---
title: Securing Data in Transit with the IPsec Add-on
owner: Security Engineering
---
<strong><%= modified_date %></strong>
This guide describes the [Pivotal Cloud Foundry](https://network.pivotal.io/products/pivotal-cf) (PCF) IPsec add-on. It covers installation and configuration, troubleshooting, and credential rotation. Your organization may require IPsec if your deployment transmits sensitive data between VMs.
<p class="note"><strong>Note</strong>: If you apply the IPsec add-on to your PCF deployment, you cannot remove IPsec without removing and reinstalling the entire deployment.</p>
## Overview ##
The IPsec add-on for PCF secures traffic at the network layer (OSI layer 3) using a [strongSwan](https://www.strongswan.org/) implementation of IPsec. It adds a strongSwan job to each BOSH-deployed virtual machine (VM), so every VM in the deployment terminates its own IPsec security associations.
IPsec encrypts and authenticates IP traffic between hosts, between security gateways, and between security gateways and hosts. The PCF IPsec add-on protects network traffic inside a Cloud Foundry deployment: if a malicious actor gets past your perimeter firewall, internal traffic between VMs is still encrypted and integrity-protected rather than readable on the wire.
## PCF IPsec Implementation Details ##
The PCF IPsec add-on implements the following cryptographic suite:
<table border='1' class='nice'>
<tr>
<th>Key Exchange / Key Agreement</th>
<td>IKEv2 (Diffie-Hellman in the IKE_SA_INIT exchange; "Main Mode" is an IKEv1 term and does not apply to IKEv2)</td>
</tr>
<tr>
<th>Bulk Encryption</th>
<td>AES128GCM16</td>
</tr>
<tr>
<th>Hashing</th>
<td><code>SHA1</code> (IKE PRF/integrity; ESP traffic needs no separate hash because AES-GCM is an AEAD cipher)</td>
</tr>
<tr>
<th>Integrity/Authentication Tag</th>
<td>128-bit GHASH ICV (the 16-byte AES-GCM authentication tag denoted by the <code>16</code> in AES128GCM16)</td>
</tr>
<tr>
<th>Digital Signing</th>
<td>RSA 3072/4096</td>
</tr>
<tr>
<th>Peer Authentication Method</th>
<td>Public/Private Key</td>
</tr>
</table>
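A documented suite is only useful if it is what the VMs actually negotiate. The following audit script is an added example (not part of the add-on or its documentation): it reads strongSwan `ipsec statusall` output and flags any security association whose key exchange is not IKEv2 or whose ESP traffic is not protected with `AES_GCM_16_128` (strongSwan's name for AES128GCM16 with a 128-bit ICV). The status text embedded below is constructed to resemble strongSwan 5.x output; the second peer is deliberately non-compliant so the failure mode is visible. The path of the `ipsec` binary inside the BOSH package is not given on this page and is therefore not assumed here.

```shell
#!/usr/bin/env bash
# Audit strongSwan "ipsec statusall" output against the cipher suite documented
# for the PCF IPsec add-on: IKEv2 key exchange, AES_GCM_16_128 protecting ESP.
# Added example, not the add-on's own tooling.  On a BOSH VM you would run:
#     ipsec statusall | audit_ipsec_status

EXPECTED_IKE_VERSION="IKEv2"
EXPECTED_ESP_ALG="AES_GCM_16_128"

# audit_ipsec_status: read "ipsec statusall" text on stdin and print one
# "VIOLATION ..." line per SA that deviates from the documented suite.
# Returns 0 when every SA complies, 1 otherwise.
audit_ipsec_status() {
  local violations=0 line sa rest version alg
  while IFS= read -r line; do
    line="${line#"${line%%[![:space:]]*}"}"   # strip leading indentation
    sa="${line%%:*}"                           # SA name: ipsec[3] (IKE) or ipsec{5} (CHILD)
    rest="${line#*: }"                         # text after "name: "
    rest="${rest#"${rest%%[![:space:]]*}"}"    # CHILD SA lines carry a second space
    case "$rest" in
      IKEv*' SPIs:'*)
        # IKE SA line: "IKEv2 SPIs: <spi_i>* <spi_r>, rekeying in ..."
        version="${rest%% *}"
        if [ "$version" != "$EXPECTED_IKE_VERSION" ]; then
          echo "VIOLATION $sa: key exchange is $version, expected $EXPECTED_IKE_VERSION"
          violations=$((violations + 1))
        fi ;;
      *' bytes_i,'*)
        # CHILD SA traffic line: "<esp proposal>, N bytes_i, M bytes_o, ..."
        alg="${rest%%,*}"
        if [ "$alg" != "$EXPECTED_ESP_ALG" ]; then
          echo "VIOLATION $sa: ESP protected with $alg, expected $EXPECTED_ESP_ALG"
          violations=$((violations + 1))
        fi ;;
    esac
  done
  [ "$violations" -eq 0 ]
}

# CONSTRUCTED sample in the shape of strongSwan's statusall output.  The peer at
# 10.0.16.7 negotiated the documented suite; the peer at 10.0.16.9 deliberately
# shows a fallback to IKEv1 with AES-CBC/HMAC-SHA1 so the audit has something to catch.
SAMPLE_STATUS='Security Associations (2 up, 0 connecting):
    ipsec[3]: ESTABLISHED 2 hours ago, 10.0.16.5[CN=10.0.16.5]...10.0.16.7[CN=10.0.16.7]
    ipsec[3]: IKEv2 SPIs: 1a2b3c4d5e6f7081_i* 2b3c4d5e6f708192_r, rekeying in 55 minutes
    ipsec{5}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c1a2b3c4_i c2b3c4d5_o
    ipsec{5}:  AES_GCM_16_128, 35281 bytes_i, 40112 bytes_o, rekeying in 12 minutes
    ipsec{5}:   10.0.16.5/32 === 10.0.16.7/32
    ipsec[4]: ESTABLISHED 7 minutes ago, 10.0.16.5[CN=10.0.16.5]...10.0.16.9[CN=10.0.16.9]
    ipsec[4]: IKEv1 SPIs: 3c4d5e6f70819203_i* 4d5e6f7081920314_r, rekeying in 2 hours
    ipsec{6}:  INSTALLED, TRANSPORT, reqid 2, ESP SPIs: d3e4f506_i e4f50617_o
    ipsec{6}:  AES_CBC_128/HMAC_SHA1_96, 1200 bytes_i, 980 bytes_o, rekeying in 40 minutes
    ipsec{6}:   10.0.16.5/32 === 10.0.16.9/32'

# Demo on the constructed sample: prints two VIOLATION lines and returns non-zero.
printf '%s\n' "$SAMPLE_STATUS" | audit_ipsec_status || echo "audit failed: review the violations above"
```

The check keys on two lines strongSwan prints per SA: the `IKEv<n> SPIs:` line of the IKE SA and the traffic-counter line of the CHILD SA, whose first comma-separated field is the ESP proposal in use. Anything else in the dump is ignored, so the script tolerates extra lines (proposal details, reauthentication timers) without false positives.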
Refer to the following topics for more information about the IPsec add-on:
* [Downloading, Installing, and Configuring IPsec](./installing.html)
* [Setting Up and Rotating Certificates for IPsec](./credentials.html)
* [Troubleshooting IPsec](./troubleshooting.html)
* [Release Notes](./release-notes.html)