TLS for everything


Jon Price
 

Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.


Peter Burkholder
 

We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--
Peter Burkholder |  cloud.gov compliance & security
please use cloud-gov-compliance@... for cloud.gov matters


Miki Mokrysz <miki.mokrysz@...>
 

+1 on desiring everything to be encrypted on the network.

We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.


On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:
We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--
Peter Burkholder |  cloud.gov compliance & security
please use cloud-gov-compliance@... for cloud.gov matters


David McClure
 

Hi everyone,

Glad to see this conversation happening. I've been involved in several conversations about this over the years but I'm not sure what public artifacts exist about these efforts. Historically, it has been a challenge to organize so-called "cross-cutting efforts" that require the involvement of many different teams and it may be especially challenging now that much of the community has shifted its focus to developing cf-for-k8s.

That said, here's a thought: perhaps we can approach this feature request and other "cross-cutting" features for cf-for-vms with the following strategy going forward:

  1. Create an issue to track this feature of cf-for-vms in the cf-deployment github repo
    https://github.com/cloudfoundry/cf-deployment/issues
  2. While it's good to continue discussing this anywhere and everywhere (Slack, email, etc), let's make that that Github issue the canonical home for discussion about this going forward and try to "close the loop" back there if discussions are had elsewhere.
  3. If separate issues can be carved out for specific components, create issues on their repositories and link them back to the Github issue on cf-deployment.
    Github's auto-linking between issues should help us make these more discoverable, regardless of which direction the link is going.
Jon, would you like to do the honors as the thread starter here?


From: cf-dev@... <cf-dev@...> on behalf of Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
Sent: Tuesday, September 15, 2020 11:41 AM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] TLS for everything
 
+1 on desiring everything to be encrypted on the network.

We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.

On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:
We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--
Peter Burkholder |  cloud.gov compliance & security


Jon Price
 

Hi David,

 

Done – Issue 906.

 

I too have been involved in several conversations over the past several years about this, back in 2015 we had a meeting with Dieu Cao (Hi Dieu!) and the former chief security officer a Pivotal, Justin Smith about this and I also did a talk at the 2015 CF Summit about using IPsec. 

 

It’s exciting to see how close we are getting to securing every endpoint, only a few more thousand lines of PEM text in the deployment manifest and we are done!

 

-- Jon Price

 

From: cf-dev@... <cf-dev@...> On Behalf Of David McClure
Sent: Tuesday, September 15, 2020 4:36 PM
To: cf-dev@...
Subject: Re: [cf-dev] TLS for everything

 

Hi everyone,

 

Glad to see this conversation happening. I've been involved in several conversations about this over the years but I'm not sure what public artifacts exist about these efforts. Historically, it has been a challenge to organize so-called "cross-cutting efforts" that require the involvement of many different teams and it may be especially challenging now that much of the community has shifted its focus to developing cf-for-k8s.

 

That said, here's a thought: perhaps we can approach this feature request and other "cross-cutting" features for cf-for-vms with the following strategy going forward:

 

  1. Create an issue to track this feature of cf-for-vms in the cf-deployment github repo
    https://github.com/cloudfoundry/cf-deployment/issues
  2. While it's good to continue discussing this anywhere and everywhere (Slack, email, etc), let's make that that Github issue the canonical home for discussion about this going forward and try to "close the loop" back there if discussions are had elsewhere.
  3. If separate issues can be carved out for specific components, create issues on their repositories and link them back to the Github issue on cf-deployment.
    Github's auto-linking between issues should help us make these more discoverable, regardless of which direction the link is going.

Jon, would you like to do the honors as the thread starter here?

 


From: cf-dev@... <cf-dev@...> on behalf of Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
Sent: Tuesday, September 15, 2020 11:41 AM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] TLS for everything

 

+1 on desiring everything to be encrypted on the network.

 

We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.

On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:

We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.

 

On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:

Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS and as far as I can tell there are only a few things that are still unencrypted. 
Is there a timeline or any plans for these last few things?  

1) routing-api - still using both TLS and non-TLS in the cf-deployment.  The http endpoint is what is registered in the router.  Is there a reason for still enabling both?

2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222

3) route_registrar - not using nats-tls

4) gorouter - not using nats-tls

We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)

Jon Price
Intel Corp.



--

Peter Burkholder |  cloud.gov compliance & security

please use cloud-gov-compliance@... for cloud.gov matters

 


caitlyny@...
 

Hi Jon,

I provided an update for #2 within the issue on Github.

Caitlyn