> > @Dan, are you thinking that secured intra-cluster communication needs to
> > be deprecated as a whole?
>
> Exactly. We shouldn't be left with "partially secure" intra-cluster
> communication, where some stuff goes over TLS and some is plain text.
> Setting ssl-enabled-components=cluster without setting
> security-udp-dhalgo is like locking your door but leaving the window open.
>
> Our algorithm provides only message privacy whereas DTLS provides privacy,
> tamper-resistance, and message forgery protection

I'm not sure that this is true. If you have identified specific vulnerabilities with geode's UDP encryption they should be reported on priv...@geode.apache.org and not dev@geode.apache.org and let's discuss it there.

That said, I'd love to see us move towards using a more standard protocol like DTLS.

-Dan