+1 on desiring everything to be encrypted on the network.
We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.
On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org
We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted.
Is there a timeline or any plans for these last few things?
1) routing-api - still using both TLS and non-TLS in the cf-deployment. The http endpoint is what is registered in the router. Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls
We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)
Peter Burkholder | cloud.gov compliance & security