---
title: IPsec for VMware Tanzu
owner: Platform Security & Compliance Team
---
<strong><%= modified_date %></strong>
This guide describes <%= vars.product_full %>, which secures data transmissions
inside [<%= vars.app_runtime_full %> (<%= vars.app_runtime_abbr %>)](https://network.pivotal.io/products/elastic-runtime/).
Topics covered in this guide include <%= vars.product_full %> installation and configuration,
troubleshooting, and certificate rotation.
Your organization might require <%= vars.product_short %> if you transmit sensitive data.
## <a id="overview"></a> Overview
<%= vars.product_full %> provides security to the network layer of the OSI model with a
[strongSwan](https://www.strongswan.org/) implementation of <%= vars.product_short %>.
It provides a strongSwan job in FIPS mode to each BOSH-deployed VM.
<%= vars.product_full %> encrypts IP data flow between hosts, between security gateways, between service tiles, and between security gateways and hosts.
It secures network traffic within a Cloud Foundry deployment
and provides internal system protection if a malicious actor breaches your firewall.
## <a id='snapshot'></a> Product Snapshot
The following table provides version and version-support information about <%= vars.product_full %>.
<table class="nice">
<tr>
<th>Element</th>
<th>Details</th>
</tr>
<tr>
<td>Version</td>
<td>v1.10.0</td>
</tr>
<tr>
<td>Release date</td>
<td>Month DD, 2019</td>
</tr>
<tr>
<td>Compatible <%= vars.ops_manager %> versions</td>
<td>2.3, 2.4, 2.5, 2.6, and 2.7</td>
</tr>
<tr>
<td>Compatible <%= vars.app_runtime_full %> versions</td>
<td>2.11, 2.10, 2.9, and 2.8</td>
</tr>
<tr>
<td>Compatible BOSH stemcells</td>
<td>Ubuntu Xenial and Trusty</td>
</tr>
<tr>
<td>IaaS support</td>
<td>vSphere, GCP, AWS, Azure, and Openstack</td>
</tr>
</table>
## <a id="implementation"></a> <%= vars.product_short %> Implementation Details
<%= vars.product_full %> implements the following cryptographic suite:
<table border='1' class='nice'>
<tr>
<th>Key Agreement (Diffie-Hellman)</th>
<td>IKEv2 Main Mode</td>
</tr>
<tr>
<th>Bulk Encryption</th>
<td>AES128GCM16</td>
</tr>
<tr>
<th>Hashing</th>
<td><code>SHA2 256</code></td>
</tr>
<tr>
<th>Integrity/Authentication Tag</th>
<td>128 bit GHASH ICV</td>
</tr>
<tr>
<th>Digital Signing</th>
<td>RSA 3072/4096</td>
</tr>
<tr>
<th>Peer Authentication Method</th>
<td>Public/Private Key</td>
</tr>
</table>
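As an added example, not code from the add-on or its documentation, the following Python checker audits strongSwan `ike=`/`esp=` proposal strings against the suite in the table above. The DH groups modp3072/modp4096 are an assumption (the table lists RSA key sizes, not IKE DH groups), and the ipsec.conf fragment is constructed for the demonstration.

```python
import re

# Allowed proposal components, derived from the table above; DH groups are an assumption.
ALLOWED = {
    "encryption": {"aes128gcm16"},           # AES-128-GCM with a 128-bit GHASH ICV
    "prf":        {"prfsha256", "sha256"},   # SHA2-256 (ipsec.conf spells the AEAD PRF "sha256")
    "dh":         {"modp3072", "modp4096"},  # assumption, see above
}
KNOWN = set().union(*ALLOWED.values())

def parse_proposals(value):
    """'aes128gcm16-prfsha256-modp3072,aes128-sha1-modp1024!' -> (proposals, strict)."""
    value = value.strip()
    strict = value.endswith("!")
    if strict:
        value = value[:-1]
    return [p.split("-") for p in value.split(",") if p], strict

def audit_proposals(value, roles=("encryption", "prf", "dh")):
    """Return findings for one ike=/esp= value; an empty list means it matches the suite."""
    findings = []
    proposals, strict = parse_proposals(value)
    if not strict:
        findings.append("not strict ('!' missing): a peer can steer negotiation to a weaker proposal")
    for prop in proposals:
        name = "-".join(prop)
        foreign = [a for a in prop if a not in KNOWN]
        if foreign:
            findings.append(f"{name}: outside the documented suite: {', '.join(foreign)}")
        for role in roles:
            if not ALLOWED[role] & set(prop):
                findings.append(f"{name}: no approved {role} algorithm")
    return findings

# Constructed ipsec.conf fragment: a compliant first proposal followed by weak fallbacks.
SAMPLE_CONF = """\
conn bosh-mesh
    keyexchange=ikev2
    authby=pubkey
    ike=aes128gcm16-prfsha256-modp3072,aes128-sha1-modp1024
    esp=aes128gcm16,3des-sha1
"""
def audit_conf(text):
    """Audit the ike= and esp= lines of an ipsec.conf-style text; ESP with AEAD needs only the cipher."""
    results = {}
    for key, roles in (("ike", ("encryption", "prf", "dh")), ("esp", ("encryption",))):
        for m in re.finditer(rf"^\s*{key}\s*=\s*(\S+)", text, re.M):
            results[key] = audit_proposals(m.group(1), roles)
    return results
```

Running `audit_conf(SAMPLE_CONF)` reports the missing strict marker on both lines and every component of the `aes128-sha1-modp1024` and `3des-sha1` fallbacks, while the first proposal on each line passes.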
## <a id='limitations'></a> Limitations
<%= vars.product_full %> has the following limitations:
* <%= vars.product_full %> is not compatible with VMware NSX-T Container Plug-in for <%= vars.app_runtime_full %>.
* VMware recommends configuring <%= vars.product_full %> to use a self-signed certificate to sign instance certificates.
VMware does not recommend using a certificate signed by a public or third-party CA.
* <%= vars.product_full %> is not supported on Windows.
* Container-to-container traffic is not encrypted unless the underlying network is also encrypted.
Both the overlay network for container-to-container networking and the underlying, physical network
for Diego Cell to Diego Cell networking must be included in the `ipsec_subnets` section of the IPsec manifest.