Layer 6 (L6) - Network and API Security
Objective
Protect data in transit and authenticate endpoints using approved cipher suites and validated certificate paths.
Responsibilities
- Enforce TLS and optional mTLS at service and edge layers
- Control cipher suites and protocol versions
- Validate certificate chains to trusted anchors from L7
Common components
- Load balancers, API gateways, and service meshes
- SSH and IPsec for administrative and network protection
- Reverse proxies and ingress or egress controllers
Implementation guidance
- Disable insecure protocol versions and suites. Prefer AEAD suites negotiated with forward-secret key exchange
- Standardize certificate validation rules. Fail closed on policy violations
- Use hardware-backed keys where required and record SNI and policy decisions for evidence
Validation and evidence
- Gateway and mesh configurations with explicit suites and protocols
- Certificate inventories and trust store baselines
- Logs that show handshake policy decisions
Common pitfalls
- Allowing legacy suites for compatibility without compensating controls
- Accepting wildcard or self-signed certificates outside policy
- Not enforcing client authentication (mTLS) where required
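The implementation guidance and pitfalls above, worked through in Go's standard crypto/tls as an added example (not AFIPS reference code): a gateway baseline that pins TLS 1.2+, ECDHE/AEAD suites and mandatory client certificates, plus a post-handshake check that fails closed and emits the SNI-tagged decision line the evidence requirement asks for. The names approvedSuites, NewServerConfig and HandshakeDecision are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// Approved TLS 1.2 suites: ECDHE for forward secrecy, AEAD record protection only.
// TLS 1.3 suites are always ephemeral and AEAD, so Go does not let you select them.
var approvedSuites = map[uint16]bool{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   true,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:   true,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:  true,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:    true,
}

// NewServerConfig is the gateway baseline: TLS 1.2 minimum, approved suites only,
// and mTLS with client chains validated against the trust anchors handed down by L7.
func NewServerConfig(clientCAs *x509.CertPool) *tls.Config {
	suites := make([]uint16, 0, len(approvedSuites))
	for id := range approvedSuites {
		suites = append(suites, id)
	}
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: suites,
		ClientAuth:   tls.RequireAndVerifyClientCert, // fail closed without a valid client cert
		ClientCAs:    clientCAs,
	}
}

// HandshakeDecision re-checks a completed handshake against the policy, failing
// closed (so a listener whose config drifted from the baseline is still caught),
// and returns the SNI-tagged line to record as evidence.
func HandshakeDecision(cs tls.ConnectionState) (bool, string) {
	allowed, reason := true, "policy satisfied"
	switch {
	case cs.Version < tls.VersionTLS12:
		allowed, reason = false, "protocol version below TLS 1.2"
	case cs.Version == tls.VersionTLS12 && !approvedSuites[cs.CipherSuite]:
		allowed, reason = false, "suite not approved: "+tls.CipherSuiteName(cs.CipherSuite)
	case len(cs.VerifiedChains) == 0:
		allowed, reason = false, "client certificate missing or not chained to a trusted anchor"
	}
	return allowed, fmt.Sprintf("sni=%q allowed=%t reason=%q", cs.ServerName, allowed, reason)
}
```

Wire HandshakeDecision to the ConnectionState of each accepted connection (or the gateway's post-handshake hook) and ship its output to the log pipeline; the VerifiedChains check is what turns "client auth not enforced" from a silent gap into a logged rejection.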
Relationship to other AFIPS Layers
| From | To | Why this edge exists | Typical operations | Evidence |
|---|---|---|---|---|
| L7 | L6 | Distribute trust anchors and certificates | mTLS, CRLs or OCSP | Trust store baselines, issuance logs |
| L6 | L2 | Handshakes and channel protection | TLS 1.2 or 1.3 suites, ECDHE, RSA-PSS, certificate path validation | Gateway or mesh policy with suite list |