TLS for everything
Jon Price
Hi everyone,
There has been a lot of excellent progress in securing all CF traffic with TLS, and as far as I can tell there are only a few things that are still unencrypted. Is there a timeline or any plans for these last few things?
1) routing-api - still using both TLS and non-TLS in the cf-deployment. The http endpoint is what is registered in the router. Is there a reason for still enabling both?
2) metrics-discovery-registrar-windows - not using nats-tls hostname, falling back to 4222
3) route_registrar - not using nats-tls
4) gorouter - not using nats-tls
We have a requirement that all traffic on the network is encrypted and I would really love to stop running IPsec. :)
Jon Price
Intel Corp.
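An added example, not code from this thread or from cf-deployment, of the kind of passive check a defender can run to verify the "all traffic encrypted" requirement in the message above: given the first bytes a peer sent on a captured TCP flow, it tells a TLS handshake apart from plaintext NATS (the kind of traffic a client that falls back to port 4222 produces) and plaintext HTTP (such as a non-TLS routing-api endpoint), and lists the flows that are not TLS. The ports, flow descriptions and payloads are constructed for illustration and are assumptions, not values from the thread.

```python
"""Passive check for plaintext flows in a capture (constructed example).

Not code from the cf-dev thread or from cf-deployment. Given the first
payload bytes of each TCP flow, decide whether the peer is speaking TLS
(record type 0x16 carrying a handshake message) or a plaintext protocol
such as NATS (INFO/CONNECT lines) or HTTP, and list the flows that violate
an "everything encrypted" requirement.
"""
import struct

TLS_HANDSHAKE = 0x16
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}
HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ", b"HTTP/")


def classify(payload: bytes) -> dict:
    """Classify the first bytes a peer sent on a flow."""
    if len(payload) >= 5 and payload[0] == TLS_HANDSHAKE:
        record_version = (payload[1], payload[2])
        record_len = struct.unpack("!H", payload[3:5])[0]
        if record_version in TLS_VERSIONS and 0 < record_len <= 16384:
            body = payload[5:5 + record_len]
            hs_type = body[0] if body else None
            version = TLS_VERSIONS[record_version]
            # ClientHello/ServerHello carry a version field right after the
            # 4-byte handshake header. TLS 1.3 still writes 3.3 there and
            # signals 1.3 in the supported_versions extension, which this
            # check does not parse, so "TLS 1.2" means "at least TLS 1.2".
            if hs_type in HANDSHAKE_TYPES and len(body) >= 6:
                version = TLS_VERSIONS.get((body[4], body[5]), version)
            return {"kind": "tls", "handshake": HANDSHAKE_TYPES.get(hs_type, "other"), "version": version}
    if payload.startswith((b"INFO {", b"CONNECT {")):
        return {"kind": "plaintext", "protocol": "nats"}
    if payload.startswith(HTTP_PREFIXES):
        return {"kind": "plaintext", "protocol": "http"}
    return {"kind": "unknown"}


def audit(flows):
    """flows: iterable of (description, dst_port, first_payload_bytes).

    Returns one finding string per flow that is not TLS."""
    findings = []
    for description, port, payload in flows:
        result = classify(payload)
        if result["kind"] != "tls":
            what = result.get("protocol", result["kind"])
            findings.append(f"{description} -> :{port} speaks {what}, not TLS")
    return findings


def minimal_client_hello() -> bytes:
    """Build a syntactically valid (if useless) TLS 1.2 ClientHello record."""
    hello = (b"\x03\x03"            # legacy client_version = TLS 1.2
             + b"\x00" * 32         # client random (zeros; constructed sample)
             + b"\x00"              # empty session id
             + b"\x00\x02\x13\x01"  # one cipher suite
             + b"\x01\x00")         # null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample flows. Ports are assumptions for illustration, not taken
# from the thread: 4222 = plain NATS, 4224 = nats-tls, 3000 = routing-api HTTP.
SAMPLE_FLOWS = [
    ("gorouter -> nats", 4222, b'INFO {"server_id":"example","version":"2.1.0"}\r\n'),
    ("route_registrar -> nats-tls", 4224, minimal_client_hello()),
    ("client -> routing-api", 3000, b"GET /routing/v1/routes HTTP/1.1\r\nHost: routing-api\r\n\r\n"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

Run against real captures you would feed `audit` the first payload bytes of each flow (for example exported from a packet capture); anything reported as plaintext is a component that still needs its TLS endpoint, and a TLS result with version "TLS 1.2" may in fact be 1.3, since the extension that signals it is not parsed here.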
Peter Burkholder
We may run into similar requirements for cloud.gov, so TLS everywhere would be A+.
On Tue, Sep 15, 2020 at 1:45 PM Jon Price <jon.price@...> wrote:
--
Peter Burkholder | cloud.gov compliance & security
please use cloud-gov-compliance@... for cloud.gov matters
Miki Mokrysz <miki.mokrysz@...>
+1 on desiring everything to be encrypted on the network.
On Tuesday, 15 September 2020, Peter Burkholder via lists.cloudfoundry.org <peter.burkholder=gsa.gov@...> wrote:
David McClure
Hi everyone,
Glad to see this conversation happening. I've been involved in several conversations about this over the years but I'm not sure what public artifacts exist about these efforts. Historically, it has been a challenge to organize so-called "cross-cutting efforts" that require the involvement of many different teams and it may be especially challenging now that much of the community has shifted its focus to developing cf-for-k8s.
That said, here's a thought: perhaps we can approach this feature request and other "cross-cutting" features for cf-for-vms with the following strategy going forward:
Jon, would you like to do the honors as the thread starter here?
From: cf-dev@... <cf-dev@...> on behalf of Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
Sent: Tuesday, September 15, 2020 11:41 AM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] TLS for everything
Jon Price
Hi David,
Done – Issue 906.
I too have been involved in several conversations over the past several years about this. Back in 2015 we had a meeting with Dieu Cao (Hi Dieu!) and the former chief security officer at Pivotal, Justin Smith, about this, and I also did a talk at the 2015 CF Summit about using IPsec.
It’s exciting to see how close we are getting to securing every endpoint, only a few more thousand lines of PEM text in the deployment manifest and we are done!
-- Jon Price
From: cf-dev@... <cf-dev@...> On Behalf Of David McClure
Sent: Tuesday, September 15, 2020 4:36 PM
To: cf-dev@...
Subject: Re: [cf-dev] TLS for everything
From: cf-dev@... <cf-dev@...> on behalf of Miki Mokrysz via lists.cloudfoundry.org <miki.mokrysz=digital.cabinet-office.gov.uk@...>
+1 on desiring everything to be encrypted on the network.
We’re under the impression that Silk (apps.internal) traffic between cells is also unencrypted.
caitlyny@...
Hi Jon,
I provided an update for #2 within the issue on Github.
Caitlyn