Enable carrier-grade cipher suites

About carrier-grade cipher suites

Availability

Carrier-grade cipher suites are available in Aspen Mesh 1.14.6-am4 and later.

Important

Carrier-grade cipher suites are intended for service providers (carriers) only. They are not recommended for enterprise customers.

Definition: On-mesh traffic

On-mesh traffic is traffic that originates and terminates on the mesh.

Definition: Mesh-ingress traffic

Mesh-ingress traffic is traffic that originates off the mesh and terminates at an ingress gateway on the mesh.

When to enable carrier-grade cipher suites

Enable carrier-grade cipher suites when you want to increase the security of the following types of traffic whose encryption is negotiated using TLS 1.2:

  • On-mesh traffic

  • Mesh-ingress traffic to ingress gateways whose TLS mode for the associated port (.spec.servers[].tls.mode) is set to SIMPLE or MUTUAL (the default is PASSTHROUGH)

The on-mesh carrier-grade cipher suites

These are the on-mesh carrier-grade cipher suites, listed in order of preference from most to least preferred:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384

Note

Because these cipher suites are always the same for clients and servers, the first cipher suite (ECDHE-ECDSA-AES128-GCM-SHA256) is used when ECC workload certificates are enabled, and the third cipher suite (ECDHE-RSA-AES128-GCM-SHA256) is used when ECC workload certificates are not enabled.

The mesh-ingress carrier-grade cipher suites

These are the mesh-ingress carrier-grade cipher suites, listed in order of preference from most to least preferred:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256

What happens when you enable carrier-grade cipher suites

When you enable carrier-grade cipher suites, Aspen Mesh overrides the following server cipher suites:

  • The fixed server cipher suites for on-mesh traffic whose encryption is negotiated using TLS 1.2, 1.1, or 1.0 are replaced with the on-mesh carrier-grade cipher suites.

  • The default server cipher suites for mesh-ingress traffic whose encryption is negotiated using TLS 1.2, 1.1, or 1.0 to ingress gateways whose TLS mode for the associated port is set to SIMPLE or MUTUAL are replaced with the mesh-ingress carrier-grade cipher suites.

Note

  • The fixed server cipher suites (on-mesh) may vary for different versions of Aspen Mesh. For Aspen Mesh 1.18, see Mutual TLS authentication (Istio 1.18).

  • The default server cipher suites (mesh-ingress) may vary for different versions of the Istio proxy (Envoy). For Envoy 1.26, which is used by Aspen Mesh 1.18, see the default server cipher list for non-FIPS builds for the cipher_suites field of the extensions.transport_sockets.tls.v3.TlsParameters message in Common TLS configuration (Envoy 1.26).

  • You can further restrict the server cipher suites for the mesh-ingress traffic at an ingress gateway by specifying a subset of the carrier-grade cipher suites in the ingress gateway’s manifest.

Important

  • None of the carrier-grade cipher suites are supported for encryption negotiated using TLS 1.0 or TLS 1.1. Therefore, if you enable carrier-grade cipher suites, encryption negotiated using TLS 1.0 or TLS 1.1 will fail for on-mesh traffic and for mesh-ingress traffic to ingress gateways whose TLS mode for the associated port is set to SIMPLE or MUTUAL.

  • The carrier-grade cipher suites have no effect when negotiating TLS 1.3, because TLS 1.3 uses its own fixed set of cipher suites.
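As an added illustration (not Aspen Mesh, Istio or Envoy code), the following Python models the TLS 1.2 selection behaviour that the note under the on-mesh list and the Important box above describe: the server walks its preference list in order and takes the first suite that the client also offers and that its certificate key type can authenticate; a TLS 1.0 or 1.1 client gets no suite at all; and a helper narrows an ingress gateway's list to a subset of the carrier-grade suites. The two suite lists are copied from this page. The client offers are constructed for the demonstration, and the assumption that the server's order wins over the client's (server preference) is mine.

```python
"""Model of TLS 1.2 cipher-suite selection against the carrier-grade lists.

Added illustration only: this is not Aspen Mesh, Istio or Envoy code. It
assumes server-preference ordering (the server walks its own list and picks
the first suite the client also offers that its certificate can authenticate).
"""
from typing import List, Optional, Sequence, Tuple

# Preference lists copied from the page, most to least preferred.
ON_MESH_SUITES: List[str] = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
]
MESH_INGRESS_SUITES: List[str] = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

# The page states that none of the carrier-grade suites is usable for
# TLS 1.0 or 1.1, so the model treats 1.2 as the minimum version for all of them.
MIN_TLS_VERSION: Tuple[int, int] = (1, 2)


def suite_auth(suite: str) -> str:
    """Return the certificate key type a suite needs to authenticate the server
    ("ECDSA" or "RSA"), read from the OpenSSL-style suite name."""
    if suite.startswith("ECDHE-ECDSA-"):
        return "ECDSA"
    if suite.startswith("ECDHE-RSA-"):
        return "RSA"
    return "OTHER"


def select_suite(server_prefs: Sequence[str], client_offer: Sequence[str],
                 cert_key_type: str, tls_version: Tuple[int, int]) -> Optional[str]:
    """Return the suite a server with `server_prefs` and a certificate of
    `cert_key_type` would negotiate with a client offering `client_offer` at
    `tls_version`, or None when nothing fits (the handshake fails).

    TLS 1.3 is out of scope: the page notes it uses its own fixed suites.
    """
    if tls_version >= (1, 3):
        raise ValueError("TLS 1.3 does not use the carrier-grade lists")
    if tls_version < MIN_TLS_VERSION:
        return None  # no carrier-grade suite exists for TLS 1.0 / 1.1
    offered = set(client_offer)
    for suite in server_prefs:  # server order decides (assumption)
        if suite in offered and suite_auth(suite) == cert_key_type:
            return suite
    return None


def restrict_gateway_suites(allowed: Sequence[str], subset: Sequence[str]) -> List[str]:
    """Narrow an ingress gateway's list to `subset`, keeping the carrier-grade
    order and rejecting any suite that is not in the carrier-grade list."""
    unknown = [s for s in subset if s not in allowed]
    if unknown:
        raise ValueError(f"not carrier-grade suites: {unknown}")
    wanted = set(subset)
    return [s for s in allowed if s in wanted]


# Constructed client offers used by the demonstration below.
LEGACY_CLIENT = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]  # CBC-only, no ECDHE
MODERN_RSA_CLIENT = [
    "AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
]


if __name__ == "__main__":
    # On-mesh: both sidecars use the same list, so the first suite that the
    # workload certificate's key type can authenticate wins (the page's note).
    print("on-mesh, ECC cert      :", select_suite(ON_MESH_SUITES, ON_MESH_SUITES, "ECDSA", (1, 2)))
    print("on-mesh, RSA cert      :", select_suite(ON_MESH_SUITES, ON_MESH_SUITES, "RSA", (1, 2)))
    # Mesh-ingress: the gateway's order wins over the client's own order.
    print("ingress, modern client :", select_suite(MESH_INGRESS_SUITES, MODERN_RSA_CLIENT, "RSA", (1, 2)))
    print("ingress, legacy client :", select_suite(MESH_INGRESS_SUITES, LEGACY_CLIENT, "RSA", (1, 2)))
    print("ingress, TLS 1.1 client:", select_suite(MESH_INGRESS_SUITES, MODERN_RSA_CLIENT, "RSA", (1, 1)))
    print("restricted gateway list:", restrict_gateway_suites(
        MESH_INGRESS_SUITES, ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384"]))
```

The legacy and TLS 1.1 cases are the failure modes the Important box warns about: a client that cannot offer any ECDHE AEAD suite, or that negotiates below TLS 1.2, ends with no common suite and the handshake fails, which is why the pre-checks in the next section require a minimum TLS version of 1.2 before the feature is turned on.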

Enable carrier-grade cipher suites

Before you enable carrier-grade cipher suites

Before you enable carrier-grade cipher suites, make sure all the following are true:

  • On-mesh traffic is configured to use a minimum TLS version of 1.2 (the default).

  • Mesh-ingress traffic uses a minimum TLS version of 1.2.

  • Ingress gateways whose TLS mode for a port is set to SIMPLE or MUTUAL are configured to use a minimum TLS version of 1.2 (the default).

Enable carrier-grade cipher suites

  1. Open your Aspen Mesh override values file (aspen-mesh-override-values.yaml) in a text editor.

  2. Make sure the file includes the .global.carrierGradeCipherSuites field and its value is set to true.

  3. Save and close the file.

  4. Perform an upgrade of Aspen Mesh from the current version to the same version (perform only the tasks in that section).