Is this already available with R80.20?

Hi Sabine,

Only R80.30+

To further clarify, CCP encryption is enabled by default on R80.30 Gaia kernel version 3.10 only.  CCP encryption is disabled by default on R80.30 Gaia kernel version 2.6.18.  See sk162358: R80.30 cluster, with CCP Encryption enabled, managed by an R80.10 Security Management come...  Just noticed this difference in my lab and could not figure out what was going on until I found that SK.

Also tagging @PhoneBoy with this follow-up question: If CCP encryption is enabled it impacts both CCP traffic emanating out all clustered interfaces presenting a Cluster IP, and the CCP traffic on the sync interface, correct?  Is there any way to disable CCP encryption just for the state sync traffic (FWHAP_SYNC) yet leave it enabled for all the clustered interfaces presenting a Cluster IP?  My guess is no, but if one has a crossover cable connecting the sync ports in a 2-member cluster, it would be nice to save the overhead involved encrypting/decrypting that heavy sync traffic if the sync network is known to be secure.  Securing CCP on the cluster interfaces is still very important of course since they are accessible to the surrounding networks.

Yes I suppose someone could vampire into the sync cable and mess with the cluster if the sync network CCP traffic is not encrypted, but if the attacker already has physical access to your cluster and the sync cable you've got much bigger problems afoot...

nice

Hi Heiko,

Thank you, that share this information with CheckMates. Did you mean "R80.30 - ClusterXL CCP Encryption!", right?

Regards,

Dmitry.

Hi Dmitry,

Thanks, I made a mistake. That must be named ClusterXL:-)

Regards

Heiko

Very nice feature. I have all cluster encrypted:-)

Is it possible to use certificates to protect ccp sessions.

I don't know that.

Hi Heiko,

I would to provide more information about the CCP encryption, could you update your article according to it.

The CCP Encryption:

• Supports SHA-256 encryption.
• Key replacement is done on every policy installation
• Encryption & decryption is done by CPU using AES-GCM to achieve minimal effect on performance.

You don't need to set key manually, it will be generated automatically and we recommend to use only this mode, at least because every policy installation will be generated new key (this option doesn't work if a key was set manually). The key can be set manually only as option for troubleshooting.

The CLISH commands:

• Toggle encryption mode: “set cluster member ccpenc <on/off>”
• Show encryption mode: “show cluster members ccpenc”

The commands under expert mode:

• Toggle encryption mode: "cphaconf ccp_encrypt <on/off>"
• Show encryption mode: "cphaprob ccp_encrypt"
• Display encryption key: "cphaprob ccp_encrypt_key"

Regards,

Dmitry.

Hi Aviel,

No, it isn't possible. In my opinion, we don't have a reason to use certificates here.

Regards,

Dmitry.

What kind of performance impact are we talking about when enabling CCP encryption ?

It says: "minimal effect on performance"

But are there numbers available ?

The encryption/decryption is most likely using AES-NI instructions built into recent Intel processors.

On systems that don't have AES-NI instructions, I imagine the performance impact will be a bit more noticeable.

As for exact numbers, I don't think we can comment until after GA.

Can I change the encrytion algorithm. 

We use now the encryption. It works fine. 

Thanks

Unfortunately, it is no longer possible to analyze the CCP packets via "ccp_analyzer " when encryption is enabled.

Is there any other way to analyze CCP packets, or do I need to simply disable encryption when debugging clusterxl?

BR Jernej