Re: community feedback on removing non-encrypted support from consul-release

Amit Kumar Gupta

Hey Aaron,

That's a good point. We have done some internal stress-testing at scale
with IPsec and with consul happening to be in encrypted mode. The data
generally showed that this had negligible impact on things involving
consul. What are the chances you could validate this in one of your
environments with IPsec and secure consul, to get another data point?

Also, do you have a summary of where sensitive information is being
transmitted over NATS? Is it just traffic involving DEA/HM9k? Are you
running Diego, and do you still see sensitive info despite being on the
Diego backend?

You may also be interested to know that the DEA & HM9k team is working on
moving a lot of traffic from NATS to HTTPS:

Amit Gupta, Pivotal
CF Infrastructure team PM

On Sat, Feb 6, 2016 at 5:26 PM, aaron_huber <aaron.m.huber(a)> wrote:

The only thought I have is that for some of us that are doing network level
encryption until you guys do have everything secure by default, this would
just enforce double encrypting some things. Not necessarily the end of the
world but it would slow traffic down and increase CPU load.

Our current plan was to leave TLS disabled until everything is secure and
then switch to point-to-point security at that time and turn off IPSec.
That won't be possible until you stop sending passwords in clear text over
the wire, so at least until NATS is gone and possibly a few more things.
This isn't an argument not to make the change but just a data point for

Aaron Huber
Intel Corporation

View this message in context:
Sent from the CF BOSH mailing list archive at

Join { to automatically receive all group messages.