The network group encryption (NGE) feature enables end-to-end encryption of MPLS services, Layer 3 user traffic, and IP/MPLS control traffic. NGE is an encryption method that uses a group-based keying security architecture, which removes the need to configure individual encryption tunnels to achieve network-wide encryption.
NGE relies on the NSP NFM-P to manage the network and apply encryption to specific MPLS services, Layer 3 user traffic, or control plane traffic depending on the security requirements of the network. Operators designate traffic types that require added security and then apply NGE to those traffic types using the NSP NFM-P. The NSP NFM-P also acts as the network-wide NGE key manager, downloading encryption and authentication keys to nodes and performing hitless rekeying of the network at operator-defined intervals. For more information about managing NGE within a network, see the NSP NFM-P User Guide.
Figure 1 shows an NGE network with NSP NFM-P services, control plane configuration, and key management.
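The group-keyed, hitless rekeying described above, modelled in Python as an added example (this is not NGE's wire format or Nokia code): the manager installs a new key id on every group member before switching transmitters to it, and retires the old key only afterwards, so a packet encrypted under the old key during the changeover still decrypts. The Node and KeyManager classes, the (key id, sequence) header and the use of HMAC-SHA256 as a counter-mode PRF in place of a real cipher are all assumptions of this model.

```python
import hashlib, hmac, os, struct
HDR, TAG_LEN = struct.Struct(">IQ"), 16   # header = (key id, sequence number); truncated HMAC tag

def _keystream(key, hdr, n):
    # HMAC-SHA256 run as a counter-mode PRF; a stand-in for a real cipher (assumption)
    return b"".join(hmac.new(key, hdr + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]
def _tag(auth_key, data):
    return hmac.new(auth_key, data, hashlib.sha256).digest()[:TAG_LEN]

class Node:                  # a group member: holds every installed key id, transmits on one
    def __init__(self):
        self.keys, self.tx_key_id, self.seq = {}, None, 0
    def encrypt(self, plaintext):
        enc_key, auth_key = self.keys[self.tx_key_id]
        self.seq += 1
        hdr = HDR.pack(self.tx_key_id, self.seq)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, hdr, len(plaintext))))
        return hdr + ct + _tag(auth_key, hdr + ct)
    def decrypt(self, pkt):
        hdr, ct, tag = pkt[:HDR.size], pkt[HDR.size:-TAG_LEN], pkt[-TAG_LEN:]
        keys = self.keys.get(HDR.unpack(hdr)[0])          # None once that key id is retired
        if keys is None or not hmac.compare_digest(tag, _tag(keys[1], hdr + ct)):
            raise ValueError("unknown key id or authentication failure")
        return bytes(c ^ k for c, k in zip(ct, _keystream(keys[0], hdr, len(ct))))

class KeyManager:            # models the manager role: one (enc, auth) key pair per key id
    def __init__(self, members):
        self.members, self.current = members, 0
    def distribute(self):        # phase 1: every member can now receive on the new key id
        self.current += 1
        keys = (os.urandom(32), os.urandom(32))
        for m in self.members: m.keys[self.current] = keys
    def activate(self):          # phase 2: every member transmits on the new key id
        for m in self.members: m.tx_key_id = self.current
    def retire_previous(self):   # phase 3: old key dropped once no traffic can still carry it
        for m in self.members: m.keys.pop(self.current - 1, None)

def hitless_rekey_demo():
    a, b = Node(), Node(); mgr = KeyManager([a, b])
    mgr.distribute(); mgr.activate()              # initial key, id 1
    in_flight = a.encrypt(b"sent under key 1")
    mgr.distribute(); mgr.activate()              # rekey to id 2 while a packet is in flight
    late = b.decrypt(in_flight)                   # key 1 still installed: nothing is lost
    fresh = b.decrypt(a.encrypt(b"sent under key 2"))
    mgr.retire_previous()                         # key 1 gone: the stale packet now fails
    try: b.decrypt(in_flight); rejected = False
    except ValueError: rejected = True
    return late, fresh, rejected
```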
NGE provides five main types of encryption to secure an IP/MPLS network:
- SDP encryption — MPLS user plane encryption enabled on MPLS tunnels (SDPs) supporting VPRN or IES services using spoke SDPs, VPLS using spoke or mesh SDPs, routed VPLS into VPRN, Epipes, and Cpipes
- VPRN encryption
  - unicast VPRN — MP-BGP-based VPRN-level encryption using auto-bind of LDP, GRE, RSVP-TE, MPLS (LDP or RSVP-TE), or segment routing (SR-ISIS, SR-OSPF, and SR-TE) tunnels
  - multicast VPRN — NG-mVPN using mLDP with auto-discovery
- router interface — Layer 3 user plane and control plane encryption
- WLAN-GW group interface — L2oMPLSoGRE level encryption from WLAN access points (APs) that support NGE
- PW template encryption — BGP-VPLS- and BGP-VPWS-based MPLS services encryption, which uses a PW template with auto-gre-sdp configured
See the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide for information about configuring NGE on router interfaces. See the 7450 ESS, 7750 SR, and VSR Triple Play Service Delivery Architecture Guide for information about configuring group encryption on the WLAN-GW group interface.
NGE is supported on the following platforms:
- VSR-I
- VSR-a
WLAN-GW group interfaces enabled with NGE are also supported on the following platforms:
- 7750 SR-7
- 7750 SR-12
- 7750 SR-12e
- 7750 SR-1e
- 7750 SR-2e
- 7750 SR-3e