9.16. NGE Command Reference

9.16.1. Command Hierarchies

9.16.1.1. Configuration Commands

9.16.1.1.1. NGE Commands

config
    — group-encryption
        — encryption-keygroup keygroup-id [create]
        — no encryption-keygroup keygroup-id
            — active-outbound-sa spi
            — no active-outbound-sa
            — description description-string
            — no description
            — esp-auth-algorithm {sha256 | sha512}
            — no esp-auth-algorithm
            — esp-encryption-algorithm {aes128 | aes256}
            — no esp-encryption-algorithm
            — keygroup-name keygroup-name
            — no keygroup-name
            — security-association spi spi authentication-key authentication-key encryption-key encryption-key [crypto]
            — no security-association spi spi
        — group-encryption-label encryption-label
        — no group-encryption-label

9.16.1.1.2. Services Commands

config
    — service
        — sdp
            — encryption-keygroup keygroup-id direction {inbound | outbound}
            — no encryption-keygroup direction {inbound | outbound}
        — vprn
            — encryption-keygroup keygroup-id direction {inbound | outbound}
            — no encryption-keygroup direction {inbound | outbound}

See Global Service Command Reference for information on encryption key groups for an SDP and VPRN Services Command Reference for information on encryption key groups for a VPRN service.

9.16.1.1.3. Router Interface Encryption Commands

config
    — router
        — [no] interface ip-int-name
            — [no] group-encryption
                — encryption-keygroup keygroup-id direction {inbound | outbound}
                — no encryption-keygroup direction {inbound | outbound}
                — ip-exception filter-id direction {inbound | outbound}
                — no ip-exception direction {inbound | outbound}

Refer to the “IP Router Command Reference” section in the 7705 SAR Router Configuration Guide for information on router interface encryption commands.

9.16.1.1.4. Ethernet Port Encryption Commands

config
    — [no] port port-id
        — ethernet
            — [no] group-encryption
                — encryption-keygroup keygroup-id direction {inbound | outbound}
                — no encryption-keygroup direction {inbound | outbound}

Refer to the “Configuration Command Reference” section in the 7705 SAR Interface Configuration Guide for information on Ethernet port encryption commands.

9.16.1.2. Show Commands

show
    — group-encryption
        — encryption-keygroup keygroup-id
        — encryption-keygroup keygroup-id spi spi
        — summary

9.16.1.3. Clear Commands

clear
    — group-encryption
        — encryption-keygroup keygroup-id
        — encryption-keygroup keygroup-id spi spi

9.16.2. Command Descriptions

9.16.2.1. Configuration Commands

9.16.2.1.1. Generic Commands

description

Syntax 
description description-string
no description
Context 
config>grp-encryp>encryp-keygrp
Description 

This command adds a text description to the key group.

The no form of the command removes the description.

Default 

n/a

Parameters 
description-string—
the description of the key group

9.16.2.1.2. Group Encryption Commands

group-encryption

Syntax 
group-encryption
Context 
config
Description 

This command enables the context to configure group encryption parameters.

encryption-keygroup

Syntax 
encryption-keygroup keygroup-id [create]
no encryption-keygroup keygroup-id
Context 
config>grp-encryp
Description 

This command creates a key group. Once the key group exists, the same command without the create keyword enters the key group context.

The no form of the command removes the key group. Before using the no form, the key group must be removed from all services that reference it; the no form is refused while any service is still associated with the key group.

Default 

n/a

Parameters 
keygroup-id—
the number or name of the key group being referenced
Values—
1 to 15, or keygroup-name (up to 64 characters)

create—
mandatory keyword when creating a key group

active-outbound-sa

Syntax 
active-outbound-sa spi
no active-outbound-sa
Context 
config>grp-encryp>encryp-keygrp
Description 

This command specifies the Security Association, referenced by the Security Parameter Index (SPI), to use when performing encryption and authentication on NGE packets egressing the node for all services configured using this key group.

The no form of the command removes the active outbound SA. The effect is the same as removing this key group from the outbound direction of every service configured with it: packets of those services egress the node without being encrypted or authenticated. Treat the no form as a deliberate downgrade to clear text, not as a harmless reset.

Default 

n/a

Parameters 
spi—
specifies the SPI to use for packets of services using this key group when egressing the node
Values—
1 to 127

esp-auth-algorithm

Syntax 
esp-auth-algorithm {sha256 | sha512}
no esp-auth-algorithm
Context 
config>grp-encryp>encryp-keygrp
Description 

This command specifies the hashing algorithm used to authenticate the Encapsulating Security Payload (ESP) within NGE packets for services configured using this key group. Because the length of each security association's authentication-key depends on this algorithm, all SPI entries in the key group must be deleted before the no form of the command may be entered or the esp-auth-algorithm value changed.

The no form of the command reverts to the default value.

Default 

sha256

Parameters 
sha256—
configures the ESP to use the HMAC-SHA-256 algorithm for authentication
sha512—
configures the ESP to use the HMAC-SHA-512 algorithm for authentication

esp-encryption-algorithm

Syntax 
esp-encryption-algorithm {aes128 | aes256}
no esp-encryption-algorithm
Context 
config>grp-encryp>encryp-keygrp
Description 

This command specifies the encryption algorithm used to encrypt the Encapsulating Security Payload (ESP) within NGE packets for services configured using this key group. Because the length of each security association's encryption-key depends on this algorithm, all SPI entries in the key group must be deleted before the no form of the command may be entered or the esp-encryption-algorithm value changed.

The no form of the command resets the parameter to the default value.

Default 

aes128

Parameters 
aes128—
configures AES with a 128-bit key (32 hexadecimal characters in the security association). The AES block size is 128 bits for both options; the keywords select the key size. A 128-bit key is a strong choice.
aes256—
configures AES with a 256-bit key (64 hexadecimal characters in the security association). This is the largest key size AES supports.

keygroup-name

Syntax 
keygroup-name keygroup-name
no keygroup-name
Context 
config>grp-encryp>encryp-keygrp
Description 

This command names the key group. The name can be used in place of the numeric keygroup-id when configuring services or displaying information.

The no form of the command removes the name.

Default 

n/a

Parameters 
keygroup-name—
up to 64 characters

security-association

Syntax 
security-association spi spi authentication-key authentication-key encryption-key encryption-key [crypto]
no security-association spi spi
Context 
config>grp-encryp>encryp-keygrp
Description 

This command is used to create a security association for a specific SPI value in a key group. The command is also used to enter the authentication and encryption key values for the security association, or to delete a security association.

The SPI value used for the security association is a node-wide unique value, meaning that no two security associations in any key group on the node may share the same SPI value.

Keys are entered in clear text, so they are visible in the CLI session in which they are typed and in anything that records that session. Once configured, they are never displayed in their original, clear text form. Keys are displayed in a 7705 SAR-encrypted form, which is indicated by the system-appended crypto keyword when an info or an admin>save command is run. For security reasons, keys encrypted on one node are not usable on other nodes (that is, the encrypted form cannot be copied from one node's saved configuration into another node; each node must be given the clear-text keys).

The no form of the command removes the security association and its key values from the key group. The no form is blocked, with a warning, if the SPI is the one configured as active-outbound-sa. It is also blocked if the SPI is the last one in the key group and the key group is configured on a service.

Default 

n/a

Parameters 
spi—
specifies the SPI of the security association being created or removed
Values—
1 to 127

authentication-key—
specifies the authentication key for the SPI, in hexadecimal format. The string must be 64 hexadecimal characters (256 bits) when the authentication algorithm is sha256, or 128 hexadecimal characters (512 bits) when it is sha512.
encryption-key—
specifies the encryption key for the SPI, in hexadecimal format. The string must be 32 hexadecimal characters (128 bits) when the encryption algorithm is aes128, or 64 hexadecimal characters (256 bits) when it is aes256.
crypto—
system-appended keyword indicating that the keys shown in the CLI info display are in 7705 SAR-encrypted form; it is not entered when configuring keys in clear text

group-encryption-label

Syntax 
group-encryption-label encryption-label
no group-encryption-label
Context 
config>grp-encryp
Description 

This command configures the group encryption label, the reserved MPLS label that identifies an encrypted MPLS payload. The label must be unique network-wide and must be configured with the same value on every node participating in a network group encryption domain. Because the label cannot be changed or deleted while any key group exists on the node, configure it before creating key groups.

The no form of the command reverts to the default setting.

Default 

n/a

Parameters 
encryption-label—
the network-wide, unique reserved MPLS label for group encryption
Values—
32 to 2047

9.16.2.2. Show Commands

group-encryption

Syntax 
group-encryption
Context 
show
Description 

This command enables the show>grp-encryp context, which displays group encryption information.

encryption-keygroup

Syntax 
encryption-keygroup keygroup-id
encryption-keygroup keygroup-id spi spi
Context 
show>grp-encryp
Description 

This command displays NGE information for a key group: its configuration, the security associations installed in it, forwarded and discard statistics, and the SDPs and VPRN services associated with it. With the spi parameter, the output is restricted to the detail and statistics of that one security association.

Parameters 
keygroup-id—
specifies the key group identifier to use for the output display
Values—
1 to 15 or keygroup-name (up to 64 characters)

spi—
specifies the SPI whose security association detail and statistics are displayed
Output 

The following output is an example of encryption key group information, and Table 179 describes the fields.

Output Example
*A:7705custDoc:Sar18>show>grp-encryp#  encryption-keygroup 2
===============================================================================
Encryption Keygroup Configuration Detail
===============================================================================
Keygroup Id        : 2
Keygroup Name      : KG1_secure
Description        : Most_secure_KG
Authentication Algo: sha256
Encryption Algo    : aes128
Active Outbound SA : 6
Activation Time    : 04/20/2015 20:07:31
-------------------------------------------------------------------------------
Security Associations
-------------------------------------------------------------------------------
Spi                : 2
Install Time       : 04/20/2015 20:08:17
Key CRC            : 0x806fb970
Spi                : 6
Install Time       : 04/20/2015 19:43:40
Key CRC            : 0xa4f2d262
-------------------------------------------------------------------------------
Encryption Keygroup Forwarded Statistics
-------------------------------------------------------------------------------
Encrypted Pkts          : 0             Encrypted Bytes         : 0
Decrypted Pkts          : 0             Decrypted Bytes         : 0
-------------------------------------------------------------------------------
Encryption Keygroup Outbound Discarded Statistics (Pkts)
-------------------------------------------------------------------------------
Total Discard           : 0             Unsupported Uplink      : 0
Enqueue Error           : 0             Other                   : 0
-------------------------------------------------------------------------------
Encryption Keygroup Inbound Discarded Statistics (Pkts)
-------------------------------------------------------------------------------
Total Discard           : 0             Invalid Spi             : 0
Authentication Failure *: 0             Control Word Mismatch   : 0
Padding Error           : 0             Enqueue Error           : 0
Other                   : 0
-------------------------------------------------------------------------------
 
---------------------------------------------
SDP Keygroup Association Table
---------------------------------------------
SDP ID         Direction
---------------------------------------------
61             Inbound   Outbound
---------------------------------------------
Inbound Keygroup SDP Association Count:  1
Outbound Keygroup SDP Association Count: 1
 
---------------------------------------------
VPRN Keygroup Association Table
---------------------------------------------
VPRN SVC ID    Direction
---------------------------------------------
12             Inbound   Outbound
---------------------------------------------
Inbound Keygroup VPRN Association Count:  1
Outbound Keygroup VPRN Association Count: 1
---------------------------------------------
===============================================================================
* indicates that the corresponding row element may have been truncated.
A:ALU-1:Sar18>show>grp-encryp#

*A:7705:ALU-1# show group-encryption encryption-keygroup 1 spi 1
===============================================================================
Encryption Keygroup Security Association Detail
===============================================================================
Keygroup Id      : 1                    SPI Id           : 1
Install Time     : 06/16/2015 11:28:49
Key CRC          : 0x36e5af55
-------------------------------------------------------------------------------
Encryption Keygroup Security Association Forwarded Statistics
-------------------------------------------------------------------------------
Encrypted Pkts          : 1662534       Encrypted Bytes         : 837917136
Decrypted Pkts          : 1662333       Decrypted Bytes         : 837815832
-------------------------------------------------------------------------------
Encryption Keygroup Security Association Outbound Discarded Statistics (Pkts)
-------------------------------------------------------------------------------
Total Discard           : 0             Enqueue Error           : 0
Other                   : 0
-------------------------------------------------------------------------------
Encryption Keygroup Security Association Inbound Discarded Statistics (Pkts)
-------------------------------------------------------------------------------
Total Discard           : 0             Authentication Failure  : 0
Control Word Mismatch   : 0             Padding Error           : 0
Enqueue Error           : 0             Other                   : 0
===============================================================================
Table 179:  Show Encryption Key Group Output Fields  

Label

Description

Encryption Keygroup Configuration Detail

Keygroup Id

The key group identifier

Keygroup Name

The key group name

Description

The key group description

Authentication Algo

The authentication algorithm used for the key group

Encryption Algo

The encryption algorithm used for the key group

Active Outbound SA

The active outbound SA for the key group

Activation Time

The date and time that the key group was activated

Security Associations

Spi

The security parameter index for the SA in the key group

Install Time

The date and time that the SA was installed in the key group

Key CRC

The CRC for the key belonging to the SA

Encryption Keygroup Forwarded Statistics

Encrypted Pkts

The number of encrypted packets forwarded by the key group

Encrypted Bytes

The number of encrypted bytes forwarded by the key group

Decrypted Pkts

The number of decrypted packets forwarded by the key group

Decrypted Bytes

The number of decrypted bytes forwarded by the key group

Encryption Keygroup Outbound Discarded Statistics (Pkts)

Total Discard

The total number of outbound packets discarded by the key group

Unsupported Uplink

The total number of outbound packets discarded by the key group due to an unsupported uplink

Enqueue Error

The total number of outbound packets discarded by the key group due to an enqueuing error

Other

The total number of outbound packets discarded by the key group due to some other reason, such as an internal configuration error (for example, a key group that points to an SA, but the SA is not valid)

Encryption Keygroup Inbound Discarded Statistics (Pkts)

Total Discard

The total number of inbound packets discarded by the key group

Invalid Spi

The total number of inbound packets discarded by the key group due to an invalid SPI

Authentication Failure *

The total number of inbound packets discarded by the key group due to an authentication failure (the ESP authentication check did not verify)

Control Word Mismatch

The total number of inbound packets discarded by the key group due to a control word (CW) mismatch between the encrypted (protected) CW in the ESP payload and the CW that is not encrypted

Padding Error

The total number of inbound packets discarded by the key group due to a padding error

Enqueue Error

The total number of inbound packets discarded by the key group due to an enqueuing error

Other

The total number of inbound packets discarded by the key group due to some other reason (for example, an incoming packet length is incorrect)

SDP Keygroup Association Table

SDP ID

The SDP ID

Direction

The direction in which key group authentication and encryption occurs for traffic on the SDP

Inbound Keygroup SDP Association Count

The number of SDPs bound to this key group in the inbound direction

Outbound Keygroup SDP Association Count

The number of SDPs bound to this key group in the outbound direction

VPRN Keygroup Association Table

VPRN SVC ID

The VPRN service identifier

Direction

The direction in which key group authentication and encryption occurs for traffic on the VPRN

Inbound Keygroup VPRN Association Count

The number of VPRN services bound to this key group in the inbound direction

Outbound Keygroup VPRN Association Count

The number of VPRN services bound to this key group in the outbound direction
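The inbound discard counters are where key mismatches and tampered packets surface, so they are worth polling rather than reading once. The following parser and alert logic is an added example written for this page, not Nokia tooling: SAMPLE is constructed from the output format shown above with non-zero Invalid Spi and Authentication Failure counts inserted, and the interpretation strings are this example's reading of the field descriptions in Table 179.

```python
# Added example (not Nokia tooling): parse the text of
# 'show group-encryption encryption-keygroup <id>' and raise alerts on the
# inbound discard counters that indicate key or integrity problems.
import re

# Constructed from the output format documented on this page; the Total Discard,
# Invalid Spi and Authentication Failure values are invented for the example.
SAMPLE = """\
===============================================================================
Encryption Keygroup Configuration Detail
===============================================================================
Keygroup Id        : 2
Keygroup Name      : KG1_secure
Authentication Algo: sha256
Encryption Algo    : aes128
Active Outbound SA : 6
Activation Time    : 04/20/2015 20:07:31
-------------------------------------------------------------------------------
Security Associations
-------------------------------------------------------------------------------
Spi                : 2
Install Time       : 04/20/2015 20:08:17
Key CRC            : 0x806fb970
Spi                : 6
Install Time       : 04/20/2015 19:43:40
Key CRC            : 0xa4f2d262
-------------------------------------------------------------------------------
Encryption Keygroup Forwarded Statistics
-------------------------------------------------------------------------------
Encrypted Pkts          : 1662534       Encrypted Bytes         : 837917136
Decrypted Pkts          : 1662333       Decrypted Bytes         : 837815832
-------------------------------------------------------------------------------
Encryption Keygroup Inbound Discarded Statistics (Pkts)
-------------------------------------------------------------------------------
Total Discard           : 20            Invalid Spi             : 17
Authentication Failure *: 3             Control Word Mismatch   : 0
Padding Error           : 0             Enqueue Error           : 0
Other                   : 0
===============================================================================
* indicates that the corresponding row element may have been truncated.
"""

# "Label   : value", up to two per line; the optional '*' is the truncation marker.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]+?)\s*\*?\s*:\s*(\S+)")
SECTION_SUFFIXES = ("Detail", "Associations", "Statistics", "(Pkts)", "Table")


def parse_keygroup_show(text):
    """Return ({section: {label: value}}, [ {label: value} for each SA ])."""
    sections, sas, current = {}, [], "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "=-*" or "#" in line:  # rules, footnote, CLI prompt
            continue
        pairs = PAIR_RE.findall(line)
        if not pairs:
            if line.endswith(SECTION_SUFFIXES):  # a section title line
                current = line
                sections.setdefault(current, {})
            continue
        for label, value in pairs:
            label = label.strip()
            if current == "Security Associations":
                if label == "Spi":  # each SA block starts with its Spi line
                    sas.append({})
                sas[-1][label] = value
            else:
                sections.setdefault(current, {})[label] = value
    return sections, sas


INBOUND = "Encryption Keygroup Inbound Discarded Statistics (Pkts)"
# Counters whose growth points at key material or packet integrity, not load.
SECURITY_COUNTERS = {
    "Invalid Spi": "packets carried an SPI not installed in this key group (peer rotation out of step, or stale/injected traffic)",
    "Authentication Failure": "ESP authentication failed: authentication key differs from the peer's, or packets were altered in transit",
    "Control Word Mismatch": "protected control word in the ESP payload differs from the clear one: tampering or a service mismatch",
    "Padding Error": "ESP padding invalid: encryption key differs from the peer's, or the payload is corrupted",
}


def inbound_counters(sections):
    return {label: int(value) for label, value in sections.get(INBOUND, {}).items()}


def security_alerts(sections, previous=None):
    """Alert on security-relevant inbound discards; given a previous poll, alert only on growth."""
    now, before = inbound_counters(sections), previous or {}
    alerts = []
    for counter, meaning in SECURITY_COUNTERS.items():
        delta = now.get(counter, 0) - before.get(counter, 0)
        if delta > 0:
            alerts.append((counter, delta, meaning))
    return alerts


if __name__ == "__main__":
    secs, sas = parse_keygroup_show(SAMPLE)
    print("active outbound SA:", secs["Encryption Keygroup Configuration Detail"]["Active Outbound SA"])
    print("installed SPIs:", [sa["Spi"] for sa in sas])
    for counter, n, meaning in security_alerts(secs):
        print(f"ALERT keygroup 2: {counter} +{n}: {meaning}")
```

Poll the command per key group, keep the last counters, and pass them as previous so that an alert fires only when a counter grows. Invalid Spi growth during a planned rotation normally means a peer moved its active-outbound-sa before this node had the new security association installed; Authentication Failure or Padding Error growth with no rotation in progress deserves an incident ticket, since it means either mismatched keys or modified packets.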

summary

Syntax 
summary
Context 
show>grp-encryp
Description 

This command shows NGE summary information.

Output 

The following output is an example of NGE summary information, and Table 180 describes the fields.

Output Example
A:ALU-1:Sar18>show>grp-encryp# summary
============================
Group Encryption
============================
Encryption Label : 34
============================
=======================================================
Encryption Keygroup
=======================================================
Id Name         Auth Algo    Encr Algo    Active OutSA
-------------------------------------------------------
2  KG1_secure   sha256       aes128                  6
4               sha256       aes128                  0
-------------------------------------------------------
No. of Encryption Keygroup: 2
=======================================================
A:ALU-1:Sar18>show>grp-encryp#
Table 180:  Show Group Encryption Summary Output Fields  

Label

Description

Group Encryption

Encryption Label

The unique network-wide group encryption label

Encryption Keygroup

Id

The key group identifier value

Name

The key group name

Auth Algo

The authentication algorithm used by the key group

Encr Algo

The encryption algorithm used by the key group

Active OutSA

The active outbound SA for the key group

No. of Encryption Keygroup

The number of encryption key groups currently configured on the node

9.16.2.3. Clear Commands

group-encryption

Syntax 
group-encryption
Context 
clear
Description 

This command enables the clear>grp-encryp context, used to clear group encryption information.

encryption-keygroup

Syntax 
encryption-keygroup keygroup-id
encryption-keygroup keygroup-id spi spi
Context 
clear>grp-encryp
Description 

This command clears the NGE information for a key group. With the spi parameter, only the information for that security association is cleared.

Parameters 
keygroup-id—
specifies the key group identifier
Values—
1 to 15 or keygroup-name (up to 64 characters)

spi—
specifies the SPI of the security association to clear
Values—
1 to 127