Cryptography

Transport layer security (TLS)

All network endpoints exposed by MicroOVN services are secured using multiple components of the TLS protocol, including encryption, authentication and integrity. Through the use of the Ubuntu OpenSSL packages, TLS versions below 1.2 are disabled for security reasons.

There are two self-signed certificate authorities in use: one for the MicroCluster-based microovnd daemon and another for the OVN daemons. Both are initialised during the initial bootstrap of the cluster.

Keys are generated using a 384-bit elliptic curve algorithm, often referred to as P-384.

Both sets of daemons are configured by default to use TLS to encrypt on-the-wire communication and to use certificate data to authenticate and verify remote peers, ensuring that only trusted components can participate in the cluster.
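The following Go snippet is an added illustration, not MicroOVN's own code: it builds a self-signed P-384 certificate authority and a server-side `tls.Config` that enforces the posture described above (TLS 1.2 minimum and mutual certificate authentication). The function names `NewP384CA` and `ClusterTLSConfig`, the certificate lifetime and the subject name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewP384CA creates a self-signed CA with a P-384 key, the key type described on this page.
func NewP384CA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // constructed short lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ClusterTLSConfig is the daemon-side policy: TLS 1.2 as the floor and mutual
// authentication, so a peer without a certificate chaining to the cluster CA cannot join.
func ClusterTLSConfig(ca *x509.Certificate, serverCert tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,               // refuse TLS 1.0/1.1 handshakes
		Certificates: []tls.Certificate{serverCert},  // what this daemon presents to peers
		ClientAuth:   tls.RequireAndVerifyClientCert, // peers must present a certificate
		ClientCAs:    pool,                           // ...that chains to the cluster CA
		RootCAs:      pool,                           // servers this daemon dials are checked the same way
	}
}
```

Checking a deployed endpoint against this policy is the same test in reverse: a handshake offering only TLS 1.1, or one without a client certificate, must be refused.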