
WDM OTN L1 Service Encryption

Feature Guide

Issue 7.0
Date 2020-09-20

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://www.huawei.com
Email: [email protected]

Issue 7.0 (2020-09-20) Copyright © Huawei Technologies Co., Ltd. i


WDM OTN L1 Service Encryption Feature Guide About This Document

About This Document

On a WDM OTN network, the hard pipe encryption solution based on the AES-256
encryption algorithm is used to encrypt L1 services, achieving low bandwidth
usage, low latency, and high reliability of services.

This document describes the L1 service encryption function of Huawei WDM OTN
equipment, including the function application, technical principles, network
application suggestions, operation guide, and equipment support capability.

Related Versions
The following table lists the product initial versions to which this document can be
applied.

| Product Name | Initial Version |
| --- | --- |
| OptiX OSN 9800 U series | V100R005C00 |
| OptiX OSN 9800 M series | V100R007C00SPC700 |
| OptiX OSN 9800 UPS | V100R006C00 |
| OptiX OSN 8800/6800 | V100R012C10 |
| OptiX OSN 1800 | V100R005C00 |

For details about the specifications of this feature supported by each product
version, see 7.1 Availability or 7.3 Feature Updates.

Intended Audience
This document is intended for:

● Network planning and design engineers
● Commissioning engineers
● Network monitoring engineers
● Data configuration engineers
● Network administrators
● Maintenance engineers
● Onsite maintenance engineers

Symbol Conventions
The symbols that may be found in this document are defined as follows.

| Symbol | Description |
| --- | --- |
| (symbol not reproduced) | Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury. |
| (symbol not reproduced) | Indicates a hazard with a medium level of risk which, if not avoided, could result in death or serious injury. |
| (symbol not reproduced) | Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury. |
| NOTICE | Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury. |
| NOTE | Supplements the important information in the main text. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration. |

GUI Conventions

| Convention | Description |
| --- | --- |
| Boldface | Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK. |
| > | Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder. |

Public IP Address Usage Declaration


In this document, public IP addresses may be used in feature introduction and
configuration examples and are for reference only unless otherwise specified.

Update History
Updates between document issues are cumulative. Therefore, the latest document
issue contains all updates made in previous issues.

Updates in Issue 07 (2020-09-20)


Some descriptions in this document are optimized.

Updates in Issue 06 (2020-07-30)


● The OptiX OSN 9800 M05 supports the encryption feature since
V100R019C10SPC600.
● The TNV8T402/TNV7T220/TNV2T601/TNV1T410 board is added to the OptiX
OSN 9800 U series to support the encryption feature.
● The TNV8T402/TNV7T220/TNV2T601/TNV1T410/MTNG1M210D/
TNG1M520SM/TNG1M404DM/TNG2M604SM board is added to the OptiX
OSN 9800 M series to support the encryption feature.
● The TMB1LDCA/TMB1ELOM/TMB1LDX/TMB1LTX/TMK1MDCA/TMK1GTA/
TMK1TDC/TMK1TTA board is added to the OptiX OSN 1800 to support the
encryption feature.

Updates in Issue 05 (2020-01-20)


● The TNV8T404/TNV1T502 board is added to the OptiX OSN 9800 U series to
support the encryption feature.
● The TNV8T404/TNV1T502/TNG1M504DM board is added to the OptiX OSN
9800 M series to support the encryption feature.
● The TMB1LDCD/TMB1LDC board is added to the OptiX OSN 1800 to support
the encryption feature.

Updates in Issue 04 (2019-09-15)


● The 9800 M24/M12 supports the encryption feature since
V100R007C00SPC700.
● The TNV6T220/TNV7T402 board is added to the OSN 9800 U64/U32 to
support the encryption feature.

Updates in Issue 03 (2019-07-30)


● The TN12LDC, TNV3G220, TNV5T401, TNV5T402, TNV5T404, and TNV1T601
boards are added to the OSN 9800 to support the encryption feature.
● The TN12LDC board is added to the OSN 8800 to support the encryption
feature.

Updates in Issue 02 (2018-11-30)

● The description of "Reference Standards and Protocols" is added.
● Some bugs are fixed in this version.

Updates in Issue 01 (2018-06-08)


This issue is the first official release.

Contents

About This Document ii
1 L1 Service Encryption 1
2 Application Scenarios of L1 Service Encryption 3
3 Encryption Features of WDM OTN Equipment 7
4 Principle of L1 Service Encryption 9
4.1 Components of the L1 Service Encryption System 9
4.2 Security of the L1 Service Encryption System 12
4.3 Encryption Process for Bidirectional Services 13
4.4 Encryption Process for Unidirectional Services 18
5 Encryption Dependencies and Limitations 23
5.1 Limitations on the Encryption Feature 23
5.2 Affected Features 25
5.3 Mutually Exclusive Features 26
5.4 Limitations on SMT 26
6 Configuring Encryption Using the NMS and SMT 28
6.1 Configuration Process 28
6.2 Authorizing Encryption Management Accounts Using the NMS 30
6.2.1 Authorizing Encryption Management Accounts on the NCE 30
6.2.1.1 Setting Licenses 30
6.2.1.2 Creating an Encryption Administrator Account 32
6.2.1.3 Allocating Encryption Ports to Encryption Administrator Accounts 33
6.2.2 Authorizing an Encryption Administrator Account on the U2000 34
6.2.2.1 Setting Licenses 34
6.2.2.2 Creating an Encryption Administrator Account 35
6.2.2.3 Allocating Encryption Ports to Encryption Administrator Accounts 37
6.3 Configuring Service Encryption on the SMT 38
6.3.1 Logging In to the SMT 38
6.3.2 Creating and Logging In to an NE 40
6.3.3 Performing EMK Authentication 43
6.3.4 Encrypting Bidirectional P2P Services 45
6.3.4.1 Creating Bidirectional P2P Services 45
6.3.4.2 Configuring Bidirectional P2P Encryption 47
6.3.5 Encrypting Unidirectional Static P2P/P2MP Services 49
6.3.5.1 Creating Unidirectional Static P2P/P2MP Services 49
6.3.5.2 Setting a Customer Key 50
6.3.5.3 Configuring Unidirectional Static P2P/P2MP Service Encryption 52
6.3.6 Encrypting Dynamic Group Services 53
6.3.6.1 Creating a Dynamic Group 53
6.3.6.2 Setting a Customer Key 54
6.3.6.3 Enabling the Encryption Feature of a Dynamic Group 55
6.4 Maintaining Service Encryption on the SMT 56
6.4.1 Encryption Sub-account Management 56
6.4.1.1 Creating an Encryption Sub-account 56
6.4.1.2 Allocating Encryption Ports to Encryption Sub-accounts 58
6.4.2 Setting the Port Maintenance Status 59
6.4.3 Modifying Encryption Services 59
6.4.3.1 Modifying Unidirectional Static P2P/P2MP Services 59
6.4.3.2 Modifying a Dynamic Group 61
6.4.4 Querying Port Encryption Status and Information 62
6.4.5 Setting Port Encryption Status and Information 64
6.4.6 Querying Logs 66
6.5 FAQ 66
6.5.1 How Can I Handle a Failure of Logging In to an NE from the SMT? 66
6.5.2 How Can I Handle EMK Lockout? 67
6.5.3 What Can I Do When the EMK Is Forgotten? 67
6.5.4 Troubleshooting Encryption Services 68
6.6 Parameter Description 69
6.6.1 Parameter Description for NMS 69
6.6.2 Parameter Description for SMT 74
7 Encryption Capability of Huawei WDM OTN Networks 81
7.1 Availability 81
7.1.1 Required License 81
7.1.2 Supported Hardware and Versions of the OSN 9800 U64/U32/U16/UPS 82
7.1.3 Supported Hardware and Versions of the OSN 9800 M Series Subracks 84
7.1.4 Supported Hardware and Versions of the OSN 8800/6800 85
7.1.5 Supported Hardware and Versions of the OSN 1800 86
7.2 Specifications 88
7.2.1 Overview 88
7.2.2 Encryption Capability of the OSN 9800 U64/U32/U16/UPS 89
7.2.3 Encryption Capability of the OSN 9800 M Series Subracks 90
7.2.4 Encryption Capability of the OSN 8800/6800 91
7.2.5 Encryption Capability of the OSN 1800 92
7.3 Feature Updates 93
7.3.1 OSN 9800 U64/U32/U16/UPS Feature Updates 93
7.3.2 OSN 9800 M Series Subracks Feature Updates 95
7.3.3 OSN 8800/6800 Feature Updates 95
7.3.4 OSN 1800 Feature Updates 95
7.4 Reference Standards and Protocols 96

1 L1 Service Encryption

Some customers who have high requirements on transmission security expect to
establish an encryption channel for service transmission based on the physical
layer.
The service encryption function uses an encryption algorithm to encrypt client
services at the physical layer. Service encryption on a WDM OTN network is called
L1 service encryption.
As shown in Figure 1-1, the encryption processing module can be integrated into
an OTU or a tributary board to implement encrypted transmission of services,
which makes deployment convenient.

Figure 1-1 L1 Service Encryption System

Compared with traditional encryption solutions such as L2 encryption and L3
encryption, L1 service encryption uses transport devices to transparently transmit
client services. It has advantages in low bandwidth usage, low latency, and
support for multiple services, as shown in Table 1-1.

Table 1-1 Comparison between the traditional encryption solution and L1 service
encryption solution (the first four solution columns are traditional encryption)

| Item | SSL Solution (Storage Device) | SSL VPN Solution (Routing Device) | IPsec | Ethernet Pipe Encryption | L1 Service Encryption |
| --- | --- | --- | --- | --- | --- |
| Encryption layer | 4 | 4 | 3 | 2 | 1 |
| Service type | Multiple services | IP/Ethernet service | IP/Ethernet service | IP/Ethernet service | All services |
| Bandwidth overhead increased by encryption | Medium | High | Very high | Medium | Low |
| Latency introduced by encryption | Seconds | Hundreds of microseconds | Seconds | Hundreds of microseconds | Hundreds of nanoseconds |
| Application scenario | Data center | Enterprise private network | Enterprise private network | Point-to-point communication of small enterprises | Multiple scenarios |

2 Application Scenarios of L1 Service Encryption

Industries, such as finance, government, enterprise, military, law, and healthcare,
require high security. According to the networking characteristics, L1 service
encryption is usually applied to two scenarios: bidirectional point-to-point (P2P)
service encryption and unidirectional point-to-point/point-to-multipoint (P2P/
P2MP) service encryption.

Bidirectional P2P Service Encryption


In scenarios such as financial private line, enterprise private line, and DC
interconnection, bidirectional P2P networking is used, and services need to be
encrypted and transmitted in both directions. The following uses the enterprise
private line scenario as an example. Two branches of an enterprise (for example,
enterprise D) shown in Figure 2-1 are interconnected through a WDM OTN
network. Bidirectional P2P services are encrypted and transmitted between the two
ends. After being encrypted at the source end, services are transmitted to the sink
end through the WDM OTN network. Then, the sink end decrypts the services. In
this way, the sink end receives the original information from the source end, and
the information is protected from interception during transmission. The entire
encryption process includes authentication, key negotiation, and encryption.

Figure 2-1 Bidirectional P2P networking

Unidirectional P2P/P2MP Service Encryption


Broadcast services, such as video services, are mostly unidirectional P2P/P2MP
services. Figure 2-2 shows the unidirectional P2P/P2MP networking. Services are
encrypted at the source NE, transparently transmitted over a WDM OTN network,
and then decrypted at multiple sink NEs. The entire encryption process includes
authentication, key calculation, and encryption.

Figure 2-2 Unidirectional P2P/P2MP networking

● Unidirectional Static P2P/P2MP Services
Unidirectional P2P/P2MP services, such as traditional fixed TV and broadcasting
services, have fixed source NEs and sink NEs. These services are called
unidirectional static P2P/P2MP services.
● Dynamic Group Services
As living standards rise and entertainment activities diversify, static P2P/P2MP
services cannot satisfy customer requirements. Many temporary activities, such as
ball games and exhibitions, are held only once in a region. If the source NE and
sink NE remain unchanged, no services will be transmitted after such activities
end, and substantial resources are wasted. After the improvement based on static
P2P/P2MP services, the actual services can be changed dynamically as required.
As shown in Figure 2-3, ports A, B, C, and D form a port group. According to the
actual services, one or more ports are selected as the broadcast source end, and
other sites can serve as the broadcast sink end. If services change, the broadcast
source end and sink end can also change dynamically.

Figure 2-3 Dynamic service networking

For the dynamic service application scenarios, dynamic multicast services can be
created. A dynamic multicast service contains all involved encryption ports,
forming a port group. When the actual service changes, ports in the port group
are selected as the source and sink ends to achieve the dynamic change of multi-
source and multi-sink configurations with the service.

3 Encryption Features of WDM OTN Equipment

The WDM OTN devices of Huawei support port-level service encryption as well as
various services and rates. The AES-256 algorithm is used to encrypt the OPUk
payload.

Figure 3-1 All-service port-level encryption network

Table 3-1 Encryption features of Huawei WDM OTN equipment

Encryption type:
● Bidirectional P2P service encryption
● Unidirectional static P2P/P2MP service encryption
● Dynamic multicast service encryption

Typical service type: SDH/SONET, Ethernet, OTN, SAN, and video services

Minimum encryption unit: Board port level. Users can be allocated by port and
port-specific encryption can be configured. In this way, service applications are
more flexible.

Encryption algorithm: The standard AES-256 encryption algorithm in CTR mode is
used, which has the highest security level.

Key algorithm: The key is dynamically generated.
● Bidirectional P2P service encryption: key negotiation based on the
Diffie-Hellman algorithm.
● Unidirectional static P2P/P2MP service encryption: key calculation based on
the PBKDF2 algorithm.
● Dynamic multicast service encryption: key calculation based on the PBKDF2
algorithm.

Key management:
● The public key information is stored in the OPUk overhead and can be
transparently transmitted over a third-party network.
● The key change period is configurable.

Anti-eavesdropping: The SMT and NEs communicate with each other using the
SSL/TLSv1.2 protocol, preventing management information from being
eavesdropped.

Anti-spoofing: A pair of devices checks the peer end's authentication information
before starting key negotiation.

NOTE

The specifications vary depending on different products. For details, see 7.2 Specifications.
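The two key paths in Table 3-1 differ in one essential respect: a bidirectional service has a return channel and can negotiate a fresh key with Diffie-Hellman, while unidirectional and dynamic group sinks have none and must all calculate the same key from the customer key with PBKDF2. The Go program below is an added illustration of both paths, not the equipment's own implementation; it assumes X25519 as the DH group, SHA-256 to turn the shared secret into the AES-256 key, and HMAC-SHA256 as the PBKDF2 PRF with a constructed salt and iteration count, none of which the guide specifies.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Bidirectional P2P: each end keeps a private value and places only its public
// value in the OPUk overhead, so a third-party network that forwards the
// overhead learns nothing that yields the session key. X25519 and the SHA-256
// step below are assumptions; the guide names only "Diffie-Hellman".
type endpoint struct{ priv *ecdh.PrivateKey }

func newEndpoint() (*endpoint, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &endpoint{priv: priv}, nil
}

// publicOverhead is the public value this end inserts into the OPUk overhead.
func (e *endpoint) publicOverhead() []byte { return e.priv.PublicKey().Bytes() }

// sessionKey turns the peer's public value, read from incoming overhead, into
// the 32-byte AES-256 session key. A malformed value is rejected before use.
func (e *endpoint) sessionKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := e.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// NegotiateBidirectional simulates both ends and returns the key each derives.
func NegotiateBidirectional() (srcKey, sinkKey []byte, err error) {
	src, err := newEndpoint()
	if err != nil {
		return nil, nil, err
	}
	sink, err := newEndpoint()
	if err != nil {
		return nil, nil, err
	}
	if srcKey, err = src.sessionKey(sink.publicOverhead()); err != nil {
		return nil, nil, err
	}
	if sinkKey, err = sink.sessionKey(src.publicOverhead()); err != nil {
		return nil, nil, err
	}
	return srcKey, sinkKey, nil
}

// Unidirectional static P2P/P2MP and dynamic group: PBKDF2 (RFC 8018) with
// HMAC-SHA256, so that the source and every sink compute an identical key from
// the customer key set on the SMT without any negotiation.
func pbkdf2HMACSHA256(password, salt []byte, iter, dkLen int) []byte {
	out := make([]byte, 0, dkLen+sha256.Size)
	for i := 1; len(out) < dkLen; i++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// UnidirectionalKey derives the AES-256 key from the customer key plus a
// per-service salt and iteration count shared by the source and all sinks.
func UnidirectionalKey(customerKey, salt []byte, iter int) ([]byte, error) {
	if len(customerKey) == 0 || len(salt) == 0 || iter < 1 {
		return nil, fmt.Errorf("customer key, salt and iteration count are required")
	}
	return pbkdf2HMACSHA256(customerKey, salt, iter, 32), nil
}

func main() {
	a, b, err := NegotiateBidirectional()
	if err != nil {
		panic(err)
	}
	fmt.Println("bidirectional ends agree:", bytes.Equal(a, b))
	salt := []byte("constructed-service-id") // constructed per-service salt
	k1, _ := UnidirectionalKey([]byte("constructed customer key"), salt, 10000)
	k2, _ := UnidirectionalKey([]byte("constructed customer key"), salt, 10000)
	k3, _ := UnidirectionalKey([]byte("other customer key"), salt, 10000)
	fmt.Println("sinks with the same customer key agree:", bytes.Equal(k1, k2))
	fmt.Println("sink with another customer key differs:", !bytes.Equal(k1, k3))
}
```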

4 Principle of L1 Service Encryption

4.1 Components of the L1 Service Encryption System
The L1 service encryption system consists of the OSN equipment with encryption
boards, security management tool (for example, SMT), and network management
system (for example, NCE).
4.2 Security of the L1 Service Encryption System
After a user's encryption administrator account is authorized by the network
management system, the encryption function can be configured on the security
management tool. To protect the privacy of end users, the security management
tool (SMT) cannot communicate with the network management system. They are
isolated from each other and work independently.
4.3 Encryption Process for Bidirectional Services
The procedure for encrypting bidirectional services is as follows: The source end
and sink end use the SHA-256 algorithm to check whether each other is a
legitimate device. The two ends negotiate with each other using the
Diffie-Hellman algorithm to obtain a session key. Based on the AES-256 algorithm,
the negotiated session key is used for encryption and decryption.
4.4 Encryption Process for Unidirectional Services

4.1 Components of the L1 Service Encryption System


The L1 service encryption system consists of the OSN equipment with encryption
boards, security management tool (for example, SMT), and network management
system (for example, NCE).
The signals transmitted by the OSN equipment use the Optical Transport Network
(OTN) frame structure specified in ITU-T Recommendation G.709/Y.1331. The OSN
equipment in the encryption system adds an encryption algorithm to signal
processing to encrypt the OPUk payload (excluding the overhead and FEC area). In
this way, the customer data is encrypted. The security management information
that the encryption function uses is transmitted using OPUk overheads, without
affecting client services.

Figure 4-1 Frame structure after client signal encapsulation

As shown in Figure 4-1, client-side signals are mapped to the payload area in an
OPUk frame, and then OPUk overheads are added to form a lower-order ODUk
frame. Then, multiple ODUk frames are multiplexed into a higher-order ODUj (j =
k + 1 or higher) frame, and then OTU overheads are added to form the final
signal transmitted over an optical fiber.
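The property that matters for transparency is that only the OPUk payload bytes are enciphered while every overhead column and the FEC area pass through untouched, so the frame length and all fields that intermediate nodes read are unchanged. The Go model below is an added example, not Huawei code: it lays out an OTUk frame in the G.709 geometry of 4 rows by 4080 bytes, with bytes 1 to 16 of each row as overhead, 17 to 3824 as OPUk payload and 3825 to 4080 as FEC, fills overhead and FEC with constructed marker bytes, and applies AES-256-CTR to the payload region only with a constructed key and counter block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// OTUk frame geometry from ITU-T G.709: 4 rows of 4080 bytes. In each row,
// bytes 1-16 carry frame alignment and OTUk/ODUk/OPUk overhead, bytes 17-3824
// the OPUk payload and bytes 3825-4080 the FEC parity.
const (
	rows       = 4
	rowLen     = 4080
	ohLen      = 16
	payloadLen = 3808
	frameLen   = rows * rowLen
	keyLen     = 32 // AES-256
)

// BuildFrame assembles a constructed demo frame: a fixed overhead pattern, the
// client bytes in the payload area and a placeholder in the FEC area. Real
// boards compute the overhead fields and the FEC parity themselves.
func BuildFrame(client []byte) ([]byte, error) {
	if len(client) != rows*payloadLen {
		return nil, fmt.Errorf("client block must be %d bytes, got %d", rows*payloadLen, len(client))
	}
	frame := make([]byte, frameLen)
	for r := 0; r < rows; r++ {
		row := frame[r*rowLen : (r+1)*rowLen]
		for i := 0; i < ohLen; i++ {
			row[i] = 0xA0 | byte(r) // constructed overhead marker, row number in the low bits
		}
		copy(row[ohLen:ohLen+payloadLen], client[r*payloadLen:(r+1)*payloadLen])
		for i := ohLen + payloadLen; i < rowLen; i++ {
			row[i] = 0xFE // constructed FEC placeholder
		}
	}
	return frame, nil
}

// Payload returns a copy of the OPUk payload bytes of all rows, concatenated.
func Payload(frame []byte) []byte {
	out := make([]byte, 0, rows*payloadLen)
	for r := 0; r < rows; r++ {
		start := r*rowLen + ohLen
		out = append(out, frame[start:start+payloadLen]...)
	}
	return out
}

// Overhead returns a copy of the overhead and FEC bytes of all rows, i.e.
// everything the encryption must leave readable for intermediate nodes.
func Overhead(frame []byte) []byte {
	out := make([]byte, 0, rows*(rowLen-payloadLen))
	for r := 0; r < rows; r++ {
		row := frame[r*rowLen : (r+1)*rowLen]
		out = append(out, row[:ohLen]...)
		out = append(out, row[ohLen+payloadLen:]...)
	}
	return out
}

// EncryptPayload XORs the AES-256-CTR keystream into the payload area of each
// row in place, skipping overhead and FEC. The keystream runs continuously
// across the rows. CTR is its own inverse, so a second call with the same key
// and counter block decrypts. A counter block must never repeat under one key,
// which is why the session key is changed at the configured period.
func EncryptPayload(frame, key, counter []byte) error {
	if len(frame) != frameLen {
		return fmt.Errorf("frame must be %d bytes, got %d", frameLen, len(frame))
	}
	if len(key) != keyLen {
		return errors.New("AES-256 requires a 32-byte key")
	}
	if len(counter) != aes.BlockSize {
		return errors.New("counter block must be 16 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	stream := cipher.NewCTR(block, counter)
	for r := 0; r < rows; r++ {
		start := r*rowLen + ohLen
		seg := frame[start : start+payloadLen]
		stream.XORKeyStream(seg, seg)
	}
	return nil
}

func main() {
	client := make([]byte, rows*payloadLen)
	for i := range client {
		client[i] = byte(i) // constructed client data
	}
	frame, _ := BuildFrame(client)
	before := append([]byte(nil), frame...)
	key := bytes.Repeat([]byte{0x11}, keyLen)        // constructed session key
	ctr := bytes.Repeat([]byte{0x22}, aes.BlockSize) // constructed counter block
	if err := EncryptPayload(frame, key, ctr); err != nil {
		panic(err)
	}
	fmt.Println("overhead and FEC unchanged:", bytes.Equal(Overhead(frame), Overhead(before)))
	fmt.Println("payload changed:", !bytes.Equal(Payload(frame), client))
	_ = EncryptPayload(frame, key, ctr) // same call decrypts
	fmt.Println("round trip restored the frame:", bytes.Equal(frame, before))
}
```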
Figure 4-2 shows the block diagram of an encryption system. Table 4-1 describes
the functions of each system component.

Figure 4-2 Block diagram of an encryption system

Table 4-1 System components and functions

OSN equipment with encryption boards
Deployment location: Customer's building
Function: Implements service access at the port level and encrypts and decrypts
services.

Security management tool (for example, SMT)
Deployment location: Customer's building
Function:
● The security management system (SMS) running on the NE implements
encryption configuration and management.
● The SMT uses the SSL/TLSv1.2 protocol to access the SMS on the NE to issue
encryption management commands.

Network management system (for example, NCE)
Deployment location: Central equipment room
Function:
● Manages and controls encryption user rights and encryption port resources,
such as adding encryption administrators and allocating encryption port
resources for encryption administrators.
● Supports service configuration and network O&M.

NOTE
Both the NMS and SMT communicate with gateway NEs through Ethernet and with non-
gateway NEs through embedded control channels (ECCs).

4.2 Security of the L1 Service Encryption System


After a user's encryption administrator account is authorized by the network
management system, the encryption function can be configured on the security
management tool. To protect the privacy of end users, the security management
tool (SMT) cannot communicate with the network management system. They are
isolated from each other and work independently.

Isolation Capability
Before configuring service encryption, you must complete the following tasks on
the network management system (for example, NCE):

● Create a service. The service to be encrypted must have been created on the
NCE.
● Authorize an encryption administrator account. You must create an encryption
administrator account for each user, allocate encryption port resources, and
inform each user of the account, password, and device IP address.

Users use the SMT to issue encryption management commands. The SMT uses the
SSL/TLSv1.2 protocol to access the SMS on the NE.

Privacy Protection
On the security management tool, a user can set the Encryption Management Key
(EMK) after logging in to the NE with the account and password. The EMK is a
character string consisting of 8 to 32 bytes. After the EMK is authenticated, the
user can perform encryption management on NE ports.
The EMK, equivalent to the user's own encrypted private password, is visible only
to the user. In this way, the network department cannot perform operations on
user services even if it holds an encryption administrator account.
Users can access only the allocated ports, but not other user ports. If services of
different departments need to be encrypted and managed separately, encryption
sub-accounts can be set by port based on an encryption administrator account.
The same port can be allocated to different sub-accounts.

Figure 4-3 Encryption right assignment

4.3 Encryption Process for Bidirectional Services


The procedure for encrypting bidirectional services is as follows: the source end
and sink end use the SHA-256 algorithm to check whether the peer is a
legitimate device; the two ends then negotiate a session key with each other
using the Diffie-Hellman algorithm; and the negotiated session key is used for
encryption and decryption with the AES-256 algorithm.

Entire Encryption Process


Figure 4-4 shows the overall block diagram of encrypting bidirectional services,
including authentication, key negotiation, and encryption and decryption. After a
bidirectional service link is created on the SMT, you only need to modify the
Authentication Info and enable the encryption function.

Figure 4-4 Overall block diagram of encrypting bidirectional services

● Authentication Info is a character string consisting of 20 to 32 bytes. It is used by a pair of source and sink devices to check whether the peer end is valid before key negotiation. Each pair of boards and client-side ports that use the same session key have the same Authentication Info.
● Session key is a 256-bit key automatically generated by the system for service data encryption. Session keys can be changed periodically. Each direction of a bidirectional service has a session key.
● SHA-256 algorithm: Secure Hash Algorithm (SHA) is an irreversible (one-way) algorithm. When storing an EMK, the NE applies the SHA-256 algorithm to the EMK before storage.
● Diffie-Hellman is a public-key agreement algorithm. The two communicating parties obtain a shared key by exchanging some data, instead of transmitting the key itself across the link.
● Advanced Encryption Standard (AES) is a symmetric block cipher algorithm. AES-256 encrypts data in groups of 256 bits in counter mode (CTR). To decode data encrypted using the AES-256 algorithm, attackers must obtain much more ciphertext and use much more resources and time than for data encrypted using traditional encryption algorithms. AES is widely applied, encrypts data quickly, is easy to hide, and provides high throughput.

Authentication
Whether the peer end is a legitimate device can be determined based on the
comparison of the calculated values at the source end and sink end.
As shown in Figure 4-5, the source end and sink end use the SHA-256 digest
algorithm to calculate the Message Authentication Code (MAC) value based on
input parameters. If the input parameters are the same and the calculated values
are the same at the two ends, identity authentication is successful. After the
encryption function is enabled, authentication is performed only once. The
authentication is performed again only after services are interrupted.

Figure 4-5 Bidirectional service authentication process


● Authentication Key (AK): As shown in Figure 4-4, the key exported from
Authentication Info configured by a user is transmitted to the sink end before
key negotiation.
● ID: The ID is computed based on the NE ID, subrack ID, board slot ID, and port
number.
● MAC: The MAC is computed based on random number A, random number B,
ID, and AK using the SHA-256 digest algorithm.

Key Negotiation
Key negotiation between two ends generates a session key.
The source end and sink end generate a public/private key pair by using the Diffie-
Hellman algorithm, and the source-end public key is transmitted to the sink end.
At the sink end, the public key and the sink-end private key are used together to
generate a session key.
During key negotiation, man-in-the-middle attacks may occur. As shown in Figure
4-6, a hacker (C) pretends to be B during communication with A and pretends to
be A during communication with B. Both A and B negotiate a key with C. In this
way, C can communicate with A and B respectively to intercept data.

Figure 4-6 Man-in-the-middle attack

To prevent man-in-the-middle attacks and improve security, the public key is
encrypted using the AK. Therefore, the hacker can launch a man-in-the-middle
attack only after obtaining the AK to decrypt the public key. Figure 4-7 shows the
key negotiation process of a bidirectional service.


Figure 4-7 Key negotiation process of a bidirectional service
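The authentication and key negotiation steps described above, modelled in Python as an added example (not the product's code). The guide names SHA-256, Diffie-Hellman and the AK wrapping of the public key but not the wire formats, so the AK derivation, the MAC input layout, the DH group and the wrapping cipher are assumptions made here.

```python
"""Model of the bidirectional L1 encryption handshake described in 4.3.

Constructed example, not the product's code. How AK is exported from
Authentication Info, the byte layout of the MAC input, the DH group and the
cipher that wraps the public key under AK are all assumptions.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (127-bit Mersenne prime) so the example runs
# instantly. Constructed for illustration only; real deployments use a
# large standard group.
P = 2**127 - 1
G = 5


def derive_ak(auth_info: str) -> bytes:
    """Authentication Key (AK) exported from the user-configured
    Authentication Info (20 to 32 bytes per the guide).
    Assumption: AK = SHA-256(Authentication Info)."""
    data = auth_info.encode()
    if not 20 <= len(data) <= 32:
        raise ValueError("Authentication Info must be 20 to 32 bytes")
    return hashlib.sha256(data).digest()


def port_id(ne_id: int, subrack: int, slot: int, port: int) -> bytes:
    """ID computed from NE ID, subrack ID, board slot ID and port number.
    Assumption: four big-endian 32-bit fields concatenated."""
    return b"".join(v.to_bytes(4, "big") for v in (ne_id, subrack, slot, port))


def auth_mac(rand_a: bytes, rand_b: bytes, ident: bytes, ak: bytes) -> bytes:
    """MAC = SHA-256 digest over random number A, random number B, ID, AK."""
    return hashlib.sha256(rand_a + rand_b + ident + ak).digest()


def wrap_pubkey(pub: int, ak: bytes) -> bytes:
    """Public key 'encrypted using the AK' before it crosses the link.
    Assumption: XOR with a one-block keystream SHA-256(AK || 0x00)."""
    raw = pub.to_bytes(16, "big")
    stream = hashlib.sha256(ak + b"\x00").digest()[:16]
    return bytes(x ^ y for x, y in zip(raw, stream))


def unwrap_pubkey(wire: bytes, ak: bytes) -> int:
    """Inverse of wrap_pubkey (XOR is its own inverse)."""
    stream = hashlib.sha256(ak + b"\x00").digest()[:16]
    return int.from_bytes(bytes(x ^ y for x, y in zip(wire, stream)), "big")


def session_key(shared_secret: int) -> bytes:
    """256-bit session key taken from the DH shared secret (assumed SHA-256)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


class Endpoint:
    """One end (board plus client-side port) of a bidirectional service."""

    def __init__(self, auth_info, ne_id, subrack, slot, port):
        self.ak = derive_ak(auth_info)
        self.ident = port_id(ne_id, subrack, slot, port)
        self.rand = secrets.token_bytes(16)        # random number A or B
        self.priv = secrets.randbelow(P - 2) + 1  # DH private key
        self.pub = pow(G, self.priv, P)           # DH public key


def bidirectional_handshake(src, sink):
    """Authentication, then key negotiation. Returns (authenticated,
    source session key, sink session key)."""
    # Authentication: both ends compute the MAC over (A, B, source ID, AK)
    # and compare. Different Authentication Info gives a different AK and
    # therefore a different MAC, so the peer is rejected.
    mac_src = auth_mac(src.rand, sink.rand, src.ident, src.ak)
    mac_sink = auth_mac(src.rand, sink.rand, src.ident, sink.ak)
    if not hmac.compare_digest(mac_src, mac_sink):
        return False, None, None
    # Key negotiation: each public key crosses the link wrapped under AK and
    # is unwrapped with the receiver's own AK.
    pub_at_sink = unwrap_pubkey(wrap_pubkey(src.pub, src.ak), sink.ak)
    pub_at_src = unwrap_pubkey(wrap_pubkey(sink.pub, sink.ak), src.ak)
    key_src = session_key(pow(pub_at_src, src.priv, P))
    key_sink = session_key(pow(pub_at_sink, sink.priv, P))
    return True, key_src, key_sink


def public_key_recoverable(src, auth_info_guess: str) -> bool:
    """Figure 4-6 defence: the public key on the link is only recoverable by
    a party holding the same Authentication Info, so a third party without
    the AK cannot substitute its own key in the exchange."""
    wire = wrap_pubkey(src.pub, src.ak)
    return unwrap_pubkey(wire, derive_ak(auth_info_guess)) == src.pub


if __name__ == "__main__":
    a = Endpoint("AuthInfo-Example-2020-Secret", 1, 1, 3, 1)
    b = Endpoint("AuthInfo-Example-2020-Secret", 2, 1, 5, 2)
    ok, k1, k2 = bidirectional_handshake(a, b)
    print("authenticated:", ok, "session keys match:", k1 == k2)
```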

Encryption and Decryption


At the source end, the original text (plaintext) is encrypted into ciphertext, and
at the sink end the ciphertext is decrypted back into the original text.
The source end and sink end use the AES-256 algorithm to write the negotiated
session key as the encryption key into the hardware. After key switching is started,
the transmitted data can be encrypted or decrypted. Figure 4-8 shows this
process.
You can use the SMT to set the key replacement period or forcibly start the key
exchange. In this case, a new key is generated and written into the hardware, and
the key is switched.


Figure 4-8 Bidirectional service encryption and decryption process

4.4 Encryption Process for Unidirectional Services


The procedure for encrypting a unidirectional service is as follows:

1. Using the HMAC_SHA256 algorithm, the source end repeatedly sends the
calculated hash value, and the sink end authenticates the legitimacy of the
source end.
2. The two ends use the PBKDF2 algorithm to calculate a session key based on
the customer key configured by a user.
3. Then, based on the AES-256 algorithm, the SE2900 uses the new session key
for encryption and decryption.

Entire Encryption Process


Figure 4-9 shows the overall block diagram of encrypting unidirectional services,
including authentication, key calculation, and encryption and decryption. Different
from the bidirectional service encryption process, the sink end of unidirectional
service encryption cannot return information to the source end. Therefore, the two
ends cannot authenticate each other and negotiate a session key. After a
unidirectional service link is created on the SMT, in addition to modifying
Authentication Info of services and enabling the encryption function, the user
must configure the customer key to derive a session key.

● Before the encryption function is enabled for services for the first time, because the key is empty, the customer key must be configured for subsequent encryption operations.
● After the encryption function is enabled, the user can also configure the customer key. In this case, the key calculation and encryption processes are repeated.

Figure 4-9 Overall block diagram of encrypting unidirectional services

● Customer key, which is configured by the user and consists of 2048 bits, is used as the basis for deriving the actual encryption key. The customer key of a bidirectional service is automatically generated by the two ends, without requiring manual configuration. The customer key of a unidirectional service is configured by the user before encryption is enabled or during the encryption enabling process.
● HMAC-SHA256 is an irreversible keyed-hash algorithm that encrypts Authentication Info into cipher text and uses an authentication character string with a length of 1 to 64 bytes to defend against passive attacks.
● Password-Based Key Derivation Function 2 (PBKDF2) is a common algorithm that uses a pseudorandom function to derive a key.
● Advanced Encryption Standard (AES) is a symmetric block cipher algorithm. AES-256 encrypts data in groups of 256 bits in counter mode (CTR). To decode data encrypted using the AES-256 algorithm, attackers must obtain much more ciphertext and use much more resources and time than for data encrypted using traditional encryption algorithms. AES is widely applied, encrypts data quickly, is easy to hide, and provides high throughput.

Authentication
The legitimacy of the source end can be authenticated based on the comparison
of the calculated values at the sink end.
As shown in Figure 4-10, the source end and sink end use the HMAC_SHA256
algorithm to calculate hash values, and the sink end compares the hash values to
determine whether the source end is a legitimate device. The subsequent process
can be started only after the authentication succeeds. After the encryption
function is enabled, authentication is performed only once. The authentication is
performed again only after services are interrupted.
During the authentication process of unidirectional service encryption, the source
end repeatedly calculates and sends hash values, unlike the authentication
process of bidirectional service encryption. To defend against replay attacks, the
timestamp difference between the source and sink ends must be within 10s.

Figure 4-10 Unidirectional service authentication process

● Authentication Key (AK): As shown in Figure 4-9, the AK is calculated using the HMAC_SHA256 algorithm based on the authentication information configured by the user. AK1 indicates the source authentication key, and AK2 indicates the sink authentication key.
● Hash value: The Hash value is calculated using the HMAC_SHA256 algorithm
based on the AK (used as the algorithm key), random number (A), timestamp
(T), and key identifier (K).
● T1 indicates the source-end timestamp, and T2 indicates the sink-end
timestamp.


Key Calculation
The source end and sink end use the PBKDF2 algorithm to calculate a session key
based on the random number generated by the source end and the key identifiers
at the two ends.

Figure 4-11 Key calculation process of a unidirectional service
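The unidirectional authentication and key calculation steps above (HMAC_SHA256 hash with the 10s timestamp window, then PBKDF2 over the customer key), modelled in Python as an added example that is not the product's code. The guide does not publish the message layout, how AK is built from Authentication Info, or the PBKDF2 salt and iteration count, so those are assumptions made here.

```python
"""Model of the unidirectional L1 encryption process described in 4.4.

Constructed example, not the product's code. The guide names HMAC_SHA256,
a 10s timestamp window and PBKDF2, but not the message layout, the AK
construction, or the PBKDF2 salt and iteration count; those are assumptions.
"""
import hashlib
import hmac
import secrets
import struct
import time

MAX_CLOCK_SKEW_S = 10       # guide: source/sink time difference within 10s
PBKDF2_ITERATIONS = 10_000  # assumption
SESSION_KEY_LEN = 32        # 256-bit AES key
CUSTOMER_KEY_LEN = 256      # guide: customer key is 2048 bits


def derive_ak(auth_info: str) -> bytes:
    """AK calculated with HMAC_SHA256 from the user-configured Authentication
    Info (20 to 32 bytes). The source computes AK1 and the sink AK2 with this
    same function, so they match only if the Authentication Info matches.
    Assumption: HMAC keyed with the Authentication Info over a fixed label."""
    data = auth_info.encode()
    if not 20 <= len(data) <= 32:
        raise ValueError("Authentication Info must be 20 to 32 bytes")
    return hmac.new(data, b"L1-AK", hashlib.sha256).digest()


def auth_hash(ak: bytes, rand_a: bytes, timestamp: int, key_id: int) -> bytes:
    """Hash = HMAC_SHA256 keyed with AK over random number A, timestamp T and
    key identifier K (assumed layout: A || T as 8 bytes || K as 4 bytes)."""
    msg = rand_a + struct.pack(">QI", timestamp, key_id)
    return hmac.new(ak, msg, hashlib.sha256).digest()


def source_auth_message(ak1: bytes, key_id: int, t1: int) -> dict:
    """Source end: builds one authentication message. Because the sink cannot
    answer, the source keeps computing and sending such messages."""
    rand_a = secrets.token_bytes(16)
    return {"A": rand_a, "T": t1, "K": key_id,
            "H": auth_hash(ak1, rand_a, t1, key_id)}


def sink_verify(ak2: bytes, msg: dict, t2: int):
    """Sink end: the replay window is checked first, then the hash is
    recomputed with AK2 and compared in constant time."""
    if abs(msg["T"] - t2) > MAX_CLOCK_SKEW_S:
        return False, "timestamp outside the 10s window (replay or clock drift)"
    expected = auth_hash(ak2, msg["A"], msg["T"], msg["K"])
    if not hmac.compare_digest(expected, msg["H"]):
        return False, "hash mismatch (Authentication Info differs)"
    return True, "source end authenticated"


def session_key(customer_key: bytes, rand_a: bytes,
                key_id_src: int, key_id_sink: int) -> bytes:
    """PBKDF2 over the 2048-bit customer key, salted with the source random
    number and the key identifiers of both ends (assumed salt layout)."""
    if len(customer_key) != CUSTOMER_KEY_LEN:
        raise ValueError("customer key must be 2048 bits")
    salt = rand_a + struct.pack(">II", key_id_src, key_id_sink)
    return hashlib.pbkdf2_hmac("sha256", customer_key, salt,
                               PBKDF2_ITERATIONS, SESSION_KEY_LEN)


def unidirectional_setup(auth_info_src: str, auth_info_sink: str,
                         customer_key: bytes, t1: int, t2: int,
                         key_id_src: int = 1, key_id_sink: int = 1):
    """Authentication, then key calculation for one direction.
    Returns (ok, reason, source session key, sink session key)."""
    ak1, ak2 = derive_ak(auth_info_src), derive_ak(auth_info_sink)
    msg = source_auth_message(ak1, key_id_src, t1)
    ok, reason = sink_verify(ak2, msg, t2)
    if not ok:
        return False, reason, None, None
    # Both ends hold the user-configured customer key; the sink takes A and
    # the source key identifier from the received message, so PBKDF2 yields
    # the same AES-256 key at both ends.
    k_src = session_key(customer_key, msg["A"], key_id_src, key_id_sink)
    k_sink = session_key(customer_key, msg["A"], msg["K"], key_id_sink)
    return True, reason, k_src, k_sink


if __name__ == "__main__":
    ck = secrets.token_bytes(CUSTOMER_KEY_LEN)  # constructed customer key
    now = int(time.time())
    print(unidirectional_setup("AuthInfo-Example-2020-Secret",
                               "AuthInfo-Example-2020-Secret", ck, now, now + 3)[:2])
```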

Encryption and Decryption


Based on the AES-256 algorithm, the source end and sink end use the new session
key as the encryption key to encrypt or decrypt the transmitted data. Figure 4-12
shows this process.


Figure 4-12 Unidirectional service encryption and decryption process

5 Encryption Dependencies and Limitations

5.1 Limitations on the Encryption Feature
5.2 Affected Features
5.3 Mutually Exclusive Features
5.4 Limitations on SMT

5.1 Limitations on the Encryption Feature


Table 5-1 Limitations on the encryption feature

Encryption user: The encryption administrator account and encryption sub-account do not support RADIUS authentication and authorization.

Unidirectional service encryption (unidirectional static P2P/P2MP service or dynamic group service): Before configuring unidirectional service encryption, you must ensure that the time difference between the source and sink NEs is within 10s. Otherwise, the encryption and authentication may fail.

Authentication Info: The value of Authentication Info must be the same at the source and sink. Authentication Info cannot be modified after client service encryption is enabled.

Encryption Management Key (EMK): EMKs can be restored to the factory defaults by encryption administrator accounts. Under factory default settings, only the EMK modification function among encryption functions can be enabled. All encryption functions can be enabled only after EMKs are set and authenticated.

100GE service encryption: To use the 100GE service encryption function, ensure that all line boards or regeneration boards on service trails are not the following boards. Otherwise, encryption services cannot be normally used. On an ASON network, you must ensure that all possible rerouting trails comply with the preceding limitation.
OptiX OSN 1800 boards (V100R007C10 or an earlier version):
● TNF1LSC
● TNF1LSCG
● TNF1LSCM
OptiX OSN 9800/8800 Universal Platform Subrack boards:
● TN54NS4, TN57NS4
● TN14LSC, TN15LSC, TN17LSC
● TN17LSCM
● TN12LTX
OptiX OSN 9800 U64 Standard/U64 Enhanced/U32 Standard/U32 Enhanced/U16 boards:
● TNV1N401, TNV2N401, TNU1N401, TNU2N401
● TNV1N402, TNV2N402, TNU1N402, TNU2N402
● TNU1N501, TNU2N501
● TNU1N601, TNU2N601
● TNU1N401P
● TNU4N404
● TNU1NP400, TNU1NP400E
● TNU4U402
● TNY1L401, TNY2L401, TNX1L401, TNX2L401
● TNY1L402, TNY2L402, TNX1L402, TNX2L402
● TNX1L501, TNX2L501
● TNX1L601, TNX2L601
● TNX1L401P
● TNX4L404
● TNX1NP400, TNX1NP400E
● TNX4U402S

Fault locating: Performing a loopback or PRBS operation on any port that the encryption service traverses will cause an error in the encryption function, a failure of the encryption function, and service interruption.

Cascading scenario:
● In the client-side cascading scenario, the encryption function is not supported when OTN services are received, but supported when other services are received. The cascading scenario where OTU2 services are received on the client side of an encryption board is used as an example. As shown in the following figure, this scenario does not support the configuration of the encryption function.
● In the client-side cascading scenario, encryption functions must be configured for all encryption boards.

Service types: The service types of the source and sink ports where encryption is configured must be the same.

5.2 Affected Features


Table 5-2 Affected features

Client 1+1 protection:
● Encryption links must be configured for encryption boards on the working and protection channels of client 1+1 protection.
● During client 1+1 protection with the encryption function, if a WDM-side fault occurs, the encryption function can be normally used only when the automatic switching is bidirectional and services are transmitted and received on the same board.
● When a client-side fault occurs during client 1+1 protection, key negotiation is not adversely affected and can be normally used.


5.3 Mutually Exclusive Features


Table 5-3 Mutually exclusive features

ASON: In the associated service scenario of electrical-layer ASON, the encryption feature is not supported.

Tributary SNCP: Encryption and tributary SNCP cannot be configured on a port at the same time.

Loopback:
● Encryption and loopback cannot be configured on a port at the same time.
● Loopback cannot be configured at any node on a service trail where encryption is configured.

PRBS: Encryption and PRBS cannot be configured on a port at the same time.

5.4 Limitations on SMT


Table 5-4 Limitations on SMT

Installation of the SMT:
● Huawei SMT can only be installed on a computer running Windows.
● If the SMT and NMS are deployed on the same computer, they cannot be simultaneously started.

Operations on the SMT: The SMT can be used by a single user or client.

Time zone of the SMT: The time zone of the computer where the SMT is installed and NEs must be the same. Otherwise, the time in logs will be inconsistent.

Operation logs, run logs, and EMK management logs:
● Encryption-related logs are stored separately.
● Operation logs and EMK management logs cannot be deleted.
● Run logs can be deleted only by users with the administrator or higher-level rights.

Fault locating: Before performing a fault locating operation such as a loopback or PRBS test on any port that an encrypted service traverses, check whether service ports have been allocated for an encryption user. If yes, contact the encryption user and then check whether the encryption function is enabled:
● If client service encryption is enabled, configure the encryption port to work in maintenance state or disable the encryption function for the encryption port, and then perform fault locating operations.
● If client service encryption is disabled, directly perform fault locating operations.

Maintenance status:
● Before configuring the enable status of the maintenance status, you must configure the enable status of encryption.
● An encryption administrator account or an encryption sub-account with the maintenance permission can set a specified port to the maintenance state or cancel the state for network fault isolation.

6 Configuring Encryption Using the NMS and SMT

After a service is created and an encryption administrator account is authorized on
the NMS, the authorized user authenticates the NE EMK and configures service
encryption on the SMT.

6.1 Configuration Process
This topic describes only the key steps to ensure successful configuration of the
encryption function. For details about other encryption maintenance operations or
troubleshooting, see the chapter contents.
6.2 Authorizing Encryption Management Accounts Using the NMS
You need to perform authorization on encryption management accounts using the
NCE or U2000 based on the actually used NMS.
6.3 Configuring Service Encryption on the SMT
This topic describes how to configure encryption for services on the SMT.
6.4 Maintaining Service Encryption on the SMT
This topic describes the common operations excluding the key operations for
configuring the encryption feature. It is generally applicable to encryption
maintenance scenarios.
6.5 FAQ
This topic provides answers to some frequently asked questions and common
handling methods.
6.6 Parameter Description
This topic describes the parameters of the NMS and SMT.

6.1 Configuration Process


This topic describes only the key steps to ensure successful configuration of the
encryption function. For details about other encryption maintenance operations or
troubleshooting, see the chapter contents.


Configuration Process
Figure 6-1 shows the process for configuring the encryption function using CLI.
Table 6-1 lists the brief descriptions of operations in Figure 6-1.

Figure 6-1 Process for configuring the encryption function

Table 6-1 Configuration procedure

1. Authorizing an encryption administrator account on the NMS
● Setting licenses: -
● Creating an encryption administrator account: The encryption administrator account created on the NMS can be used to manage NEs on the SMT.
● Allocating encryption ports to the encryption administrator account: After creating an encryption administrator account on the NMS, you need to allocate encryption ports to the account.

2. Encrypting services on the SMT
● Logging in to the SMT: The user name and password for logging in to the SMT are required.
● Creating and logging in to an NE: -
● Performing EMK authentication: Encryption Management Key (EMK) is the encryption management password. The user can log in to an NE in security policy mode to perform encryption management operations only after the NE EMK is authenticated.
NOTE
The EMK of the managed NE, which is invisible to the NMS, can be set for an encryption user account.
● Encrypting services (bidirectional P2P services, unidirectional static P2P/P2MP services, or dynamic group services): After a client service passes through an OSN device where the encryption feature is configured at the local client, the service is encrypted and transmitted over the transmission network.
NOTE
The customer key of a unidirectional service must be manually set for deriving a session key. However, a session key is automatically negotiated for a bidirectional service.

6.2 Authorizing Encryption Management Accounts Using the NMS
You need to perform authorization on encryption management accounts using the
NCE or U2000 based on the actually used NMS.

6.2.1 Authorizing Encryption Management Accounts on the NCE

6.2.1.1 Setting Licenses


On the NCE, you can configure licenses for multiple NEs in batches or configure
licenses for only one NE at a time.

Prerequisites
● You must be an NM user with NM operator authority or higher.
● The related encryption license file has been installed on the NCE.
● The NE environment where the port requiring service encryption is located has been deployed on the NCE.

Tools, Equipment, and Materials
NCE

Batch Configuration
1. On the main menu, choose Configuration > NE Batch Configuration > NE
License Authorization. The Choose License window is displayed.
2. Choose License > OTN Series > Encryption Function Software Fee(per
board) and click OK.
3. Select multiple NEs under Physical Root, click , and configure the number
of licenses in a batch.

Per-NE Configuration
1. In the Physical Topology tab page, click the NE. In the right-side pane, click
NE Explorer in the Operations area.
2. For the selected NE, choose Configuration > NE License Authorization and
configure the number of licenses.

NOTE
Set the license quantity to a value in the format of "consumed number/authorized number", such as 10/122.

6.2.1.2 Creating an Encryption Administrator Account


The encryption administrator account created on the NCE can be used to manage
NEs on the SMT.

Prerequisites
● You must be an NM user with NM operator authority or higher.
● NE rights: You must have the rights of the System Administrators NE user
group or higher.

Tools, Equipment, and Materials
NCE

Procedure
1. On the main menu, choose Security > NE User Management. The NE User
Management page is displayed.
2. Select an NE and click > Add. The Add NE User dialog box is displayed.


3. Choose an NE and set NE User in the Add NE User tab.
NOTE
Parameter NE User must contain letters, or it can be a combination of letters, symbols and numerals. The NE user name contains at least 4, but not more than 16 characters.
4. Select the value of User Level to System Level.
5. Set NE User Flag based on the mode in which the user accesses the NE.
NOTE

When using the TNU1CTU/TNS1CTU board, the OSN 9800 does not support this
parameter.
● General NE User: NE user available for managing the NE through any system.
● EMS NE User: NE user available for managing the NE through the EMS, that is, the
NCE.
● LCT NE User: NE user available for managing the NE through the NCE LCT.
● CMD NE User: NE user available for managing the NE through the CMD.
6. Set the password for the user to log in to the NE.
NOTE

● The password is a string of 8 to 16 characters, and a new password must be entered twice:
● A password must contain at least three of the following types of characters:
uppercase letters, lowercase letters, digits, and special characters.
● A password cannot be the same as any of the last five passwords.
● A password cannot be the user name or the user name in the reverse order.
● A new password must have at least two characters different from the old
password.
● Keep the password confidential and change it regularly.
7. Set the value of User Security Policy to Encryption.
8. On the NE User Management page, click Query to check whether the
encryption administrator account information is consistent with the actual
configuration.

6.2.1.3 Allocating Encryption Ports to Encryption Administrator Accounts


After creating an encryption administrator account on the NCE, you need to
allocate encryption ports to the account.

Prerequisites
● You must be an NM user with NM operator authority or higher.
● NE rights: You must have the rights of the System Administrators NE user
group or higher.

Tools, Equipment, and Materials
NCE

Legend Information

Figure 6-2 Legend information

Procedure
1. In the Physical Topology tab page, click the NE. In the right-side pane, click
NE Explorer in the Operations area.
2. Click Advanced Attributes, select a board port, and allocate the port to a
created encryption user.

3. After encryption ports are allocated, you can click Query to query the
allocation situation of encryption ports.

6.2.2 Authorizing an Encryption Administrator Account on the U2000

6.2.2.1 Setting Licenses


On the U2000, you can configure licenses for multiple NEs in batches or configure
licenses for only one NE at a time.

Prerequisites
● You must be an NM user with NM operator authority or higher.
● The related encryption license file has been installed on U2000.
● The NE environment where the port requiring service encryption is located
has been deployed on the U2000.

Tools, Equipment, and Materials
U2000

Batch Configuration
1. On the main menu, choose Configuration > NE Batch Configuration > NE
License Authorization. The Choose License window is displayed.
2. Choose License > OTN Series > Encryption Function Software Fee(per
board) and click OK.
3. Select multiple NEs under Physical Root, click , and configure the number
of licenses in a batch.

Per-NE Configuration
1. On the main menu, right-click the NE, choose NE Explorer from the shortcut
menu to display the NE Explorer.
2. For the selected NE, choose Configuration > NE License Authorization and
configure the number of licenses.

NOTE

Set the license quantity to a value in the format of consumed number/authorized number,
such as 10/122.

6.2.2.2 Creating an Encryption Administrator Account


The encryption administrator account created on the U2000 can be used to
manage NEs on the SMT.

Prerequisites
● You must be an NM user with NM operator authority or higher.
● NE rights: You must have the rights of the System Administrators NE user
group or higher.

Tools, Equipment, and Materials
U2000

Procedure
1. On the main menu, choose Administration > NE Security Management >
NE User Management. The NE User Management page is displayed.
2. Select an NE and click > Add. The Add NE User dialog box is displayed.


3. Choose an NE and set NE User in the Add NE User tab.
NOTE
The NE user must contain letters, or it can be a combination of letters, symbols and numerals. The NE user name contains at least 4, but not more than 16 characters.
4. Select the value of User Level to System Level.
5. Set NE User Flag based on the mode that the user accesses the NE.
NOTE

When using the TNU1CTU/TNS1CTU board, the OSN 9800 does not support this
parameter.
● General NE User: manages NEs on all NMSs.
● EMS NE User: manages NEs on the element management system (EMS) U2000.
● LCT NE User: manages NEs on local craft terminal (LCT) U2000.
● CMD NE User: manages NEs on CMD terminals.
6. Set the password for the user to log in to the NE.
NOTE

● The password is a string of 8 to 16 characters, and a new password must be entered twice:
● A password must contain at least three of the following types of characters:
uppercase letters, lowercase letters, digits, and special characters.
● A password cannot be the same as any of the last five passwords.
● A password cannot be the user name or the user name in the reverse order.
● A new password must have at least two characters different from the old
password.
● Keep the password confidential and change it regularly.
7. Set the value of User Security Policy to Encryption.

Issue 7.0 (2020-09-20) Copyright © Huawei Technologies Co., Ltd. 36


WDM OTN L1 Service Encryption Feature Guide 6 Configuring Encryption Using the NMS and SMT

8. On the NE User Management page, click Query to check whether the encryption administrator account information is consistent with the actual configuration.
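The password rules listed in step 6 can be pre-checked before a candidate password is submitted to the U2000. The following script is an added example for this guide, not U2000 or NE code; the U2000 enforces the rules itself when the password is set. Two details the guide does not define are assumed here: "special character" means any printable non-alphanumeric ASCII character, and "at least two characters different from the old password" is counted position by position, with a difference in length also counted as differing characters.

```python
"""Pre-check for the NE user password rules in step 6 above.

Added example for this guide; it is not U2000 or NE code. The U2000 enforces
the rules itself when the password is set, so this script only lets an
operator test a candidate password against the documented rules beforehand.
Assumptions not stated in the guide: "special character" means any printable
non-alphanumeric ASCII character, and "at least two characters different from
the old password" is counted position by position, with a difference in
length also counted as differing characters.
"""
import string

SPECIAL_CHARS = set(string.punctuation)
HISTORY_DEPTH = 5  # "cannot be the same as any of the last five passwords"


def character_classes(password: str) -> int:
    """Count how many of the four documented character types are present."""
    present = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIAL_CHARS for c in password),
    )
    return sum(present)


def differing_characters(new_pw: str, old_pw: str) -> int:
    """Assumption: positional differences plus any difference in length."""
    positional = sum(1 for a, b in zip(new_pw, old_pw) if a != b)
    return positional + abs(len(new_pw) - len(old_pw))


def check_ne_password(username: str, new_pw: str, history: list) -> list:
    """Return the violated rules for new_pw; an empty list means it is acceptable.

    history holds earlier passwords, oldest first; history[-1] is the current one.
    """
    violations = []
    if not 8 <= len(new_pw) <= 16:
        violations.append("length must be 8 to 16 characters")
    if character_classes(new_pw) < 3:
        violations.append("must contain at least three character types")
    if new_pw in history[-HISTORY_DEPTH:]:
        violations.append("must differ from the last five passwords")
    if new_pw in (username, username[::-1]):
        violations.append("must not be the user name or its reverse")
    if history and differing_characters(new_pw, history[-1]) < 2:
        violations.append("must differ from the old password in at least two characters")
    return violations


if __name__ == "__main__":
    # Constructed sample values, not real credentials
    print(check_ne_password("encadmin", "Tr0ub4dor!x", ["Old#Pass1"]))
    print(check_ne_password("encadmin", "Abcdefg2!", ["Abcdefg1!"]))
```

The history list is kept by the caller; the U2000 itself stores the previous passwords, so the script is only a convenience check for the operator and never replaces the system's own enforcement.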

6.2.2.3 Allocating Encryption Ports to Encryption Administrator Accounts


After creating an encryption administrator account on the U2000, you need to
allocate encryption ports to the account.

Prerequisites
● You must be an NM user with NM operator authority or higher.
● NE rights: You must have the rights of the System Administrators NE user
group or higher.

Tools, Equipment, and Materials


U2000

Legend Information
Figure 6-3 shows legend information about U2000 operations.

Figure 6-3 Legend information

Procedure
1. Right-click the NE on the Main Topology tab and choose NE Explorer.

2. Click Advanced Attributes, select a board port, and allocate the port to a
created encryption user.

3. After encryption ports are allocated, you can click Query to check the port allocation result.

6.3 Configuring Service Encryption on the SMT


This topic describes how to configure encryption for services on the SMT.

6.3.1 Logging In to the SMT


Before using the SMT to perform encryption operations, you need to log in to the
SMT first.

Prerequisites
● Operation rights: You have the permission to log in to the SMT.
● The SMT installation package is ready. If you want to obtain the SMT
installation package, please contact the local Huawei engineer.

Context
● The encryption tool SMT can be assigned to multiple users, and each user
manages its own NEs and service data.
● Only one user can log in to the SMT at a time. Multiple users cannot log in to
the SMT at the same time.

Procedure
Step 1 Decompress the SMT installation package to a local path.
NOTE

The local path cannot be the root directory of a disk and cannot contain Chinese characters, spaces, or special characters.

Step 2 Double-click OptiX SMT_en.bat to start the English UI. When the following page
is displayed, the server process has been started.

NOTE

If the server process has not been started, check whether the port used by the server has
been occupied.

Step 3 After the server process is successfully started, the login window shown in the
following figure is displayed. Enter the User Name and Password and click OK.

NOTE

● The default user name and password are Admin and Changeme_123. Change the
password upon the first login. To ensure system security, regularly change the password
and remember it. The new password cannot be the same as any of the last three
passwords. The validity period of the new password is 90 days.
● The password must combine at least two of the following character types: lowercase letters, uppercase letters, digits, and special characters.
● If you enter incorrect passwords for three consecutive times when logging in to the SMT,
the system will lock the account. The account will be automatically unlocked after 5
minutes, and then you can enter the login password again.
● After you log in to the SMT, the system locks the account if you do not perform any
operation within 10 minutes. Press Ctrl+Alt+U or click Close to unlock the account.
Then, enter the login password again.

Step 4 After the login is successful, the main window of the SMT shown in the following
figure is displayed.

----End

6.3.2 Creating and Logging In to an NE


After logging in to the SMT, you need to configure the NE environment on the
SMT, so that you can configure the encryption function for services on the NE.

Prerequisites
● Operation rights: encryption administrator accounts or encryption sub-
accounts. If the operation is performed for the first time, only the encryption
administrator account can be used.
● The encryption user account has the permission to manage the NE to be
created.

Context
● Upon the first login to the SMT, you must add the NEs to be managed.
● You can add the NEs to be managed at any time when using the SMT.
● If it is not the first login to the SMT, the SMT directly queries NEs from the
database and displays the list of NEs managed by the current login user.

Legend Information
Figure 6-4 shows legend information about SMT operations.

Figure 6-4 Legend information

Procedure
Step 1 Create an NE. For details about the parameters of Create NE, see Table 6-5 of
6.6.2-Parameter.

NOTE

The ID, extended ID, and IP address must be set to the actual NE information, which is provided by the NMS user.

Step 2 Continue to create other NEs by repeating Step 1.


NOTE

A service requires at least two NEs. Therefore, two or more NEs need to be created.

Step 3 Right-click an NE and choose Log NE from the shortcut menu.


NOTE

● The login is successful when the NE icons are changed from to .


● If the login to an NE fails, check whether the NE information is correctly configured or
the network connection is normal.
● A service requires at least two NEs. Therefore, two or more NEs need to be logged in.
● The SMT obtains the login status every 60 seconds to check whether the NE is logged
in. After an encryption administrator logs in to the NE from another client:
– If you are not operating the local SMT, the SMT UI is automatically refreshed to
the logout state after 60 seconds.
– If you are operating the local SMT, the SMT UI is refreshed to the logout state
immediately.

----End

Follow-up Procedure
● 6.5.1 How Can I Handle a Failure of Logging In to an NE from the SMT?
● You can delete an NE as required. Before deleting an NE, you should log out
of the NE.

6.3.3 Performing EMK Authentication


The Encryption Management Key (EMK) is the encryption management password. After logging in to an NE, the user must also be authenticated with the EMK (the login in security policy mode) before service encryption can be configured.

Prerequisites
● Operation rights: encryption administrator accounts or encryption sub-
accounts.
● Logging in to the NE whose services need to be encrypted is successful.

Context
● If it is your first time to log in to an NE, or the EMK has been initialized, the
EMK is empty, and you must set the EMK value before using the encryption
function.
● If you need to change the EMK value, begin with Setting the EMK value.
● If it is not the first time for you to log in to an NE and the EMK value has
been set, begin with Starting EMK authentication.

Legend Information
Figure 6-5 shows legend information about SMT operations.

Figure 6-5 Legend information

Procedure
Step 1 Select the NE that you have logged in to and right-click it. A dialog box is
displayed.

Step 2 Set EMK. The EMK of an NE is set by using an encryption user account. Different
EMKs can be set for different user accounts or different NEs of the same user
account.
NOTE

● When the EMK is empty, the Old EMK value is empty by default and you do not need to
enter any character after you click Old EMK.
● If the New EMK value has been set before and needs to be changed, you must enter
the New EMK value that is set last time as the Old EMK value.
● On the Input EMK tab page, set EMK and Confirm EMK. The two values must be the same and meet the following requirements:
– The EMK value must contain 8 to 32 characters.
– The EMK value must be different from the user name.
– The value must contain two or more of the following types of characters: digits,
uppercase letters, lowercase letters, and special characters.
● Select Display EMK to display the old and new EMK values.

Step 3 Start EMK authentication.

NOTE

● You can select multiple NEs and right-click them to perform batch authentication.

● EMK authentication is successful when the NE icon is changed from to .


● If there is no operation within 30 minutes after the EMK is successfully authenticated, the NE icon will change from to . You need to repeat Step 3 to authenticate the EMK again.
● EMK will be locked if the EMK value is incorrectly entered for four consecutive times.
Table 6-2 lists the relationship between the numbers of consecutive incorrect input
times and the lockout duration.

Table 6-2 Relationship between the number of consecutive incorrect input times and the lockout duration

Number of Consecutive Incorrect Input Times   1 to 3   4    5    6     7     8     ≥9
Lockout Duration (s)                          0        30   60   120   300   600   1800

----End

Follow-up Procedure
6.5.2 How Can I Handle EMK Lockout?
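The lockout schedule in Table 6-2 can be replayed against a sequence of authentication attempts to see when an account locks and for how long. The following script is an added example for this guide, not SMT or NE code. Two behaviours the guide does not specify are assumed: an attempt made while the EMK is locked is refused without advancing the failure counter, and a successful authentication resets the counter to zero.

```python
"""Replayable model of the EMK lockout schedule in Table 6-2.

Added example for this guide; it is not SMT or NE code. Assumptions not
stated in the guide: attempts made during a lockout are refused without
counting as further incorrect inputs, and a correct EMK resets the counter.
"""

# Table 6-2: consecutive incorrect inputs -> lockout duration in seconds
LOCKOUT_SCHEDULE = {4: 30, 5: 60, 6: 120, 7: 300, 8: 600}
LOCKOUT_MAX = 1800  # 9 or more consecutive incorrect inputs


def lockout_duration(consecutive_failures: int) -> int:
    """Lockout duration (s) that applies after the given consecutive failure count."""
    if consecutive_failures <= 3:
        return 0
    return LOCKOUT_SCHEDULE.get(consecutive_failures, LOCKOUT_MAX)


class EmkLockout:
    """Tracks the consecutive-failure counter and the current lockout expiry."""

    def __init__(self):
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def attempt(self, now: float, correct: bool) -> str:
        """Process one EMK authentication attempt at time `now` (seconds).

        Returns "locked" when the attempt is refused by an active lockout,
        "accepted" for a correct EMK and "rejected" for an incorrect one.
        """
        if self.is_locked(now):
            return "locked"
        if correct:
            self.failures = 0  # assumption: success resets the counter
            return "accepted"
        self.failures += 1
        self.locked_until = now + lockout_duration(self.failures)
        return "rejected"


def replay(attempts):
    """Replay (time, correct) pairs.

    Returns a list of (time, outcome, consecutive_failures, remaining_lock_seconds).
    """
    state = EmkLockout()
    log = []
    for t, ok in attempts:
        outcome = state.attempt(t, ok)
        remaining = max(0.0, state.locked_until - t)
        log.append((t, outcome, state.failures, remaining))
    return log


if __name__ == "__main__":
    # Constructed attempt sequence: four wrong entries, a retry during the
    # 30 s lockout, a fifth wrong entry, then the correct EMK.
    sample = [(0, False), (1, False), (2, False), (3, False),
              (10, False), (40, False), (200, True)]
    for entry in replay(sample):
        print("t=%4ds  %-8s  failures=%d  lock_remaining=%ds" % entry)
```

The replay makes the escalation visible: the fourth incorrect input locks the EMK for 30 s, a retry inside that window is simply refused, the fifth incorrect input raises the lockout to 60 s, and the correct EMK clears the counter. In the SMT the lockout is handled by the NE; see 6.5.2 How Can I Handle EMK Lockout? for the recovery procedure.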

6.3.4 Encrypting Bidirectional P2P Services


A bidirectional P2P service consists of a source end and a sink end, implementing
bidirectional one-to-one configuration.

6.3.4.1 Creating Bidirectional P2P Services


This operation creates a link for encrypted transmission of bidirectional services.

Prerequisites
● Operation rights: encryption administrator accounts.
● The bidirectional P2P service to be created exists on the physical NE, and the
EMK of the encryption administrator account has been successfully
authenticated.

Context
Bidirectional P2P, Unidirectional Static P2P/P2MP, and Dynamic Group cannot
be configured on the same port.

Legend Information
Figure 6-6 shows legend information about SMT operations.

Figure 6-6 Legend information

Procedure
Step 1 Query the current port service resources and all idle port resources. The query
results are displayed on the Management View page.

Step 2 Create a service. On the main menu, you can choose P2P Management > Manual
Create P2P, select information about the source end and sink end, and click Add >
Apply.
NOTE

● An encryption service must be created by port. The source and sink NEs must be
different NEs, and the source and sink ports must be disabled.

● When the value of Creation status changes from to , a service is created successfully.

Step 3 Repeat Step 2 to add multiple services.

----End

6.3.4.2 Configuring Bidirectional P2P Encryption


After the encryption feature is enabled for bidirectional P2P services, the source
end and sink end start the encryption function, so that services can be encrypted
and decrypted at ports.

Prerequisites
● Operation rights: encryption administrator accounts or encryption sub-
accounts (on the operation or maintenance level).
● The encryption administrator has created a bidirectional P2P service.

Legend Information
Figure 6-7 shows legend information about SMT operations.

Figure 6-7 Legend information

Procedure
Step 1 Select the created bidirectional P2P service and right-click Modify Authentication
Information.
Before key negotiation, the source and sink encryption devices automatically check
whether the peer device is a legitimate device based on the authentication
information set by the user. To ensure high system security, you need to modify
initial authentication information and update it regularly for the newly created
bidirectional P2P service.

NOTE

● The initial authentication information is HuaweiEncryption_123.


● The authentication information must be a string of 20 to 32 characters, including letters,
digits, and special characters (spaces excluded).
● Authentication information can be modified only when the encryption enable status is
Disable.
● The authentication information of the source and sink ports must be the same.
● Authentication information cannot be queried.
● You can select multiple services to perform batch operations.

Step 2 Select the created bidirectional P2P service and right-click Enable.

NOTE

● The service enable status needs to be set based on actual services.
– Enable: indicates that transmit-end data that passes through the port is encrypted.
– Disable (by default): indicates that transmit-end data that passes through the port
is not encrypted.
● Enabling or disabling the encryption function will transiently interrupt services. The
services will be restored within 10s. The operations of enabling and disabling service
encryption should be performed at an interval of more than 10s.
● You can select multiple services to perform batch operations.

Step 3 Verify services. That is, check whether the service encryption link is available.

NOTE

● When performing this operation, ensure that the encryption enable status of the service or
port is Enable.
● You can select multiple services to perform batch operations.

Step 4 Select the bidirectional P2P service and query the port status to view the
encryption and decryption status of the source and sink ends of the service. For
details, see 6.4.4 Querying Port Encryption Status and Information.

----End

6.3.5 Encrypting Unidirectional Static P2P/P2MP Services


A unidirectional static P2P service contains one source and one sink. A
unidirectional static P2MP service contains one source and multiple sinks so that
multiple sinks can receive signals from the same source.

6.3.5.1 Creating Unidirectional Static P2P/P2MP Services


This operation creates a group of links for encrypted transmission of unidirectional
static broadcast services.

Prerequisites
● Operation rights: encryption administrator accounts.
● The unidirectional static broadcast group service to be created exists on the physical NE, and the EMK of the encryption administrator account has been successfully authenticated.

Context
Bidirectional P2P, Unidirectional Static P2P/P2MP, and Dynamic Group cannot
be configured on the same port.

Procedure
Step 1 Query service resources on the current port. On the main menu, you can choose
Unidirectional Static P2P/P2MP > NE > . The query results are displayed
on the Management View page.
Step 2 Create a Unidirectional Static P2P/P2MP service. On the main menu, you can
choose Unidirectional Static P2P/P2MP Management > Manual Create P2P/
P2MP, enter the P2P/P2MP ID and source end information, click Add, select sink
end information, and click Apply > Create.
NOTE

● During the adding of service ports, if a drop-down button is displayed in the Port ID
area of the NE, there are idle ports that can be added on the NE. In this case, you can
double-click Port ID to select the specific port number to be added.
● The P2P/P2MP ID can be set to an integer ranging from 1 to 60000.

● When the value of Creation status changes from to , a service is created successfully.

Step 3 Verify whether the source and sink ports are configured correctly. Choose the
service and click Operation > Test Trail Detection. In Trail Detection Result, you
can view the detection result.
NOTE

You can select multiple services to perform batch operations.

Step 4 Repeat Step 2 to add multiple services.

----End

6.3.5.2 Setting a Customer Key


The unidirectional static P2P/P2MP service cannot negotiate a session key
automatically. Therefore, you must manually set the customer key during the
encryption configuration for deriving the session key.

Prerequisites
● Operation rights: encryption administrator accounts or encryption sub-
accounts (on the operation or maintenance level).
● The encryption administrator has created unidirectional static P2P/P2MP services.

Context
● By default, the customer key is configured for all broadcast group services. It
can also be configured for ports. For unidirectional static P2P/P2MP services,
the customer keys of the sink ends with the same source end must be the
same.
● The content of the customer key cannot be queried.

Legend Information
Figure 6-8 shows legend information about SMT operations.

Figure 6-8 Legend information

Procedure
Step 1 For the created unidirectional static P2P/P2MP service, before enabling the
encryption function, set the customer key first.

NOTE

When setting the customer key for the first time, you are not advised to select Set Port. In this case, the customer key takes effect on all source and sink ends by default.
Key configuration: The customer key can be set to a character string (by default) or a binary code stream.
● The customer key can be a character string of 32 to 256 bytes, consisting of letters, digits, and special characters (except spaces).
● The customer key can also be set to a binary code stream of 256 to 2048 bits.
You can select multiple services to perform batch operations.

Step 2 Check whether the keys used at the source and sink ends in the broadcast group
are the same. Choose the service, click Operation > Test Encryption and
Decryption. In Encryption and Decryption Result, you can view the result.
NOTE

You can select multiple services to perform batch operations.

----End

6.3.5.3 Configuring Unidirectional Static P2P/P2MP Service Encryption


After the encryption feature is enabled for unidirectional static P2P/P2MP services,
the source end starts the encryption function and the sink end automatically starts
the decryption function.

Prerequisites
● Operation rights: encryption administrator accounts or encryption sub-
accounts (on the operation or maintenance level).
● The encryption administrator has created unidirectional static P2P/P2MP
services and performed the operation of setting the customer key for the
services.

Procedure
Step 1 Select the created unidirectional static P2P/P2MP service and right-click Modify Authentication Information.
Before key negotiation, the source or sink encryption device automatically checks
whether the peer device is a legitimate device based on the authentication
information set by the user. To ensure high system security, you need to modify
initial authentication information and update it regularly for the newly created
unidirectional static P2P/P2MP service.

NOTE

● The initial authentication information is HuaweiEncryption_123.


● The authentication information must be a string of 20 to 32 characters, including letters,
digits, and special characters (spaces excluded).
● By default, the authentication information is set for all unidirectional static broadcast
group services. It can also be set for ports. The authentication information of the source
and sink ports must be the same. You can select multiple services to set them in
batches.
● Authentication information can be modified only when the encryption enable status is
Disable.
● When modifying the authentication information for the first time, you do not need to
select Set Port.
● After the authentication information is modified, new ports are added for services:
– If all services are interrupted or not started, set the authentication information as
you modify the authentication information for the first time.
– If services are running, set authentication information for new ports by clicking Set
Port. The authentication information at the new sink end must be consistent with
that of the current services at the source end. Otherwise, service transmission fails.
● The authentication information cannot be queried.

Step 2 Enable service encryption. Select the created unidirectional static P2P/P2MP
service and right-click Enable.

NOTE

● The service enable status needs to be set based on actual services.
– Enable: indicates that the service is encrypted.
– Disable (by default): indicates that the service is not encrypted.
● Enabling or disabling the encryption function will transiently interrupt services. The
services will be restored within 10s. The operations of enabling and disabling service
encryption should be performed at an interval of more than 10s.
● This operation can be performed only on the source port of a service and can be
performed for multiple services simultaneously.

Step 3 Select the unidirectional static P2P/P2MP service and query the port status to view
the encryption and decryption status of the source and sink ends of the service.
For details, see 6.4.4 Querying Port Encryption Status and Information.

----End

6.3.6 Encrypting Dynamic Group Services


A dynamic group service contains encryption ports involved in the associated
dynamic services. Sources and sinks can be dynamically changed according to the
actual situation for multi-source multi-sink configuration.

6.3.6.1 Creating a Dynamic Group


This operation creates a link for encrypted transmission of a group of multicast
services.

Prerequisites
● Operation rights: encryption administrator account.
● Before creating a dynamic multicast group, you need to specify the allocation
of all ports involved in the services in the port group.
● The EMK of the encryption administrator account has been successfully
authenticated.

Context
Bidirectional P2P, Unidirectional Static P2P/P2MP, and Dynamic Group cannot
be configured on the same port.

Procedure
Step 1 Query service resources on the current port. On the main menu, you can choose
Dynamic Group > NE > . The query results are displayed on the
Management View page.

Step 2 Create a dynamic group service. On the main menu, you can choose Group
Management > Manual Create Group, enter the multicast ID, click Add, select
multiple ports, and click Apply > Create.

NOTE

● When a dynamic group is created, a drop-down button displayed in the Port ID column
indicates that there are idle ports to be added. Double-click Port ID to choose a desired
port number or choose All to add all idle ports of the NE.
● Group ID is mandatory and is an integer ranging from 60001 to 65534.
● At least two ports need to be added to configure a dynamic group.
● When the status displayed in the Creation Status column changes from to , the service is successfully created. The result is displayed on the Management View page.
● Each multicast group must be encrypted. All services in a multicast group must use the same customer key.

Step 3 Check whether the configurations of source and sink ports are correct. You can
select services in a port group, click Operation > Test Trail Detection, and view
results in the Trail Detection Result column.
NOTE

● You can select multiple services to perform batch operations.


● You can perform either of the following steps to select services in a port group.
1. Click the icon before Group ID to expand the port group.
2. Choose Query > Trails to expand the port group.

----End

6.3.6.2 Setting a Customer Key


The dynamic group service cannot negotiate a session key automatically.
Therefore, you must manually set the customer key during the configuration of
dynamic multicast service encryption for deriving the session key.

Prerequisites
● Operation rights: encryption administrator accounts or encryption sub-accounts (on the operation or maintenance level).
● The encryption administrator has created the dynamic group service.

Context
● A customer key can be set by port group but cannot be set by port. Users in
each port group use the same customer key (in the receive and transmit
directions).
● The content of the customer key cannot be queried.

Procedure
Step 1 For the created dynamic multicast service, before enabling the encryption
function, set the customer key first. You can select a port group service, right-click
it, choose Set a Customer Key from the shortcut menu, configure a customer key,
and click OK.

NOTE

Key configuration: The customer key can be set to a character string (by default) or a binary code stream.
● The customer key can be a character string of 32 to 256 bytes, consisting of letters, digits, and special characters (except spaces).
● The customer key can also be set to a binary code stream of 256 to 2048 bits.
You can select multiple port groups to set customer keys in batches.

Step 2 Check whether the source and sink ends in the port group use the same customer
key. You can select a port group service, click Operation > Test Encryption and
Decryption, and view results in the Encryption and Decryption Result column.
NOTE

You can select multiple port groups to set customer keys in batches.

----End
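The customer key rules in 6.3.5.2 and 6.3.6.2 share two points worth checking before a key is entered: the key must have one of the two documented forms, and every source and sink port of a service or port group must carry the same key even though the key content can never be queried back. The script below is an added example for this guide, not SMT or NE code, and the SMT's own check remains the Test Encryption and Decryption operation. It assumes that a character-string key is ASCII (so its byte length equals its character count), that a binary code stream is supplied as a text of '0' and '1' digits, and it compares keys across ports through a SHA-256 fingerprint, which is this script's own device for comparing without disclosing, not the product's method.

```python
"""Customer key form checks and cross-port consistency for unidirectional
static P2P/P2MP (6.3.5.2) and dynamic group (6.3.6.2) services.

Added example for this guide; it is not SMT or NE code. Assumptions not
stated in the guide: a string key is ASCII, a binary code stream is given as
'0'/'1' text, and consistency is compared via SHA-256 fingerprints so that an
operator's runbook can record and compare keys without storing their content.
"""
import hashlib
import string

ALLOWED_CHARS = set(string.ascii_letters + string.digits + string.punctuation)

# Constructed sample key for demonstration, not a real key
SAMPLE_KEY = "Static-Group7!Key-2020-Constructed#1"


def customer_key_violations(key: str, form: str = "string") -> list:
    """Return the rules a key violates for the given form; empty list means valid.

    form "string": 32 to 256 bytes of letters, digits and special characters, no spaces
    form "binary": 256 to 2048 bits written as '0'/'1' digits
    """
    problems = []
    if form == "string":
        if not key.isascii():
            problems.append("string key must be ASCII")  # assumption
        elif not set(key) <= ALLOWED_CHARS:
            problems.append("string key may contain only letters, digits and special characters (no spaces)")
        if not 32 <= len(key.encode("utf-8")) <= 256:
            problems.append("string key must be 32 to 256 bytes")
    elif form == "binary":
        if not key or not set(key) <= {"0", "1"}:
            problems.append("binary stream must consist of 0 and 1 digits")
        if not 256 <= len(key) <= 2048:
            problems.append("binary stream must be 256 to 2048 bits")
    else:
        problems.append("form must be 'string' or 'binary'")
    return problems


def canonical_key_bytes(key: str, form: str = "string") -> bytes:
    """Validate the key and return a canonical byte encoding that keeps the two forms distinct."""
    problems = customer_key_violations(key, form)
    if problems:
        raise ValueError("; ".join(problems))
    if form == "string":
        return b"str:" + key.encode("ascii")
    # Bit strings whose length is not a multiple of 8 are left-padded to whole bytes;
    # the bit length is recorded so padded streams do not collide.
    return f"bits:{len(key)}:".encode() + int(key, 2).to_bytes((len(key) + 7) // 8, "big")


def fingerprint(key: str, form: str = "string") -> str:
    """Short SHA-256 fingerprint of the canonical key; safe to record in a runbook."""
    return hashlib.sha256(canonical_key_bytes(key, form)).hexdigest()[:16]


def fingerprint_groups(ports: dict) -> dict:
    """ports maps a port label to (key, form). Groups labels by fingerprint.

    One group means every port of the service or port group holds the same key.
    """
    groups = {}
    for label, (key, form) in ports.items():
        groups.setdefault(fingerprint(key, form), []).append(label)
    return {fp: sorted(labels) for fp, labels in groups.items()}


def keys_consistent(ports: dict) -> bool:
    return len(fingerprint_groups(ports)) == 1


if __name__ == "__main__":
    # Constructed example: one source and two sinks, the second sink with a typo
    ports = {
        "NE1-source": (SAMPLE_KEY, "string"),
        "NE2-sink": (SAMPLE_KEY, "string"),
        "NE3-sink": (SAMPLE_KEY[:-1] + "2", "string"),
    }
    for fp, labels in fingerprint_groups(ports).items():
        print(fp, labels)
    print("consistent:", keys_consistent(ports))
```

Only fingerprints leave the operator's workstation, which matches the guide's point that the key content itself cannot be queried from the NE; a mismatching sink shows up as a second fingerprint group, the same condition that Test Encryption and Decryption reports on the SMT.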

6.3.6.3 Enabling the Encryption Feature of a Dynamic Group


After the encryption feature is enabled for dynamic group services, service
encryption is performed on all ports in the port group. That is, the data passing
through each port in the group is encrypted.

Prerequisites
● Operation rights: encryption administrator accounts or encryption sub-accounts (on the operation or maintenance level).
● The encryption administrator has created dynamic group services and performed the operation of setting the customer key for the services.

Procedure
Step 1 Select the created dynamic multicast service and right-click Modify
Authentication Information.

Authentication information is used to check whether the encryption devices at the source and sink ends are authorized before key negotiation between the devices. To ensure high system security, you need to modify the initial authentication information and update it regularly for the newly created dynamic multicast service.

NOTE

● The initial authentication information is HuaweiEncryption_123.


● The authentication information must be a string containing 20 to 32 characters
including letters, digits, and special characters (except spaces).
● The authentication information of the source and sink ports must be the same. You can
select multiple port groups to perform batch operations.
● Authentication information can be modified only when the encryption enable status is
Disable.
● The authentication information cannot be queried.

Step 2 Select the created dynamic group service and right-click Enable.
NOTE

● This operation issues enabling and disabling messages to all ports in a dynamic group.
– Enable: indicates that all ports in a port group are encrypted and data transmitted through this port group will be encrypted.
– Disable (by default): indicates that encryption is disabled on all ports in a port group and data transmitted through this port group will not be encrypted.
– Enabling and disabling service encryption should be performed at an interval of more than 10s.
– You can select multiple port groups to perform batch operations.

Step 3 Select the dynamic multicast service. In the Port Encryption State window, query
Authentication Status to determine whether the source end of the service is
successfully authenticated by the sink end. For details, see 6.4.4 Querying Port
Encryption Status and Information.

----End

6.4 Maintaining Service Encryption on the SMT


This topic describes common operations other than the key steps for configuring the encryption feature. They are generally used in encryption maintenance scenarios.

6.4.1 Encryption Sub-account Management


If an encryption administrator account needs to work with an encryption sub-
account to manage services, you can create an encryption sub-account on the
SMT. A sub-account is attached to an encryption administrator account. The
permission of the encryption sub-account is assigned by the encryption
administrator account. The encryption sub-account can be used to query, set, or
maintain encryption information.

6.4.1.1 Creating an Encryption Sub-account


An encryption administrator account can be used to create an encryption sub-
account on an NE to assist in managing encryption services.

Prerequisites
● Operation rights: encryption administrator accounts.
● The encryption administrator account has logged in to the SMT.

Context
The encryption administrator account can be used to assign an encryption sub-
account as required. The encryption sub-account can be used to query, set, or
maintain encryption information.

Legend Information
Figure 6-9 shows legend information about SMT operations.

Figure 6-9 Legend information

Procedure
Step 1 Create an encryption sub-account. That is, set the sub-account name, user level,
and password on the NE.
1. Set NE User.

2. Set User Level. Table 6-3 lists the user levels.


NOTE

– NE User: indicates the NE encryption sub-account name to be added.


– User Level: indicates the encryption sub-account level. When an encryption sub-
account is added, the encryption sub-account level must be specified as required.
– Encryption sub-accounts cannot be used to enable or disable EMK Initialization
Interrupt Service State, to allocate ports, or to create/modify/delete services.

Table 6-3 User levels

Account Level       Description
Monitor Level       Indicates that the account can be used only to query the encryption information.
                    You can query service information, Port Encryption Status, Port Encryption Information, and log information.
Operation Level     Indicates that the account can be used only to query or set the encryption information.
                    – You can query service information, Port Encryption Status, Port Encryption Information, and log information.
                    – You can set a customer key, Port Encryption Status, Port Encryption Information, Initialize Failure Times, and Forced Start Key Swap.
Maintenance Level   Indicates that the account can be used to query, set, or maintain the encryption information.
                    – You can query service information, Port Encryption Status, Port Encryption Information, and log information.
                    – You can set a customer key, Port Encryption Status, Port Encryption Information, Initialize Failure Times, and Forced Start Key Swap.
                    – You can set the maintenance status.

3. Set Password.
NOTE
The password cannot be the same as the user name (for example, sub1) or the
reverse of the user name (for example, 1bus), and it must combine at least two
of the following: lowercase letters, uppercase letters, digits, and special characters.

----End
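The password rules in the note above (not equal to the user name, not equal to the reversed user name, at least two character classes) can be expressed as a small pre-check before the password is entered on the NE. The following Python snippet is an added example and is not code from this guide or from the SMT software; it assumes that any character which is not a lowercase letter, an uppercase letter, or a digit counts as a special character (the guide does not define that set), and that the comparison with the user name is exact.

```python
"""Added example (not from the guide or the SMT): check a candidate password for
an encryption sub-account against the rules in the Set Password note."""
from typing import List, Set


def character_classes(password: str) -> Set[str]:
    """Return the character classes present in the password.

    Assumption: the guide does not define "special characters", so any
    character that is not a lowercase letter, uppercase letter or digit
    is counted as special here.
    """
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lowercase")
        elif ch.isupper():
            classes.add("uppercase")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_password(username: str, password: str) -> List[str]:
    """Return the list of violated rules; an empty list means the password passes.

    Rules from the note: not equal to the user name, not equal to the
    reversed user name, and at least two of the four character classes.
    """
    problems = []
    if password == username:
        problems.append("password is the same as the user name")
    if password == username[::-1]:
        problems.append("password is the reverse of the user name")
    if len(character_classes(password)) < 2:
        problems.append("password uses fewer than two character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, using the user name from the note.
    for candidate in ("sub1", "1bus", "abcdefgh", "Otn-L1-enc!"):
        result = check_password("sub1", candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(result)}")
```

The check returns every violated rule rather than stopping at the first one, so an operator sees all the reasons a candidate would be rejected in a single pass.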

6.4.1.2 Allocating Encryption Ports to Encryption Sub-accounts


After an encryption sub-account is created for an encryption administrator
account, a port must be allocated to the encryption sub-account.

Prerequisites
● Operation rights: encryption administrator accounts.
● The EMK has been authenticated on the NE to which a port is to be assigned.

Procedure
Step 1 On the main menu, choose NE Management > Port Account Management >
NEs > . The Port Account Management page is displayed.


Step 2 Allocate encryption ports of the NE for encryption sub-accounts. On the Port
Account Management page, click Add, select the account to which ports can be
allocated, select ports, and click Apply.
NOTE

● Only the encryption administrator account can allocate ports to encryption
sub-accounts on the selected NE. Each port can be allocated to multiple
encryption sub-accounts.
● During encryption sub-account port allocation, you can set a port alias
containing at most 32 characters in the Port Alias column.
● Parameter descriptions are as follows:
1. Assigned Account Port: lists information about all assigned ports.
2. All Ports to Manage: lists information about all manageable ports.
3. Unassigned Account: lists information about all unassigned ports.

----End

6.4.2 Setting the Port Maintenance Status


An encryption administrator account or an encryption sub-account with the
maintenance permission can set the specified port to the maintenance state or
cancel the status for network fault isolation.

Procedure
Step 1 Select a service and right-click Set Port Maintenance Status.

NOTE

● Enable: indicates that a port is in the maintenance state. The port
maintenance status can be set only in the Enable status.
● Disable (by default): indicates that a port is not in the maintenance state.
● You can select multiple services to perform batch operations.

----End

6.4.3 Modifying Encryption Services

6.4.3.1 Modifying Unidirectional Static P2P/P2MP Services


You can delete, move, or add source and sink ports for a unidirectional static P2P/
P2MP service.


Procedure
Step 1 Select a service to be modified and right-click Modify Unidirectional Static P2P/
P2MP. The Modify Unidirectional Static P2P/P2MP dialog box is displayed.

NOTE

There is no specified sequence for the addition, deletion, and moving operations. You can select
the operations as required.

Step 2 Add a source end and a sink end. In the Modify Unidirectional Static P2P/P2MP
window, you can select information about the source end, click Add, select
information about the sink end, and click Apply.
NOTE

If a unidirectional static P2P/P2MP service does not have a source end, click Add to add a
source end. If a unidirectional static P2P/P2MP service has a source end, click Add to add a
sink end.
When a source NE related to a service is not logged in, the source end of the service will be
missing, and the P2P/P2MP alias will be displayed as . In this case, you can
perform only Delete P2P/P2MP and Modify P2P/P2MP operations.

Step 3 Delete a source end and a sink end. In the Modify Unidirectional Static P2P/
P2MP window, you can select information about the source end, click Delete,
select information about the sink end, and click Delete > Apply.
NOTE

● When a source end is deleted, the sink-end information cannot be deleted.
● The sink-end information can be deleted only when a source end exists. Ensure
that at least one sink end is not deleted. If the sink ends are all deleted, no
broadcast group can be created.
● You can perform this operation only when the value of Source Encryption and
Port Enable State is Disable.

Step 4 Click Move to move a port to a new broadcast group. The port can function as the
source or sink end. In the Modify Unidirectional Static P2P/P2MP window, you
can click Move, modify the move information, and click OK > Move > Apply.


NOTE

The following are principles of moving a source end to another broadcast group:
● If a broadcast group has no source end, a source end can be moved to this broadcast group.
● If a source end functions as a sink end in a broadcast group, it cannot be moved to another
broadcast group to function as a sink end.
The following are principles of moving a sink end to another broadcast group:
● If a broadcast group has no source end, a sink end can be moved to this broadcast group
and functions as a source end.
● The sink end can be moved to other broadcast groups and functions as a sink end.
You can perform this operation only when the value of Source Encryption and Port Enable
State is Disable.

----End

6.4.3.2 Modifying a Dynamic Group


You can delete, move, or add ports for a dynamic group.

Procedure
Step 1 Select a service to be modified and right-click Modify Group. The Modify
Dynamic Group dialog box is displayed.

Step 2 Click Add to add ports for the dynamic group. In the Modify Dynamic Group
window, you can select an idle port and click Add > Apply.
NOTE

To add all the idle ports of an NE, you can double-click Port ID and select All.

Step 3 Delete a port. In the Modify Dynamic Group window, you can select a port and
click Delete > Apply.


NOTE

● This operation can be performed only when Encryption Port Enable State is in Disable
state.
● The Delete operation can be performed only when the number of ports in a dynamic group
is greater than or equal to 3.

Step 4 Move a port. In the Modify Dynamic Group window, you can select a port, click
Move, modify the move information, and click OK > Apply.
NOTE

● This operation can be performed only when Encryption Port Enable State is in Disable
state.
● The Move operation can be performed only when the number of ports in a dynamic group is
greater than or equal to 3.

----End

6.4.4 Querying Port Encryption Status and Information


You can query the encryption status and information of a port on SMT. There is no
specified sequence for operations in this topic.

Prerequisites
Operation rights: encryption administrator accounts or encryption sub-accounts.
The EMK has been authenticated on the NE where the encryption service resides.

Legend Information
Figure 6-10 shows legend information about SMT operations.

Figure 6-10 Legend information

Procedure
Step 1 Query the service resources of the current ports. The query result is
displayed in Management View. The parameters in the Management View window
are described in Table 6-6.


Step 2 Query the encryption status and maintenance status of the service or port. In
Management View, you can select a specific service and click Query.
NOTE

To query the encryption enable status of port services in Dynamic Group, select the port group
and Query Enable Status.

Step 3 Select a specific service and click Port Encryption State > Query. The
main parameters on the Port Encryption State tab page are described in Table 6-9.


NOTE

● Before querying the encryption status of the current service port, you can
perform the Forced Start Key Swap operation first: select a specific service
and click Operation > Forced Start Key Swap.
● Forced Start Key Swap: If a security risk is detected for a user secret key,
you can click Forced Start Key Swap to change the key promptly instead of
waiting until the key change period ends. When performing this operation,
ensure that the encryption enable status of the service or port is Enable.
● EMK Initialization Interrupt Service State cannot be set for the encryption
sub-account. On the GUI, EMK Initialization Interrupt Service State is
displayed as -.
● For an EMK that has been configured with an encryption administrator account,
initializing the EMK does not interrupt the services on the encryption port
allocated to the encryption administrator account by default. When the
encryption administrator account sets EMK Initialization Interrupt Service
State to Enable on the SMT, initializing the EMK for the encryption
administrator account on the NMS will interrupt the managed services.
● In Dynamic Group, you need to select specific services in the port group
before performing operations.

Step 4 Select a specific service and click Port Encryption Information > Query. The main
parameters on the Port Encryption Information tab page are described as Table
6-10.
NOTE

In Dynamic Group, you need to select specific services in the port group before performing
operations.

----End

6.4.5 Setting Port Encryption Status and Information


On the SMT, you can set the port encryption status and port encryption
information. There is no specified sequence for operations in this topic.

Prerequisites
Operation rights: encryption administrator accounts.
The EMK has been authenticated on the NE where the encryption service resides.

Procedure
Step 1 Set EMK Initialization Interrupt Service State. On the main menu, you can
choose NE Management > NE Account Management. The NE Account
Management page is displayed. Then, you can select a specific NE and choose
Operation > Set EMK Initialization Interrupt Service State > Disable.

NOTICE

Only the encryption administrator account has permission to modify EMK
Initialization Interrupt Service State. If this status is Enable, and you need
to initialize the EMK value of the encryption administrator account on the NMS,
the services managed by the encryption administrator account will be
interrupted. Exercise caution when you initialize the EMK value.


NOTE

An encryption sub-account cannot be used to set or query EMK Initialization
Interrupt Service State.

Step 2 For the selected service port, set the encryption enable status. In Management
View, you can select a specific service, click Port Encryption State > Query, set
the encryption enable status, and click Apply.
NOTE

● When the encryption status is Disable, only EMK Initialization Interrupt Service State
and Encryption Enable State can be queried, and all the subsequent fields are
displayed as /, indicating that the query fails.
● When the encryption status is Enable, all fields can be queried.
● Here, you can enable only ports but cannot enable services. In the Management View
window, you can enable both ports and services.
● If a field is displayed as -, the field cannot be queried.
● In Dynamic Group, you need to select specific services in the port group before
performing operations.

Step 3 For the selected service decryption port, set the decryption pattern. In
Management View, you can select a specific service, click Port Encryption State
> Query, set the decryption pattern, and click Apply.
NOTE

● In Unidirectional Static P2P/P2MP and Dynamic Group, set Decryption Pattern.
● The decryption modes are valid only for sink ends.
● Auto Adaption: indicates that whether broadcast group services are decrypted
at the sink end depends on the configuration of the source end. If the
encryption function is enabled at the source end, the services will be
decrypted at the sink end.
● Disable: indicates that broadcast services are not decrypted at the sink end
and the services will be interrupted.
● In Dynamic Group, you need to select specific services in the port group
before performing operations.

Step 4 For the selected service encryption port, set the key update interval. In
Management View, you can select a specific service, click Port Encryption
Information > Query, set the key update interval for the selected port, and click
Apply.
NOTE

● The encryption keys of an encryption service can be replaced regularly. This parameter
can be user-defined and be set to 10Min, 30Min, 1H, 3H, 6H, 1D, 7D, or 30D, and the
default value is 30Min (30 minutes).
● Key Replacement Interval can be set only on encryption ports and the setting
will be automatically synchronized to the decryption ports. Therefore, the two
directions of a bidirectional service have separate replacement intervals that
do not affect each other.
● In Dynamic Group, you need to select specific services in the port group before
performing operations.

----End


6.4.6 Querying Logs


You can query SMT operation logs, EMK logs, operation logs, and run logs on the
SMT. There is no specified sequence for operations in this topic.

Procedure
Step 1 Query SMT operation logs. On the main menu, you can choose System
Management > Log Management. The Operation Log Filter Dialog page is
displayed. Then, you can select the start time and end time of logs and click Filter.
The queried results are displayed in Log Management.
NOTE

● If the start and end time are not set, all logs will be queried by default.
● To query operation logs again, click Filter and select the query date again.

Step 2 Save the SMT operation logs to a local directory. On the main menu of Log
Management, you can click the Save As button in the lower-right corner, filter
the logs to be saved, click OK, and set the saving information.

Step 3 View other log information. In Management View, you can select the type
of logs to be viewed and click the Filter button in the lower-right corner. In
the dialog box that is displayed, you can set the start time and end time of
logs and click Filter. The queried results are displayed in the log status column.
NOTE

● On the EMK Log tab, you can query EMK operation log information such as EMK
authentication and initialization.
● On the Operation Log tab, you can query encryption operation log information
such as the encryption service enable status.
● On the Running Log tab, you can query the encryption running log information.
● If the start and end time are not set, 24-hour log information is queried by
default. The log display depends on the device space.
● The procedure for saving other log information is the same as that for saving
the SMT operation logs. For details, see Step 2.

----End

6.5 FAQ
This topic provides answers to some frequently asked questions and common
handling methods.

6.5.1 How Can I Handle a Failure of Logging In to an NE from the SMT?
When a user logs in to an NE through the SMT, if the user name or password is
incorrect or the actual NE information changes, the system displays a message
indicating that the login fails.


Procedure
Step 1 If the account for logging in to the NE needs to be switched or the NE login fails
due to incorrect user name or password, set the login account first. On the main
menu, you can select an NE, right-click Set Login Account, and set the user name
and password.
NOTE

● User: Enter the user name of an encryption administrator account to which an
encryption policy has been allocated or the user name of an encryption sub-account.
● Password: Enter the login password corresponding to the encryption account on an NE.
You can select multiple NEs and set the login accounts of the NEs to the same account.

Step 2 If the NE login fails due to the change of NE information, change the NE login IP
address. On the main menu, you can select an NE, right-click Set Login IP, and set
parameters Login Type, IP Address, and Port.
NOTE
You cannot select multiple NEs and modify them in batches.

----End

6.5.2 How Can I Handle EMK Lockout?


For an encryption administrator account that is locked, you must wait for the
lockout timer to expire or log in to the NMS to unlock the EMK. For an encryption
sub-account that is locked, you must wait for the lockout timer to expire or ask
the encryption administrator to log in to the SMT to cancel the EMK lockout for
the encryption sub-account.

Procedure
Step 1 If the EMK of the encryption sub-account is locked, the encryption administrator
can perform the Unlock Sub User EMK Locked operation.
On the main menu, choose NE Management > NE Account Management, select
an NE, and click . The NE Account Management page is displayed.
Click Operation > Unlock Sub User EMK Locked > OK in the lower right corner.

----End

6.5.3 What Can I Do When the EMK Is Forgotten?


If the encryption management key (EMK) of a user is forgotten, the EMK needs to
be initialized. The EMK of the encryption administrator account is initialized
on the NMS, and the EMK of the encryption sub-account is initialized by the
encryption administrator account using the SMT.

Prerequisites
● NE rights: To initialize the EMK of an encryption administrator account, you
must have the rights of the System Administrators Ne user group or higher.
To initialize the EMK of an encryption sub-account, you must have the rights
of encryption administrator accounts.
● NM rights: To initialize the EMK of an encryption administrator account, you
must be an NM user with Operator Group authority or higher.

Tools, Equipment, and Materials
U2000 and NCE

Initializing the EMK of an Encryption Administrator Account (U2000)


1. Choose Administration > NE Security Management > NE Login
Management from the main menu of the U2000.
2. Click the Encryption EMK Management tab, select a specific NE account,
and choose Reset Encryption EMK > Yes.
NOTE

If a user EMK is locked after multiple incorrect EMKs are entered, click Unlock
Encryption User to unlock the EMK of the encryption user.
If the account is in use, the EMK initialization will fail.

Initializing the EMK of an Encryption Administrator Account (NCE)


1. On the main menu, choose Security > NE Login Management. The NE Login
Management page is displayed.
2. Click the Encryption EMK Management tab, select a specific NE account,
and choose Reset Encryption EMK > Yes.
NOTE

If a user EMK is locked after multiple incorrect EMKs are entered, click Unlock
Encryption User to unlock the EMK of the encryption user.
If the account is in use, the EMK initialization will fail.

Initializing the EMK of an Encryption Sub-account


1. On the main menu of the SMT, choose NE Management > NE Account
Management, select an NE, click , select a specific NE account, and
choose Operation > Initialize Account EMK > OK.

6.5.4 Troubleshooting Encryption Services


When detecting faults in encryption services, users need to handle them
immediately.

Figure 6-11 Troubleshooting process for encryption services

6.6 Parameter Description


This topic describes the parameters of the NMS and SMT.

6.6.1 Parameter Description for NMS


Table 6-4 User attribute parameters

Parameter: NE user
Valid Value: -
Default Value: -
Description: Configures the user name registered on the NE.
NOTE
The NE name cannot contain Chinese characters.

Parameter: User level
Valid Value: Monitor level, Operation level, Maintenance level, System level,
Debug level
Default Value: Monitor level
Description:
● Monitor-level users have the lowest rights. They are authorized to issue
query commands and modify their own attributes.
● Operation-level users are authorized to query the system information and
perform some configuration operations.
● Maintenance-level users are authorized to perform all maintenance operations.
● System-level users are authorized to perform all query and configuration
operations.
● Debug-level users are authorized to perform all operations in the debugging
process.
NOTE
For an NE that houses an F1SCC board as the system control board, the created
account can be set as the maintenance, operation, or monitor level, and the
account encryption policy must be set as encrypted.

Parameter: NE user flag
Valid Value: LCT NE user, EMS NE user, CMD NE user, General NE user
Default Value: LCT NE user
Description: Sets the NE user flag.
● General NE User: manages NEs on all NMSs.
● EMS NE User: manages NEs on the element management system (EMS) U2000 or NCE.
● LCT NE User: manages NEs on local craft terminal (LCT) U2000 or NCE.
● CMD NE User: manages NEs on CMD terminals.

Parameter: Detailed description
Valid Value: -
Default Value: -
Description: Describes the configured NE users.

Parameter: New password
Valid Value: -
Default Value: -
Description: Sets a new user password.

Parameter: Confirm password
Valid Value: -
Default Value: -
Description: The password to be entered must be the same as the new password.

Parameter: Immediate password change
Valid Value: Yes, No
Default Value: Yes
Description: Specifies whether the new user password can be modified. It is
valid only for an NE user lower than the administrator level.

Parameter: Valid Permanently
Valid Value: Yes, No
Default Value: Yes
Description: This parameter displays whether a registered NE user is
permanently valid.

Parameter: Valid From
Valid Value: Presented in YYYYMMDDHHMMSS.
Default Value: Specified by the user.
Description: Specifies the valid start time of a user.
● If the value of the Valid Permanently parameter is Yes, the field cannot be
modified.
● If the value of the Valid Permanently parameter is No, the field can be set
manually.

Parameter: Valid Until
Valid Value: Presented in YYYYMMDDHHMMSS.
Default Value: Specified by the user.
Description: Specifies the valid end time of a user.
● If the value of the Valid Permanently parameter is Yes, the field cannot be
modified.
● If the value of the Valid Permanently parameter is No, the field can be set
manually.

Parameter: Password Permanently Valid
Valid Value: Yes, No
Default Value: Yes
Description: This parameter displays whether the password is permanently valid.

Parameter: Password Valid Days
Valid Value: 25 to 999 days
Default Value: 90 days
Description:
● If the value of the Password Permanently Valid parameter is Yes, the field
cannot be modified.
● If the value of the Password Permanently Valid parameter is No, the field can
be set manually.

Parameter: User security policy
Valid Value: Encryption, None
Default Value: -
Description: Specifies the security policy for an NE user.
● Encryption: indicates that this user can deliver only encryption related
commands.
● None: indicates that this user cannot deliver encryption related commands.

6.6.2 Parameter Description for SMT


Table 6-5 Parameters for Create NE

ID: Enter the actual NE ID.
Expand ID: Enter the actual NE extended ID.
NE Name: The NE name is automatically generated based on the NE ID and NE
extended ID. The NE name can also be user-defined.
Login Type: The NE type can be a gateway NE or non-gateway NE.
IP Address: Enter the actual NE IP address.
Connection Mode: SSL
Port: The SSL mode corresponds to port 5432.
User: Enter the name of an encryption administrator account or an encryption
sub-account to which an encryption policy has been allocated.
Password: Enter the login password corresponding to the encryption account on
an NE.


Table 6-6 Parameters in the Management View (Bidirectional Static P2P/P2MP)

Trail Name: Indicates the trail name and has four display modes.
● When the service name is displayed as -, the current port does not carry any
service and has no alias.
● When the service name is displayed as a port name, the current port does not
carry any services.
● When the service name is displayed as source port name 1 <-> sink port name
2, the current port carries bidirectional services.
● When the service name is displayed as source port name 1 -> sink port name 2,
the current port carries unidirectional services.

Direction: Indicates the direction of the current port or service and has
three values.
● Only Port: indicates a port.
● Unidirectional: indicates a unidirectional service.
● Bidirectional: indicates a bidirectional service.

Source Encryption Port Enable State: Indicates the encryption enable status
(Enable or Disable) of the current port.
● Disable (by default): indicates that the source port is not encrypted and
data transmitted through this port will not be encrypted.
● Enable: indicates that the source port is encrypted, and data transmitted
through this port will be encrypted.

Source Encryption Port Maintenance State: Indicates the encryption maintenance
status (Enable or Disable) of the current port.
● Enable: indicates that the source port is in the maintenance state. In this
case, the encryption and decryption functions are unavailable on the port.
● Disable (by default): indicates that the source port is not in the
maintenance state. In this case, the original encryption status on the port is
restored, and the decryption status is automatically synchronized from that on
the sink end.

Verification Result: Indicates the verification result of the current service
and has seven possible values.
● Invalid Trail: indicates that the current trail is invalid.
● Unidirectional Trail: indicates that the current trail is a unidirectional
trail.
● Verification Succeeded: indicates that the current trail has been
successfully verified.
● Verification Failed: indicates that the current trail has been verified but
failed.
● Please enable port: indicates that the encryption enable status of some ports
is Disable. You are advised to enable the ports, and then verify the services
and query the verification result.
● Unverified: indicates that the current service is not verified.
● -: indicates that the port does not support the query of the verification
result.
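The four Trail Name display modes and the three Direction values in Table 6-6 can be recovered from the text shown in the Management View, which is useful when exporting the view for an audit of which ports carry unencrypted bidirectional or unidirectional services. The following Python parser is an added example, not code from this guide or from the SMT; the trail names it parses are constructed samples, and the arrow tokens "<->" and "->" are taken literally from the table, with the assumption that port names themselves never contain them.

```python
"""Added example (not from the guide or the SMT): parse the Trail Name shown in
the SMT Management View (Table 6-6) into its Direction value and endpoints."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Trail:
    direction: str          # one of the Table 6-6 Direction values
    source: Optional[str]   # source port name, or the bare port name
    sink: Optional[str]     # sink port name; None when no service is carried


def parse_trail_name(trail_name: str) -> Trail:
    """Map one Trail Name display mode to a Trail.

    Display modes (Table 6-6):
      "-"                  -> port carries no service and has no alias
      "<port name>"        -> port carries no service
      "<src> <-> <sink>"   -> bidirectional service
      "<src> -> <sink>"    -> unidirectional service
    """
    text = trail_name.strip()
    if not text:
        raise ValueError("empty trail name")
    if text == "-":
        return Trail("Only Port", None, None)
    # "<->" must be tested before "->", because every "<->" also contains "->".
    for arrow, direction in (("<->", "Bidirectional"), ("->", "Unidirectional")):
        if arrow in text:
            src, sink = (part.strip() for part in text.split(arrow, 1))
            if not src or not sink:
                raise ValueError(f"malformed trail name: {trail_name!r}")
            return Trail(direction, src, sink)
    # Anything else is a bare port name: a port without a service.
    return Trail("Only Port", text, None)


def summarize(trail_names: Iterable[str]) -> Dict[str, int]:
    """Count how many Management View rows fall under each Direction value."""
    counts = {"Only Port": 0, "Unidirectional": 0, "Bidirectional": 0}
    for name in trail_names:
        counts[parse_trail_name(name).direction] += 1
    return counts


# Constructed sample rows in the shape described by Table 6-6 (not real NE data).
SAMPLE_ROWS = [
    "-",
    "NE1-1-1",
    "NE1-1-2 <-> NE2-1-2",
    "NE1-1-3 -> NE2-1-3",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"{row!r:24} {parse_trail_name(row)}")
    print(summarize(SAMPLE_ROWS))
```

The order of the arrow checks is the one detail that matters: testing "->" first would split a bidirectional name at the wrong place and report it as unidirectional with a dangling "<" on the source side.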

Table 6-7 Parameters in the Management View (Unidirectional Static P2P/P2MP)

Source Encryption Port Enable State: Indicates the encryption enable status
(Enable or Disable) of the current port.
● Disable (by default): indicates that the source port is not encrypted and
data transmitted through this port will not be encrypted.
● Enable: indicates that the source port is encrypted, and data transmitted
through this port will be encrypted.

Encryption and Decryption Result: Indicates whether user secret keys used by
the source and sink ends inside the broadcast group are consistent.
● Succeeded: indicates that user secret keys used by the source and sink ends
inside the broadcast group are consistent.
● Failed: indicates that user secret keys used by the source and sink ends
inside the broadcast group are inconsistent.

Trail Detection Result: Indicates whether the source and sink ports are
correctly configured.
● Succeeded: indicates that the source and sink ports are correctly configured.
● Failed: indicates that the source and sink ports are incorrectly configured.


Table 6-8 Parameters in the Management View (Dynamic Group)

Source Encryption Port Enable State: Displays the encryption enable status of a
port group.
● Disable (by default): indicates that encryption is disabled on all ports in
the port group. Service data transmitted through the broadcast group will not
be encrypted.
● Enable: indicates that encryption is enabled on all ports in the port group.
Service data transmitted through the broadcast group will be encrypted.

Encryption and Decryption Result: Indicates whether the keys used by the source
and sink ends of a specific service in a port group are consistent.
● Succeeded: The keys used by the source and sink ends of the service in the
port group are consistent.
● Failed: The keys used by the source and sink ends of the service in the port
group are inconsistent.

Trail Detection Result: Indicates whether the source and sink ports of a
specific service in a port group are configured correctly.
● Succeeded: indicates that the source and sink ports are correctly configured.
● Failed: indicates that the source and sink ports are incorrectly configured.

Table 6-9 Major parameters for Port Encryption State

EMK Initialization Interrupt Service State: Indicates whether the service will
be interrupted when the EMK value is initialized on the current port.
● Disable (by default): indicates that the service will not be interrupted.
● Enable: indicates that the service will be interrupted.

Encryption Enable State: Indicates the encryption enable status of the current
port.
● Disable (by default): indicates that the data transmitted through this port
will not be encrypted.
● Enable: indicates that the data transmitted through this port will be
encrypted.

Decryption Enable State: Indicates the decryption enable status of the current
port.
● Disable (by default): indicates that the data transmitted through this port
will not be decrypted.
● Enable: indicates that the encrypted data transmitted through this port will
be decrypted.

Authentication Information Swap Status (Bidirectional P2P): Indicates the
authentication information swap status of the current port.
● Succeeded: indicates that the authentication information of the current port
is successfully swapped.
● Failed: indicates that the authentication information swap of the current
port fails.

Encryption Keys Swap Status (Bidirectional P2P): The current key swap status
can be queried only when the encryption function is enabled on the port. The
key swap statuses are classified into the following types:
● IDLE: indicates that the key swap function of the current port is not enabled.
● SUCCESS: indicates that the keys of the current port are successfully swapped.
● EXCHANGE: indicates that the current port is swapping the keys.
● FAILURE: indicates that the key swap of the current port fails.
● SUSPEND: indicates that the key swap of the current port pauses.

Decryption Pattern (Unidirectional Static P2P/P2MP and Dynamic Group): The
decryption modes are valid only for sink ends.
● Auto Adaption: indicates that whether broadcast group services are decrypted
at the sink end depends on the configuration of the source end. If the
encryption function is enabled at the source end, the services will be
decrypted at the sink end.
● Disable: indicates that broadcast services are not decrypted at the sink end
and the services will be interrupted.

Authentication Status (Unidirectional Static P2P/P2MP and Dynamic Group):
Indicates the status of identity authentication that the sink end performs on
the source end. The sink end supports this parameter, but the source end does
not.
● Unready: indicates that the source end is not enabled.
● Succeeded: indicates that the sink end successfully authenticates the source
end.
● Failed: indicates that the sink end fails to authenticate the source end.

Issue 7.0 (2020-09-20) Copyright © Huawei Technologies Co., Ltd. 78


WDM OTN L1 Service Encryption Feature Guide 6 Configuring Encryption Using the NMS and SMT

Table 6-10 Major parameters for Port Encryption Information

Parameter / Description

Key Replacement Interval
    Indicates the encryption key replacement cycle of a port. The encryption
    keys of an encryption service can be replaced regularly.
    ● The default value is 30Min (30 minutes). This parameter can be set to
      10Min, 30Min, 1H, 3H, 6H, 1D, 7D, or 30D.
    ● Key Replacement Interval can be set only on encryption ports, and the
      setting is automatically synchronized to the decryption ports. The two
      directions of a bidirectional service therefore each have their own
      replacement cycle, and the cycles do not affect each other.

DH Encryption Key Length
    Indicates the DH encryption key length of a port. The default value is 2048.
    ● For OSN 1800: DH Encryption Key Length can only be queried but cannot be
      set on an NE whose system control board is not an F1SCC board. DH
      Encryption Key Length can only be set on an NE whose system control board
      is an F1SCC board.
      NOTICE
      TNF1CE6 boards support 1024-bit and 2048-bit DH keys for backward
      compatibility. For security purposes, the recommended key length is 2048.
    ● For OSN 6800/8800/9800: DH Encryption Key Length can only be queried but
      cannot be set.

Joint Pattern (Bidirectional P2P)
    Indicates the interconnection mode of a port.
    ● For OSN 1800:
      – For an NE whose system control board is not an F1SCC board: The
        interconnection mode is not supported, and the value of Joint Pattern is
        displayed as -.
      – For an NE with an F1SCC board as the system control board: If the value
        of Last-Fail-Time is displayed as -, the value of Joint Pattern is also
        displayed as -. Otherwise, the value of Joint Pattern is the actual
        interconnection mode.
    ● For OSN 6800/8800/9800: The interconnection mode is not supported, and the
      value of Joint Pattern is displayed as -.

Key Residual Effective Time
    Indicates the remaining effective time of the current port's key. The
    default unit is minute.

Last Time Key Swap Success Time
    Indicates the time of the last successful key replacement.

Last Time Key Swap Failure Time
    Indicates the time of the last failed key replacement.

Key Cumulative Failure Times
    Indicates the number of key replacement failures.



WDM OTN L1 Service Encryption Feature Guide 7 Encryption Capability of Huawei WDM OTN Networks

7 Encryption Capability of Huawei WDM OTN Networks

7.1 Availability
To use the encryption function normally, you must obtain the corresponding
license, hardware version, SMT tool, and NMS tool.
7.2 Specifications
This topic describes the L1 service encryption specifications that the product
supports.
7.3 Feature Updates
This topic describes the feature updates in each version and the corresponding
documentation updates. The versions that are not listed in the document are
those without feature updates.
7.4 Reference Standards and Protocols
This section lists the standards and protocols associated with L1 service
encryption.

7.1 Availability
To use the encryption function normally, you must obtain the corresponding
license, hardware version, SMT tool, and NMS tool.

7.1.1 Required License


The encryption function can be used only when the corresponding license is
applied on the NMS.


Table 7-1 License function and application description

Function: The L1 service encryption function can be used only after a license is
obtained.
Requirement:
    ● License usage: One license is required if one or more ports on a board are
      configured as encryption ports.
    ● License release: The license is released if all encryption ports on the
      board are released.

7.1.2 Supported Hardware and Versions of the OSN 9800 U64/U32/U16/UPS
This topic describes the mapping between encryption boards, devices, NMS
versions, and SMT versions.

Table 7-2 Mapping between bidirectional service encryption boards and products

Board Type / Product-Applicable Initial Board Version

TNV3T230, TNV3T220, and TNV3T210
    U64 standard/U32 standard/U16 subrack-V100R005C00
    U32 enhanced subrack-V100R006C00
    U64 enhanced subrack-V100R007C00SPC200

TNV3T404 and TNU1G404
    U64 standard/U32 standard/U16 subrack-V100R005C10
    U32 enhanced subrack-V100R006C00
    U64 enhanced subrack-V100R007C00SPC200

TNV3T401, TNV3T402, and TNU1G402
    U64 standard/U32 standard/U32 enhanced/U16 subrack-V100R006C00
    U64 enhanced subrack-V100R007C00SPC200

TNV5T404
    U64 standard/U64 enhanced/U32 standard/U32 enhanced subrack-V100R007C00SPC200

TNV5T401 and TNV5T402
    U64 standard/U64 enhanced/U32 standard/U32 enhanced/U16 subrack-V100R007C00SPC500

TNV3G220 and TNV1T601
    U64 standard/U64 enhanced/U32 standard/U32 enhanced subrack-V100R007C00SPC500

TNV6T220 and TNV7T402
    U64 standard/U32 standard/U32 enhanced/U64 enhanced subrack-V100R007C00SPC700

TNV1T120S
    U64 standard/U32 standard/U16 subrack-V100R006C00

TN11LDC
    UPS-V100R006C00

TN17LTX
    P18/UPS subrack-V100R006C00

TN11LQCP and TN12LDC
    UPS subrack-V100R006C10

TNV8T404
    U64 standard/U64 enhanced/U32 standard/U32 enhanced/U16 subrack-V100R019C10SPC300

TNV1T502
    U64 standard/U64 enhanced/U32 standard/U32 enhanced subrack-V100R019C10SPC300

TNV8T402, TNV7T220, TNV2T601
    U64 standard/U64 enhanced/U32 standard/U32 enhanced/U16-V100R019C10SPC600

TNV1T410
    U64 enhanced/U32 enhanced-V100R019C10SPC600

NOTE
● When working in ODU1 convergence and ODU1_ODU0 mode, the board does not
  support encryption.
● When OTU4 services are received on the client side of the encryption board,
  the encryption feature is not supported.

Table 7-3 Mapping between unidirectional broadcast service encryption boards and
products

Board Type / Product-Applicable Initial Board Version

TNV1T120S
    U64 standard/U32 standard/U16 subrack-V100R006C00


Table 7-4 Mapping between product versions and NMS versions and between
product versions and SMT versions

Start Device Version: OSN 9800 V100R005C00
    Start NMS Version: iManager U2000 V200R018C60; iMaster NCE V100R019C00
    Start SMT Version: SMT 19.1.110

7.1.3 Supported Hardware and Versions of the OSN 9800 M Series Subracks
This topic describes the mapping between encryption boards, devices, NMS
versions, and SMT versions.

Table 7-5 Mapping between bidirectional service encryption boards and products

Board Type / Initial Version

TNG1M402 and TNG1M502DM
    V100R007C00SPC700

TNG1M504DM
    V100R019C10SPC300

TNG1M210D, TNG1M520SM, TNG1M404DM, TNG2M604SM
    V100R019C10SPC600

TNG1T212, TNV3T230, TNV6T220, and TNV7T402
    V100R007C00SPC700

TNV1T502 and TNV8T404
    V100R019C10SPC300

TNV8T402, TNV7T220, TNV2T601, TNV1T410
    V100R019C10SPC600

NOTE
● When working in ODU1 convergence and ODU1_ODU0 mode, the board does not
  support encryption.
● When OTU4 services are received on the client side of the encryption board,
  the encryption feature is not supported.


Table 7-6 Mapping between product versions and NMS versions and between
product versions and SMT versions

Start Device Version: OSN 9800 V100R007C00SPC700
    Start NMS Version: iManager U2000 V200R018C60; iMaster NCE V100R019C00
    Start SMT Version: SMT 19.1.110

7.1.4 Supported Hardware and Versions of the OSN 8800/6800


This topic describes the mapping between encryption boards, devices, NMS
versions, and SMT versions.

Table 7-7 Mapping between the OSN 8800 boards and devices that support
bidirectional service encryption, NMS versions, and SMT versions

Board Type / Product-Applicable Initial Board Version

TN17LTX
    T64/T32/T16/Platform subrack/UPS-V100R012C10

TN11LDC
    T64/T32/T16/UPS-V100R012C10

TN11LQCP and TN12LDC
    T64/T32/T16/UPS-V100R013C00

NOTE
When the TN11LDC, TN12LDC, or TN11LQCP board receives OTU4 services on the
client side, the encryption feature is not supported.

Table 7-8 Mapping between the OSN 6800 boards and devices that support
bidirectional service encryption, NMS versions, and SMT versions

Board Type / Product-Applicable Initial Board Version

TN17LTX
    OSN 6800 subrack-V100R012C10

Table 7-9 Mapping between product versions and NMS versions and between
product versions and SMT versions

Start Device Version: OSN 8800/6800 V100R012C10
    Start NMS Version: iManager U2000 V200R017C60; NCE V100R019C00
    Start SMT Version: SMT 19.1.110


7.1.5 Supported Hardware and Versions of the OSN 1800


This topic describes the mapping between encryption boards, product versions,
NMS versions, and SMT versions.

Table 7-10 Mapping between bidirectional service encryption boards and products

Board Type / Product-Applicable Initial Board Version

TNF1CE6
    1800 I&II Compact (F1SCC)-V100R005C00
    1800 I&II Compact (F3SCC)-V100R006C20
    1800 V-V100R006C20

TNF2LTX
    1800 I&II Compact-V100R006C20
    1800 V-V100R006C20
    1800 II Enhanced-V100R007C10

TNF3LTX, TNF1LSC, TNF1LSCG, TNF1LSCM
    1800 I&II Compact-V100R008C00
    1800 V-V100R008C00
    1800 II Enhanced-V100R008C00

TNF6TTA, TNF6TOA
    1800 V-V100R008C00
    1800 II Enhanced-V100R008C00

TNF1LDCA
    1800 I&II Compact-V100R008C10
    1800 V-V100R008C10
    1800 II Enhanced-V100R008C10

TNF7TTA
    1800 V-V100R009C00
    1800 II Enhanced-V100R009C00

TMB1LDCD
    1800 V-V100R019C10SPC300
    1800 II TP-V100R019C10SPC300
    1800 II Pro-V100R019C10SPC600
    1800 V Pro-V100R019C10SPC600

TMB1LDC
    1800 I&II Compact-V100R019C10SPC300
    1800 II Enhanced-V100R019C10SPC300
    1800 V-V100R019C10SPC300
    1800 II TP-V100R019C10SPC300
    1800 II Pro-V100R019C10SPC600
    1800 V Pro-V100R019C10SPC600

TMB1LDCA
    1800 I&II Compact-V100R019C10SPC600
    1800 II Enhanced-V100R019C10SPC600
    1800 V-V100R019C10SPC600
    1800 II TP-V100R019C10SPC600
    1800 II Pro-V100R019C10SPC600
    1800 V Pro-V100R019C10SPC600

TMB1ELOM
    1800 I&II Compact-V100R019C10SPC600
    1800 II Enhanced-V100R019C10SPC600
    1800 V-V100R019C10SPC600
    1800 II TP-V100R019C10SPC600
    1800 II Pro-V100R019C10SPC600
    1800 V Pro-V100R019C10SPC600

TMB1LDX, TMB1LTX
    1800 I&II Compact-V100R019C10SPC600
    1800 II Enhanced-V100R019C10SPC600
    1800 V-V100R019C10SPC600
    1800 II TP-V100R019C10SPC600
    1800 II Pro-V100R019C10SPC600
    1800 V Pro-V100R019C10SPC600

TMK1MDCA
    1800 II TP-V100R019C10SPC600
    1800 II Pro-V100R019C10SPC600
    1800 V Pro-V100R019C10SPC600

TMK1GTA, TMK1TDC, TMK1TTA
    1800 II Pro-V100R019C10SPC600
    1800 V Pro-V100R019C10SPC600

NOTE
● In an OSN 1800 V subrack, the TNF6TOA board supports the encryption function
  only when the system control board is TNZ5UXCMS.
● In an OSN 1800 V subrack of V100R008C10 or an earlier version, the TNF6TTA
  board supports the encryption function only when the system control board is
  TNZ5UXCMS.


Table 7-11 Mapping between product versions and NMS versions and between
product versions and SMT versions

Start Device Version: 1800 I&II Compact V100R005C00
    Start NMS Version: iManager U2000 V200R017C60; iMaster NCE V100R019C00
    Start SMT Version: SMT 19.1.110

Start Device Version: 1800 V V100R006C20
    Start NMS Version: iManager U2000 V200R016C50; iMaster NCE V100R019C00
    Start SMT Version: SMT 19.1.110

Start Device Version: 1800 II Enhanced V100R007C10
    Start NMS Version: iManager U2000 V200R017C50
    Start SMT Version: SMT 19.1.110

Start Device Version: 1800 II TP V100R019C10
    Start NMS Version: iMaster NCE V100R019C00
    Start SMT Version: SMT 19.1.110

Start Device Version: 1800 II Pro V100R019C10
    Start NMS Version: iMaster NCE V100R019C00
    Start SMT Version: SMT 19.1.110

Start Device Version: 1800 V Pro V100R019C10
    Start NMS Version: iMaster NCE V100R019C00
    Start SMT Version: SMT 19.1.110

7.2 Specifications
This topic describes the L1 service encryption specifications that the product
supports.

7.2.1 Overview
This topic lists the overall specifications that products support.

Table 7-12 Encryption features of Huawei WDM OTN equipment

Item / Specification

Encryption type
    ● Bidirectional P2P service encryption
    ● Unidirectional static P2P/P2MP service encryption
    ● Dynamic multicast service encryption

Typical service type
    SDH/SONET, Ethernet, OTN, SAN, and video services

Minimum encryption unit
    Board port level. Users can be allocated by port and port-specific
    encryption can be configured, which makes service applications more
    flexible.

Encryption algorithm
    The standard AES-256 encryption algorithm in CTR mode is used, which has the
    highest security level.

Key algorithm
    The key is dynamically generated.
    ● Bidirectional P2P service encryption: key negotiation based on the
      Diffie-Hellman algorithm.
    ● Unidirectional static P2P/P2MP service encryption: key calculation based
      on the PBKDF2 algorithm.
    ● Dynamic multicast service encryption: key calculation based on the PBKDF2
      algorithm.

Key management
    ● The public key information is stored in the OPUk overhead and can be
      transparently transmitted over a third-party network.
    ● The key change period is configurable.

Anti-eavesdropping
    The SMT and NEs communicate with each other using the SSL/TLSv1.2 protocol,
    preventing management information from being eavesdropped.

Anti-spoofing
    A pair of devices checks the peer end's authentication information before
    starting key negotiation.
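
Table 6-10 and Table 7-12 list the pieces of the key lifecycle separately: Diffie-Hellman negotiation for bidirectional P2P ports, PBKDF2 key calculation for the unidirectional modes, an AES-256 data key, the authentication check that precedes negotiation, a configurable Key Replacement Interval and a Key Residual Effective Time that counts down to the next swap. The following Python block is an added example written for this guide, not Huawei NE or SMT code, showing how those pieces fit together on one port pair. Its assumptions: the RFC 3526 2048-bit MODP group stands in for the board's DH parameters, an HMAC over the DH public value under a secret provisioned on both ports stands in for the "authentication information" swap, a pre-shared input and salt stand in for the PBKDF2 inputs, and times are whole minutes. The OPUk overhead transport and the AES-256-CTR data path are not modelled.

```python
"""Key negotiation and key replacement bookkeeping for one encrypted port pair.

Added example for this guide, not Huawei NE/SMT code. Assumptions: RFC 3526
group 14 stands in for the board's DH parameters, an HMAC over the DH public
value stands in for the "authentication information" swap, PBKDF2 inputs are
pre-shared, and times are whole minutes. OPUk transport and AES-256-CTR are
not modelled.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 3526 group 14: 2048-bit MODP safe prime, generator 2.
MODP_2048_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
MODP_2048_G = 2
DH_BYTES = (MODP_2048_P.bit_length() + 7) // 8   # 256 bytes for a 2048-bit group
AES_256_KEY_BYTES = 32

# Key Replacement Interval values listed in Table 6-10, in minutes.
KEY_REPLACEMENT_INTERVALS_MIN = {
    "10Min": 10, "30Min": 30, "1H": 60, "3H": 180,
    "6H": 360, "1D": 1440, "7D": 10080, "30D": 43200,
}


def dh_keypair() -> Tuple[int, int]:
    """(private exponent, public value) for one end of a bidirectional P2P port pair."""
    priv = secrets.randbelow(MODP_2048_P - 3) + 2          # 2 <= priv <= p-2
    return priv, pow(MODP_2048_G, priv, MODP_2048_P)


def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    """Validate the peer's public value, then reduce the DH output to an AES-256 key."""
    if not 2 <= peer_pub <= MODP_2048_P - 2:
        raise ValueError("peer public value out of range")
    shared = pow(peer_pub, priv, MODP_2048_P)
    if shared in (1, MODP_2048_P - 1):                     # the only low-order results for a safe prime
        raise ValueError("degenerate shared secret")
    return hashlib.sha256(shared.to_bytes(DH_BYTES, "big")).digest()   # 32 bytes


def pbkdf2_session_key(pre_shared: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Unidirectional modes: source and sink each compute the same key from a
    pre-shared input and salt (assumption), so no return channel is needed."""
    return hashlib.pbkdf2_hmac("sha256", pre_shared, salt, iterations, dklen=AES_256_KEY_BYTES)


def auth_tag(auth_secret: bytes, public_value: int) -> bytes:
    """Stand-in for the authentication information checked before negotiation:
    an HMAC over the public value under a secret provisioned on both ports."""
    return hmac.new(auth_secret, public_value.to_bytes(DH_BYTES, "big"), "sha256").digest()


def negotiate_p2p(secret_a: bytes, secret_b: bytes) -> Tuple[bytes, bytes]:
    """One negotiation round; it succeeds only if both ends hold the same provisioned secret."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    msg_a = (a_pub, auth_tag(secret_a, a_pub))             # what end A publishes
    msg_b = (b_pub, auth_tag(secret_b, b_pub))             # what end B publishes
    # Each end checks the peer's tag with its own secret before using the peer's value.
    if not hmac.compare_digest(auth_tag(secret_b, msg_a[0]), msg_a[1]) or \
       not hmac.compare_digest(auth_tag(secret_a, msg_b[0]), msg_b[1]):
        raise ValueError("authentication information swap failed")
    return dh_shared_key(a_priv, msg_b[0]), dh_shared_key(b_priv, msg_a[0])


@dataclass
class PortKeyState:
    """Per-port fields from Table 6-10, with times as whole minutes."""
    key_replacement_interval: str
    last_swap_success_min: int
    last_swap_failure_min: Optional[int] = None
    cumulative_failure_times: int = 0

    def key_residual_effective_min(self, now_min: int) -> int:
        """Minutes left before the current key must be replaced (never negative)."""
        due = self.last_swap_success_min + KEY_REPLACEMENT_INTERVALS_MIN[self.key_replacement_interval]
        return max(0, due - now_min)

    def replacement_due(self, now_min: int) -> bool:
        return self.key_residual_effective_min(now_min) == 0

    def record_failure(self, now_min: int) -> None:
        self.last_swap_failure_min = now_min
        self.cumulative_failure_times += 1


if __name__ == "__main__":
    provisioned = b"constructed-auth-secret"                # constructed sample value
    key_a, key_b = negotiate_p2p(provisioned, provisioned)
    print("keys match:", key_a == key_b, "length:", len(key_a))
    state = PortKeyState("30Min", last_swap_success_min=1000)
    print("residual at minute 1010:", state.key_residual_effective_min(1010))
```

The authentication check is where the table's anti-spoofing row bites: if the two ends were provisioned with different secrets, `negotiate_p2p` refuses to derive a key at all rather than deriving one with an unverified peer. The range check in `dh_shared_key` is the other defensive step a practitioner expects on the DH path, rejecting public values of 0, 1 or p-1 that would force a predictable shared secret.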

7.2.2 Encryption Capability of the OSN 9800 U64/U32/U16/UPS
This topic describes the service types that support the encryption function and the
number of supported encryption ports on the OSN 9800 U64/U32/U16/UPS.
Table 7-13 shows the encryption capability of the OSN 9800.

Table 7-13 Service types that support the encryption function and number of
supported encryption ports

Item / Specifications

Encryption type
    ● Bidirectional service encryption
    ● Unidirectional service encryption

Service type that supports bidirectional encryption
    ● SDH/SONET service: STM-1/OC-3, STM-4/OC-12, STM-16/OC-48, STM-64/OC-192
    ● Ethernet service: FE/GE/10GE LAN/10GE WAN/40GE/50GE/100GE/200GE/400GE
    ● OTN service: OTU1/OTU2/OTU2e
    ● SAN service: FC100/FC200/FC400/FICON/FICON Express/FICON4G/FC800/FICON8G/
      FC1200/FC1600/FC3200/ESCON/FDDI/Infiniband 5G
    ● Video service: SDI/HD-SDI/HD-SDIRBR/3G-SDI/3G-SDIRBR/DVB-ASI
    ● FlexE service
    NOTE
    ● When working in ODU1 convergence and ODU1_ODU0 mode, the board does not
      support encryption.
    ● When OTU4 services are received on the client side of the encryption
      board, the encryption feature is not supported.

Service type that supports unidirectional encryption
    Video service: SDI/HD-SDI/HD-SDIRBR/3G-SDI/3G-SDIRBR/DVB-ASI

7.2.3 Encryption Capability of the OSN 9800 M Series Subracks
This topic describes the service types that support the encryption function and the
number of supported encryption ports on the OSN 9800 M series subracks.

Table 7-14 Service types that support the encryption function and number of
supported encryption ports

Item / Specifications

Encryption type
    ● Bidirectional service encryption

Service type that supports bidirectional encryption
    ● SDH/SONET service: STM-1/OC-3, STM-4/OC-12, STM-16/OC-48, STM-64/OC-192
    ● Ethernet service: FE/GE/10GE LAN/10GE WAN/40GE/50GE/100GE/200GE
    ● OTN service: OTU1/OTU2/OTU2e
    ● SAN service: FC100/FC200/FC400/FICON/FICON Express/FICON4G/FC800/FICON8G/
      FC1200/FC1600/FC3200/ESCON/FDDI/Infiniband 5G
    ● Video service: SDI/HD-SDI/HD-SDIRBR/3G-SDI/3G-SDIRBR/DVB-ASI
    ● FlexE service
    NOTE
    ● When working in ODU1 convergence and ODU1_ODU0 mode, the board does not
      support encryption.
    ● When OTU4 services are received on the client side of the encryption
      board, the encryption feature is not supported.

7.2.4 Encryption Capability of the OSN 8800/6800


This topic describes the service types that support the encryption function and the
number of supported encryption ports on the OSN 8800/6800.
Table 7-15 shows the encryption capability of the OSN 8800/6800.

Table 7-15 Service types that support the encryption function and number of
supported encryption ports

Item / Specifications

Encryption type
    Bidirectional service encryption

Service type that supports bidirectional encryption
    ● SDH/SONET service: STM-64/OC-192
    ● Ethernet service: 10GE LAN/10GE WAN/40GE/100GE
    ● OTN service: OTU2/OTU2e
    ● SAN service: FC800/FC1200/FC1600/FC3200/Infiniband 5G
    NOTE
    ● When working in ODU1 convergence and ODU1_ODU0 mode, the board does not
      support encryption.
    ● When OTU4 services are received on the client side of the encryption
      board, the encryption feature is not supported.

7.2.5 Encryption Capability of the OSN 1800


This topic describes the service types that support the encryption function and the
number of supported encryption ports on the OSN 1800.
Table 7-16 shows the encryption capability of the OSN 1800.

Table 7-16 Service types that support the encryption function and number of
supported encryption ports

Item / Specifications

Encryption type
    Bidirectional service encryption

Service type that supports bidirectional encryption
    ● Ethernet service: FE/GE/10GE LAN/10GE WAN/40GE/100GE
    ● SAN service: FC100/FC200/FC400/FC800/FC1200/FC1600/FICON/FICON 4G/
      FICON 8G/FICON 10G/FICON EXPRESS/Infiniband 2.5G/Infiniband 5G (not
      supported when the system control board is F1SCC)/Infiniband 10G/ESCON/
      FDDI/ISC 1G/ISC 2G
    ● SDH/SONET service: STM-1/OC-3, STM-4/OC-12, STM-16/OC-48, STM-64/OC-192
    ● OTN service: OTU2/OTU2e
    ● Video service: DVB-ASI/SDI/HD-SDI/3G-SDI
    NOTE
    ● When working in ODU1 convergence and ODU1_ODU0 mode, the board does not
      support encryption.
    ● When OTU4 services are received on the client side of the encryption
      board, the encryption feature is not supported.

7.3 Feature Updates


This topic describes the feature updates in each version and the corresponding
documentation updates. The versions that are not listed in the document are
those without feature updates.

7.3.1 OSN 9800 U64/U32/U16/UPS Feature Updates


L1 service encryption is available since OSN 9800 U64/U32/U16 V100R005C00. L1
service encryption is available since OSN 9800 UPS V100R006C00.


Updates in V100R006C00 Compared with V100R005C10

Feature Updates: U64, U32 standard, and U16 subracks newly support
unidirectional service encryption.
Update Type: Addition
Description: Enhanced product functions, involving updates in the following
topics:
    ● 7.2 Specifications: Unidirectional service encryption is added.
    ● 5 Encryption Dependencies and Limitations: The restrictions for
      unidirectional service encryption are added.
    ● 6.3.5 Encrypting Unidirectional Static P2P/P2MP Services: This chapter is
      added.

Updates in V100R005C10 Compared with V100R005C00

Feature Updates: TNV3T404 and TNU1G404 boards support the encryption function
and can be installed in U64, U32 standard, and U16 subracks.
Update Type: Addition
Description: Enhanced product functions, involving updates in the following
topic:
    7.1.2 Supported Hardware and Versions of the OSN 9800 U64/U32/U16/UPS: The
    mapping between TNV3T404 and TNU1G404 boards and subracks is added.

Feature Updates: For the application of 100GE service encryption, the
corresponding restrictions must be met.
Update Type: Modified
Description: Updated the following topic:
    5 Encryption Dependencies and Limitations: The restrictions for 100GE
    service encryption are added.

Updates in V100R005C00

Feature Updates: The encryption feature is available since this version.
Update Type: Addition
Description: Added the full text.


7.3.2 OSN 9800 M Series Subracks Feature Updates


L1 service encryption is available since OSN 9800 M Series Subracks
V100R007C00SPC700.

Updates in V100R019C10SPC600

Feature Update: The encryption feature is available for 9800 M05 since this
version.
Update Type: Addition
Description: Added the description of M05 encryption.

Updates in V100R007C00SPC700

Feature Update: The encryption feature is available for 9800 M24/M12 since this
version.
Update Type: Addition
Description: Added the description of M24/M12 encryption.

7.3.3 OSN 8800/6800 Feature Updates


L1 service encryption is available since OSN 8800 V100R012C10.

Updates in V100R012C10

Feature Updates: The encryption feature is available since this version.
Update Type: Addition
Description: Added the full text.

7.3.4 OSN 1800 Feature Updates


L1 service encryption is available since OSN 1800 V100R005C00.


Updates in V100R007C10 Compared with V100R007C00

Feature Updates: The 1800 II Enhanced chassis supports the encryption function.
Update Type: Addition
Description: Enhanced product functions, involving updates in the following
topics:
    ● 7.2 Specifications: The encryption specifications are added for the
      1800 II Enhanced chassis.
    ● 7.1.5 Supported Hardware and Versions of the OSN 1800: The 1800 II
      Enhanced chassis is added.

Feature Updates in V100R006C20 Compared with V100R005C00

Feature Updates:
    ● The 1800 I&II Compact (F3SCC) chassis supports the encryption function.
    ● The 1800 V chassis supports the encryption function.
Update Type: Addition
Description: Enhanced product functions, involving updates in the following
topics:
    ● 7.2 Specifications: The encryption specifications are added for the
      1800 I&II Compact (F3SCC) and 1800 V chassis.
    ● 7.1.5 Supported Hardware and Versions of the OSN 1800: The 1800 I&II
      Compact (F3SCC) chassis is added.
    ● 7.1.5 Supported Hardware and Versions of the OSN 1800: The 1800 V chassis
      is added.

Feature Updates in V100R005C00

Feature Updates: The encryption feature is available since this version.
Update Type: Addition
Description: Added the full text.

7.4 Reference Standards and Protocols


This section lists the standards and protocols associated with L1 service
encryption.


● RFC 2631: Diffie-Hellman Key Agreement Method
● FIPS PUB 197: The official AES standard
