NGE overview

The network group encryption (NGE) feature enables end-to-end encryption of MPLS services, Layer 3 user traffic, and IP/MPLS control traffic. NGE is an encryption method that uses a group-based keying security architecture, which removes the need to configure individual encryption tunnels to achieve network-wide encryption.

NGE relies on the NSP NFM-P to manage the network and apply encryption to specific MPLS services, Layer 3 user traffic, or control plane traffic depending on the security requirements of the network. Operators designate traffic types that require added security and then apply NGE to those traffic types using the NSP NFM-P. The NSP NFM-P also acts as the network-wide NGE key manager, downloading encryption and authentication keys to nodes and performing hitless rekeying of the network at operator-defined intervals. For more information about managing NGE within a network, see the NSP NFM‑P User Guide.

The following figure, "NGE network with NSP NFM-P management", shows an NGE network with NSP NFM-P services, control plane configuration, and key management.

Figure: NGE network with NSP NFM-P management

NGE provides five main types of encryption to secure an IP/MPLS network:

Note: See the 7450 ESS, 7750 SR, 7950 XRS, and VSR Router Configuration Guide for information about configuring NGE on router interfaces. See the 7450 ESS, 7750 SR, and VSR Triple Play Service Delivery Architecture Guide for information about configuring group encryption on the WLAN-GW group interface.

NGE is supported on the following platforms:

WLAN-GW group interfaces enabled with NGE are further supported on the following platforms: