dbebcb2d114031367ab5d9153a41b7c79c8f889ac56b950d8fffa crypto
            active-outbound-sa 6
        exit
----------------------------------------------
ALU-1>config>grp-encryp# 
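As an added example (not part of the Nokia documentation or the 7705 SAR software), the following Python script parses a key group from info detail output and checks what this section requires: clear-text key lengths that match the configured algorithms, an active outbound SA that refers to a configured SPI, and the same label, algorithms and SPI set on every node. The page only states that sha256 needs 64 hexadecimal characters; the sha512 and AES lengths are assumptions taken from those algorithms' key sizes, and keys shown with the crypto keyword are skipped because their encrypted form has a different length.

```python
import re

# Clear-text key lengths in hex characters. The page states sha256 = 64; the
# sha512 and AES figures are assumptions taken from those algorithms' key sizes.
AUTH_KEY_HEX = {"sha256": 64, "sha512": 128}
ENC_KEY_HEX = {"aes128": 32, "aes256": 64}

def parse_keygroup(info_text):
    """Parse 'info detail' output of one key group: label, algorithms, SAs, active SA."""
    def first(pattern):  # first captured value of a one-value setting, None if absent
        m = re.search(pattern, info_text, re.M)
        return m.group(1) if m else None
    kg = {"label": first(r"^\s*group-encryption-label (\d+)"),
          "auth": first(r"^\s*esp-auth-algorithm (\S+)"),
          "enc": first(r"^\s*esp-encryption-algorithm (\S+)"),
          "active_outbound": first(r"^\s*active-outbound-sa (\d+)"), "sas": {}}
    for m in re.finditer(r"^\s*security-association spi (\d+) authentication-key (\S+) "
                         r"encryption-key (\S+)( crypto)?", info_text, re.M):
        kg["sas"][m.group(1)] = {"auth_key": m.group(2), "enc_key": m.group(3), "crypto": bool(m.group(4))}
    return kg

def validate_keygroup(kg):
    """Check one node's key group; an empty list means it passes."""
    findings = []
    for spi, sa in sorted(kg["sas"].items()):
        if sa["crypto"]:
            continue  # stored in 7705 SAR-encrypted form, so clear-text lengths do not apply
        for name, key, want in (("authentication", sa["auth_key"], AUTH_KEY_HEX[kg["auth"]]),
                                ("encryption", sa["enc_key"], ENC_KEY_HEX[kg["enc"]])):
            if not re.fullmatch(r"(0x)?[0-9A-Fa-f]{%d}" % want, key):
                findings.append(f"spi {spi}: {name} key must be {want} hex characters")
    if kg["active_outbound"] not in kg["sas"]:
        findings.append(f"active-outbound-sa {kg['active_outbound']} is not a configured SPI")
    return findings

def check_group_consistency(nodes):
    """Compare one key group across nodes: label, algorithms and SPI set must match."""
    findings = []
    ref_name, ref = nodes[0]
    for name, kg in nodes[1:]:
        for field in ("label", "auth", "enc"):
            if kg[field] != ref[field]:
                findings.append(f"{name}: {field} {kg[field]} differs from {ref_name} ({ref[field]})")
        if set(kg["sas"]) != set(ref["sas"]):
            findings.append(f"{name}: SPI set {sorted(kg['sas'])} differs from {ref_name} {sorted(ref['sas'])}")
    return findings

# Constructed samples: NODE_A mirrors the page's key group; NODE_B has a different label,
# an aes128-length key under aes256 and an active SA that was never configured.
NODE_A = """
group-encryption-label 34
esp-auth-algorithm sha256
esp-encryption-algorithm aes128
security-association spi 2 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C6 encryption-key 0x63DCDD501B66F85441E4A55B597DA617
security-association spi 6 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C5 encryption-key 0x63DCDD501B66F85441E4A55B597DA616
active-outbound-sa 6
"""
NODE_B = """
group-encryption-label 35
esp-auth-algorithm sha256
esp-encryption-algorithm aes256
security-association spi 2 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C6 encryption-key 0x63DCDD501B66F85441E4A55B597DA617
active-outbound-sa 6
"""
```

Running validate_keygroup on each node and check_group_consistency on the pair before pushing a key group network-wide catches the length, SPI and label mismatches that would otherwise only surface as a silent encryption failure between nodes.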

9.14.3. Assigning a Key Group to an SDP or VPRN Service

A key group can be assigned to the following entities:

  1. SDPs
  2. VPRN services

NGE supports encryption of the following services when key groups are assigned to an SDP or VPRN service:

  1. VLL services (Epipe and Cpipe)
  2. VPRN services using Layer 3 spoke-SDP termination
  3. IES services using Layer 3 spoke-SDP termination
  4. VPLS services using spoke and mesh SDPs
  5. routed VPLS services into a VPRN or IES
  6. MP-BGP-based VPRNs
  7. NG-MVPN

For services that use SDPs, all tunnels may be either MPLS LSPs (RSVP-TE, LDP, or static LSP) or GRE tunnels. NGE is not supported on IP tunnels.

For VPRNs, the following encryptions are supported:

  1. unicast VPRN — MP-BGP-based VPRN-level encryption using spoke SDPs (spoke-sdp) or auto-bind SDPs (auto-bind-tunnel) with LDP, GRE, RSVP-TE, or segment routing (SR-ISIS, SR-OSPF, or SR-TE) tunnels
  2. multicast VPRN — NG-MVPN using mLDP with auto-discovery

Use the following CLI syntax to assign a key group to an SDP or a VPRN service:

CLI Syntax:
config>service# sdp sdp-id [create]
encryption-keygroup keygroup-id direction {inbound|outbound}
CLI Syntax:
config>service# vprn service-id
encryption-keygroup keygroup-id direction {inbound|outbound}

The following examples display a key group assigned to an SDP or a VPRN service:

Example:
config>service# sdp 61 create
config>service>sdp# encryption-keygroup 4 direction inbound
config>service>sdp# encryption-keygroup 4 direction outbound
Example:
config>service# vprn 22
config>service>vprn# encryption-keygroup 2 direction inbound
config>service>vprn# encryption-keygroup 2 direction outbound

The following example displays key group configuration for an SDP or a VPRN service.

ALU-1:Sar18>config>service# info 
----------------------------------------------
...
        sdp 61 create
            shutdown
            far-end 10.10.10.10
            exit
            encryption-keygroup 4 direction inbound
            encryption-keygroup 4 direction outbound
        exit
...
        vprn 22 customer 1 create
            shutdown
            encryption-keygroup 2 direction inbound
            encryption-keygroup 2 direction outbound
        exit
...
----------------------------------------------

9.14.4. Assigning a Key Group to a Router Interface

Use the following CLI syntax to assign a key group to a router interface:

CLI Syntax:
config>router# interface ip-int-name [create]
group-encryption
encryption-keygroup keygroup-id direction {inbound | outbound}

The following example displays a key group assigned to a router interface:

Example:
config>router# interface demo
config>router>if# group-encryption
config>router>if>group-encryp# encryption-keygroup 6 direction inbound
config>router>if>group-encryp# encryption-keygroup 6 direction outbound

The following example displays key group configuration for a router interface.

ALU-1:Sar18>config>router# info 
----------------------------------------------
...
        interface demo
            group-encryption
                encryption-keygroup 6 direction inbound
                encryption-keygroup 6 direction outbound
                exit
            no shutdown
            exit
        exit
...
----------------------------------------------

9.14.5. Assigning a Key Group to an Ethernet Port

Use the following CLI syntax to assign a key group to an Ethernet port:

CLI Syntax:
config# port port-id
ethernet
group-encryption
encryption-keygroup keygroup-id direction {inbound | outbound}

The following example displays a key group assigned to an Ethernet port:

Example:
config# port 1/2/2
config>port# ethernet
config>port>ethernet# group-encryption
config>port>ethernet>group-encryp# encryption-keygroup 6 direction inbound
config>port>ethernet>group-encryp# encryption-keygroup 6 direction outbound

The following example displays key group configuration for an Ethernet port.

ALU-1:Sar18>config>port# info 
----------------------------------------------
...
        ethernet
            group-encryption
                encryption-keygroup 6 direction inbound
                encryption-keygroup 6 direction outbound
                exit
            no shutdown
            exit
        exit
...
----------------------------------------------

9.15. NGE Management Tasks

This section describes the NGE management tasks covered in the subsections that follow.

9.15.1. Modifying a Key Group

When modifying a key group, observe the following conditions.

  1. The encryption or authentication algorithm for a key group cannot be changed if there are any SAs in the key group.
  2. The active outgoing SA must be removed (deconfigured) before the SPI can be deleted from the SA list in the key group.
  3. Before the outgoing SA can be deconfigured, the key group must be removed from all services on the node that use the key group.

In the following example, the active outgoing SA is deconfigured, the SAs are removed, and the encryption algorithm is changed. Then the SAs are reconfigured, followed by reconfiguration of the active outgoing SA. The info detail output shows the new configuration, starting from the one shown in Configuring a Key Group.

Use the following CLI syntax to modify a key group. The first syntax deconfigures the key-group items and the second syntax reconfigures them.

CLI Syntax:
config# group-encryption
encryption-keygroup keygroup-id
no active-outbound-sa
no security-association spi spi
exit
CLI Syntax:
config# group-encryption
encryption-keygroup keygroup-id
security-association spi spi authentication-key auth-key encryption-key encrypt-key
esp-encryption-algorithm {aes128|aes256}
exit
Example:
config>grp-encryp# encryption-keygroup KG1_secure
config>grp-encryp>encryp-keygrp# no active-outbound-sa
config>grp-encryp>encryp-keygrp# no security-association spi 2
config>grp-encryp>encryp-keygrp# no security-association spi 6
Example:
config>grp-encryp# encryption-keygroup KG1_secure
config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes256
config>grp-encryp>encryp-keygrp# security-association spi 2 authentication-key 0x0123456789012345678901234567890123456789012345678901234567890123 encryption-key 0x0123456789012345678901234567890123456789012345678901234567890123
config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF encryption-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF crypto
config>grp-encryp>encryp-keygrp# active-outbound-sa 2

The following output shows the key group after each stage of the modification. The first info detail display shows the key-group items deconfigured and the second shows them reconfigured: the encryption algorithm is changed from aes128 to aes256, the keys are changed, and the active outbound SA is changed to SPI 2.

ALU-1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes128
            no security-association spi 2 
            no security-association spi 6 
            no active-outbound-sa
        exit
----------------------------------------------
ALU-1>config>grp-encryp# 
ALU-1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes256
            security-association spi 2 authentication-key 0x0123456789012345678901234567890123456789012345678901234567890123 encryption-key 0x0123456789012345678901234567890123456789012345678901234567890123
            security-association spi 6 authentication-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF encryption-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF crypto
            active-outbound-sa 2
        exit
----------------------------------------------
ALU-1>config>grp-encryp# 
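The three ordering conditions above are easy to get wrong in a change script that is replayed on many nodes. As an added example (not Nokia code), the following Python linter replays 7705 SAR-style NGE CLI lines, tracks which SDPs, VPRNs, interfaces and ports still bind a key group, and reports any line that would violate one of the three rules before the script is pushed. It assumes the key group is referred to by the same identifier in both the grp-encryp context and the bindings, and it ignores key values entirely.

```python
# The three conditions from "Modifying a Key Group", numbered as on the page.
RULES = {1: "algorithms cannot change while the key group has SAs",
         2: "the SPI is the active outbound SA; deconfigure active-outbound-sa first",
         3: "the key group is still bound; remove it from every service, interface and port first"}

def lint_nge_changes(lines):
    """Replay NGE CLI lines in order; return one message per line that breaks a rule."""
    groups, bindings, errors = {}, {}, []   # groups: id -> {"sas", "active"}; bindings: (entity, dir) -> id
    group = entity = None                   # key group and sdp/vprn/interface/port currently selected
    def users(kg):                          # entities on this node still bound to key group kg
        return sorted({e for (e, _), k in bindings.items() if k == kg})
    for n, line in enumerate(lines, 1):
        tok = line.partition("# ")[2].split()       # strip the prompt, keep the command words
        if not tok:
            continue
        no = tok[0] == "no"                         # True/False also index the first real word
        cmd, arg = tok[no], tok[no + 1:]
        rule = None
        if cmd in ("sdp", "vprn", "interface", "port"):
            entity = f"{cmd} {arg[0]}"
        elif cmd == "encryption-keygroup" and "direction" in arg:   # bind or unbind a key group
            if no:
                bindings.pop((entity, arg[-1]), None)
            else:
                bindings[(entity, arg[-1])] = arg[0]
        elif cmd == "encryption-keygroup":                          # select the key group to edit
            group = arg[0]
            groups.setdefault(group, {"sas": set(), "active": None})
        elif cmd in ("esp-auth-algorithm", "esp-encryption-algorithm"):
            if groups[group]["sas"]:
                rule = 1
        elif cmd == "security-association":
            if no and groups[group]["active"] == arg[1]:
                rule = 2
            elif no:
                groups[group]["sas"].discard(arg[1])
            else:
                groups[group]["sas"].add(arg[1])
        elif cmd == "active-outbound-sa":
            if no and users(group):
                rule = 3
            elif no:
                groups[group]["active"] = None
            elif arg[0] not in groups[group]["sas"]:
                errors.append(f"line {n}: {' '.join(tok)}: SPI {arg[0]} has no security-association")
            else:
                groups[group]["active"] = arg[0]
        if rule:
            errors.append(f"line {n}: {' '.join(tok)}: rule {rule}, {RULES[rule]}")
    return errors

# Constructed script: binds key group 2, then edits it in the wrong order ("0x..." stands in for keys).
BAD_ORDER = [
    "config>service# sdp 61",
    "config>service>sdp# encryption-keygroup 2 direction inbound",
    "config>service>sdp# encryption-keygroup 2 direction outbound",
    "config>grp-encryp# encryption-keygroup 2",
    "config>grp-encryp>encryp-keygrp# security-association spi 2 authentication-key 0x... encryption-key 0x...",
    "config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x... encryption-key 0x...",
    "config>grp-encryp>encryp-keygrp# active-outbound-sa 6",
    "config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes256",   # breaks rule 1
    "config>grp-encryp>encryp-keygrp# no security-association spi 6",     # breaks rule 2
    "config>grp-encryp>encryp-keygrp# no active-outbound-sa",             # breaks rule 3
]
```

Replaying the page's own order instead (unbind the key group from sdp 61, no active-outbound-sa, remove both SAs, change the algorithm, re-add the SAs, set the new active SA) produces an empty list.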

9.15.2. Removing a Key Group

Both inbound and outbound direction key groups must be deconfigured before the key group can be removed (unbound). The inbound and outbound key groups must be deconfigured individually. Including keygroup-id is optional.

9.15.2.1. Removing a Key Group from an SDP or VPRN Service

Use the following CLI syntax to remove a key group from an SDP or a VPRN service:

CLI Syntax:
config>service# sdp sdp-id
no encryption-keygroup keygroup-id direction {inbound|outbound}
CLI Syntax:
config>service# vprn service-id
no encryption-keygroup keygroup-id direction {inbound|outbound}

The following examples display a key group removed from an SDP or a VPRN service:

Example:
config>service# sdp 61
config>service>sdp# no encryption-keygroup 4 direction inbound
config>service>sdp# no encryption-keygroup 4 direction outbound
Example:
config>service# vprn 22
config>service>vprn# no encryption-keygroup 2 direction inbound
config>service>vprn# no encryption-keygroup 2 direction outbound

The following example shows that the key group configuration has been removed from an SDP or a VPRN service.

ALU-1:Sar18>config>service# info 
----------------------------------------------
...
        sdp 61 create
            shutdown
            far-end 10.10.10.10
            exit
        exit
...
...
        vprn 22 customer 1 create
            shutdown
        exit
...
----------------------------------------------
ALU-1:Sar18>config>service# info 

9.15.2.2. Removing a Key Group from a Router Interface

Use the following CLI syntax to remove a key group from a router interface:

CLI Syntax:
config>router# interface ip-int-name
group-encryption
no encryption-keygroup keygroup-id direction {inbound | outbound}

The following example displays a key group removed from a router interface:

Example:
config>router# interface demo
config>router>if# group-encryption
config>router>if>group-encryp# no encryption-keygroup 6 direction inbound
config>router>if>group-encryp# no encryption-keygroup 6 direction outbound

The following example shows that the key group configuration has been removed from a router interface.

ALU-1:Sar18>config>router# info 
----------------------------------------------
...
        interface demo
            group-encryption
                exit
            no shutdown
            exit
        exit
...
----------------------------------------------

9.15.2.3. Removing a Key Group from an Ethernet Port

Use the following CLI syntax to remove a key group from an Ethernet port:

CLI Syntax:
config# port port-id
ethernet
group-encryption
no encryption-keygroup keygroup-id direction {inbound | outbound}

The following example displays a key group removed from an Ethernet port:

Example:
config# port 1/2/2
config>port# ethernet
config>port>ethernet# group-encryption
config>port>ethernet>group-encryp# no encryption-keygroup 6 direction inbound
config>port>ethernet>group-encryp# no encryption-keygroup 6 direction outbound

The following example shows that the key group configuration has been removed from an Ethernet port.

ALU-1:Sar18>config>port# info 
----------------------------------------------
...
        ethernet
            group-encryption
                exit
            no shutdown
            exit
        exit
...
----------------------------------------------

9.15.3. Changing Key Groups

Use the following sequence of CLI commands to change key groups:

  1. Remove the inbound direction key group.
  2. Change the outbound direction key group.
  3. Install the new inbound direction key group.

9.15.3.1. Changing the Key Group for an SDP or VPRN Service

Changing key groups for an SDP or VPRN service must be performed on all nodes for the service.

The following CLI syntax changes the key group on an SDP. The syntax for a VPRN service is similar. In the example below, the inbound and outbound key groups are changed from key group 4 to key group 6.

CLI Syntax:
config>service# sdp sdp-id
no encryption-keygroup keygroup-id direction {inbound|outbound}
encryption-keygroup keygroup-id direction {inbound|outbound}
Example:
config>service# sdp 61
config>service>sdp# no encryption-keygroup 4 direction inbound
config>service>sdp# encryption-keygroup 6 direction outbound
config>service>sdp# encryption-keygroup 6 direction inbound

The following example shows that the key group configuration has been changed for the SDP or the VPRN service.

ALU-1:Sar18>config>service# info 
----------------------------------------------
...
        sdp 61 create
            shutdown
            far-end 10.10.10.10
            exit
            encryption-keygroup 6 direction inbound
            encryption-keygroup 6 direction outbound
        exit
...
...
        vprn 22 customer 1 create
            shutdown
            encryption-keygroup 2 direction inbound
            encryption-keygroup 2 direction outbound
        exit
...
----------------------------------------------
ALU-1:Sar18>config>service# info 

9.15.3.2. Changing the Key Group for a Router Interface

The following CLI syntax changes the key group on a router interface. In the example below, the inbound and outbound key groups are changed from key group 6 to key group 8.

CLI Syntax:
config>router# interface ip-int-name
group-encryption
no encryption-keygroup keygroup-id direction {inbound|outbound}
encryption-keygroup keygroup-id direction {inbound|outbound}
Example:
config>router# interface demo
config>router>if# group-encryption
config>router>if>group-encryp# no encryption-keygroup 6 direction inbound
config>router>if>group-encryp# encryption-keygroup 8 direction outbound
config>router>if>group-encryp# encryption-keygroup 8 direction inbound

The following example shows that the key group configuration has been changed for the router interface.

ALU-1:Sar18>config>router# info 
----------------------------------------------
...
        interface demo
            group-encryption
                encryption-keygroup 8 direction inbound
                encryption-keygroup 8 direction outbound
                exit
            no shutdown
            exit
        exit
...
----------------------------------------------

9.15.3.3. Changing the Key Group for an Ethernet Port

The following CLI syntax changes the key group on an Ethernet port. In the example below, the inbound and outbound key groups are changed from key group 6 to key group 8.

CLI Syntax:
config# port port-id
ethernet
group-encryption
no encryption-keygroup keygroup-id direction {inbound|outbound}
encryption-keygroup keygroup-id direction {inbound|outbound}
Example:
config# port 1/2/2
config>port# ethernet
config>port>ethernet# group-encryption
config>port>ethernet>group-encryp# no encryption-keygroup 6 direction inbound
config>port>ethernet>group-encryp# encryption-keygroup 8 direction outbound
config>port>ethernet>group-encryp# encryption-keygroup 8 direction inbound

The following example shows that the key group configuration has been changed for the Ethernet port.

ALU-1:Sar18>config>port# info 
----------------------------------------------
...
        ethernet
            group-encryption
                encryption-keygroup 8 direction inbound
                encryption-keygroup 8 direction outbound
                exit
            no shutdown
            exit
        exit
...
----------------------------------------------

9.15.4. Deleting a Key Group from a 7705 SAR

To delete a key group from a 7705 SAR, the key group must be removed (unbound) from all SDPs, VPRN services, router interfaces, and Layer 2 NGE-encrypted Ethernet ports that use it.

To locate the key group bindings, use the CLI command show>group-encryption>encryption-keygroup keygroup-id.

Use the following CLI syntax to delete a key group:

CLI Syntax:
config# group-encryption
no encryption-keygroup keygroup-id
Example:
config>grp-encryp# no encryption-keygroup 8