Encrypt the east-west traffic¶
TechPreview
Note
Consider this section as part of Deploy an OpenStack cluster.
MOSK allows configuring Internet Protocol Security (IPSec) encryption for the east-west tenant traffic between the OpenStack compute nodes and gateways. The feature uses the strongSwan open source IPSec solution. Authentication is accomplished through a pre-shared key (PSK). However, other authentication methods are upcoming.
To encrypt the east-west tenant traffic, enable ipsec
in the
spec:features:neutron
settings of the OpenStackDeployment
CR:
spec:
features:
neutron:
ipsec:
enabled: true
Caution
Enabling IPSec adds extra headers to the tenant traffic. The header size varies depending on IPSec configuration.
Therefore, Mirantis recommends decreasing network MTU for virtual networks and reserve 73 bytes overhead for the worst-case scenario as described in Cisco documentation: Configuring IPSec VPN Fragmentation and MTU.