Introduction
General
This document provides a detailed description of the DIRAC server.
The DIRAC system is composed of server-side software, the “DIRAC server”, and several SENC1 boards operated in FOX61x network elements (NEs). The DIRAC system constitutes a security zone which is integrated with the ENP and ESM of FOXMAN-UN and/or FOXCST managing the FOX61x network elements.
The DIRAC management network can share the physical network with the FOXMAN-UN to FOX61x NE management network, since the DIRAC system provides its own authentication and encryption independently of that network.
Encryption with the MPLS application using SENC1 and DIRAC server
The DIRAC server is a centralized key management system and is responsible for the generation and distribution of the Master Keys used by the SENC1 Crypto Engines. The random numbers required for the Master Keys are generated by a Quantis USB device, attached to the DIRAC server.
The DIRAC server is managed through a command line interface (CLI). In addition, a secure interface between the network management system FOXMAN-UN and the DIRAC server keeps paired information (Crypto Engine identifiers, encrypted MPLS tunnels and their tunnel endpoints, DIRAC server alarm status) synchronized between the two systems.
The communication between the DIRAC server and FOXMAN-UN uses a REST interface over HTTPS.
The DIRAC server also forwards the crypto configuration of the MPLS tunnels, received from FOXMAN-UN, to all SENC1 Crypto Engines in the DIRAC system over secured channels. These channels are carried on Ethernet or MPLS-TP links, depending on the chosen configuration.
SENC1 boards are the hardware units that provide encryption in the FOX61x network element. The SENC1-4 and SENC1F4 boards have one Functional Unit with two Crypto Engines. The SENC1-8 and SENC1F8 boards have two Functional Units with two Crypto Engines each, i.e. four Crypto Engines in total. Each Crypto Engine has two Ethernet interfaces and encrypts and decrypts bidirectional user traffic. For more information on SENC1 units refer to [1KHW029028] FOX61x User Manual “SENC1-4, SENC1F4, SENC1-8, SENC1F8”.
The enrollment of SENC1 units and the establishment of trust between the DIRAC server and the SENC1 Crypto Engines is performed by the crypto officer via FOXMAN-UN/ESM. FOXMAN-UN/ESM use the gRPC channel (see below) to set up the crypto configuration of MPLS tunnels.
The communication between the DIRAC server and the SENC1 Functional Units is based on the encrypted gRPC protocol (management channel). The certificates used for the gRPC encryption are created on the DIRAC server and on the SENC1 Functional Units and are exchanged automatically between the DIRAC server and the SENC1 Functional Units. Because this exchange is automatic, the authenticity of a management channel rests on the enrollment carried out by the crypto officer: a unit that has not been enrolled must not be able to obtain a trusted channel simply by presenting a certificate.
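The following is an added illustration of the trust relationship described above, written for this page; it is not DIRAC or SENC1 code and the page does not describe how the product stores or checks certificates internally. It shows the generic pattern a practitioner would expect behind an automatically exchanged certificate: the certificate received during enrollment is pinned only with explicit crypto-officer approval, and every later connection is checked against that pin, so an unenrolled unit or a regenerated certificate is rejected rather than silently re-trusted. The class and function names, the peer identifiers and the certificate byte strings are all hypothetical, constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed placeholders standing in for the DER-encoded certificates each side
# generates; in a real deployment these bytes come from the TLS handshake.
CERT_ENGINE_1 = b"constructed DER placeholder: SENC1 functional unit 1, first certificate"
CERT_ENGINE_1_REGENERATED = b"constructed DER placeholder: SENC1 functional unit 1, regenerated certificate"
CERT_SERVER = b"constructed DER placeholder: key management server certificate"


class TrustError(Exception):
    """Raised when a peer must not be trusted on the management channel."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate, the value an operator would compare out of band."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PinStore:
    """Per-peer certificate pins (hypothetical). The same class serves both directions:
    the server pins each engine's certificate and the engine pins the server's."""
    pins: dict = field(default_factory=dict)  # peer id -> enrolled fingerprint

    def enroll(self, peer_id: str, cert_der: bytes, approved_by_crypto_officer: bool) -> str:
        # The automatic exchange only delivers the certificate; an explicit approval
        # turns it into a pin. Replacing an existing pin needs the same approval, so a
        # changed certificate is never accepted without an operator action.
        if not approved_by_crypto_officer:
            raise TrustError(f"enrollment of {peer_id} requires crypto officer approval")
        fp = fingerprint(cert_der)
        self.pins[peer_id] = fp
        return fp

    def verify_peer(self, peer_id: str, cert_der: bytes) -> bool:
        # Called on every later connection with the certificate the peer presents.
        pinned = self.pins.get(peer_id)
        if pinned is None:
            raise TrustError(f"{peer_id} is not enrolled")
        if not hmac.compare_digest(fingerprint(cert_der), pinned):
            raise TrustError(f"certificate of {peer_id} does not match its enrolled fingerprint")
        return True

    def is_trusted(self, peer_id: str, cert_der: bytes) -> bool:
        try:
            return self.verify_peer(peer_id, cert_der)
        except TrustError:
            return False


def demo() -> dict:
    """Walk through enrollment and later connection checks on both sides of the channel."""
    server_side = PinStore()  # held by the key management server
    engine_side = PinStore()  # held by the SENC1 functional unit
    # Enrollment: each side records the certificate it received, with operator approval.
    server_side.enroll("engine-1", CERT_ENGINE_1, approved_by_crypto_officer=True)
    engine_side.enroll("server", CERT_SERVER, approved_by_crypto_officer=True)
    results = {
        "engine accepted": server_side.is_trusted("engine-1", CERT_ENGINE_1),
        "server accepted": engine_side.is_trusted("server", CERT_SERVER),
        "regenerated cert rejected": not server_side.is_trusted("engine-1", CERT_ENGINE_1_REGENERATED),
        "unenrolled engine rejected": not server_side.is_trusted("engine-2", CERT_ENGINE_1),
    }
    # An enrollment attempt without crypto officer approval must fail.
    try:
        server_side.enroll("engine-2", CERT_ENGINE_1_REGENERATED, approved_by_crypto_officer=False)
        results["unapproved enrollment rejected"] = False
    except TrustError:
        results["unapproved enrollment rejected"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'ok' if outcome else 'FAILED'}")
```

The fingerprint comparison uses a constant-time compare and the pin is keyed by the peer identifier the operator enrolled, so a second unit cannot reuse a known certificate under a different identity, and a unit whose certificate was regenerated has to be re-enrolled by the crypto officer before its channel is trusted again.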
The user traffic interfaces of the SENC1 Crypto Engines are interconnected by 1 Gbit/s or 10 Gbit/s secure channels over an MPLS-TP network. For details refer to [1KHW029028] FOX61x User Manual “SENC1-4, SENC1F4, SENC1-8, SENC1F8”.
The alarm status of the SENC1 boards is collected by the core units of the FOX61x network elements and forwarded via the FOX61x NE management network to the network management system FOXMAN-UN and to FOXCST.