Configuring NGE with CLI

This section provides information about configuring NGE using the command line interface.

Topics in this chapter include:

  1. Basic NGE Configuration Overview
  2. Configuring NGE Components
  3. Service Management Tasks

Basic NGE Configuration Overview

Use the following steps to configure NGE for a particular service. The steps must be performed in order.

  1. Configure the global encryption label (group-encryption-label). The label must be unique network-wide, and the same label must be used on all nodes in the network group.
  2. Create a key group, duplicating this configuration on all nodes participating in this key group.
    1. Configure the encryption and authentication algorithms for the group.
    2. Configure a security association (SA) that contains the encryption and authentication keys.
    3. Configure the active outbound SA for the group.
  3. Select the SDPs or VPRN services that require encryption.
    1. For each SDP or VPRN service, configure the outbound direction key group.
    2. For each SDP or VPRN service, configure the inbound direction key group.

Configuring NGE Components

Use the CLI syntax below to configure the following NGE parameters:

  1. the global encryption label
  2. a key group (algorithms, security associations, and the active outbound SA)
  3. the assignment of a key group to an SDP or a VPRN service

Configuring the Global Encryption Label

The global encryption label is the network-wide, unique MPLS encryption label used for all nodes in the network group. The same encryption label must be configured on each node in the group.

Use the following CLI syntax to configure the global encryption label:

CLI Syntax:
config>group-encryption
group-encryption-label encryption-label

The following example displays global encryption label usage:

Example:
config# group-encryption
config>grp-encryp# group-encryption-label 34

The following example displays the global encryption label configuration:

ALU-1>config>grp-encryp# info
-------------------------------------------------------
     group-encryption-label 34
-------------------------------------------------------
ALU-1>config>grp-encryp# 

Configuring a Key Group

To configure a key group, set the following parameters:

  1. encryption and authentication algorithms
  2. security association
  3. active outbound SA

The authentication and encryption keys must contain exactly the number of hexadecimal characters required by the algorithm in use (two hexadecimal characters per byte of key): sha256 requires a 64-character authentication key, aes128 a 32-character encryption key, and aes256 a 64-character encryption key. Generate keys from a cryptographically secure random source, and never use the same value for the authentication key and the encryption key.

Keys are entered in clear text using the security-association command. Once entered, they are never displayed in their original, clear text form. Keys are displayed in a 7705 SAR OS-encrypted form, indicated by the system-appended crypto keyword when an info command is run (see the CLI Syntax, Example, and sample output below). The 7705 SAR OS also includes the crypto keyword in an admin>save operation so that the keys can be decrypted when a configuration database is reloaded. For security reasons, keys encrypted on one node are not usable on other nodes (keys are not exchangeable between nodes): a saved configuration cannot be used to carry the keys to another node, so the clear-text keys must be entered on every node in the key group.

Use the following CLI syntax to configure key group options:

CLI Syntax:
config# group-encryption
encryption-keygroup keygroup-id [create]
description description-string
esp-auth-algorithm {sha256|sha512}
esp-encryption-algorithm {aes128|aes256}
keygroup-name keygroup-name
security-association spi spi authentication-key authentication-key encryption-key encryption-key [crypto]
active-outbound-sa spi

The following example displays key group command usage:

Example:
config>grp-encryp# encryption-keygroup 2 create
config>grp-encryp>encryp-keygrp# description Main_secure_KG
config>grp-encryp>encryp-keygrp# esp-auth-algorithm sha256
config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes128
config>grp-encryp>encryp-keygrp# keygroup-name KG1_secure
config>grp-encryp>encryp-keygrp# security-association spi 2 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C6 encryption-key 0x63DCDD501B66F85441E4A55B597DA617
config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C5 encryption-key 0x63DCDD501B66F85441E4A55B597DA616
config>grp-encryp>encryp-keygrp# active-outbound-sa 6

The following example displays the key group configuration:

ALU-1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes128
            security-association spi 2 authentication-key 0x78d9e66a6669bd17454fe3184ee161315b67adb8912949ceda20b6b741eb63604abe17de478e24723a7d1d5f7b6ffafc encryption-key 0x8d51db8f826239f672457442cecc73665f52cbe00aedfb4eda6166001247b4eb crypto
            security-association spi 6 authentication-key 0x7fb9fc5553630924ee29973f7b0a48f801b0ae1cb38b7666045274476a268e8d694ab6aa7ea050b7a43cdf8d80977625 encryption-key 0x72bd9b87841dbebcb2d114031367ab5d9153a41b7c79c8f889ac56b950d8fffa crypto
            active-outbound-sa 6
        exit
----------------------------------------------
ALU-1>config>grp-encryp# 
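The key-length rule above is easy to get wrong by hand, and a key that is one character short is rejected by the CLI while a weak or reused key is not. The following Python script is added here as an example; it is not part of the 7705 SAR OS or its documentation. It validates keys against the length each algorithm requires, generates fresh keys from the operating system's CSPRNG when none are supplied, refuses identical authentication and encryption keys, and prints the security-association line to enter in the encryp-keygrp context on every node. The sha256 length (64) is stated on this page and the aes128/aes256 lengths (32/64) follow from the AES key sizes; the sha512 length (128) is an assumption of this example and should be confirmed against the CLI reference.

```python
import secrets
from typing import Optional

# Required key lengths in hexadecimal characters (two per byte of key).
# sha256 -> 64 is stated on this page; aes128 -> 32 and aes256 -> 64 follow
# from the AES key sizes. sha512 -> 128 is an assumption of this example.
AUTH_KEY_HEX = {"sha256": 64, "sha512": 128}
ENC_KEY_HEX = {"aes128": 32, "aes256": 64}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def check_key(key: str, expected_hex: int) -> str:
    """Validate a 0x-prefixed hex key of the required length; return it upper-cased."""
    if not key.startswith("0x"):
        raise ValueError("key must be written with a 0x prefix")
    body = key[2:]
    if len(body) != expected_hex:
        raise ValueError(f"key has {len(body)} hex characters, {expected_hex} required")
    if not body or any(c not in HEX_DIGITS for c in body):
        raise ValueError("key contains non-hexadecimal characters")
    return "0x" + body.upper()


def generate_key(hex_len: int) -> str:
    """Draw hex_len/2 random bytes from the OS CSPRNG; never derive NGE keys from passwords."""
    return "0x" + secrets.token_hex(hex_len // 2).upper()


def security_association_line(spi: int, auth_alg: str, enc_alg: str,
                              auth_key: Optional[str] = None,
                              enc_key: Optional[str] = None) -> str:
    """Return the security-association CLI line for one SA.

    Keys are generated when not supplied; supplied keys are checked against the
    algorithm's required length before the line is emitted.
    """
    if auth_alg not in AUTH_KEY_HEX:
        raise ValueError(f"unsupported esp-auth-algorithm {auth_alg}")
    if enc_alg not in ENC_KEY_HEX:
        raise ValueError(f"unsupported esp-encryption-algorithm {enc_alg}")
    if not isinstance(spi, int) or spi < 1:
        raise ValueError("spi must be a positive integer")
    auth_len, enc_len = AUTH_KEY_HEX[auth_alg], ENC_KEY_HEX[enc_alg]
    auth_key = check_key(auth_key or generate_key(auth_len), auth_len)
    enc_key = check_key(enc_key or generate_key(enc_len), enc_len)
    if auth_key == enc_key:
        # Only possible when both lengths match (sha256 + aes256); one key must not serve both roles.
        raise ValueError("authentication and encryption keys must be different")
    return (f"security-association spi {spi} "
            f"authentication-key {auth_key} encryption-key {enc_key}")


if __name__ == "__main__":
    # Re-check the spi 6 SA from the example above (sha256 / aes128), then emit
    # a fresh SA for a sha256 / aes256 key group.
    print(security_association_line(
        6, "sha256", "aes128",
        "0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C5",
        "0x63DCDD501B66F85441E4A55B597DA616"))
    print(security_association_line(10, "sha256", "aes256"))
```

Paste the printed line unchanged into the encryp-keygrp context on each node; the node stores and displays it in its own encrypted form, so the clear-text line, not a saved configuration, is what must be carried between nodes.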

Assigning a Key Group to an SDP or Service

A key group can be assigned to the following entities:

  1. VLL services (Epipe and Cpipe)
  2. VPRN service using Layer 3 spoke-SDP termination
  3. IES service using Layer 3 spoke-SDP termination
  4. VPLS service using spoke and mesh SDPs
  5. routed VPLS service into a VPRN or IES
  6. MP-BGP-based VPRNs

For services that use SDPs, all tunnels may be either MPLS LSPs (RSVP-TE, LDP, or static LSP) or GRE tunnels.

For MP-BGP services, auto-bind is supported using LDP, GRE, RSVP-TE, or MPLS (LDP or RSVP-TE).

Use the following CLI syntax to assign a key group to an SDP or a VPRN service:

CLI Syntax:
config>service# sdp sdp-id [create]
encryption-keygroup keygroup-id direction {inbound|outbound}
CLI Syntax:
config>service# vprn service-id
encryption-keygroup keygroup-id direction {inbound|outbound}

The following examples display a key group assigned to an SDP or a VPRN service:

Example:
config>service# sdp 61 create
config>service>sdp# encryption-keygroup 4 direction inbound
config>service>sdp# encryption-keygroup 4 direction outbound
Example:
config>service# vprn 22
config>service>vprn# encryption-keygroup 2 direction inbound
config>service>vprn# encryption-keygroup 2 direction outbound

The following example displays key group configuration for an SDP or a VPRN service.

ALU-1:Sar18>config>service# info 
----------------------------------------------
...
        sdp 61 create
            shutdown
            far-end 10.10.10.10
            exit
            encryption-keygroup 4 direction inbound
            encryption-keygroup 4 direction outbound
        exit
...
        vprn 22 customer 1 create
            shutdown
            encryption-keygroup 2 direction inbound
            encryption-keygroup 2 direction outbound
        exit
...
----------------------------------------------
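The overview at the start of this chapter requires the same label and the same key group definition on every node, and the assignment above requires a key group in both directions of each service. Those are the things that drift in practice. The following Python script is added here as an example, not as part of the 7705 SAR OS or its documentation: it parses the NGE-relevant lines out of an info dump in the format shown on this page, checks each node locally (label present, active outbound SA is a configured SPI, each SDP/VPRN binding covers both directions and names an existing key group) and then compares two nodes on label, algorithms, SPI set and active outbound SA. Key material is deliberately not compared, because the dump shows it in a node-specific encrypted form. The two dumps are constructed for the example, with the key values shortened to placeholders.

```python
import re

# One regex per NGE-relevant line of an info / info detail dump.
RE_LABEL = re.compile(r"^\s*group-encryption-label\s+(\d+)")
RE_KEYGROUP = re.compile(r"^\s*encryption-keygroup\s+(\d+)\s+create\b")
RE_ALG = re.compile(r"^\s*esp-(auth|encryption)-algorithm\s+(\S+)")
RE_SA = re.compile(r"^\s*security-association\s+spi\s+(\d+)\b")
RE_ACTIVE = re.compile(r"^\s*active-outbound-sa\s+(\d+)")
RE_SERVICE = re.compile(r"^\s*(sdp|vprn)\s+(\d+)\b.*\bcreate\b")
RE_BINDING = re.compile(r"^\s*encryption-keygroup\s+(\d+)\s+direction\s+(inbound|outbound)\b")


def parse_config(text):
    """Return {"label", "keygroups": {id: {...}}, "bindings": {"sdp 61": {"inbound": 4, ...}}}."""
    cfg = {"label": None, "keygroups": {}, "bindings": {}}
    ctx = None  # ("kg", id) or ("svc", "sdp 61"); the next block header resets it
    for line in text.splitlines():
        if m := RE_LABEL.match(line):
            cfg["label"] = int(m[1])
        elif m := RE_KEYGROUP.match(line):
            ctx = ("kg", int(m[1]))
            cfg["keygroups"][ctx[1]] = {"auth": None, "enc": None, "spis": set(), "active": None}
        elif m := RE_SERVICE.match(line):
            ctx = ("svc", f"{m[1]} {m[2]}")
            cfg["bindings"][ctx[1]] = {}
        elif (m := RE_BINDING.match(line)) and ctx and ctx[0] == "svc":
            cfg["bindings"][ctx[1]][m[2]] = int(m[1])
        elif ctx and ctx[0] == "kg":
            kg = cfg["keygroups"][ctx[1]]
            if m := RE_ALG.match(line):
                kg["auth" if m[1] == "auth" else "enc"] = m[2]
            elif m := RE_SA.match(line):  # a 'no security-association' line does not match
                kg["spis"].add(int(m[1]))
            elif m := RE_ACTIVE.match(line):
                kg["active"] = int(m[1])
    return cfg


def check_node(cfg):
    """Local checks: label set, active SA is a configured SPI, every binding covers both directions."""
    issues = []
    if cfg["label"] is None:
        issues.append("no group-encryption-label configured")
    for kid, kg in cfg["keygroups"].items():
        if kg["active"] not in kg["spis"]:
            issues.append(f"keygroup {kid}: active-outbound-sa {kg['active']} is not a configured SPI")
    for svc, dirs in cfg["bindings"].items():
        if set(dirs) != {"inbound", "outbound"}:
            issues.append(f"{svc}: key group not bound in both directions")
        for direction, kid in dirs.items():
            if kid not in cfg["keygroups"]:
                issues.append(f"{svc}: {direction} key group {kid} does not exist on this node")
    return issues


def compare_nodes(a, b):
    """Cross-node checks. Key material is not compared: the dump shows it in a
    node-specific encrypted form, so identical keys look different on every node."""
    diffs = []
    if a["label"] != b["label"]:
        diffs.append(f"group-encryption-label differs ({a['label']} vs {b['label']})")
    for kid in sorted(set(a["keygroups"]) | set(b["keygroups"])):
        if kid not in a["keygroups"] or kid not in b["keygroups"]:
            diffs.append(f"keygroup {kid} exists on only one node")
            continue
        for attr in ("auth", "enc", "spis", "active"):
            va, vb = a["keygroups"][kid][attr], b["keygroups"][kid][attr]
            if va != vb:
                diffs.append(f"keygroup {kid}: {attr} differs ({va} vs {vb})")
    return diffs


# Constructed sample in the format of this page's info output (keys shortened; they are not parsed).
NODE_A = """
        group-encryption-label 34
        encryption-keygroup 2 create
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes128
            security-association spi 2 authentication-key 0xA2 encryption-key 0xE2 crypto
            security-association spi 6 authentication-key 0xA6 encryption-key 0xE6 crypto
            active-outbound-sa 6
        exit
        encryption-keygroup 4 create
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes256
            security-association spi 10 authentication-key 0xA10 encryption-key 0xE10 crypto
            active-outbound-sa 10
        exit
        sdp 61 create
            far-end 10.10.10.10
            encryption-keygroup 4 direction inbound
            encryption-keygroup 4 direction outbound
        exit
        vprn 22 customer 1 create
            encryption-keygroup 2 direction inbound
            encryption-keygroup 2 direction outbound
        exit
"""
# Second node with two kinds of drift: key group 2 has a different active outbound SA,
# and SDP 61 is bound in the inbound direction only.
NODE_B = "\n".join(l for l in NODE_A.replace("active-outbound-sa 6", "active-outbound-sa 2").splitlines()
                   if "keygroup 4 direction outbound" not in l)

if __name__ == "__main__":
    a, b = parse_config(NODE_A), parse_config(NODE_B)
    print(check_node(a), check_node(b), compare_nodes(a, b), sep="\n")
```

Run it against `admin display-config` or `info detail` output collected from each node in the network group; an empty result from both checks is the precondition for bringing the services out of shutdown.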

Service Management Tasks

This section discusses the following service management tasks:

  1. Modifying a Key Group
  2. Removing a Key Group from an SDP or VPRN Service
  3. Changing the Key Group for an SDP or VPRN Service
  4. Deleting a Key Group from a 7705 SAR

Modifying a Key Group

When modifying a key group, observe the following conditions. Together they fix the order of operations: remove the key group from every service on the node, deconfigure the active outbound SA, delete the SAs, and only then change an algorithm.

  1. The encryption or authentication algorithm for a key group cannot be changed while any SAs exist in the key group.
  2. The active outbound SA must be deconfigured before its SPI can be deleted from the SA list in the key group.
  3. The active outbound SA cannot be deconfigured until the key group has been removed from all services on the node that use the key group.

In the following example, the active outbound SA is deconfigured, the SAs are removed, and the encryption algorithm is changed. Then the SAs are reconfigured with new keys, followed by reconfiguration of the active outbound SA. The output display shows the new configuration, based on the one shown in Configuring a Key Group.

Use the following CLI syntax to modify a key group. The first syntax deconfigures the key group items and the second syntax reconfigures them; the algorithm is changed before the new SAs are entered, because it cannot change once SAs exist.

CLI Syntax:
config# group-encryption
encryption-keygroup keygroup-id
no active-outbound-sa
no security-association spi spi
exit
CLI Syntax:
config# group-encryption
encryption-keygroup keygroup-id
esp-encryption-algorithm {aes128|aes256}
security-association spi spi authentication-key auth-key encryption-key encrypt-key
active-outbound-sa spi
exit
Example:
config>grp-encryp# encryption-keygroup 2
config>grp-encryp>encryp-keygrp# no active-outbound-sa
config>grp-encryp>encryp-keygrp# no security-association spi 2
config>grp-encryp>encryp-keygrp# no security-association spi 6
Example:
config>grp-encryp# encryption-keygroup 2
config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes256
config>grp-encryp>encryp-keygrp# security-association spi 2 authentication-key 0x0123456789012345678901234567890123456789012345678901234567890123 encryption-key 0x0123456789012345678901234567890123456789012345678901234567890123
config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF encryption-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
config>grp-encryp>encryp-keygrp# active-outbound-sa 2

The following output shows the key group after each stage: first after the active outbound SA and the SAs are deconfigured, then after the encryption algorithm is changed from aes128 to aes256, the SAs are re-entered with new keys, and the active outbound SA is changed to SPI 2. The key values in this example are placeholders (a real configuration uses random keys, and the authentication and encryption keys differ). On a real node the info output shows both security-association lines with the crypto keyword and the 7705 SAR OS-encrypted form of the keys, as described in Configuring a Key Group, not the values that were entered.

ALU-1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes128
            no security-association spi 2 
            no security-association spi 6 
            no active-outbound-sa
        exit
----------------------------------------------
ALU-1>config>grp-encryp# 
ALU-1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes256
            security-association spi 2 authentication-key 0x0123456789012345678901234567890123456789012345678901234567890123 encryption-key 0x0123456789012345678901234567890123456789012345678901234567890123 
            security-association spi 6 authentication-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF encryption-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF crypto
            active-outbound-sa 2
        exit
----------------------------------------------
ALU-1>config>grp-encryp# 
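Automation that drives these commands over a management session should refuse a wrong order before it reaches the node rather than parse the CLI's error. The following Python model is added here as an example; it is not part of the 7705 SAR OS or its documentation. It keeps one key group's state offline, enforces the three conditions listed above as guards, and records the accepted CLI lines in order. The `rekey` function performs the complete modify sequence shown in this section (clear the active outbound SA, delete the SAs, change the algorithm, enter the new SAs, select the new active outbound SA). `bind`/`unbind` stand for the encryption-keygroup direction commands in the service context; key values are passed through as placeholders and are not length-checked here.

```python
class NgeOrderError(Exception):
    """A key group change attempted in an order the CLI rejects."""


class KeyGroupModel:
    """Offline model of one encryption-keygroup. It enforces the three rules
    stated above and records the CLI lines in the order they were accepted."""

    def __init__(self, kid, auth_alg, enc_alg):
        self.kid, self.auth_alg, self.enc_alg = kid, auth_alg, enc_alg
        self.sas = {}                # spi -> (authentication-key, encryption-key)
        self.active = None           # SPI of the active outbound SA
        self.bound_services = set()  # services on this node bound to the key group
        self.cli = []                # accepted CLI lines, in order

    # encryption-keygroup <kid> direction {inbound|outbound} in the service context
    def bind(self, service):
        self.bound_services.add(service)

    def unbind(self, service):
        self.bound_services.discard(service)

    def set_encryption_algorithm(self, alg):
        if self.sas:  # rule 1
            raise NgeOrderError("algorithm cannot change while SAs exist; remove them first")
        self.enc_alg = alg
        self.cli.append(f"esp-encryption-algorithm {alg}")

    def add_sa(self, spi, auth_key, enc_key):
        self.sas[spi] = (auth_key, enc_key)
        self.cli.append(f"security-association spi {spi} "
                        f"authentication-key {auth_key} encryption-key {enc_key}")

    def remove_sa(self, spi):
        if spi == self.active:  # rule 2
            raise NgeOrderError(f"spi {spi} is the active outbound SA; 'no active-outbound-sa' first")
        del self.sas[spi]
        self.cli.append(f"no security-association spi {spi}")

    def set_active(self, spi):
        if spi not in self.sas:
            raise NgeOrderError(f"spi {spi} is not configured in key group {self.kid}")
        self.active = spi
        self.cli.append(f"active-outbound-sa {spi}")

    def clear_active(self):
        if self.bound_services:  # rule 3
            raise NgeOrderError(f"key group {self.kid} still bound to {sorted(self.bound_services)}")
        self.active = None
        self.cli.append("no active-outbound-sa")


def rekey(kg, new_enc_alg, new_sas, new_active):
    """The complete modify sequence: clear the active SA, delete the SAs, change the
    algorithm, enter the new SAs, then select the new active outbound SA."""
    kg.clear_active()
    for spi in list(kg.sas):
        kg.remove_sa(spi)
    if new_enc_alg != kg.enc_alg:
        kg.set_encryption_algorithm(new_enc_alg)
    for spi, (auth_key, enc_key) in new_sas.items():
        kg.add_sa(spi, auth_key, enc_key)
    kg.set_active(new_active)
    return kg.cli


def demo():
    """Key group 2 as built earlier on this page, three shortcuts the CLI rejects,
    then the rekey in the correct order. Keys are placeholders (not length-checked)."""
    kg = KeyGroupModel(2, "sha256", "aes128")
    kg.add_sa(2, "0xOLDAUTH2", "0xOLDENC2")
    kg.add_sa(6, "0xOLDAUTH6", "0xOLDENC6")
    kg.set_active(6)
    kg.bind("vprn 22")
    kg.cli.clear()  # keep only the modification sequence
    rejected = []
    for step in (lambda: kg.set_encryption_algorithm("aes256"),  # SAs still present
                 lambda: kg.remove_sa(6),                         # still the active SA
                 kg.clear_active):                                # still bound to vprn 22
        try:
            step()
        except NgeOrderError as err:
            rejected.append(str(err))
    kg.unbind("vprn 22")  # on the node: 'no encryption-keygroup 2 direction ...' in vprn 22
    new_sas = {2: ("0xNEWAUTH2", "0xNEWENC2"), 6: ("0xNEWAUTH6", "0xNEWENC6")}
    return rejected, rekey(kg, "aes256", new_sas, new_active=2)


if __name__ == "__main__":
    rejected, cli = demo()
    print("\n".join("rejected: " + r for r in rejected))
    print("\n".join(cli))
```

The same sequence has to run on every node that holds the key group; the model is per node, so run one instance per node and only proceed with the service bindings once all of them have completed `rekey`.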

Removing a Key Group from an SDP or VPRN Service

Both inbound and outbound direction key groups must be deconfigured before the key group can be removed (unbound). The inbound and outbound key groups must be deconfigured individually. Including keygroup-id is optional.

Use the following CLI syntax to remove a key group from an SDP or a VPRN service.

CLI Syntax:
config>service# sdp sdp-id
no encryption-keygroup [keygroup-id] direction {inbound|outbound}
CLI Syntax:
config>service# vprn service-id
no encryption-keygroup [keygroup-id] direction {inbound|outbound}

The following examples display a key group removed from an SDP or a VPRN service:

Example:
config>service# sdp 61
config>service>sdp# no encryption-keygroup 4 direction inbound
config>service>sdp# no encryption-keygroup 4 direction outbound
Example:
config>service# vprn 22
config>service>vprn# no encryption-keygroup 2 direction inbound
config>service>vprn# no encryption-keygroup 2 direction outbound

The following example shows that the key group configuration has been removed from an SDP or a VPRN service.

ALU-1:Sar18>config>service# info 
----------------------------------------------
...
        sdp 61 create
            shutdown
            far-end 10.10.10.10
            exit
        exit
...
...
        vprn 22 customer 1 create
            shutdown
        exit
...
----------------------------------------------
ALU-1:Sar18>config>service#

Changing the Key Group for an SDP or VPRN Service

Use the following sequence of CLI commands to change key groups. Complete each step on every node that carries the service before starting the next step, so that no node enforces an inbound key group that its peer is not yet using in the outbound direction:

  1. Remove the inbound direction key group on each node for the service.
  2. Change the outbound direction key group on each node for the service.
  3. Install the new inbound direction key group on each node for the service.

The following CLI syntax changes the key group on an SDP. The syntax for a VPRN service is similar. In the example below, the inbound and outbound key groups are changed from key group 4 to key group 6.

CLI Syntax:
config>service# sdp sdp-id
no encryption-keygroup keygroup-id direction {inbound|outbound}
encryption-keygroup keygroup-id direction {inbound|outbound}
Example:
config>service# sdp 61
config>service>sdp# no encryption-keygroup 4 direction inbound
config>service>sdp# encryption-keygroup 6 direction outbound
config>service>sdp# encryption-keygroup 6 direction inbound

The following example shows the result: SDP 61 is now bound to key group 6 in both directions, while VPRN 22, which was not changed in this example, keeps key group 2.

ALU-1:Sar18>config>service# info 
----------------------------------------------
...
        sdp 61 create
            shutdown
            far-end 10.10.10.10
            exit
            encryption-keygroup 6 direction inbound
            encryption-keygroup 6 direction outbound
        exit
...
...
        vprn 22 customer 1 create
            shutdown
            encryption-keygroup 2 direction inbound
            encryption-keygroup 2 direction outbound
        exit
...
----------------------------------------------
ALU-1:Sar18>config>service#

Deleting a Key Group from a 7705 SAR

To delete a key group from a 7705 SAR, the key group must be removed (unbound) from all SDPs and VPRN services that use it.

To locate the key group bindings before deleting it, use the CLI command show>group-encryption>encryption-keygroup keygroup-id.

Use the following CLI syntax to delete a key group:

CLI Syntax:
config# group-encryption
no encryption-keygroup keygroup-id
Example:
config>grp-encryp# no encryption-keygroup 8