Document ID: 116055
Updated: Oct 25, 2013
Contributed by Wen Zhang and Anthony Grieco, Cisco TAC Engineers.
This document describes next generation encryption (NGE) support on Cisco IOS® and IOS-XE platforms.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
- Cisco IOS, multiple versions as noted in the table
- Cisco IOS-XE, multiple versions as noted in the table
- Multiple Cisco platforms as noted in the table
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
NGE and Suite B Algorithms
The algorithms that make up NGE are the result of more than 30 years of global advances and evolution in cryptography. Each component of NGE has its own history, depicting the diverse history of the NGE algorithms and their longstanding academic and community review. NGE comprises globally created, globally reviewed, and publicly available algorithms.
The U.S. National Security Agency (NSA) has also identified a set of cryptographic standards for public networks. These algorithms, called Suite B, are the preferred method to help ensure the security and integrity of information passed over public networks such as the Internet. Several Suite B algorithms are used in NGE.
NGE algorithms are integrated into Internet Engineering Task Force (IETF), IEEE, and other international standards. As a result, NGE algorithms have been applied to the most recent and highly secure protocols for protecting user data, such as Internet Key Exchange Version 2 (IKEv2).
Types of cryptographic algorithms include:
- Symmetric encryption - 128-bit or 256-bit Advanced Encryption Standard (AES) in GCM (Galois/Counter mode)
- Hash - Secure Hash Algorithms (SHA)-2 (SHA-256 and SHA-384)
- Digital signatures - Elliptic Curve Digital Signature Algorithm (ECDSA)
- Key agreement - Elliptic Curve Diffie-Hellman (ECDH)
NGE Support on IOS and IOS-XE Platforms
This table summarizes NGE support on Cisco IOS-based and IOS-XE-based platforms.
|Platforms||Crypto Engine Type||Supported by NGE||First Version of Cisco IOS/IOS-XE to Support NGE|
|All platforms that run IOS classic||IOS software crypto engine||Yes||15.1(2)T|
|ISR G2 2951, 3925, 3945||Onboard1||Yes||15.1(3)T|
|ISR G2 (excluding 3925E/3945E)||VPN-ISM1||Yes||15.2(1)T1|
|ISR G2 800, 1900, 2901, 2911, 2921, 3935R, 3925E, 3945E||Onboard1||Yes||15.2(4)M|
|ISR4451-X||Onboard||Yes||IOS-XE 3.9 (15.3(2)S)|
Note 1: On ISR G2 platform, if ECDH/ECDSA is configured, these cryptographic operations will be run in software irrespective of the cryptographic engine.
Note 2: Support for Suite B control plane (ECDH and ECDSA) has been introduced with XE37. Control plane SHA-2 support is for IKEv2 only (with planned IKEv1 support for XE3.10). Dataplane support is added in XE3.8 for Octeon based platforms (ASR1002-X and ESP100).
Other Suite B Feature Support
GETVPN Support for Suite B
- Cisco IOS software support on ISR G2 platforms starts with Version 15.2(4)M.
- ASR support starts with Cisco IOS-XE software, Version 3.10S (15.3(3)S).
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.