Enable carrier-grade cipher suites#
About carrier-grade cipher suites#
Availability#
Carrier-grade cipher suites are available in Aspen Mesh 1.14.6-am4 and later.
Important
Carrier-grade cipher suites are intended for service providers (carriers) only. They are not recommended for enterprise customers.
Definition: On-mesh traffic#
On-mesh traffic is traffic that originates and terminates on the mesh.
Definition: Mesh-ingress traffic#
Mesh-ingress traffic is traffic that originates off the mesh and terminates at an ingress gateway on the mesh.
When to enable carrier-grade cipher suites#
Enable carrier-grade cipher suites when you want to increase the security of the following types of traffic whose encryption is negotiated using TLS 1.2:
On-mesh traffic
Mesh-ingress traffic to ingress gateways whose TLS mode for the associated port (.spec.servers[].tls.mode) is set to SIMPLE or MUTUAL (the default is PASSTHROUGH)
The on-mesh carrier-grade cipher suites#
These are the on-mesh carrier-grade cipher suites, listed in order of preference from most to least preferred:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
Note
Because the client and server lists are identical for on-mesh traffic, the suite actually negotiated is the first one in the list that matches the key type of the workload certificate: the first cipher suite (ECDHE-ECDSA-AES128-GCM-SHA256) is used when ECC workload certificates are enabled, and the third cipher suite (ECDHE-RSA-AES128-GCM-SHA256) is used when ECC workload certificates are not enabled (RSA certificates).
The mesh-ingress carrier-grade cipher suites#
These are the mesh-ingress carrier-grade cipher suites, listed in order of preference from most to least preferred:
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
What happens when you enable carrier-grade cipher suites#
When you enable carrier-grade cipher suites, Aspen Mesh overrides:
These cipher suites | With these cipher suites
---|---
The fixed server cipher suites for on-mesh traffic whose encryption is negotiated using TLS 1.2, 1.1, or 1.0 | The on-mesh carrier-grade cipher suites
The default server cipher suites for mesh-ingress traffic whose encryption is negotiated using TLS 1.2, 1.1, or 1.0 to ingress gateways whose TLS mode for the associated port is set to SIMPLE or MUTUAL | The mesh-ingress carrier-grade cipher suites
Note
The fixed server cipher suites (on-mesh) may vary for different versions of Aspen Mesh. For Aspen Mesh 1.18, see Mutual TLS authentication (Istio 1.18).
The default server cipher suites (mesh-ingress) may vary for different versions of the Istio proxy (Envoy). For Envoy 1.26, which is used by Aspen Mesh 1.18, see the default server cipher list for non-FIPS builds for the cipher_suites field of the extensions.transport_sockets.tls.v3.TlsParameters message in Common TLS configuration (Envoy 1.26).
You can further restrict the server cipher suites for mesh-ingress traffic at an ingress gateway by specifying a subset of the carrier-grade cipher suites in the ingress gateway's manifest.
Important
None of the carrier-grade cipher suites are supported for encryption negotiated using TLS 1.0 or TLS 1.1 (they are all AEAD suites that exist only in TLS 1.2). Therefore, if you enable carrier-grade cipher suites, TLS 1.0 and TLS 1.1 handshakes will fail for on-mesh traffic and for mesh-ingress traffic to ingress gateways whose TLS mode for the associated port is set to SIMPLE or MUTUAL.
The carrier-grade cipher suites have no effect when negotiating TLS 1.3, because TLS 1.3 uses its own separate, fixed set of cipher suites that this setting does not change.
Enable carrier-grade cipher suites#
Before you enable carrier-grade cipher suites#
Before you enable carrier-grade cipher suites, make sure all the following are true:
On-mesh traffic is configured to use a minimum TLS version of 1.2 (the default).
Off-mesh clients that send mesh-ingress traffic support TLS 1.2; clients limited to TLS 1.0 or TLS 1.1 will no longer be able to connect.
Ingress gateways whose TLS mode for a port is set to SIMPLE or MUTUAL are configured to use a minimum TLS version of 1.2 (the default).
Enable carrier-grade cipher suites#
1. Open your Aspen Mesh override values file (aspen-mesh-override-values.yaml) in a text editor.
2. Make sure the file includes the .global.carrierGradeCipherSuites field and that its value is set to true.
3. Save and close the file.
4. Perform an upgrade of Aspen Mesh from the current version to the same version (perform only the tasks in that section).
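To confirm both the prerequisites above (a TLS 1.2 floor on sidecars and gateways) and the result of the upgrade (the carrier-grade lists actually applied), the proxy's live listener configuration is the authoritative place to look. The script below is an added example, not Aspen Mesh or Istio tooling. It reads the JSON array printed by `istioctl proxy-config listener <pod> -n <namespace> -o json` (assumed to use camelCase proto-JSON keys; snake_case keys, as in the Envoy admin /config_dump, are normalised so either works), finds every filter chain that terminates TLS with a DownstreamTlsContext, and reports the minimum TLS version and which of this page's cipher lists the chain carries. The sample listeners embedded at the bottom are constructed for illustration.

```python
"""Check Envoy listener TLS parameters against this page's carrier-grade lists.

Added example (not Aspen Mesh or Istio code). Input: the JSON array printed by
`istioctl proxy-config listener <pod> -n <ns> -o json` (assumed camelCase keys);
snake_case keys from the Envoy admin /config_dump are normalised as well.
"""
import json
import re
import sys

# Cipher suite lists exactly as documented on this page; order is significant.
ON_MESH_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
]
MESH_INGRESS_SUITES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]
DOWNSTREAM_TLS = ("type.googleapis.com/envoy.extensions.transport_sockets"
                  ".tls.v3.DownstreamTlsContext")


def _camel(key):
    """filter_chains -> filterChains; keys starting with '@' are left alone."""
    if key.startswith("@"):
        return key
    return re.sub(r"_([a-z])", lambda m: m.group(1).upper(), key)


def normalise(obj):
    """Recursively rewrite snake_case keys to camelCase."""
    if isinstance(obj, dict):
        return {_camel(k): normalise(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [normalise(v) for v in obj]
    return obj


def tls_filter_chains(listeners):
    """Yield (listener name, chain index, tlsParams) for each TLS-terminating chain."""
    for lst in normalise(listeners):
        for i, chain in enumerate(lst.get("filterChains", [])):
            cfg = chain.get("transportSocket", {}).get("typedConfig", {})
            if cfg.get("@type") != DOWNSTREAM_TLS:
                continue  # plaintext chain (or PASSTHROUGH): nothing to check
            yield lst.get("name", "?"), i, cfg.get("commonTlsContext", {}).get("tlsParams", {})


def assess(params):
    """Return (min_version_ok, profile) for one chain's TlsParameters.

    min_version_ok is True only for an explicit TLSv1_2 or TLSv1_3 floor; TLS_AUTO
    (or no field) defers to the proxy's built-in default and is reported as not
    verified. profile: 'on-mesh', 'mesh-ingress', 'subset' (strict subset of the
    mesh-ingress list, as a gateway manifest may set) or 'other'.
    """
    min_ver = params.get("tlsMinimumProtocolVersion", "TLS_AUTO")
    suites = params.get("cipherSuites", [])
    min_ok = min_ver in ("TLSv1_2", "TLSv1_3")
    if suites == ON_MESH_SUITES:
        profile = "on-mesh"
    elif suites == MESH_INGRESS_SUITES:
        profile = "mesh-ingress"
    elif suites and set(suites) < set(MESH_INGRESS_SUITES):
        profile = "subset"
    else:
        profile = "other"  # includes a reordered full list: order matters
    return min_ok, profile


def report(listeners):
    """Map 'listener[chain]' -> assess() result for all TLS-terminating chains."""
    return {f"{name}[{i}]": assess(p) for name, i, p in tls_filter_chains(listeners)}


# Constructed sample: a sidecar inbound listener (camelCase, as istioctl prints)
# and a gateway listener (snake_case, as /config_dump prints) whose floor is
# still TLS 1.0 and whose cipher list is a gateway-level subset.
SAMPLE_LISTENERS = [
    {"name": "virtualInbound", "filterChains": [
        {"name": "virtualInbound", "transportSocket": {"typedConfig": {
            "@type": DOWNSTREAM_TLS, "commonTlsContext": {"tlsParams": {
                "tlsMinimumProtocolVersion": "TLSv1_2",
                "tlsMaximumProtocolVersion": "TLSv1_3",
                "cipherSuites": ON_MESH_SUITES}}}}},
        {"name": "virtualInbound-plaintext"}]},
    {"name": "0.0.0.0_443", "filter_chains": [
        {"transport_socket": {"typed_config": {
            "@type": DOWNSTREAM_TLS, "common_tls_context": {"tls_params": {
                "tls_minimum_protocol_version": "TLSv1_0",
                "cipher_suites": ["ECDHE-ECDSA-AES256-GCM-SHA384",
                                  "ECDHE-RSA-AES256-GCM-SHA384"]}}}}}]},
]

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LISTENERS
    for chain, (min_ok, profile) in report(data).items():
        print(f"{chain}: TLS floor {'ok' if min_ok else 'NOT verified'}; ciphers: {profile}")
```

Run it before the upgrade to catch any TLS-terminating chain whose floor is not explicitly TLS 1.2 (these are the connections that will start failing for TLS 1.0/1.1 clients), and again afterwards to confirm the on-mesh list on sidecar inbound chains and the mesh-ingress list (or your configured subset) on gateway chains. The script does not check which suite is actually negotiated on a live connection; for that, a TLS 1.2 client handshake against the gateway (for example with openssl s_client) is the complementary test.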