---
title: IPsec Add-on for PCF
owner: Security Engineering
---
<strong><%= modified_date %></strong>
This guide describes the IPsec Add-on for PCF, which secures data transmissions inside [Pivotal Cloud Foundry](https://network.pivotal.io/products/pivotal-cf) (PCF). Topics covered in this guide include IPsec Add-on for PCF installation and configuration, troubleshooting, and certificate rotation.
Your organization may require IPsec if you transmit sensitive data.
## <a id="overview"></a> Overview
The IPsec Add-on for PCF provides security to the network layer of the OSI model with a [strongSwan](https://www.strongswan.org/) implementation of IPsec. The IPsec Add-on provides a strongSwan job to each BOSH-deployed virtual machine (VM).
IPsec encrypts IP data flow between hosts, between security gateways, and between security gateways and hosts. The IPsec Add-on for PCF secures network traffic within a Cloud Foundry deployment and provides internal system protection if a malicious actor breaches your firewall.
## <a id='snapshot'></a> Product Snapshot
The following table provides version and version-support information about the IPsec Add-on for PCF.
<table class="nice">
<tr>
<th>Element</th>
<th>Details</th>
</tr>
<tr>
<td>Version</td>
<td>v1.9.0</td>
</tr>
<tr>
<td>Release date</td>
<td>Month XX, 2018</td>
</tr>
<tr>
<td>Compatible Ops Manager version(s)</td>
<td>v1.10.x, v1.11.x, v1.12.x, and v2.0.x</td>
</tr>
<tr>
<td>Compatible Elastic Runtime version(s)</td>
<td>v1.10.x, v1.11.x, and v1.12.x</td>
</tr>
<tr>
<td>Compatible Pivotal Application Service (PAS)<sup>*</sup> version(s)</td>
<td>v2.0.x</td>
</tr>
<tr>
<td>IaaS support</td>
<td>vSphere, GCP, AWS, Azure, and OpenStack</td>
</tr>
</table>
\* As of PCF v2.0, _Elastic Runtime_ is renamed _Pivotal Application Service (PAS)_.
[//]: # (For more information, see [Pivotal Application Service (PAS) Highlights](http://docs.pivotal.io/pivotalcf/2-0/installing/highlights.html#ert). )
## <a id="implementation"></a> IPsec Implementation Details
The IPsec Add-on for PCF implements the following cryptographic suite:
<table border='1' class='nice'>
<tr>
<th>Key Agreement (Diffie-Hellman)</th>
<td>IKEv2 Main Mode</td>
</tr>
<tr>
<th>Bulk Encryption</th>
<td>AES128GCM16</td>
</tr>
<tr>
<th>Hashing</th>
<td><code>SHA2 256</code></td>
</tr>
<tr>
<th>Integrity/Authentication Tag</th>
<td>128-bit GHASH ICV</td>
</tr>
<tr>
<th>Digital Signing</th>
<td>RSA 3072/4096</td>
</tr>
<tr>
<th>Peer Authentication Method</th>
<td>Public/Private Key</td>
</tr>
</table>
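
A strongSwan `ipsec.conf` can be audited against the suite in the table above. The following is an added example, not code from the add-on or from Pivotal. It assumes the suite maps to the `ipsec.conf` keywords `keyexchange`, `leftauth`/`rightauth`, `ike`, and `esp`, and that the proposal keyword `prfsha256` corresponds to the SHA2 256 row. The sample config is constructed, and its DH group (`modp2048`) is a placeholder that this page does not specify.

```python
import re

# Suite from the table above; the keyword mapping and SAMPLE are constructed for this example.
REQUIRED = {"keyexchange": "ikev2", "leftauth": "pubkey", "rightauth": "pubkey"}
AEAD, PRF = "aes128gcm16", "prfsha256"
SAMPLE = """\
conn %default
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    ike=aes128gcm16-prfsha256-modp2048!
    esp=aes128gcm16!
conn good
    type=transport
conn weak
    esp=aes128-sha1
    rightauth=psk
"""

def parse_conns(text):
    """Return {conn_name: settings}, with 'conn %default' merged into every conn."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if m := re.match(r"conn\s+(\S+)$", line):
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and line[:1] in (" ", "\t") and "=" in line:
            key, value = line.strip().split("=", 1)
            cur[key.strip()] = value.strip()
        elif line.strip():
            cur = None  # another section type (config setup, ca)
    default = conns.pop("%default", {})
    return {name: {**default, **c} for name, c in conns.items()}

def audit(text):
    """List every effective conn setting that falls outside the documented suite."""
    findings = []
    for name, c in parse_conns(text).items():
        for key, want in REQUIRED.items():
            if c.get(key, "").lower() != want:
                findings.append(f"{name}: {key}={c.get(key, '<unset>')}, want {want}")
        for key in ("ike", "esp"):
            value = c.get(key, "").lower()
            if not value.endswith("!"):  # without '!' strongSwan also accepts its default proposals
                findings.append(f"{name}: {key} not strict, other proposals may be accepted")
            for prop in value.rstrip("!").split(","):
                algs = prop.strip().split("-")
                if AEAD not in algs or (key == "ike" and PRF not in algs):
                    findings.append(f"{name}: {key} proposal '{prop.strip()}' is outside the suite")
    return findings
```

The audit requires each setting to be stated explicitly, so a conn that relies on strongSwan defaults is reported even where the default would match.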
Refer to the following topics for more information about the IPsec Add-on for PCF:
* [Installing the IPsec Add-on for PCF](./installing.html)
* [Rotating IPsec Certificates](./credentials.html)
* [Renewing Expired IPsec Certificates](./renewing.html)
* [Troubleshooting the IPsec Add-on for PCF](./troubleshooting.html)
* [Upgrading the IPsec Add-on for PCF](./upgrading.html)
* [Uninstalling the IPsec Add-on for PCF](./uninstalling.html)
* [Release Notes](./release-notes.html)