Many organizations use a Service Mesh to secure traffic between apps. This may use Mutual TLS, with a proxy terminating connections on behalf of apps. mTLS starts with a handshake to authenticate endpoint identities, and exchange certificates for subsequent traffic encryption. When encryption is needed but app authentication is not, approaches like WireGuard or IPSec may be more suitable. What about scenarios where authentication is important but encryption adds too much latency? With demos to make concepts concrete, let’s dive into Cilium's approach to authentication and encryption, and the differences between mTLS and in-kernel alternatives.
- Explore the mTLS handshake step-by-step
- Contrast with transparent encryption using node identities
- Understand where encryption takes place in different models
- Discuss options for encrypting L7 protocols other than HTTP
With a clear picture of how authentication and encryption work, you’ll be better able to assess which approach best meets your needs.