
Avaya Configuring Data Encryption Services User's Manual


Contents

1. Entering the NPK on the Router 1-6; Choosing a Secure Shell Password 1-7; Entering the NPK into Site Manager 1-7; Long Term Shared Secret (LTSS) 1-7; Master Encryption Key (MEK) 1-8; Traffic Encryption Key (TEK) 1-8. (308618-14.00 Rev 00, page v)
Chapter 2 Considerations Before You Enable Encryption: Requirements for Enabling Encryption 2-1; Selecting Encryption Strength 2-1; Synchronizing Router Clocks 2-2; Using Encryption with AN Routers 2-2; Encryption and Performance 2-2; Maintenance Considerations for the NPK 2-3; Using Floppy Disks to Store Key Files 2-3; Reading Key Files on PC Floppy Disk from UNIX 2-3; Using Encryption with Dial Services 2-4; Encryption with Dial Backup 2-4.
Chapter 3 Enabling Encryption: Before You Begin 3-1; Modifying Encryption Parameters Using Technician Interface
2. Note: Store the files containing NPKs and LTSSs on removable media, such as floppy disks, and store that media in a safe place.

Changing the Length of the LTSS Key Generator
You can set the length of the LTSSs to a value other than the default of 128 bits by editing the WF_LTSS_KEY_GEN_LEN line in the Site Manager initialization file, \windows\siteman.ini. Use an editor such as Notepad. You can enter a value from 128 to 248.

Running the wfkseed Command
The wfkseed command creates the seed that enables WEP to generate random numbers. You run this command twice to create seeds: once for the NPK key file and once for the LTSS key file.
1. Insert your choice of removable media, such as a floppy disk, in an available drive on your PC.
2. At the DOS prompt, enter: wfkseed
3. WEP asks: Do you wish to create the LTSS or NPK Key File? [LTSS]
   Press Return to create the LTSS key file. WEP displays this message: Enter the path of the key path:
   Enter n:\, where n is the letter assigned to a drive with the removable media that you are using to store the key files. WEP then displays this message: To initialize the seed for the cryptographic random number generator, please now enter a series of characters which you would consider to be random. As you enter them, dots will be displayed to indicate progress. If your string is not random enough, questions will be displayed.
3. (Site Manager Path, continued) 3. Click on Add. The FR PVC Add window opens. 4. Enter a DLCI number (for instructions, see Configuring Frame Relay Services, published by Nortel Networks) and click on OK. You return to the FR PVC List window. 5. Set the Node Protection Key parameter. The NPK values that you generated previously appear in the WEP NPK window. Click on Help or see the parameter description on page A-1. 6. Click on Apply. The Frame Relay PVC List window remains open.
After you enter the NPK, the remaining parameters become available. If you are editing a configuration file that you created during a previous session, you must enter exactly the same NPK that you used before.
4. Enter the values for the LTSS Value and LTSS Name parameters. When you enter the LTSS Value, you automatically enter the LTSS Name.
   Site Manager Path (You do this / System responds): 1. Set the LTSS Value parameter. Click on Help or see the parameter description on page A-3. 2. Click on Apply. The Frame Relay PVC List window remains open.
5. Set the Enable Encryption parameter to Enable. The Encrypt Enable parameter defaults to Disable. You must set both the frame relay Encrypt Enable parameter and the WEP Enable parameter to Enable for WEP to function. Instructions on setting the WEP Enable parameter are provided in Configuring WEP Parameters on page 3-19.
4. For instructions on how to enter an NPK on a router, see page 3-9. If you install a new CPU board on a router or swap boards between routers, you must reenter the NPK on the affected routers. The NPK remains on a board that you remove from a router using data encryption. For security reasons, you need to plan ahead to make sure that an NPK you are using resides only on a router that carries encrypted traffic.

Using Floppy Disks to Store Key Files
For security reasons, you should use removable media, such as floppy disks, to store key files.

Reading Key Files on PC Floppy Disk from UNIX
You can use the same floppy disks on both PCs and UNIX platforms if you have UNIX personal computer file system (pcfs) compatibility, which allows UNIX platforms to access data on floppy disks formatted for PCs. Issue the following series of commands:
1. Log on as superuser: su
2. Enter the superuser password at the password: prompt.
3. Move to the root file system: cd /
4. Make a mount point directory: mkdir <directory_name>
5. Mount the floppy disk: mount -t pcfs /dev/fd0 <directory_name>

Using Encryption with Dial Services
You can configure WEP to work with dial-on-demand, dial backup, and bandwidth-on-demand services. Using WEP for these three dial services enables you to protect sensitive traffic across switched circuits. Configure encryption for a PPP
5. (Index, continued) Master Encryption Key (MEK) 1-8; MEK Change parameter 3-15, 3-18, A-3; Message Digest 5 (MD5) 1-3.
N: Node Protection Key (NPK), defined 1-6; Node Protection Key parameter A-1; NPK: changing 3-10; creating a seed for, on a PC 3-3, on a UNIX platform 3-5; entering in MIB 1-7; entering on router 1-6, 3-9; function A-1; generating 3-7; in nonvolatile RAM 3-9; overwriting 3-10; selecting 2-3; storing on removable media 3-3.
O: opening Site Manager 3-7, 3-8; overwriting an NPK 3-10.
P: password, secure shell 1-7; pcfs utility 2-3; performance, effect of encryption on 2-2; product support xv; publications, hard copy xiv.
R: Random Number Generator (RNG) 1-5; removable media for storing key files 1-8, 3-3; routers, synchronizing dates and times 2-2.
S: secure shell 3-9; secure shell password 1-7, 3-12; security 1-2, 1-3, 1-8; seeds: creating 3-2 to 3-6, defined 1-5; SEO software license agreement 1-2; setting a path to the key files, UNIX platform 3-5; setting change rates: MEK 3-15, 3-18, TEK 3-20, 3-22; starting encryption: frame relay 3-16, PPP 3-13, 3-16, summary of requirements 3-2; storing NPKs and LTSSs 3-3; strong encryption option (SEO) 1-2; support, Nortel Networks xv; synchronizing routers 2-2.
T: technical publications xiv; technical support xv; Technician Interface 3-1; TEK: function 1-8, generating 3-11; TEK Change Bytes parameter 1-8, 3-
6. Site Manager Path (You do this / System responds): 1. Set the Encrypt Enable parameter. Click on Help or see the parameter description on page A-2. 2. Click on Apply. The Frame Relay PVC List window remains open.
6. Set a change time for the MEK. The MEK Change parameter sets the amount of time, in minutes, between changes in the MEK. The value for this attribute must be the same on both sides of a link.
   Site Manager Path (You do this / System responds): 1. Set the MEK Change parameter. Click on Help or see the parameter description on page A-3. 2. Click on Apply. The Frame Relay PVC List window remains open.
7. Click on Done to exit the window.
8. Configure the WEP parameters. For instructions, see the section Configuring WEP Parameters on page 3-19.

Configuring WEP Parameters
WEP has both line and circuit interface parameters. WEP parameters have default values. To customize WEP for your network, you can edit those values.
Note: Enabling WEP adds 5 bytes to the frame's header. In most cases this has no effect on your data, and you do not need to adjust the default configuration. If you want to increase the maximum transmission unit (MTU) to avoid fragmenting or dropping large packets, refer to the manual for the WAN protocol you are using.

Configuring WEP Line Parameters
1. Enable encryption on this line. The WEP Enable parameter defaults to Enable when
7. (Index, continued) text xii; creating seeds 3-2 to 3-6; customer support xv.
D: data 1-1; data compression 2-2; data encryption: 40- and 56-bit 1-2, architecture 1-1, keys 1-2, starting 3-2; Data Encryption Standard (DES) 1-1; deleting encryption 3-25; disks, floppy, for storing key files 1-8, 2-3; dropping traffic 2-1.
E: EDIT, using to enter an NPK 1-7; editing encryption 2-3; editors, using to enter an NPK on a router 1-7; emacs, using to enter an NPK 1-7; Enable parameter: WEP circuit interface A-5, WEP line A-4; enabling encryption: frame relay 3-18, PPP 3-15, requirements 2-1, WEP 3-19, 3-21; Encrypt Enable parameter 3-15, 3-18, A-2; encryption: 40- and 56-bit 1-2, architecture 1-1, disabling telnet access when using 2-2, keys 1-2, starting 3-2, using with AN routers 2-2; encryption strength, selecting 40-bit or 56-bit 2-1, 3-20, 3-22; entering an NPK on a router 3-9.
F: floppy disks for storing key files 1-8, 2-3.
G: generating: a TEK 3-11, an LTSS 3-8, an NPK 3-7.
K: k commands B-1; key files: security 1-8, setting a path to, UNIX 3-5; keys 1-2: integrity of 1-3, LTSS 1-7, MEK 1-8, NPK 1-6, summary 1-4, TEK 1-8.
L: LTSS: changing 3-11, creating a seed for, on a PC 3-3, on a UNIX platform 3-5, defined 1-7, function A-3, generating 3-8, storing on removable media 3-3; LTSS Name parameter 1-8, 3-17, A-2; LTSS Value parameter 3-17, A-3.
M
8. (continued) the NPK, the LTSS Value, and the LTSS Name parameters, following the directions in the steps below, make sure that the path that appears in the top bar of the Configuration Manager window, the WEP NPK window, and the WEP LTSS window is the path that you set for your NPK and LTSS files.
2. Select the WEP protocol.
   Site Manager Path (You do this / System responds): 1. Select a port to configure for PPP. The Add Circuit window opens. 2. Click on OK. The WAN Protocols window opens. 3. Choose PPP and click on OK. The Select Protocols window opens. 4. Scroll down to choose WEP. Click on OK. You return to the Configuration Manager.
3. Enter the NPK. You need to do this once for each router or configuration file.
   Site Manager Path (You do this / System responds): 1. Set the Node Protection Key parameter. Click on Help or see the parameter description on page A-1. 2. Click on Apply. The PPP Interface Lists window remains open.
   After you enter the NPK, the remaining parameters become available. If you are editing a configuration file that you created during a previous session, you must enter exactly the same NPK that you used before.
4. Enter the value for the LTSS Value and LTSS Name parameters. When you enter the LTSS Value, you automatically enter the LTSS Name.
   Site Manager Path (You do this / System responds):
9. Starting Encryption for Frame Relay
To configure encryption for frame relay:
1. Insert the floppy disk or other removable media that contains your NPK and LTSS files.
   Note: Take the following precaution to make sure that your NPK and LTSS source files are the ones you generated. When you enter values for the NPK, the LTSS Value, and the LTSS Name parameters, following the directions in the steps below, make sure that the path that appears in the top bar of the Configuration Manager window, the WEP NPK window, and the WEP LTSS window is the path that you set for your NPK and LTSS files.
2. Select the WEP protocol.
   Site Manager Path (You do this / System responds): 1. Select a port to configure for Frame Relay. The Add Circuit window opens. 2. Click on OK. The WAN Protocols window opens. 3. Select Frame Relay and click on OK. The Select Protocols window opens. 4. Scroll down to select WEP. Click on OK. You return to the Configuration Manager.
3. Enter the NPK. You need to do this once for each router or configuration file.
   Site Manager Path (You do this / System responds): 1. In the Configuration Manager window, select Protocols > Frame Relay > Services. The Frame Relay Service List window opens. 2. Click on PVCs. The FR PVC List window opens. 3.
10. Secure Shell Password
The Secure Shell password protects all of the secret data in the router that WEP uses. Select a password of at least 10 to 12 characters. Do not use anything obvious, like your nickname, family birthdates, or your social security number. Change this password often and randomly.

Entering the NPK into Site Manager
You must also enter the NPK into Site Manager, using the PPP or frame relay Node Protection Key parameter. When you enter an NPK, its value is visible only until you click on the Apply button. When you modify the security configuration for a router, you must enter the NPK exactly as you entered it when you first configured encryption; otherwise, you cannot make changes.

Long Term Shared Secret (LTSS)
The LTSS is the source for the Master Encryption Key (MEK). It consists of 128 to 248 bits of secret data that each end of a secure link shares. The LTSS resides in the MIB, encrypted by the NPK, which you must have previously entered into Site Manager. You need a different LTSS for each circuit that you configure to use encryption. The key manager uses an RNG to generate LTSSs, and you specify a name for each of these values. After you create a file of LTSS keys, you assign the same key to each end of a secure circuit.
Note: Store the files of NPKs and LTSSs on removable media, such as floppy disks, and store that media in a safe place.
11. This appendix contains definitions of the k commands that you use to work in the secure shell of the router. Use these commands at the Technician Interface.

Command / System Response
kexit: Exits the secure shell.
kget <subcommand>: Obtains a parameter in the secure shell. Example: kget ppp s21 obtains parameter values for PPP circuit 21. Example: kget fr <arguments> obtains parameters for frame relay circuit <arguments>.
kpassword: Changes the password of the secure shell.
kseed: Initializes the cryptographic random number generator while in the secure shell.
ksession: Initiates a secure shell session.
kset <subcommand> <flags>: Sets parameter values in the secure shell. Example: kset npk <value> sets the router Node Protection Key.
ktranslate <old_NPK>: Translates a configuration from an old Node Protection Key (NPK) value to the current NPK value. Example: ktranslate <old_npk> <new_npk>

Index
Numbers: 40-bit and 56-bit encryption 1-2, 2-1.
A: acronyms xiii; AN routers, using encryption 2-2; authentication 1-3.
C: changing: an LTSS 3-11, an NPK 3-10, the length of the RNGs for LTSSs, on a PC 3-3, on a UNIX platform 3-5, the path to the key files on a PC 3-3; Cipher Mode Mask, WEP circuit interface A-6; Cipher Mode Mask parameter, WEP line A-4; configuring: frame relay encryption 3-16, PPP encryption 3-13, 3-16, WEP 3-19; conventions
12. (continued) anything obvious. Change it often. The prompt changes to SSHELL>, indicating that you are now in the secure shell.
Enter the kseed command and press Return. WEP asks: Do you wish to create the TEK Key File? Press Return to create the TEK key file. WEP displays: To initialize the seed for the cryptographic random number generator, please now enter a series of characters which you would consider to be random. As you enter them, dots will be displayed to indicate progress. If your string is not random enough, questions will be displayed. In that case, modify the pattern you are entering. When enough data is input you will be prompted to stop (near 3 lines of input).
As you type, the screen displays a dot for each keystroke that WEP accepts. If your keystrokes are not random enough, the screen displays questions. When you have entered a sufficient number of random keystrokes, WEP displays a message telling you you're done and returns you to the prompt: All done, thank you.
5. Exit the secure shell by entering kexit. You return to the regular prompt.

Starting Encryption for PPP
To configure encryption for PPP:
1. Insert the floppy disk or other removable media that contains your NPK and LTSS files.
   Note: Take the following precaution to make sure that your NPK and LTSS source files are the ones you generated. When you enter values for the
13. (continued) changes according to the values in the TEK Change Seconds and TEK Change Bytes parameters. A sending router generates a new TEK, and WEP encrypts it. The receiving router notes the change, decrypts it, replaces the old TEK with the new one, and uses the new one to decrypt current and future data until the TEK changes again. Each router has its own TEK and TEK Change attributes that it uses to protect data that it sends. A link therefore has two TEKs, which are different and which change independently of each other. For more information on configuring key change attributes, refer to Appendix A, Encryption Parameters.

Chapter 2 Considerations Before You Enable Encryption
This chapter presents some essential points that you should consider in preparing to configure encryption at your site.

Requirements for Enabling Encryption
To configure encryption, you must configure WEP parameters and either PPP or frame relay encryption parameters. You must enable encryption for both the line and circuit WEP parameters and for either PPP or frame relay. If you enable encryption for the WEP line and circuit but not for a PPP or frame relay protocol, data does not travel over the network. If you enable encryption for the line, circuit, and protocol, and some other attribute for encryption is misconfigured, WEP drops data rather than sending it unencrypted.

Selecting Encryption Strength
Both sides of a link must use
14. (continued) or frame relay switched circuit as you would for a leased circuit.

Encryption with Dial Backup
If you configure encryption to work with dial backup service, encrypted data travels over the backup circuit if the primary line fails. You do not have to configure WEP over the backup circuit, because the backup circuit takes the configuration of the primary circuit. Encryption works with any PPP or frame relay primary and backup circuit combination. If PPP is the protocol for the backup circuit, ensure that the parameter RFC1661 Compliance (Site Manager) or mru compliance (BCC) is set to the default, Enable, for encryption to work successfully. To configure RFC 1661 compliance with Site Manager, see Configuring PPP Services. To configure RFC 1661 compliance with the BCC, see Configuring Dial Services.

Chapter 3 Enabling Encryption
This chapter describes how to configure data encryption.

Before You Begin
Before you can start data encryption, you must start Site Manager and:
1. Create and save a configuration file that has at least one PPP or frame relay interface.
2. Specify router hardware if this is a local mode configuration file.
3. Retrieve the configuration file in local, remote, or dynamic mode.
4. Reboot the router.

Modifying Encryption Parameters Using Technician Interface
The Technician Interface allows you to modify parameters by issuing set and commit commands with the management inf
15. (continued) screen displays questions. After you enter a sufficient number of random keystrokes, WEP displays a completion message and returns you to the prompt: All done, thank you.
Enter the wfkseed command again to generate the NPK key file. WEP asks: Do you wish to create the LTSS or NPK Key File? [LTSS] Type npk and press Return. Repeat Step 3 to generate the NPK key file.

Creating Seeds on the Router
Using the Technician Interface, you create one seed for the NPK using the kseed command. To store the seed in nonvolatile memory, execute the kset npk command. If you do not execute both of these commands, the encryption software will not run.

Creating NPKs and LTSSs
After you generate the NPK and LTSS seeds, you open Site Manager on your router's management console and use the WEP Key Manager tool to generate NPKs and LTSSs. You enter an NPK on each router and in the Site Manager NPK parameter. You enter the LTSSs in the MIBs of each router on a link.

Creating NPKs
To generate an NPK:
1. Start Site Manager. Note that you open Site Manager after you set the path to the key files.
2. Select Tools > WEP Key Manager > NPK Manager.
3. In the NPK name box, type a name for the NPK. Specify a name that identifies this router, perhaps by location (for example, Boston).
4. Click on Generate.
5. Click on Add. The NPK name and value appear in the NPK list box.
6. Repeat Steps 3, 4, and 5
16. (continued) shared secret (LTSS) must be the same on both sides of the link. When you enter the LTSS Value, you automatically enter the LTSS Name.
MIB Object ID: PPP 1.3.6.1.4.1.18.3.4.28.5.1.5; Frame Relay 1.3.6.1.4.1.18.3.4.28.4.1.8

Parameter: MEK Change
Path: PPP: Configuration Manager > Protocols > PPP > PPP Interface Lists window. Frame Relay: Configuration Manager > Protocols > Frame Relay > Services > Frame Relay Service List window > PVCs > Add
Default: 60 minutes
Options: 1 through 65,535 minutes
Function: Sets the amount of time, in minutes, between changes in the value of the Master Encryption Key (MEK).
Instructions: Accept the default or select another value within the specified range. The value for this parameter must be the same on both sides of a link. If the router clocks are not synchronized and you want to use encryption, set this parameter to a value large enough to compensate for the time difference between the routers. This ensures that the MEKs are the same on both sides of a link.
MIB Object ID: PPP 1.3.6.1.4.1.18.3.4.28.5.1.6; Frame Relay 1.3.6.1.4.1.18.3.4.28.4.1.9

WEP Line Parameters
(Each parameter is described by Parameter, Path, Default, Options, Function, Instructions, and MIB Object ID.)
Parameter: Enable
Path: Configuration Manager > Protocols > WEP > Lines
Default: Enable
Options: Enable | Disable
Function: Enables or disables encryption on this line.
Instructions: Defaults to Enable only
17. (continued) the DES key secret and protected from unauthorized change.

40 Bit and 56 Bit Encryption Strengths
Nortel Networks offers two encryption strengths:
• The standard router software includes encryption that uses 40-bit DES keys. This version provides reasonably strong security.
• A strong encryption option (SEO) for router software that uses 56-bit DES keys. SEO software is generally available only in the United States and Canada. U.S. law allows export of the SEO only with a U.S. export license. For more information on the export, import, and use of SEO outside the United States and Canada, refer to the SEO software license agreement.

Message Digest 5 (MD5)
MD5 is a secure hash algorithm and is a component in a number of IETF standard protocols. MD5 operates on data of varying lengths and produces from it a single 128-bit output called the digest. It is very difficult, given one message and its digest, to fabricate another message that has the same digest. This property enables MD5 to function like a checksum to detect errors in the integrity of a message. When a message that contains a secret key is hashed, the resulting digest also authenticates the origin of the message: only a source that possesses the secret key could have calculated the digest. This technique is called keyed MD5. Nortel Networks encryption uses MD5 to:
• Authenticate the originator of the message, that is, t
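The integrity-plus-origin property described above, shown as an added example that is not code from the manual or from the WEP software: a frame carries a digest over a message that "contains" a shared secret, so a receiver holding the same secret detects both tampering and frames produced without the key. The key-prefix layout, the frame format, the key and message values are all constructed assumptions; the exact way WEP combines key and data is not given on this page, so the standardised HMAC-MD5 (RFC 2104) form is included alongside it.

```python
"""Keyed-MD5 integrity and origin check (illustrative, not WEP's format)."""
import hashlib
import hmac

DIGEST_LEN = 16  # an MD5 digest is 128 bits = 16 bytes


def keyed_md5(key: bytes, message: bytes) -> bytes:
    """Digest of a message that contains the secret key (key-prefix form).

    ASSUMPTION: key || message is a textbook layout chosen for illustration.
    A bare key-prefix hash is subject to length-extension, which is why
    HMAC (below) is the construction standardised for keyed hashing.
    """
    return hashlib.md5(key + message).digest()


def hmac_md5(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 as defined in RFC 2104, the standardised keyed-MD5 form."""
    return hmac.new(key, message, hashlib.md5).digest()


def protect(key: bytes, message: bytes, mac=keyed_md5) -> bytes:
    """Sender side: append the keyed digest to the message."""
    return message + mac(key, message)


def verify(key: bytes, frame: bytes, mac=keyed_md5):
    """Receiver side: return the message if the digest checks, else None.

    hmac.compare_digest avoids leaking the digest through timing differences.
    """
    if len(frame) < DIGEST_LEN:
        return None
    body, tag = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
    if not hmac.compare_digest(tag, mac(key, body)):
        return None
    return body


def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate a one-bit transmission error or edit at the given byte."""
    edited = bytearray(frame)
    edited[index] ^= 0x01
    return bytes(edited)


def demo() -> dict:
    """Run the checks with constructed sample values; returns pass/fail map."""
    key = b"constructed-shared-secret"        # constructed sample secret
    other = b"constructed-different-secret"   # a party without the key
    msg = b"routing update for PPP circuit 21"  # constructed sample payload
    results = {}
    for name, mac in (("keyed_md5", keyed_md5), ("hmac_md5", hmac_md5)):
        frame = protect(key, msg, mac)
        results[name] = {
            # genuine frame from a key holder is accepted
            "genuine_accepted": verify(key, frame, mac) == msg,
            # a digest computed with a different secret is rejected
            "wrong_key_rejected": verify(other, frame, mac) is None,
            # a modified payload no longer matches its digest
            "payload_tamper_rejected": verify(key, flip_bit(frame, 0), mac) is None,
            # a modified digest no longer matches the payload
            "digest_tamper_rejected": verify(key, flip_bit(frame, len(frame) - 1), mac) is None,
        }
    return results


if __name__ == "__main__":
    for scheme, checks in demo().items():
        for check, ok in checks.items():
            print(f"{scheme}: {check}: {ok}")
```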
18. (continued) the same encryption strength. Note that you can select both encryption strengths, enabling a router that has 56-bit encryption strength to use 40-bit encryption with a router that has only 40-bit encryption.

Synchronizing Router Clocks
The Master Encryption Key (MEK) must be the same at both ends of a link. Therefore, the MEK Change parameter value, which sets the amount of time between changes in the value of the MEK, must also be the same. For these values to be the same routinely, the MEK changes must occur at approximately the same time, which requires that the routers use the same date and time. If the routers' clocks differ by more than the MEK Change value, WEP drops all packets. To synchronize the routers, you can use either or both of these options:
• Network Time Protocol (NTP)
• MEK Change parameter: set it to a value large enough to accommodate differences between the routers' clocks.
Caution: You should disable TELNET access of any kind between secure routers. If anyone changes the date on either of the routers, traffic stops.

Using Encryption with AN Routers
AN router models earlier than Version 8 12 2 12 lose both date and time if they are powered off. To use encryption with these older ANs, you must synchronize the router clocks before you configure encryption. Newer models have a battery that maintains the router clock. If your AN has a model nu
19. (continued) to Disable. For help, click on Help or see the parameter description on page A-2. 5. Click on Apply. The Frame Relay PVC List window remains open. 6. Click on Done.

Deleting Encryption from an Interface
To delete encryption from an interface on which it is currently configured:
1. In the Configuration Manager window, select Circuits > Edit Circuits. The Circuit List window opens.
2. Click on Edit. The Circuit Definition window opens.
3. Select Protocols > Add/Delete. The Select Protocols window opens.
4. Deselect WEP and click on OK. Encryption is no longer operating on the interface.

Deleting Encryption from a Router
To delete encryption from all circuits on which it is currently configured:
1. In the Configuration Manager window, select Protocols > WEP > Delete WEP. A window opens and asks: Do you REALLY want to delete WEP?
2. Click on OK. You return to the Configuration Manager. Encryption is no longer operating on the router.

Appendix A Encryption Parameters
This appendix contains parameter descriptions for PPP and frame relay encryption parameters and for WEP line and circuit interface parameters.

PPP and Frame Relay Encryption Parameters
Encryption parameters for PPP and frame relay are the same, but Si
20. (continued) use and copy the associated user manual solely in support of authorized use of the Software by Licensee. This license applies to the Software only and does not extend to Nortel Networks Agent software or other Nortel Networks software products. Nortel Networks Agent software or other Nortel Networks software products are licensed for use under the terms of the applicable Nortel Networks NA Inc. Software License Agreement that accompanies such software and upon payment by the end user of the applicable license fees for such software.
2. Restrictions on use; reservation of rights. The Software and user manuals are protected under copyright laws. Nortel Networks and/or its licensors retain all title and ownership in both the Software and user manuals, including any revisions made by Nortel Networks or its licensors. The copyright notice must be reproduced and included with any copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble, use for any competitive analysis, reverse engineer, distribute, or create derivative works from the Software or user manuals or any copy, in whole or in part. Except as expressly provided in this Agreement, Licensee may not copy or transfer the Software or user manuals, in whole or in part. The Software and user manuals embody Nortel Networks' and its licensors' confidential and proprietary intellectual property. Licensee shall not sublicense, assign, or otherwise disclose t
21. (continued) you select WEP from the Protocols menu. Both the WEP Enable parameter and the PPP or frame relay Enable parameter must be set to Enable for WEP to function. Instructions for setting the Enable parameter for PPP can be found in the section Starting Encryption for PPP on page 3-13. Instructions for setting this parameter for frame relay can be found in the section Starting Encryption for Frame Relay on page 3-16.
   Site Manager Path (You do this / System responds): 1. In the Configuration Manager window, choose Protocols. The Protocols menu opens. 2. Choose WEP. The WEP menu opens. 3. Choose Lines. The WEP Line Parameters window opens. 4. Set the Enable parameter. Click on Help or see the parameter description on page A-4. 5. Click on Apply. The WEP Line Parameters window remains open.
2. Select the encryption strength for this line. Encryption is available in two versions, regular and strong. The standard router software includes encryption that uses regular encryption, that is, 40-bit keys. Nortel Networks also offers a strong encryption option that uses 56-bit keys. Strong encryption is generally available only in the United States and Canada. Select the encryption strength that is appropriate for your network. Note that you can select both encryption strengths. This optio
22. (continued) 2 1 parameter value, you enter ethernet 2 1 and as many parameter-value pairs as needed.
italic text: Indicates file and directory names, new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is show at <valid_route>, valid_route is one variable and you substitute one value for it.
screen text: Indicates system output, for example, prompts and system messages. Example: Set Trap Monitor Filters
separator (>): Shows menu paths. Example: Protocols > IP identifies the IP option on the Protocols menu.
vertical line (|): Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is show ip {alerts | routes}, you enter either show ip alerts or show ip routes, but not both.

Acronyms
This guide uses the following acronyms:
ANSI  American National Standards Institute
DES   Data Encryption Standard
DLCI  data link connection identifier
IETF  Internet Engineering Task Force
ISDN  Integrated Services Digital Network
LTSS  long term shared secret
MD5   Message Digest 5
MEK   Master Encryption Key
MIB   management information base
NPK   Node Prote
23. (Index, continued) 3-20, 3-22; WEP circuit interface A-6; WEP line A-5; TEK Change Seconds parameter: WEP circuit interface A-7, WEP line A-5; TEK Change Time parameter 1-8, 3-21, 3-23; TELNET access, disabling when using encryption 2-2; text conventions xii; throughput, effect of encryption on 2-2; Traffic Encryption Key (TEK), defined 1-8.
U: United States law and encryption 1-2.
V: vi editor, using to enter an NPK 1-7.
W: WAN Encryption Protocol (WEP), defined 1-3; WEP: configuring 3-19, overview 1-3, parameters 3-19, security of the link 1-3; WEP Enable parameter 3-19, 3-21; wep_ltss.dat 3-8; WF_KEY_FILE_PATH environment variable 3-3, 3-5; WF_LTSS_KEY_GEN_LEN environment variable 3-3, 3-5; wfkseed command 3-3, 3-6.
24. (continued) AT THIS AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN NORTEL NETWORKS AND LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST NORTEL NETWORKS UNLESS NORTEL NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT.

Contents
Preface: (entry illegible) xi; Text Conventions xii; Acronyms xiii; Hard-Copy Technical Manuals xiv; How to Get Help xv.
Chapter 1 Data Encryption Overview: (entry illegible) 1-1; Data Encryption Standard (DES) 1-2; 40 Bit and 56 Bit Encryption Strengths 1-2; Message Digest 5 (MD5) 1-3; WAN Encryption Protocol (WEP) 1-3; (entry illegible) 1-3; (entry illegible) 1-4; (entry illegible) 1-4; Encryption Keys 1-4; Random Number Generator (RNG) 1-5; Node Protection Key (NPK) 1-6;
BayRS Version 14.00
Part No. 308618-14.00 Rev 00
September 1999

4401 Great America Parkway
Santa Clara, CA 95054

Configuring Data Encryption Services

NORTEL NETWORKS

Copyright 1999 Nortel Networks. All rights reserved. Printed in the USA. September 1999.

The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks NA Inc.

The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that license. A summary of the Software License is included in this document.

Trademarks

NORTEL NETWORKS is a trademark of Nortel Networks. AN and BN are registered trademarks and ARN, ASN, BayStack, and System 5000 are trademarks of Nortel Networks. All other trademarks and registered trademarks are the property of their respective owners.

Restricted Rights Legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement th
Master Encryption Key (MEK)

The MEK encrypts the Traffic Encryption Key (TEK). The LTSS for a circuit, combined with the current time, is the source of its MEK. You do not actually generate, enter, or view the MEK; the WEP software automatically calculates this value. Like the LTSS, the MEK must be the same on each end of a link.

The value of an individual MEK periodically changes according to the value of the MEK Change parameter. For the encryption software to generate identical MEKs, and for the MEKs to remain identical on both sides of a link as their values change, they must change at approximately the same time. That can only happen if:

• The MEK Change parameter is set to the same value on each end of a link. For more information, see the description of this parameter on page A-3.
• The clocks on both routers are synchronized. For further information about router clocks in relation to encryption, see the section Synchronizing Router Clocks on page 2-2.

Traffic Encryption Key (TEK)

The TEK encrypts the data that travels across the network. The RNG on a transmitting router creates the TEK. WEP then encrypts the TEK using the MEK. At the receiving router, WEP decrypts the TEK and uses it to decrypt the data.

The TEK that the standard encryption software generates is 40 bits long. The strong encryption option (SEO) can generate both 40-bit and 56-bit TEKs.

The TEK automatically
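The following Python model is an added example, not Nortel code, written to show the consequence of the two conditions above: two ends derive the same MEK only when they share the LTSS, the MEK Change value, and clock readings that fall in the same change window. The page does not give the function WEP uses to combine the LTSS with the time, so HMAC-SHA256 over the window index is an assumption made here, as is the XOR stand-in for encrypting the TEK under the MEK. The ranges checked in tek_change_due are the ones Appendix A lists for TEK Change Seconds and TEK Change Bytes; the LTSS and TEK values are constructed.

```python
import hashlib
import hmac

# Constructed model of the key schedule the text describes. The real function
# that combines the LTSS with the time is not on the page; HMAC-SHA256 keyed by
# the LTSS over the change-window index is an assumption, as is the XOR
# "wrapping" that stands in for DES.

LTSS_EXAMPLE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit LTSS


def mek_window(clock_seconds: int, mek_change_minutes: int) -> int:
    """Index of the MEK change window that a router clock falls into."""
    if mek_change_minutes < 1:
        raise ValueError("MEK Change is a number of minutes, at least 1")
    return clock_seconds // (mek_change_minutes * 60)


def derive_mek(ltss: bytes, clock_seconds: int, mek_change_minutes: int) -> bytes:
    """Model: MEK = HMAC-SHA256(LTSS, window || interval), truncated to 128 bits."""
    window = mek_window(clock_seconds, mek_change_minutes)
    msg = window.to_bytes(8, "big") + mek_change_minutes.to_bytes(4, "big")
    return hmac.new(ltss, msg, hashlib.sha256).digest()[:16]


def meks_agree(ltss: bytes, clock_a: int, change_a: int,
               clock_b: int, change_b: int) -> bool:
    """True only if both ends derive the same MEK: same LTSS, same MEK Change
    value, and clocks that fall in the same change window."""
    return hmac.compare_digest(derive_mek(ltss, clock_a, change_a),
                               derive_mek(ltss, clock_b, change_b))


def wrap_tek(mek: bytes, tek: bytes) -> bytes:
    """Stand-in for encrypting the TEK under the MEK (XOR, not DES)."""
    if len(tek) > len(mek):
        raise ValueError("model wraps at most 16 bytes")
    return bytes(m ^ t for m, t in zip(mek, tek))


def unwrap_tek(mek: bytes, wrapped: bytes) -> bytes:
    return wrap_tek(mek, wrapped)  # XOR is its own inverse


def tek_change_due(seconds_since: int, bytes_since: int,
                   tek_change_seconds: int, tek_change_bytes: int) -> bool:
    """A new TEK is due when either limit is reached. The ranges are the ones
    Appendix A gives: 1..65535 seconds, 256..2147483647 bytes."""
    if not 1 <= tek_change_seconds <= 65535:
        raise ValueError("TEK Change Seconds out of range")
    if not 256 <= tek_change_bytes <= 2147483647:
        raise ValueError("TEK Change Bytes out of range")
    return seconds_since >= tek_change_seconds or bytes_since >= tek_change_bytes


def demo() -> dict:
    """Two routers with MEK Change = 10 minutes. A 15-second clock skew that
    straddles a window boundary gives different MEKs until the next window."""
    tek = bytes.fromhex("0a0b0c0d0e")  # constructed 40-bit TEK
    aligned = meks_agree(LTSS_EXAMPLE, 600, 10, 650, 10)    # both in window 1
    straddle = meks_agree(LTSS_EXAMPLE, 590, 10, 605, 10)   # window 0 vs window 1
    mismatch = meks_agree(LTSS_EXAMPLE, 600, 10, 600, 5)    # different MEK Change
    sender = derive_mek(LTSS_EXAMPLE, 600, 10)
    receiver_ok = unwrap_tek(derive_mek(LTSS_EXAMPLE, 650, 10),
                             wrap_tek(sender, tek)) == tek
    receiver_bad = unwrap_tek(derive_mek(LTSS_EXAMPLE, 590, 10),
                              wrap_tek(sender, tek)) == tek
    return {"aligned": aligned, "straddle": straddle, "mismatch": mismatch,
            "receiver_ok": receiver_ok, "receiver_bad": receiver_bad}


if __name__ == "__main__":
    print(demo())
```

A skew of a few seconds only matters when it straddles a window boundary, which is why the text asks for synchronized clocks rather than stating a fixed tolerance; in the model the link recovers at the next window, but everything sent across the boundary is undecryptable at the far end.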
NPK in the MIB

To change the NPK value in the MIB:

1. At the Technician Interface, enter ksession. You enter the secure shell, which prompts you for the password.
2. Enter the password. The prompt changes to SSHELL.
3. Enter ktranslate <old NPK value>. The MIB now has the same NPK as the router.
4. Save the configuration file.

Changing LTSSs

You should change LTSSs periodically. To change LTSSs, create new ones using the WEP Key Manager tool, as described in the section Creating NPKs and LTSSs on page 3-7.

Creating TEKs

The router stores its TEK seed in nonvolatile memory. WEP uses and manages the TEK to encrypt data. Your only task is to create a seed for the RNG that generates TEKs.

Note: These instructions assume that you have connected a PC or UNIX computer directly to the console port of the router. For instructions on connecting a computer to the router console port, refer to the installation guide that came with your router.

The kseed command creates the seed that enables WEP to generate random numbers. To create a TEK seed, you work in the secure shell of the router:

1. At the C shell prompt on a UNIX platform, or at the DOS prompt on a PC, enter ksession. You enter the secure shell, which prompts you for the password.
2. Enter the password. Your password should be at least 10 to 12 characters long. It should not be
...RRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Nortel Networks NA Inc. Software License Agreement

NOTICE: Please carefully read this license agreement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as "Software" in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH NORTEL NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept these terms and conditions, return the product, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.

1. License Grant. Nortel Networks NA Inc. ("Nortel Networks") grants the end user of the Software ("Licensee") a personal, nonexclusive, nontransferable license: a) to use the Software either on a single computer or, if applicable, on a single authorized device identified by host ID, for which it was originally acquired; b) to copy the Software solely for backup purposes in support of authorized use of the Software; and c) to
You do this / System responds
1. Set the LTSS Value parameter. Click on Help or see the parameter description on page A-3.
2. Click on Apply. The PPP Interface Lists window remains open.

5. Set the Encrypt Enable parameter to Enable.

The Encrypt Enable parameter defaults to Disable. Both the Encrypt Enable parameter for PPP and the WEP Enable parameter must be set to Enable for WEP to function. Instructions on setting the WEP Enable parameter are provided in Configuring WEP Parameters on page 3-19.

Site Manager Path / You do this / System responds
1. Select the Encrypt Enable parameter. Click on Help or see the parameter description on page A-2.
2. Click on Apply. The PPP Interface Lists window remains open.

6. Set a change time for the MEK.

The MEK Change parameter sets the amount of time, in minutes, between changes in the MEK. The value for this attribute must be the same on both sides of a link.

Site Manager Path / You do this / System responds
1. Set the MEK Change parameter. Click on Help or see the parameter description on page A-3.
2. Click on Apply. You have entered a value for the MEK Change parameter. The PPP Interface Lists window remains open.

7. Click on Done to exit the window.

8. Configure the WEP parameters. For instructions, see the section Configuring WEP Parameters on page 3-19.
...al form, and you must include the 0x notation.

6. Save the configuration file.
7. Exit the secure shell by entering kexit. You return to the regular prompt.

Changing NPKs

To maintain security, you should change NPKs on a router periodically. For many applications, a period of three to six months is appropriate. To change an NPK, issue the kset NPK command as described in the section Entering an NPK on a Router on page 3-9. The new NPK overwrites its predecessor, and WEP now uses the new NPK value. Remember that you must also enter the new NPK in the PPP or frame relay Node Protection Key parameter the next time you want to change your encryption configuration.

Monitoring NPKs

If the NPK on a router does not match the NPK in the MIB, encryption does not work. This situation occurs most frequently when you change a CPU board on one slot of a router; that slot therefore lacks the current NPK.

You can view the log notes to make sure that the NPK for each slot matches the value of the NPK in the MIB. If they do not match, you can change either the router NPK value or the MIB NPK value by working in the secure shell of the router.

To view the log notes, in the Technician Interface enter:

log -ffwidt -eKEYMGR

Changing an NPK on a Router

To change the router NPK value, follow the procedure in the section Entering an NPK on a Router on page 3-9.

Changing an
...at Nortel Networks encryption services use on removable media, such as floppy disks, and you should store this media in a secure place. This is the easiest way to prevent unauthorized persons from gaining access to these files.

You should always configure the node protection keys (NPKs) locally, not over a network. When you connect a computer to a router's console port to configure encryption, use a computer that is not connected to any other equipment. You can, however, configure long-term shared secrets (LTSSs) remotely, because LTSSs are encrypted.

Follow recommendations about network security in this guide.

Encryption Keys

Figure 1-1 illustrates the hierarchy of keys that Nortel Networks encryption uses to protect and transmit data.

[Figure 1-1. Hierarchy of Encryption Keys. The figure shows Site Manager holding the NPKs (Billerica NPK, Santa Clara NPK2) and the LTSSs (Billerica-SC LTSS 42, Billerica-NY LTSS 43, and others), each router's NPK on its FR or PPP interface, and, per link, the MEK derived from the LTSS and TIME, which protects the TEK.]

The keys are the:

• Node Protection Key (NPK). It encrypts the LTSS.
• Long-Term Shared Secret (LTSS). It is the source for the Master Encryption Key.
• Master Encryption Key (MEK). It encrypts the Traff
...at may pertain to or accompany the delivery of this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, Nortel Networks NA Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks NA Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Portions of the code in this software product may be Copyright 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.

SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WA
...ction Key
NTP   Network Time Protocol
pcfs  personal computer file system
PPP   Point-to-Point Protocol
PVC   permanent virtual circuit
PRI   Primary Rate Interface
RNG   random number generator
SEO   strong encryption option
TEK   Traffic Encryption Key
WAN   wide area network
WEP   WAN Encryption Protocol

Hard-Copy Technical Manuals

You can print selected technical manuals and release notes free, directly from the Internet. Go to support.baynetworks.com/library/tpubs/. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Using Adobe Acrobat Reader, you can open the manuals and release notes, search for the sections you need, and print them on most standard printers. You can download Acrobat Reader free from the Adobe Systems Web site, www.adobe.com.

You can purchase selected documentation sets, CDs, and technical publications through the collateral catalog. The catalog is located on the World Wide Web at support.baynetworks.com/catalog.html and is divided into sections arranged alphabetically:

• The CD ROMs section lists available CDs.
• The Guides/Books section lists books on technical topics.
• The Technical Manuals section lists available printed documentation sets.

How to Get Help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, co
  (title unreadable) ... 3-2
  Creating Seeds ... 3-2
    Creating Seeds on a PC ... 3-3
      Changing the Path to the Key Files ... 3-3
      Changing the Length of the LTSS Key Generator ... 3-3
      Running the wfkseed Command ... 3-3
    Creating Seeds on a UNIX Platform ... 3-5
      Each of these steps is detailed in the following sections ... 3-5
      Setting a Path to the Key Files ... 3-5
      Changing the Length of the LTSS Key Generator ... 3-5
      Running the WEP wfkseed Command ... (page number unreadable)
    Creating Seeds on the Router ... 3-7
  Creating NPKs and LTSSs ... 3-7
    (title unreadable) ... 3-7
    (title unreadable) ... 3-8
  Entering an NPK on a Router ... 3-10
    (title unreadable) ... 3-10
    Changing an NPK on a Router ... 3-11
    Changing an NPK in the MIB ... 3-11
    (title unreadable) ... 3-11
  Starting Encryption for PPP ... 3-13
  Starting Encryption for Frame R
...elay ... 3-16
  Configuring WEP Parameters ... 3-19
    Configuring WEP Line Parameters ... 3-19
    Configuring WEP Interface Parameters ... 3-21
  Disabling Encryption ... 3-23
  Deleting Encryption from an Interface ... 3-25
  Deleting Encryption from a Router ... 3-26

Appendix A Encryption Parameters
  PPP and Frame Relay Encryption Parameters ... A-1
  WEP Line Parameters ... A-4
  WEP Circuit Interface Parameters ... A-5

Appendix B Definitions of k Commands

Index

Figures
  Figure 1-1. Hierarchy of Encryption Keys ... 1-5

Preface

This guide describes data encryption and what you do to start and customize data encryption services on a Nortel Networks router.

Before You Begin

Before using this guide, you must complete the following procedures. For a new router:

• Install the router (see the installation guide that came with your router).
• Connect the router to the network and create a pilot configuration file (see Quick-Starting Routers, Configuring BayStack Remote Access, or Connecting ASN Routers to a Network).

Make sure that you are ru
...for each NPK.
2. You use the Technician Interface to enter an NPK value in the router's nonvolatile memory. You do this for each secure router.
3. You enter the same NPK in the Site Manager PPP or frame relay Node Protection Key parameter for that router.

Generating an NPK

To generate an NPK, you must:

1. Use the WEP software to create a seed that initializes the random number generator for the NPKs.
2. Use the WEP NPK Key Manager in Site Manager to generate NPKs.

Entering the NPK on the Router

You enter the NPK into a router locally, using the console port and the secure shell section of the Technician Interface. A password protects access to the secure shell.

The easiest way to enter the NPK is to use a text editor in read-only mode to display the contents of the file that contains your NPKs. Examples of editors include vi or emacs on a UNIX platform and EDIT on a PC. Copy the value of the appropriate NPK and paste it into the Technician Interface command line.

Note: You should never use a terminal server to enter the NPK. Instead, you should enter the NPK in each router using a laptop computer that you attach directly to the router.

The NPK is stored in the router's nonvolatile memory. You cannot access the NPK or the password by means of the MIB or by using normal Technician Interface debug commands. Nor can you invoke the secure shell in a TELNET session.

Choosing a
...ge.
MIB Object ID: 1.3.6.1.4.1.18.3.4.28.1.1.6

Parameter: TEK Change Seconds
Path: Configuration Manager > Protocols > WEP > Lines
Default: 10 seconds
Options: 1 through 65,535 seconds
Function: Sets the number of seconds between changes in the value of the Traffic Encryption Key (TEK).
Instructions: Accept the default or select another value within the specified range.
MIB Object ID: 1.3.6.1.4.1.18.3.4.28.1.1.7

WEP Circuit Interface Parameters

Parameter: Enable
Path: Configuration Manager > Protocols > WEP > Circuit Interface
Default: Enable
Options: Enable | Disable
Function: Enables or disables encryption on this interface. Defaults to Enable only if you select WEP in the Protocols menu.
Instructions: Accept the default, Enable, to use encryption on this interface. Remember to enable either the PPP or frame relay Encrypt Enable parameter also.
MIB Object ID: 1.3.6.1.4.1.18.3.4.28.2.1.2

Parameter: Cipher Mode Mask
Path: Configuration Manager > Protocols > WEP > Circuit Interface
Default: Inherit from Line
Options: Inherit from Line | 40-bit | 56-bit | Both
Function: Determines whether this line uses 40-bit or 56-bit encryption.
Instructions: Accept the default, Inherit from Line, or select another option. To select another option, first deselect Inherit from Line and then select either 40-bit o
...ger Path / You do this / System responds
1. Set the TEK Change Seconds parameter. Click on Help or see the parameter description on page A-5.
2. Click on Apply. The WEP Line Parameters window remains open.

4. Click on Done to exit the window.

Disabling Encryption

To disable data encryption on a PPP circuit, follow these instructions.

Site Manager Path / You do this / System responds
1. In the Configuration Manager window, choose Protocols. The Protocols window opens.
2. Choose PPP. The PPP menu opens.
3. Choose Interfaces. The PPP Interfaces window opens.
4. Click on Lines. The PPP Line Lists window opens.
5. Set the Encrypt Enable parameter to Disable. For help, click on Help or see the parameter description on page A-2.
6. Click on Apply. The PPP Interface Lists window remains open.
7. Click on Done.

To disable data encryption on a frame relay circuit, follow these instructions.

Site Manager Path / You do this / System responds
1. In the Configuration Manager window, select Protocols > Frame Relay > Services. The Frame Relay Service List window opens.
2. Click on PVCs. The FR PVC List window opens.
3. Click on Add. The FR PVC Add window opens.
4. Set the Encrypt Enable parameter
...he backup circuit is unencrypted.

Data Encryption Architecture

Nortel Networks uses the following standards and protocols to provide encryption services:

• Data Encryption Standard (DES)
• Message Digest 5 (MD5)
• WAN Encryption Protocol (WEP), proprietary to Nortel Networks

Data Encryption Standard (DES)

Nortel Networks bases encryption services on DES, which the United States government has adopted to protect sensitive but nonclassified data. The American National Standards Institute (ANSI), the Internet Engineering Task Force (IETF), and various banking and financial standards groups have also incorporated DES into security standards.

DES describes the process that transforms 64-bit blocks of data from readable plaintext to scrambled ciphertext. A 40-bit or 56-bit number that you generate, known as a key, controls the scrambling and unscrambling. Both ends of a link must use the same key value for one end to be able to decipher the data that the other end sends.

DES is designed so that even if someone knows some of the plaintext data and the corresponding ciphertext, there is no way to determine the key without trying all possible keys. The strength of encryption-based security rests on the size of the key and on properly protecting the key. Because DES is a public standard, the encryption is secure only if the communicating routers and the management station keep
...hichever is applicable.

6. Use of Software in the European Community. This provision applies to all Software acquired for use within the European Community. If Licensee uses the Software within a country in the European Community, the Software Directive enacted by the Council of European Communities Directive dated 14 May, 1991, will apply to the examination of the Software to facilitate interoperability. Licensee agrees to notify Nortel Networks of any such intended examination of the Software and may procure support and assistance from Nortel Networks.

7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to Nortel Networks' copyright in the Software and user manuals will cease being effective at the date of expiration of the Nortel Networks copyright; those restrictions relating to use and disclosure of Nortel Networks' confidential information shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason, Licensee will immediately destroy or return to Nortel Networks the Software, user manuals, and all copies. Nortel Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license.

8. Export and Re-export. Licensee agrees not to export, directly or indirectly, the Software or rela
...ic Encryption Key.
• Traffic Encryption Key (TEK). The TEK encrypts the data that travels across the network.

Random Number Generator (RNG)

The Nortel Networks key management software uses an RNG in Site Manager to generate values for the keys. These values are statistically random. An RNG uses as its source a seed that you supply. For instructions, see Creating Seeds on page 3-2.

Site Manager also uses its RNG to generate NPKs and LTSSs. The router software uses the RNG to generate TEKs.

Node Protection Key (NPK)

The NPK encrypts and decrypts LTSSs. The NPK is stored in the router's nonvolatile memory, and its fingerprint, which is a 128-bit version of the NPK generated by the hash algorithm, is in the management information base (MIB). The NPK and its fingerprint must match for encryption to occur. You should create and use a different NPK for each secure router on your network.

Caution: The NPK is the most critical key in the hierarchy. If the NPK is compromised, all encrypted data on the router could be compromised. Protect the files that store the NPKs, preferably by using removable media that you store securely. Also protect the routers on which the NPKs reside.

The process of generating and using NPKs is as follows:

1. The key management software uses an RNG in Site Manager to generate as many NPKs as your network requires, and you specify a name
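The following Python example is added here and is not Nortel code; it serves both this description of the NPK fingerprint and the Monitoring NPKs section, which describes a slot whose NPK no longer matches the MIB after a CPU board is replaced. The page says the fingerprint is a 128-bit value produced by "the hash algorithm" and lists MD5 among the algorithms in use; taking MD5 of the raw NPK bytes is this example's assumption about the derivation. The NPK values and slot numbers are constructed, and the 0x prefix check follows the entry format the secure shell procedure requires.

```python
import hashlib
import hmac
import re

# Constructed example, not Nortel code. The MIB holds a 128-bit fingerprint of
# the NPK; which hash produces it is not stated, so MD5 over the raw NPK bytes
# is an assumption made for this model.


def parse_npk(text: str) -> bytes:
    """Accept an NPK in the form the secure shell expects: hexadecimal with 0x."""
    m = re.fullmatch(r"0[xX]([0-9a-fA-F]+)", text.strip())
    if m is None or len(m.group(1)) % 2:
        raise ValueError("NPK must be 0x followed by an even number of hex digits")
    return bytes.fromhex(m.group(1))


def npk_fingerprint(npk: bytes) -> bytes:
    """128-bit fingerprint kept in the MIB (MD5 assumed for this model)."""
    return hashlib.md5(npk).digest()


def slots_out_of_sync(slot_npks: dict, mib_fingerprint: bytes) -> list:
    """Slots whose stored NPK does not match the MIB fingerprint. Encryption
    on those slots cannot work until the router NPK or the MIB value is fixed."""
    return sorted(slot for slot, npk in slot_npks.items()
                  if not hmac.compare_digest(npk_fingerprint(npk), mib_fingerprint))


def demo() -> list:
    """A four-slot router where slot 3 received a replacement CPU board that
    still holds an earlier NPK. Both NPK values are constructed."""
    current = parse_npk("0x0123456789abcdef0123456789abcdef")
    stale = parse_npk("0xfedcba9876543210fedcba9876543210")
    mib = npk_fingerprint(current)
    return slots_out_of_sync({1: current, 2: current, 3: stale, 4: current}, mib)


if __name__ == "__main__":
    print("slots out of sync:", demo())
```

The comparison uses a constant-time digest check; that is a habit rather than a requirement here, since the fingerprint is a value the MIB already exposes. The point the model makes is the one the Caution states: the fingerprint identifies the NPK, it does not protect it, so the NPK file and the routers holding the key still need the physical protection the text describes.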
...if you select WEP in the Protocols menu.
Instructions: Accept the default, Enable, to use encryption on this line. Remember to enable either the PPP or frame relay Encrypt Enable parameter also.
MIB Object ID: 1.3.6.1.4.1.18.3.4.28.1.1.2

Parameter: Cipher Mode Mask
Path: Configuration Manager > Protocols > WEP > Lines
Default: DES 40-bit keys
Options: DES 40-bit keys | DES 56-bit keys | Both
Function: Determines whether this line uses 40-bit or 56-bit encryption.
Instructions: Accept the default, DES at 40-bit keys, unless you have the strong encryption option (SEO) that enables you to use 56-bit encryption. Select the Both option if you have 56-bit encryption and don't know the value on the other side of the link. If you select Both, the link uses 56-bit encryption if both sides support it; if not, it uses 40-bit encryption. The Site Manager screen displays the value of this parameter in hexadecimal notation:
  0x10000000  56-bit encryption
  0x20000000  40-bit encryption
  0x30000000  Both
MIB Object ID: 1.3.6.1.4.1.18.3.4.28.1.1.5

Parameter: TEK Change Bytes
Path: Configuration Manager > Protocols > WEP > Lines
Default: 65,535 bytes
Options: 256 through 2,147,483,647 bytes
Function: Sets the number of data bytes between changes in the value of the TEK.
Instructions: Accept the default or select another value within the specified ran
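The following Python example is added here, not Nortel code, to show how the Cipher Mode Mask values above combine across a link and how the circuit-interface setting Inherit from Line relates to the line setting. The hex values are the ones the page lists and the rule for Both is the one the Instructions state. What WEP does when the two ends share no key length is not stated on the page; this model reports None for that case. The audit function and the sample line names are constructed additions.

```python
# Constructed example (not Nortel code). The mask values are the ones Site
# Manager displays; the negotiation rule for "Both" is the one the text gives.

MASK_56_BIT = 0x10000000
MASK_40_BIT = 0x20000000
MASK_BOTH = MASK_56_BIT | MASK_40_BIT  # 0x30000000
INHERIT_FROM_LINE = None  # circuit-interface default, represented as None here

NAMES = {MASK_56_BIT: "DES 56-bit keys", MASK_40_BIT: "DES 40-bit keys", MASK_BOTH: "Both"}


def strengths(mask: int) -> set:
    """Key lengths a mask permits; rejects bits outside the documented values."""
    if mask == 0 or mask & ~MASK_BOTH:
        raise ValueError("invalid Cipher Mode Mask 0x%08x" % mask)
    out = set()
    if mask & MASK_56_BIT:
        out.add(56)
    if mask & MASK_40_BIT:
        out.add(40)
    return out


def effective_mask(line_mask: int, circuit_mask=INHERIT_FROM_LINE) -> int:
    """The circuit-interface setting applies unless it is Inherit from Line."""
    return line_mask if circuit_mask is INHERIT_FROM_LINE else circuit_mask


def negotiate(local_mask: int, remote_mask: int):
    """Strongest key length both ends permit, or None when they share none
    (the page does not say what WEP does in that case; None is this model's
    way of flagging it)."""
    common = strengths(local_mask) & strengths(remote_mask)
    return max(common) if common else None


def audit(lines: dict, seo_installed: bool) -> list:
    """Lines still limited to 40-bit keys although the strong encryption option
    is installed. The text says to keep the 40-bit default only when you lack
    the SEO, so these are the lines a reviewer would want to revisit."""
    if not seo_installed:
        return []
    return sorted(name for name, mask in lines.items() if strengths(mask) == {40})


if __name__ == "__main__":
    sample = {"S21": MASK_40_BIT, "S22": MASK_BOTH, "S23": MASK_56_BIT}  # constructed
    for name, mask in sample.items():
        print(name, NAMES[mask], "->", negotiate(mask, MASK_BOTH), "bits against a Both peer")
    print("lines to revisit:", audit(sample, seo_installed=True))
```

Note that Both on one end and 40-bit on the other silently yields a 40-bit link, which is the behaviour the Instructions describe; if 56-bit is a requirement, set 56-bit explicitly on both ends rather than relying on Both.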
...iguring WEP Interface Parameters

1. Enable encryption on this interface.

The WEP Enable parameter defaults to Enable when you select WEP from the Protocols menu. Both the WEP Enable parameter and the PPP or frame relay Enable parameter must be set to Enable for WEP to function. Instructions for setting the Enable parameter for PPP can be found in the section Starting Encryption for PPP on page 3-13. Instructions for setting this parameter for frame relay can be found in the section Starting Encryption for Frame Relay on page 3-16.

Site Manager Path / You do this / System responds
1. In the Configuration Manager window, choose Protocols. The Protocols menu opens.
2. Choose WEP. The WEP menu opens.
3. Choose Lines. The WEP Line Parameters window opens.
4. Set the Enable parameter. Click on Help or see the parameter description on page A-5. The options available for the Enable parameter appear.
5. Click on Apply. The WEP Line Parameters window remains open.

2. Select the encryption strength for this interface.

Encryption is available in two versions, regular and strong. The standard router software includes encryption that uses regular encryption, that is, 40-bit keys. Nortel Networks also offers a strong encryption option that use
...imitation of liability. IN NO EVENT WILL NORTEL NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE LIABILITY OF NORTEL NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT EXCEED THE PRICE PAID TO NORTEL NETWORKS FOR THE SOFTWARE LICENSE.

5. Government Licensees. This provision applies to all Software and documentation acquired directly or indirectly by or on behalf of the United States Government. The Software and documentation are commercial products, licensed on the open market at market prices, and were developed entirely at private expense and without the use of any U.S. Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial Computer Software-Restricted Rights clause of FAR 52.227-19 and the limitations set out in this license for civilian agencies, and subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 252.227-7013, for agencies of the Department of Defense or their successors, w
...mber in the format AE xxxxxxx, it is a new BayStack AN and it has the battery.

Encryption and Performance

Using encryption requires substantial resources and reduces router throughput. Consider this when you select the interfaces on which to use encryption. You can, however, lower the cost of using encryption by using data compression with encryption. You can configure both hardware- and software-based data compression over PPP and frame relay networks running encryption.

Enabling compression improves bandwidth efficiency by eliminating redundant strings in data streams. This in turn improves network response times and reduces line costs. Hardware compression is particularly effective in improving a router's throughput when you use encryption. When you use encryption with compression, the software compresses the data before it encrypts it. For instructions on how to use data compression, refer to Configuring Data Compression Services.

Maintenance Considerations for the NPK

Your configuration file includes a fingerprint of the Node Protection Key (NPK). The NPK in the MIB must match the NPK in the router's nonvolatile memory, or encryption cannot occur. This means that if you want to change anything in your encryption configuration after you have exited from the original configuration session, you must reenter the NPK exactly as you entered it initially.
...n

2. At the C shell prompt, enter setenv WF_KEY_FILE_PATH <n>, where n is a removable disk that you are using to store the key files.

Changing the Length of the LTSS Key Generator

You can set the length of the RNGs for the LTSSs to a value other than the default of 128 bits. At the C shell prompt, enter setenv WF_LTSS_KEY_GEN_LEN <number of bits from 128 to 248>.

Running the WEP wfkseed Command

The wfkseed command creates the seed that enables you to generate random numbers. You run this command twice to create seeds, once for the NPK key file and once for the LTSS key file.

To create the LTSS seed:

1. At the C shell prompt, enter wfkseed. WEP asks:

   Do you wish to create the LTSS or NPK Key File [LTSS]

Press Return to create the LTSS key file. WEP displays this message:

   To initialize the seed for the cryptographic random number generator, please now enter a series of characters which you would consider to be random. As you enter them, dots will be displayed to indicate progress. If your string is not random enough, questions will be displayed. In that case, modify the pattern you are entering. When enough data is input, you will be prompted to stop (near 3 lines of input).

Type a series of random characters. The screen displays a dot for each 5 keystrokes that WEP accepts. If your keystrokes are not random enough, the
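The following Python model is an added example, not the wfkseed program, to show what the seeding step above is measuring: it reports a dot per five accepted keystrokes, applies a cheap "random enough" check, and stops once enough input has been collected. The page gives the dot interval and the "near 3 lines" stopping point; the 240-keystroke target, the entropy threshold, and the run-length limit are assumptions made for this example, and the sample keystrokes are constructed.

```python
import math
from collections import Counter

# Constructed model (not the wfkseed program) of the keystroke-seeding step.
# Only the dot interval and "near 3 lines of input" come from the page; the
# other thresholds are assumptions chosen for this example.

DOTS_EVERY = 5            # page: one dot per 5 accepted keystrokes
TARGET_KEYSTROKES = 240   # assumption: "near 3 lines" taken as 3 x 80 columns
MIN_BITS_PER_CHAR = 3.0   # assumption: minimum character-level entropy
MAX_RUN = 3               # assumption: longest run of one repeated key tolerated


def bits_per_char(s: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_run(s: str) -> int:
    """Length of the longest run of one character (catches a held-down key)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def random_enough(s: str) -> bool:
    """Plausibility check only: rejects held-down keys and low-variety input.
    A Shannon estimate is not a randomness test; it passes "abcdefgh..." too."""
    return bits_per_char(s) >= MIN_BITS_PER_CHAR and longest_run(s) <= MAX_RUN


def progress(s: str) -> dict:
    """What the prompt would show for the keystrokes typed so far."""
    ok = random_enough(s)
    return {"dots": len(s) // DOTS_EVERY,
            "random_enough": ok,
            "done": ok and len(s) >= TARGET_KEYSTROKES}


SAMPLE_KEYSTROKES = "k3j9#Lq!z8Wm2&xP7vR4sN1@bT6yH0cF5dG"  # constructed

if __name__ == "__main__":
    print(progress(SAMPLE_KEYSTROKES))
    print(progress("aaaaaaaaaaaaaaaaaaaa"))
```

The limitation noted in random_enough is the reason the real prompt asks the operator to vary the pattern rather than relying on a single statistic: the seed is the only input to the RNG that produces the NPK and LTSS values, so predictable keystrokes make every key derived from them predictable.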
...n enables a system that has 56-bit encryption strength to support secure links with either 40-bit or 56-bit strength encryption sites. If you select Both, WEP uses 56-bit encryption if both sides of the link can support it.

Site Manager Path / You do this / System responds
1. Set the Cipher Mode Mask parameter. Click on Help or see the parameter description on page A-4.
2. Click on Apply. The WEP Line Parameters window remains open.

3. Set the change rates for the TEK.

The TEK changes depending on the values of the TEK Change Seconds parameter and the TEK Change Bytes parameter.

The TEK Change Bytes parameter sets the number of bytes between changes in the value of the TEK. To set the TEK Change Bytes parameter for a line:

Site Manager Path / You do this / System responds
1. Set the TEK Change Bytes parameter. Click on Help or see the parameter description on page A-5.
2. Click on Apply. The WEP Line Parameters window remains open.

The TEK Change Seconds parameter sets the number of seconds between changes in the value of the TEK. To set the TEK Change Seconds parameter for a line:

Site Manager Path / You do this / System responds
1. Set the TEK Change Seconds parameter. Click on Help or see the parameter description on page A-5.
2. Click on Apply. The WEP Line Parameters window remains open.

4. Click on Done to exit the window.

Conf
...nable parameter are set to Enable. If you select WEP in the Protocols menu but set this parameter to Disable, data does not travel over this circuit.
MIB Object ID: PPP 1.3.6.1.4.1.18.3.4.28.5.1.2; Frame Relay 1.3.6.1.4.1.18.3.4.28.4.1.2

Parameter: LTSS Name
Path: PPP: Configuration Manager > Protocols > PPP > PPP Interface Lists window. Frame Relay: Configuration Manager > Protocols > Frame Relay > Services > Frame Relay Service List window > PVCs > Add
Default: None
Options: A string of up to 29 characters
Function: Distinguishes this long-term shared secret (LTSS) from others.
Instructions: Select the LTSS from the list in the Site Manager WEP LTSS window. Refer to instructions in Chapter 3. When you enter the LTSS Value, you automatically enter the LTSS Name it represents.

Parameter: LTSS Value
Path: PPP: Configuration Manager > Protocols > PPP > PPP Interface Lists window. Frame Relay: Configuration Manager > Protocols > Frame Relay > Services > Frame Relay Service List window > PVCs > Add
Default: None
Options: 32 through 62 hexadecimal characters
Function: Creates the Master Encryption Key (MEK).
Instructions: Select the LTSS from the list in the Site Manager WEP LTSS window. Refer to instructions in Chapter 3. The long-term
49. nning the latest version of Nortel Networks BayRS and Site Manager software. For information about upgrading BayRS and Site Manager, see the upgrading guide for your version of BayRS.

Text Conventions
This guide uses the following text conventions:
angle brackets (< >): Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12.
bold text: Indicates command names and options, and text that you need to enter. Example: Enter show ip {alerts | routes}. Example: Use the dinfo command.
braces ({ }): Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is show ip {alerts | routes}, you must enter either show ip alerts or show ip routes, but not both.
brackets ([ ]): Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is show ip interfaces [alerts], you can enter either show ip interfaces or show ip interfaces alerts.
ellipsis points (. . .): Indicate that you repeat the last element of the command as needed. Example: If the command syntax is ethernet
50. ntact the technical support staff for that distributor or reseller for assistance. If you purchased a Nortel Networks service program, contact one of the following Nortel Networks Technical Solutions Centers:

Technical Solutions Center | Telephone Number
Billerica, MA | 800-2LANWAN (800-252-6926)
Santa Clara, CA | 800-2LANWAN (800-252-6926)
Valbonne, France | 33-4-92-96-69-68
Sydney, Australia | 61-2-9927-8800
Tokyo, Japan | 81-3-5402-7041

Chapter 1: Data Encryption Overview
Nortel Networks data encryption services enable you to protect sensitive traffic on your network. Encryption prevents unauthorized persons from reading, changing, or replaying data that travels between Nortel Networks routers. Data encryption services include:
- Software-based encryption for PPP dedicated links for the BN, AN, ARN, ASN, and System 5000 router modules and all serial interfaces. This includes encryption on multiline and multilink.
- Software-based encryption for frame relay circuits that have one permanent virtual circuit (PVC) per service record. This includes encryption on multiline.
- Encryption configurable on a line or circuit basis.
- Encryption independent of, or combined with, data compression.
You can configure PPP dial backup for a frame relay circuit that uses data encryption. Be aware, however, that if the primary circuit fails, data that travels over t
51. o any third party the Software or any information about the operation, design, performance, or implementation of the Software and user manuals that is confidential to Nortel Networks and its licensors; however, Licensee may grant permission to its consultants, subcontractors, and agents to use the Software at Licensee's facility, provided they have agreed to use the Software only in accordance with the terms of this license.

3. Limited warranty. Nortel Networks warrants each item of Software, as delivered by Nortel Networks and properly installed and operated on Nortel Networks hardware or other equipment it is originally licensed for, to function substantially as described in its accompanying user manual during its warranty period, which begins on the date Software is first shipped to Licensee. If any item of Software fails to so function during its warranty period, as the sole remedy Nortel Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be included in a future Software release. Nortel Networks further warrants to Licensee that the media on which the Software is provided will be free from defects in materials and workmanship under normal use for a period of 90 days from the date Software is first shipped to Licensee. Nortel Networks will replace defective media at no charge if it is returned to Nortel Networks during the warranty period along with proof of the date of shipment. This warranty does not ap
52. o verify that the source possesses the secret key.
- Verify the integrity of the DES keying material.
- Create new keys as part of a process that changes key values.

WAN Encryption Protocol (WEP)
WEP employs the DES algorithm, combined with MD5 and the appropriate key, to encrypt data and add the protocol information the receiver requires to identify the data as encrypted. This encryption protocol is proprietary to Nortel Networks. WEP begins by establishing the security of the link and verifying that both ends have the same key. The two sides of the link issue connection request and acknowledgment messages. They use keyed MD5 to exchange and authenticate these messages. If the negotiation fails, data communication does not occur on that circuit.

Security and Data Encryption
To use data encryption effectively, you must take precautions to protect the security of your network equipment and the configuration process.

Site Security
Carefully restrict unauthorized access to routers that encrypt data and to the workstations you use to configure encryption. Because DES is a public standard, data is secure only if you properly protect the encryption keys. The configuration files that contain these keys include safeguards to prevent unauthorized access. However, a good strategy is to physically protect your equipment.

Configuration Security
You store the key management files th
53. ollow these instructions to copy the NPK to the router from the file you created using the Site Manager WEP tool. You enter an NPK on each secure router.
Note: These instructions assume that you have connected a PC or UNIX computer directly to the console port of the router. For instructions on connecting a computer to the router console port, refer to the installation guide that came with your router.

To enter an NPK on a router:
1. At the Technician Interface, enter ksession. You enter the secure shell, which prompts you for the password.
2. Enter the password. If you have not yet created a password, enter kpassword <password>. If you have already created a password, enter <password>. Your password should be at least 10 to 12 characters long. It should not be anything obvious. Change it often using the kpassword command. The prompt changes to SSHELL>, indicating that you are in the secure shell.
3. To view NPKs, display the wep_npk file created by the wfkseed command. On a PC, use an editor such as EDIT or Notepad. On a UNIX platform, use an editor such as vi or emacs in read-only mode, for example: vi -R <wep_npk file>.
4. Using a text editor, copy the NPK for this router.
5. At the SSHELL prompt, enter the kset command followed by a space and paste in the NPK: kset npk 0x<NPK_value>. You must enter the NPK value in hexadecim
54. ons will be displayed. In that case, modify the pattern you are entering. When enough data is input, you will be prompted to stop (near 3 lines of input).

Type a series of random characters. The screen displays a dot for each 5 keystrokes that WEP accepts. If your keystrokes are not random enough, the screen displays
After you enter a sufficient number of random keystrokes, WEP displays a completion message and returns you to the prompt: All done, thank you.

Enter the wfkseed command again to generate the NPK key file. WEP asks: Do you wish to create the LTSS or NPK Key File? [LTSS]. Type npk and press Return. Repeat Steps 3 and 4 above to generate the NPK key file.

Creating Seeds on a UNIX Platform
To create a seed on a UNIX platform:
1. Set the environment variable for the path to the key files.
2. If you want to set a length other than the default value (128 bits) for the LTSSs, change the value before you generate the seeds.
3. Enter the WEP wfkseed command.
Each of these steps is detailed in the following sections.

Setting a Path to the Key Files
You must set an environment variable to establish a location for the key files.
Note: Store the files containing NPKs and LTSSs on removable media, such as floppy disks, and store that media in a safe place.
1. Insert your choice of removable media in an available drive attached to the UNIX workstatio
55. ormation base (MIB) object ID. This process is equivalent to modifying parameters using Site Manager. For more information about using the Technician Interface to access the MIB, refer to Using Technician Interface Software.
Caution: Unlike Site Manager, the Technician Interface does not verify the parameter values you enter. Entering an invalid value can corrupt your configuration.

Starting Encryption
To enable Nortel Networks data encryption on your network, you must:
1. Create the seeds that the random number generator (RNG) uses as source values for the node protection keys (NPKs) and long-term shared secrets (LTSSs).
2. Create an NPK for each secure router.
3. Create an LTSS for each secure line or interface.
4. Create the seeds that are source values for Traffic Encryption Keys (TEKs).
5. Enter an NPK on each secure router using the console interface.
6. Enter the NPK in the PPP or frame relay Node Protection Key parameter.
7. Enter the LTSS in the PPP or frame relay LTSS Value parameters.
You can also customize encryption by editing the PPP or frame relay encryption parameters, as well as the WEP line and interface parameters.

Creating Seeds
From the management console (a PC or UNIX workstation on which you have installed Site Manager), you create two seeds to initialize the RNG that generates keys. Site Manager 6.00 or higher includes
56. ply if the media has been damaged as a result of accident, misuse, or abuse. The Licensee assumes all responsibility for selection of the Software to achieve Licensee's intended results and for the installation, use, and results obtained from the Software. Nortel Networks does not warrant (a) that the functions contained in the software will meet the Licensee's requirements, (b) that the Software will operate in the hardware or software combinations that the Licensee may select, (c) that the operation of the Software will be uninterrupted or error free, or (d) that all defects in the operation of the Software will be corrected. Nortel Networks is not obligated to remedy any Software defect that cannot be reproduced with the latest Software release. These warranties do not apply to the Software if it has been (i) altered, except by Nortel Networks or in accordance with its instructions; (ii) used in conjunction with another vendor's product, resulting in the defect; or (iii) damaged by improper environment, abuse, misuse, accident, or negligence. THE FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible for the security of its own data and information and for maintaining adequate procedures, apart from the Software, to reconstruct lost or altered files, data, or programs.

4. L
57. r 56-bit encryption, or the Both option. Accept the default (40) unless you have the strong encryption option that enables you to use 56-bit encryption. Select the Both option if you have 56-bit encryption and don't know the value on the other side of the link. If you select the Both option, the link uses 56-bit encryption if both sides support it; if not, it uses 40-bit encryption. The Site Manager screen displays the value of this parameter in hexadecimal notation:
0x10000000 = 56-bit encryption
0x20000000 = 40-bit encryption
0x30000000 = Both
0x40000000 = Inherit from Line
MIB Object ID: 1.3.6.1.4.1.18.3.4.28.2.1.4

Parameter: TEK Change Bytes
Path: Configuration Manager > Protocols > WEP > Lines
Default: 65,535 bytes
Options: 256 through 2,147,483,647 bytes
Function: Sets the number of data bytes between changes in the value of the Traffic Encryption Key (TEK).
Instructions: Accept the default or select another value within the specified range.
MIB Object ID: 1.3.6.1.4.1.18.3.4.28.1.1.6

Parameter: TEK Change Seconds
Path: Configuration Manager > Protocols > WEP > Lines
Default: 10 seconds
Options: 1 through 65,535 seconds
Function: Sets the number of seconds between changes in the value of the Traffic Encryption Key (TEK).
Instructions: Accept the default or select another value within the specified range.
MIB Object ID: 1.3.6.1.4.1.18.3.4.28.1.1.7

Appendix B: Definitions of k Commands
58. s 56-bit keys. Strong encryption is generally available only in the United States and Canada. Select the encryption strength that is appropriate for your network. Note that you can select both encryption strengths. This option enables a system that has 56-bit encryption strength to support secure links with either 40-bit or 56-bit strength encryption sites. If you select both, WEP uses 56-bit encryption if both sides of the link can support it.

Site Manager Path | You do this | System responds
1. Set the Cipher Mode Mask parameter. Click on Help or see the parameter description on page A-4.
2. Click on Apply. The WEP Line Parameters window remains open.
3. Set the change rates for the TEK. The TEK changes depending on the values of the TEK Change Seconds and TEK Change Bytes parameters.

The TEK Change Bytes parameter sets the number of bytes between changes in the value of the TEK. To set the TEK Change Bytes parameter for an interface:

Site Manager Path | You do this | System responds
1. Select the TEK Change Bytes parameter. Click on Help or see the parameter description on page A-5.
2. Click on Apply. The WEP Line Parameters window remains open.

The TEK Change Seconds parameter sets the number of seconds between changes in the value of the TEK. To set the TEK Change Seconds parameter for an interface:

Site Mana
59. software that enables you to create these seeds. Site Manager for the PC includes an environment variable that defines the location where the files that will contain the NPKs and LTSSs reside. On a UNIX platform, you must set this path. From the Technician Interface, you create one seed for the NPK for each router. The following sections provide information about creating seeds for the NPKs and LTSSs. The section Creating TEKs, later in this chapter, describes how to create the seed for a TEK.

Creating Seeds on a PC
To use a PC to create seeds that the WEP software uses to generate NPKs and LTSSs, you issue the wfkseed command at the DOS prompt. Default values exist for the key file path and the length of the LTSS key. If you want to change either value, you must do so before you create the seeds. Instructions follow.

Changing the Path to the Key Files
WF_KEY_FILE_PATH is an environment variable that resides in the Site Manager initialization file, \windows\siteman.ini. It defines the location (or path) to which WEP can write the seeds and from which Site Manager can both retrieve the seeds and write the generated keys to NPK and LTSS files. The default value of the path is <n>, where n is assigned to a drive with removable media. If you want to change the storage place for your generated key files, use an editor such as Notepad to edit the WF_KEY_FILE_PATH line
60. te Manager paths and MIB object IDs differ.

Parameter: Node Protection Key
Path: PPP: Configuration Manager > Protocols > PPP > PPP Interface Lists window. Frame Relay: Configuration Manager > Protocols > Frame Relay > Services > Frame Relay Service List window > PVCs > Add
Default: None
Options: 16 hexadecimal digits
Function: (1) Protects LTSSs on Site Manager. (2) Encrypts and decrypts long-term shared secrets (LTSSs) stored in the router's management information base (MIB). (3) Works as a password. The router compares the Node Protection Key (NPK) from RAM to the NPK entered in Site Manager; this ensures that the MIB values are encrypted under the same NPK. Each router or configuration file requires an NPK.
Instructions: Select the NPK from the list in the Site Manager WEP NPK window. Refer to the instructions in Chapter 3.

Parameter: Encrypt Enable
Path: PPP: Configuration Manager > Protocols > PPP > PPP Interface Lists window. Frame Relay: Configuration Manager > Protocols > Frame Relay > Services > Frame Relay Service List window > PVCs > Add
Default: Disable
Options: Enable | Disable
Function: Enables or disables encryption services on this port.
Instructions: Set to Enable if you want to use encryption on this interface. Encryption will not work unless both this parameter and the WEP E
61. ted technical data or information without first obtaining any required export licenses or other governmental approvals. Without limiting the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first obtaining all export licenses and approvals required by the U.S. Government, (i) export, re-export, transfer, or divert any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports are restricted or embargoed under United States export control laws and regulations, or to any national or resident of such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any military end user or for any military end use, including the design, development, or production of any chemical, nuclear, or biological weapons.

9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement will be governed by the laws of the state of California. Should you have any questions concerning this Agreement, contact Nortel Networks, 4401 Great America Parkway, P.O. Box 58185, Santa Clara, California 95054-8185. LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES TH
62. to generate as many NPKs as you need. After you finish, click on OK. Site Manager saves the NPKs on the removable media you selected when you set the key file path.
The file name that stores NPKs on both PC and UNIX platforms is wep_npk.dat.
Caution: Do not attempt to edit this file. If you do, the NPKs may become invalid.

Creating LTSSs
To generate an LTSS:
1. Start Site Manager. Note that you open Site Manager after you have set the path to the key files.
2. Select Tools > WEP Key Manager > LTSS Manager.
3. In the LTSS name box, type a name for the LTSS. Remember that the routers on both ends of a link share the LTSS. Choose a name that identifies the link, perhaps by locations, for example Boston_Sacramento.
4. Click on Generate.
5. Click on Add. The LTSS name and value appear in the LTSS list box.
6. Repeat Steps 3, 4, and 5 to generate as many LTSSs as you need.
7. After you finish, click on OK. Site Manager saves the LTSSs on the removable media you selected when you set the key file path.
The file name that stores LTSSs on a PC or UNIX platform is wep_ltss.dat.
Caution: Do not attempt to edit this file. If you do, the LTSSs may become invalid.

Entering an NPK on a Router
The router stores its NPK in nonvolatile memory. To enter the NPK, you work in the secure shell of the router. F