Encrypt the east-west traffic¶
Consider this section as part of Deploy an OpenStack cluster.
MOSK allows configuring Internet Protocol Security (IPSec) encryption for the east-west tenant traffic between the OpenStack compute nodes and gateways. The feature uses the strongSwan open source IPSec solution. Authentication is accomplished through a pre-shared key (PSK). However, other authentication methods are upcoming.
To encrypt the east-west tenant traffic, enable
ipsec in the
spec:features:neutron settings of the
spec: features: neutron: ipsec: enabled: true
Enabling IPSec adds extra headers to the tenant traffic. The header size varies depending on IPSec configuration.
Therefore, Mirantis recommends decreasing network MTU for virtual networks and reserve 73 bytes overhead for the worst-case scenario as described in Cisco documentation: Configuring IPSec VPN Fragmentation and MTU.