Controllerless Networks

Hi

If anyone is sitting with some good knowledge about this I would  appreciate a statement very much.

Q1
Are there any technical drawbacks or any other thing that could cause head ace by enabling DTLS cluster security ? Asking as I think this otherwise would default be on instead of default off.  Performance? Any features that cannot be used if enabled?

Q2
What certificate does it use for the encryption? The built in device certificate that has 10 year lifetime and ends year 2032? Just want to know if I by enabling DTLS will have to to any additional task with regular intervals to not break my IAP cluster encryption. Like for example renew certificates or so... I really hope id won't use my own certificate and CA I installed for the IAP web access, which is also in the certificate list. 


I use an instant setup with two 535 and two 225 running 8.6.0.16. 

Many thanks in advance
/Peo

------------------------------
Per-Olov Sj�holm
------------------------------

I think it uses TPM device certificate to establish DTLS, you dont need to use your own certificate. But the most important thing is to have a valid NTP server configured.

here you can find more info on it.
https://www.arubanetworks.com/techdocs/Instant_87_WebHelp/Content/instant-ug/services/cluster-security.htm

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
------------------------------

Original Message:
Sent: Feb 10, 2022 02:56 PM
From: Per-Olov Sj�holm
Subject: Enable DTLS IAP cluster security

Hi

If anyone is sitting with some good knowledge about this I would  appreciate a statement very much.

Q1
Are there any technical drawbacks or any other thing that could cause head ace by enabling DTLS cluster security ? Asking as I think this otherwise would default be on instead of default off.  Performance? Any features that cannot be used if enabled?

Q2
What certificate does it use for the encryption? The built in device certificate that has 10 year lifetime and ends year 2032? Just want to know if I by enabling DTLS will have to to any additional task with regular intervals to not break my IAP cluster encryption. Like for example renew certificates or so... I really hope id won't use my own certificate and CA I installed for the IAP web access, which is also in the certificate list. 


I use an instant setup with two 535 and two 225 running 8.6.0.16. 

Many thanks in advance
/Peo

------------------------------
Per-Olov Sj�holm
------------------------------

@pos42 - Did you set this up, and if so, did you determine if there's any noteworthy overhead or impact on performance after enabling DTLS?
Original Message:
Sent: Feb 10, 2022 02:56 PM
From: Per-Olov Sj�holm
Subject: Enable DTLS IAP cluster security

Hi

If anyone is sitting with some good knowledge about this I would  appreciate a statement very much.

Q1
Are there any technical drawbacks or any other thing that could cause head ace by enabling DTLS cluster security ? Asking as I think this otherwise would default be on instead of default off.  Performance? Any features that cannot be used if enabled?

Q2
What certificate does it use for the encryption? The built in device certificate that has 10 year lifetime and ends year 2032? Just want to know if I by enabling DTLS will have to to any additional task with regular intervals to not break my IAP cluster encryption. Like for example renew certificates or so... I really hope id won't use my own certificate and CA I installed for the IAP web access, which is also in the certificate list. 


I use an instant setup with two 535 and two 225 running 8.6.0.16. 

Many thanks in advance
/Peo

------------------------------
Per-Olov Sj�holm
------------------------------

Hi

Yes. I have set it up now... I waited for my last 535 (delayed 5 months...). So now I removed the last 225 AP, so I only have 535:s and one 505. After removing the 225 I upgraded from 8.6 to 8.10.0.2 as I was no longer bond to 8.6. After this I went on for DTLS... I first checked the NTP was set up properly and double checked the time in each AP ( I only have 6). After that I enabled DTLS.

I cannot say I have noted anything negative at all. And nothing  noted on performance. I *guess* the CPU usage for the encrypted control traffic between the AP:s is very low. I should have enabled DTLS for security reasons years ago... But now it is enabled, and with no negative impact at all. *Maybe* you could see some performance impact if you have weaker hardware than my 535:s. But I guess from me would be that you won't notice this even with weaker hardware. Maybe any Aruba expert could make a statement on this.

I think I have read though, that there are new things to make notes of when adding/joining new APs to a cluster when DTLS is enabled. Maybe there are more things to make notes of as well.  If so, I will probably run into that at some point :)


However... I would appreciate if any Aruba guy could post here and tell if there is a reason DTLS is not enable by default? As it increases security and seems to have no impact, why isn't it on by default?

//Peo​​​
Original Message:
Sent: Aug 15, 2022 03:48 PM
From: Derrick Mertz
Subject: Enable DTLS IAP cluster security

@pos42 - Did you set this up, and if so, did you determine if there's any noteworthy overhead or impact on performance after enabling DTLS?
Original Message:
Sent: Feb 10, 2022 02:56 PM
From: Per-Olov Sj�holm
Subject: Enable DTLS IAP cluster security

Hi

If anyone is sitting with some good knowledge about this I would  appreciate a statement very much.

Q1
Are there any technical drawbacks or any other thing that could cause head ace by enabling DTLS cluster security ? Asking as I think this otherwise would default be on instead of default off.  Performance? Any features that cannot be used if enabled?

Q2
What certificate does it use for the encryption? The built in device certificate that has 10 year lifetime and ends year 2032? Just want to know if I by enabling DTLS will have to to any additional task with regular intervals to not break my IAP cluster encryption. Like for example renew certificates or so... I really hope id won't use my own certificate and CA I installed for the IAP web access, which is also in the certificate list. 


I use an instant setup with two 535 and two 225 running 8.6.0.16. 

Many thanks in advance
/Peo

------------------------------
Per-Olov Sj�holm
------------------------------

Thanks for all the detail. In a sandbox environment we found that the only other setting that came up after DTLS was enabled was an option to disallow non-DTLS members, and no visible performance/load issues, but this was very limited testing. We have hundreds of 535s in production, making it's impossible to simulate a comparable test environment and so we need to gather as much info as I can before enabling DTLS, especially regarding overhead / load / performance and large swarms.

I'm trying to get more info about this from Aruba via different channels - if I'm successful I'll share it here.

Original Message:
Sent: Aug 17, 2022 07:13 AM
From: Per-Olov Sj�holm
Subject: Enable DTLS IAP cluster security

Hi

Yes. I have set it up now... I waited for my last 535 (delayed 5 months...). So now I removed the last 225 AP, so I only have 535:s and one 505. After removing the 225 I upgraded from 8.6 to 8.10.0.2 as I was no longer bond to 8.6. After this I went on for DTLS... I first checked the NTP was set up properly and double checked the time in each AP ( I only have 6). After that I enabled DTLS.

I cannot say I have noted anything negative at all. And nothing  noted on performance. I *guess* the CPU usage for the encrypted control traffic between the AP:s is very low. I should have enabled DTLS for security reasons years ago... But now it is enabled, and with no negative impact at all. *Maybe* you could see some performance impact if you have weaker hardware than my 535:s. But I guess from me would be that you won't notice this even with weaker hardware. Maybe any Aruba expert could make a statement on this.

I think I have read though, that there are new things to make notes of when adding/joining new APs to a cluster when DTLS is enabled. Maybe there are more things to make notes of as well.  If so, I will probably run into that at some point :)


However... I would appreciate if any Aruba guy could post here and tell if there is a reason DTLS is not enable by default? As it increases security and seems to have no impact, why isn't it on by default?

//Peo​​​
Original Message:
Sent: Aug 15, 2022 03:48 PM
From: Derrick Mertz
Subject: Enable DTLS IAP cluster security

@pos42 - Did you set this up, and if so, did you determine if there's any noteworthy overhead or impact on performance after enabling DTLS?
Original Message:
Sent: Feb 10, 2022 02:56 PM
From: Per-Olov Sj�holm
Subject: Enable DTLS IAP cluster security

Hi

If anyone is sitting with some good knowledge about this I would  appreciate a statement very much.

Q1
Are there any technical drawbacks or any other thing that could cause head ace by enabling DTLS cluster security ? Asking as I think this otherwise would default be on instead of default off.  Performance? Any features that cannot be used if enabled?

Q2
What certificate does it use for the encryption? The built in device certificate that has 10 year lifetime and ends year 2032? Just want to know if I by enabling DTLS will have to to any additional task with regular intervals to not break my IAP cluster encryption. Like for example renew certificates or so... I really hope id won't use my own certificate and CA I installed for the IAP web access, which is also in the certificate list. 


I use an instant setup with two 535 and two 225 running 8.6.0.16. 

Many thanks in advance
/Peo

------------------------------
Per-Olov Sj�holm
------------------------------

@pos42 - No luck - their support tell me they have no documented data, only that it works fine in clusters up to 128 and is recommended to be enabled in best practice guidelines.​​
Original Message:
Sent: Aug 17, 2022 11:26 AM
From: Derrick Mertz
Subject: Enable DTLS IAP cluster security

Thanks for all the detail. In a sandbox environment we found that the only other setting that came up after DTLS was enabled was an option to disallow non-DTLS members, and no visible performance/load issues, but this was very limited testing. We have hundreds of 535s in production, making it's impossible to simulate a comparable test environment and so we need to gather as much info as I can before enabling DTLS, especially regarding overhead / load / performance and large swarms.

I'm trying to get more info about this from Aruba via different channels - if I'm successful I'll share it here.

Original Message:
Sent: Aug 17, 2022 07:13 AM
From: Per-Olov Sj�holm
Subject: Enable DTLS IAP cluster security

Hi

Yes. I have set it up now... I waited for my last 535 (delayed 5 months...). So now I removed the last 225 AP, so I only have 535:s and one 505. After removing the 225 I upgraded from 8.6 to 8.10.0.2 as I was no longer bond to 8.6. After this I went on for DTLS... I first checked the NTP was set up properly and double checked the time in each AP ( I only have 6). After that I enabled DTLS.

I cannot say I have noted anything negative at all. And nothing  noted on performance. I *guess* the CPU usage for the encrypted control traffic between the AP:s is very low. I should have enabled DTLS for security reasons years ago... But now it is enabled, and with no negative impact at all. *Maybe* you could see some performance impact if you have weaker hardware than my 535:s. But I guess from me would be that you won't notice this even with weaker hardware. Maybe any Aruba expert could make a statement on this.

I think I have read though, that there are new things to make notes of when adding/joining new APs to a cluster when DTLS is enabled. Maybe there are more things to make notes of as well.  If so, I will probably run into that at some point :)


However... I would appreciate if any Aruba guy could post here and tell if there is a reason DTLS is not enable by default? As it increases security and seems to have no impact, why isn't it on by default?

//Peo​​​
Original Message:
Sent: Aug 15, 2022 03:48 PM
From: Derrick Mertz
Subject: Enable DTLS IAP cluster security

@pos42 - Did you set this up, and if so, did you determine if there's any noteworthy overhead or impact on performance after enabling DTLS?
Original Message:
Sent: Feb 10, 2022 02:56 PM
From: Per-Olov Sj�holm
Subject: Enable DTLS IAP cluster security

Hi

If anyone is sitting with some good knowledge about this I would  appreciate a statement very much.

Q1
Are there any technical drawbacks or any other thing that could cause head ace by enabling DTLS cluster security ? Asking as I think this otherwise would default be on instead of default off.  Performance? Any features that cannot be used if enabled?

Q2
What certificate does it use for the encryption? The built in device certificate that has 10 year lifetime and ends year 2032? Just want to know if I by enabling DTLS will have to to any additional task with regular intervals to not break my IAP cluster encryption. Like for example renew certificates or so... I really hope id won't use my own certificate and CA I installed for the IAP web access, which is also in the certificate list. 


I use an instant setup with two 535 and two 225 running 8.6.0.16. 

Many thanks in advance
/Peo

------------------------------
Per-Olov Sj�holm
------------------------------