PTP 820 AES configuration and requirement

Summary:

PTP 820 radios can be configured for AES encryption. This document explains the requirements and the configuration needed for a PTP 820 link to operate with AES encryption.

PTP 820C and PTP 820S support AES-256 payload encryption. The purpose of payload encryption is to secure the radio link and provide protection against eavesdropping and/or impersonation (“man-in-the-middle”) attacks.

AES is enabled and configured separately for each radio carrier.

Cause:

  • When wireless link encryption is required.
  • When the AES-256 license key is installed, and AES configured; however, the link is not forming.
  • When the link is configured with AES-256 on demo license key.
  • When the Payload Encryption Key Mismatch alarm or Payload Encryption Failure alarms are active.

Solution:

In PTP 820C, AES provides full payload encryption for all L1 radio traffic. AES encryption operates at the point-to-point radio link level. It also encrypts control data passing through the radio link, such as the Link ID, ATPC data, and SSM messages. AES is enabled and configured separately for each radio carrier.

AES Interoperability

PTP 820’s AES implementation is interoperable among PTP 820 products that support AES. This means that for all PTP 820 products that are otherwise interoperable with each other, AES can be used in links between two such products.

AES hardware readiness check:

For PTP 820C, any radio manufactured after July 1, 2015 is AES hardware-ready. An easy way to validate this is to check the radio’s serial number. Serial numbers starting from F265xxx or above are AES hardware-ready.

Important points:

  • This feature is only relevant for PTP 820C, PTP 820S and PTP 820G units.
  • This feature is not supported with MIMO or space diversity links.

This feature requires an activation key per radio. If no valid AES activation key has been applied to the unit, AES will not operate on the unit. The AES feature does not work in Demo Mode.

To configure payload encryption:

  1. Verify that both the local and remote units are running with no alarms. If any alarm is present, take corrective actions to clear the alarms before proceeding.
  2. If the link is using in-band management, identify which unit is local and which unit is remote from the management point of view.
  3. In a protected link, enable protection lockout, first on the remote and then on the local unit. See Disabling Automatic Switchover to the Standby Unit.
  4. On the remote unit, select Radio > Payload Encryption. The Payload Encryption page opens.

For PTP 820C units, the Payload Encryption page initially displays a table, as shown in the Payload Encryption figure.

For PTP 820S units, the page appears as in the screenshot below.

  5. Select the carrier you want to configure and click Edit. The Payload Encryption – Edit page opens.
  6. Configure the master key by doing one of the following:
  • Enter a master key in the Master Key field. You must enter between 8 and 32 ASCII characters.
  • Click Generate key to generate a master key automatically.

You must use the same master key on both sides of the link. This means that if you generate a master key automatically on one side of the link, you must copy that key for use on the other side of the link.

Once AES encryption has been enabled on both sides of the link, the Key Exchange Protocol periodically verifies that both ends of the link have the same master key.

If a mismatch is detected, an alarm is raised, and traffic transmission is stopped for the mismatched carrier at both sides of the link. The link becomes non-valid and traffic stops being forwarded.

When you enter a master key, or when the master key is automatically generated, the key is hidden behind dots. To copy the master key, you must display the key.

To display the master key, click Show Key. A new Master key field appears, displaying the master key. You can copy the key to the clipboard from this field.

  7. Record and save the master key generated in Step 6.
  8. On the local unit, follow Steps 4 through 6 to configure the same master key configured on the remote unit also on the local unit.
  9. Enable payload encryption on the remote unit:

  • In the Admin Mode field, select AES-256 to enable payload encryption.
  • In the Session Key Period field, configure a time interval in hours and minutes (HH:MM). This is the interval at which the session key is automatically regenerated.
  • When you are finished, click Apply.

The Session Key Period must be the same on both sides of the link.

This step will cause the link status to be Down until payload encryption is successfully enabled on the local unit. However, the RSL measured on the link should remain at an acceptable level.

  10. Enable payload encryption on the local unit by following the procedure described in Step 9. Verify that on both the local and remote active units, the link status returns to Up and user traffic is restored. In links using in-band management, verify also that in-band management returns.
  11. In a protected link, perform copy-to-mate, first on the remote and then on the local unit. After the copy-to-mate operation, wait for both standby units to reboot and verify that there are no alarms.

The standby unit may have a payload encryption failure alarm for up to about one minute after the unit is up and running.

  12. In a protected link, remove the protection lockout, first on the remote and then on the local unit.
  13. Verify that there are no alarms on the link.

Configuring AES-256 Payload Encryption (CLI)

To display the current payload encryption status for all available radio links on the unit, enter the following command in root view:

root> payload encryption status show

The following is a sample output of this command in which payload encryption is enabled but not operational on radio interface 1 and disabled on radio interface 2.


To configure AES on a radio carrier, you must first enter Payload Encryption view for the specific radio. To enter Payload Encryption view, enter the following command in root view:

root> payload encryption slot 2 port <port>

For example, to configure AES on radio interface 1, enter the following command in root view:

root> payload encryption slot 2 port 1

Payload Encryption [1/1]>

To display the payload encryption mode of the radio interface, enter the following command in Payload Encryption view:

PayloadEncryption [2/x]> payload encryption mode show

The following display indicates that payload encryption is enabled on radio interface 1:

PayloadEncryption [2/1]> payload encryption mode show
Admin Mode: AES-256

The following display indicates that payload encryption is disabled on radio interface 1:

PayloadEncryption [2/1]> payload encryption mode show
Admin Mode: Disable

Configure the master key by doing one of the following:

  • Enter a master key manually
  • Generate the master key automatically.

To define the master key manually, enter the following command in Payload Encryption view:

PayloadEncryption [2/x]> payload encryption mkey

When you press <Enter>, the following prompt appears:

Please enter key:

Enter the master key and press <Enter>.

The master key must be between 8 and 32 ASCII characters. The characters do not appear as you type them. To display the master key and verify that you typed it correctly, enter the payload encryption status show command described above.

You can copy the master key from the output of this command.

To generate the master key automatically, enter the following command in Payload Encryption view:

PayloadEncryption [2/x]> master key generate

A random master key is generated. You must copy and paste this key to the other end of the link to ensure that both sides of the link have the same master key. To display and copy the master key, enter the payload encryption status show command described above. You can copy the master key from the output of this command.

Enable payload encryption on the remote unit by entering the following command in Payload Encryption view:

Payload Encryption [2/x]> payload encryption mode admin AES-256

This step will cause the link status to be Down until payload encryption is successfully enabled on the local unit. However, the RSL measured on the link should remain at an acceptable level.

To disable payload encryption, enter the following command in Payload Encryption view:

Payload Encryption [2/x]> payload encryption mode admin Disable

The session key is automatically regenerated at defined intervals. To set the session key regeneration interval, enter the following command in Payload Encryption view:

Payload Encryption [x/x]> payload encryption session-key period set <00:00-00:00>

Enter the regeneration interval in hours and minutes (HH:MM).

For example, the following command configures radio interface 1 to regenerate the session key every 4 hours and 15 minutes:

Payload Encryption [2/1]> payload encryption session-key period set 04:15

To display the session key regeneration interval, enter the following command in Payload Encryption view:

Payload Encryption [2/x]> payload encryption session-key period show
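As an added example (not Cambium's tooling and not part of this article), the following Python helper pre-checks the values that the GUI procedure and the CLI procedure above will be given at both ends, using only the constraints the article states: a master key of 8 to 32 ASCII characters, a session key period in HH:MM, and an identical key and period on both sides of the link. It then emits the per-unit CLI command sequence with the remote unit first, as the procedure orders it. The slot/port numbers and sample key are constructed for this page; restricting generated keys to alphanumeric characters is an assumption, not a requirement from the article.

```python
import re, secrets, string

KEY_MIN, KEY_MAX = 8, 32                      # master key length limits stated in the article
PERIOD_RE = re.compile(r"^(\d{2}):(\d{2})$")  # session key period format HH:MM

def generate_master_key(length=KEY_MAX):
    """CSPRNG master key, like the GUI's Generate key; alphanumeric only (assumption)."""
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def validate_master_key(key):
    """Return None if the key meets the 8-32 ASCII character rule, else a reason."""
    if not KEY_MIN <= len(key) <= KEY_MAX:
        return f"master key must be {KEY_MIN}-{KEY_MAX} characters, got {len(key)}"
    if not key.isascii() or not key.isprintable():
        return "master key must contain printable ASCII characters only"
    return None

def validate_session_period(period):
    """Return None if the period is HH:MM with minutes 00-59, else a reason."""
    m = PERIOD_RE.match(period)
    if not m or int(m.group(2)) > 59:
        return f"session key period must be HH:MM, got {period!r}"
    return None

def preflight(remote, local):
    """Invalid values and cross-end mismatches; each end is a dict with slot, port, master_key, period."""
    problems = []
    for name, end in (("remote", remote), ("local", local)):
        for check, field in ((validate_master_key, "master_key"),
                             (validate_session_period, "period")):
            err = check(end[field])
            if err:
                problems.append(f"{name}: {err}")
    if remote["master_key"] != local["master_key"]:
        problems.append("master key differs between ends: Key Mismatch alarm expected")
    if remote["period"] != local["period"]:
        problems.append("session key period differs between ends")
    return problems

def rollout_plan(remote, local):
    """Per-unit commands, remote unit first as the article orders; [] if preflight fails."""
    if preflight(remote, local):
        return []
    return [(name, [f"payload encryption slot {e['slot']} port {e['port']}",
                    "payload encryption mkey",  # the key itself is typed at 'Please enter key:'
                    "payload encryption mode admin AES-256",
                    f"payload encryption session-key period set {e['period']}"])
            for name, e in (("remote", remote), ("local", local))]
```

Run preflight on both ends before touching the remote unit, since a key or period mismatch is only reported by the radios after the link has already gone Down.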