Assigning key groups to services

Assigning key groups to services requires configuring an inbound and outbound key group for directional processing on a per-service basis (see Figure: Inbound and outbound key group assignments).

Figure: Inbound and outbound key group assignments

The outbound key group identifies which key group to use for traffic that egresses the node for the service. The inbound key group ensures that ingress traffic is using the correct key group for the service.

If the inbound key group is not set, the node ensures that packets are either unencrypted or are using one of the valid key groups configured in the system.

In most deployment scenarios, the inbound and outbound key groups are identical; however, the node does not check that they match, so it is possible to configure different key groups for the outbound and inbound directions.
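Because the node does not check for mismatched directions, and an unset inbound key group also admits unencrypted packets, both conditions are worth auditing offline. The following is an added example, not Nokia code: it models the ingress rule as described above and flags both conditions in a service inventory. The `Service` record, the service names, the key group names and the finding labels are all constructed for illustration, and rejecting unencrypted packets when an inbound key group is set is this example's reading of the text above.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: key group and service names are placeholders.
SYSTEM_KEY_GROUPS = {"KG1", "KG2"}


@dataclass(frozen=True)
class Service:
    name: str
    inbound: Optional[str]   # None = inbound key group not set
    outbound: Optional[str]  # None = outbound key group not set


SERVICES = [
    Service("vpls-100", inbound="KG1", outbound="KG1"),
    Service("vprn-200", inbound=None, outbound="KG1"),
    Service("epipe-300", inbound="KG1", outbound="KG2"),
]


def ingress_accepts(svc, packet_key_group, system_key_groups=SYSTEM_KEY_GROUPS):
    """Model of the ingress check; packet_key_group=None means unencrypted."""
    if svc.inbound is not None:
        # Inbound set: traffic must use that key group (assumed strict match).
        return packet_key_group == svc.inbound
    # Inbound not set: unencrypted, or any valid key group in the system.
    return packet_key_group is None or packet_key_group in system_key_groups


def audit(services):
    """Return (service, issue) pairs for settings the node itself won't flag."""
    findings = []
    for svc in services:
        if svc.inbound is None:
            # Ingress will accept cleartext and any configured key group.
            findings.append((svc.name, "inbound-unset"))
        elif svc.outbound is not None and svc.inbound != svc.outbound:
            # Allowed by the node, but unusual in most deployments.
            findings.append((svc.name, "direction-mismatch"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SERVICES):
        print(f"{name}: {issue}")
```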

Including an inbound and outbound direction when assigning key groups to services allows users to:

The NGE feature makes use of the NSP NFM-P to help manage the assignment of key groups to services on a network-wide basis. See the NSP NFM‑P User Guide for more information.