Commit ea90b8f

quotation marks
1 parent a27283b commit ea90b8f

7 files changed

+17
-17
lines changed

src/content/partials/magic-transit/static-routes/static-routes1.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ params:
88

99
import { GlossaryTooltip, Markdown } from "~/components";
1010

11-
{props.productName} uses a static configuration to route your traffic through <GlossaryTooltip term="anycast" link={props.anycastURL}>anycast tunnels</GlossaryTooltip> from Cloudflares global network to your locations.
11+
{props.productName} uses a static configuration to route your traffic through <GlossaryTooltip term="anycast" link={props.anycastURL}>anycast tunnels</GlossaryTooltip> from Cloudflare's global network to your locations.
1212

1313
You must assign a route priority to each tunnel–subnet pair in your configuration, as follows:
1414

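Review bot: The commit title "quotation marks" does not describe this hunk or the rest of the commit, where every change is a possessive apostrophe (Cloudflare's, interface's, router's); a title such as "add missing apostrophes" would make the history searchable. The changed line itself is correct, and the straight ASCII apostrophe matches the rest of the partial.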
src/content/partials/magic-transit/traffic-steering.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ Using ECMP has a number of consequences:
5151
As a result, ECMP provides load balancing across tunnels with the same prefix and priority.
5252

5353
:::note[Note:]
54-
Packets in the same flow use the same tunnel unless the tunnel priority changes. Packets for different flows can use different tunnels depending on which tunnel the flows 4-tuple – source and destination IP and source and destination port – hash to.
54+
Packets in the same flow use the same tunnel unless the tunnel priority changes. Packets for different flows can use different tunnels depending on which tunnel the flow's 4-tuple – source and destination IP and source and destination port – hash to.
5555
:::
5656

5757
### Examples
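Review bot: Subject and verb disagree in the unchanged tail of line 54: the subject is the singular "4-tuple", so "hash to" should read "hashes to". Style point in the same line: the parenthetical uses spaced en dashes (`– source and destination IP and source and destination port –`) while anti-replay-protection.mdx line 33 in this same commit uses em dashes; since this is a punctuation pass, settle on one dash style for the partials, or simply use parentheses here.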

src/content/partials/magic-transit/tunnel-endpoints/add-tunnels.mdx

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -24,8 +24,8 @@ import { Details, Markdown, Render, TabItem, Tabs } from "~/components";
2424

2525
5. In **Name**, give your tunnel a descriptive name. This name must be unique, must not contain spaces or special characters, and must be 15 or fewer characters. Hover the mouse over `i` in the dashboard for more information.
2626
6. Give your tunnel a description in **Description**. You do not have character restrictions here.
27-
7. In **Interface address**, enter the internal IP address for your tunnel along with the interfaces prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space.
28-
8. In **Customer GRE endpoint**, enter your routers public IP address. This value is not needed if you intend to use a physical or virtual connection like Cloudflare Network Interconnect because Cloudflare will provide it.
27+
7. In **Interface address**, enter the internal IP address for your tunnel along with the interface's prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space.
28+
8. In **Customer GRE endpoint**, enter your router's public IP address. This value is not needed if you intend to use a physical or virtual connection like Cloudflare Network Interconnect because Cloudflare will provide it.
2929
9. In **Cloudflare GRE endpoint**, enter the anycast address you received from your account team.
3030
10. Leave the default values for **TTL** and **MTU**.
3131
11. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks, your tunnels will appear 100% down in your <a href={props.tunnelHealthDash}>tunnel health dashboard</a> even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to <a href={props.productPathProbe}>Tunnel health checks</a> for more information.
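Review bot: Steps 5 to 7 here (lines 25 to 27) are the same text as lines 44 to 46 in the IPsec hunk below, which is why this apostrophe fix had to be made twice; consider moving the shared steps into a partial rendered with `<Render>` (the file already imports `Render` from `~/components`) so the next wording fix lands once. The changed lines themselves are correct.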
@@ -43,8 +43,8 @@ import { Details, Markdown, Render, TabItem, Tabs } from "~/components";
4343

4444
5. In **Name**, give your tunnel a descriptive name. This name must be unique, must not contain spaces or special characters, and must be 15 or fewer characters. Hover the mouse over `i` in the dashboard for more information.
4545
6. Give your tunnel a description in **Description**. You do not have character restrictions here.
46-
7. In **Interface address**, enter the internal IP address for your tunnel along with the interfaces prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space.
47-
8. In **Customer endpoint**, enter your routers public IP address. This value is only required if your router is using an IKE ID of type `ID_IPV4_ADDR`.
46+
7. In **Interface address**, enter the internal IP address for your tunnel along with the interface's prefix length (either `/31` or `/30`). This is used to route traffic through the tunnel on the Cloudflare side. We recommend using an RFC1918 address scheme with a `/31` netmask, as it provides the most efficient use of IP address space.
47+
8. In **Customer endpoint**, enter your router's public IP address. This value is only required if your router is using an IKE ID of type `ID_IPV4_ADDR`.
4848
9. In **Cloudflare endpoint**, enter the anycast address you received from your account team.
4949
10. _(Optional)_ **Tunnel health checks** are enabled by default. If you disable Tunnel health checks,, your tunnels will appear 100% down in your <a href={props.tunnelHealthDash}>tunnel health dashboard</a> even when working. Cloudflare will keep sending traffic through the tunnel, without the means to detect if the tunnel goes down. You will have to set up your own system to detect down tunnels, as Cloudflare will not be able to warn you about down tunnels. Refer to <a href={props.productPathProbe}>Tunnel health checks</a> for more information.
5050
11. _(Optional)_ If you keep **Tunnel health checks** enabled, choose the <a href={props.healthCheck}>**Health check rate**</a> for your tunnel. Available options are _Low_, _Medium_ and _High_.
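Review bot: Unchanged context line 49 has a doubled comma: "If you disable Tunnel health checks,, your tunnels will appear 100% down". The GRE copy of the same sentence at line 30 in the previous hunk has a single comma; since this commit is a punctuation pass, fix it here as well.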
@@ -190,7 +190,7 @@ https://api.cloudflare.com/client/v4/accounts/{account_id}/magic/ipsec_tunnels/{
190190
}
191191
```
192192

193-
3. Use the above `psk` value to configure the IPsec tunnel on your equipment. You do not need to take further action to use the PSK on Cloudflares side, as this value is automatically set.
193+
3. Use the above `psk` value to configure the IPsec tunnel on your equipment. You do not need to take further action to use the PSK on Cloudflare's side, as this value is automatically set.
194194

195195
</Details>
196196

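Review bot: Documentation gap on line 193: the step tells the reader to copy the `psk` value into their equipment but says nothing about handling it. A pre-shared key is a credential, so one sentence saying it belongs in the device's secret store or credential manager rather than in tickets, chat, or version-controlled configuration, and that it should be rotated by repeating the step that produced it if it is ever exposed, would be worth adding here.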
src/content/partials/magic-transit/tunnel-endpoints/anti-replay.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,6 @@ params:
66

77
import { GlossaryTooltip, Markdown } from "~/components";
88

9-
If you use {props.productName} and <GlossaryTooltip term="anycast">anycast</GlossaryTooltip> IPsec tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflares side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway.
9+
If you use {props.productName} and <GlossaryTooltip term="anycast">anycast</GlossaryTooltip> IPsec tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflare's side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway.
1010

1111
Refer to <a href={props.antiReplayPagePath}>Anti-replay protection</a> for more information on this topic, or [Add IPsec tunnels](#add-tunnels) below to learn how to enable this feature.
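Review bot: Line 9 is the same paragraph as line 9 of src/content/partials/magic-wan/anti-replay-protection.mdx in this commit, differing only in the `IPsec tunnel` GlossaryTooltip, so the apostrophe fix had to be applied in both places; consider having one partial render the other, or pass the tooltip as a prop, so the two copies cannot drift. Separately, "it can be enabled" refers to Cloudflare's side while "disabling it" refers to the device's side; spelling out "enabled on Cloudflare's side for devices that do not support disabling it on their side" removes the ambiguity.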

src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-mt-network-analytics.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,6 @@
55

66
## Network Analytics
77

8-
Cloudflares Network Analytics provides near real-time visibility into network and transport layer traffic patterns and DDoS attacks which can help troubleshoot IP traffic issues. You can also use Network Analytics to view information about the traffic that leaves Cloudflares global network by reviewing ingress and egress tunnel traffic over a specific amount of time.
8+
Cloudflare's Network Analytics provides near real-time visibility into network and transport layer traffic patterns and DDoS attacks which can help troubleshoot IP traffic issues. You can also use Network Analytics to view information about the traffic that leaves Cloudflare's global network by reviewing ingress and egress tunnel traffic over a specific amount of time.
99

1010
For more information, refer to [Analytics](/magic-transit/analytics/).
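Review bot: Line 8 says Network Analytics shows "traffic that leaves Cloudflare's global network by reviewing ingress and egress tunnel traffic"; ingress traffic enters the network rather than leaves it, so "traffic that enters and leaves Cloudflare's global network" matches the second half of the sentence. A comma before "which can help troubleshoot IP traffic issues" would also help, since that clause modifies the whole visibility statement rather than "DDoS attacks".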

src/content/partials/magic-transit/tunnels-reference/tunnels-encapsulation-opening.mdx

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -210,8 +210,8 @@ The Child SA. Sometimes referred to as Phase 2 as per IKEv1 language.
210210

211211
Additionally, the IKE ID type of `ID_IPV4_ADDR` is supported if the following two conditions are met:
212212

213-
1. The IPsec tunnels `customer_endpoint` value is set.
214-
2. The combination of `cloudflare_endpoint` and `customer_endpoint` is unique among the customers IPsec tunnels.
213+
1. The IPsec tunnel's `customer_endpoint` value is set.
214+
2. The combination of `cloudflare_endpoint` and `customer_endpoint` is unique among the customer's IPsec tunnels.
215215

216216
:::caution
217217
Make sure each IPsec tunnel has a unique combination of a <a href={props.tunnelEndpoints}>Cloudflare endpoint and customer endpoint</a>. If this combination is not unique among your IPsec tunnels, you should use one of the custom IKE formats (`ID_RFC822_ADDR`, `ID_FQDN`, or `ID_KEY_ID`) to specify the tunnel ID and account ID. This helps Cloudflare link the IKE packet to the right IPsec tunnel for tasks like authentication.
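Review bot: Condition 2 on line 214 ("unique among the customer's IPsec tunnels") and the caution on line 217 state the same uniqueness requirement; have the caution either link back to the list or say that it restates condition 2, so a reader does not take them as two separate rules. The apostrophe changes are correct.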

src/content/partials/magic-wan/anti-replay-protection.mdx

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ params:
66

77
import { GlossaryTooltip, Markdown } from "~/components";
88

9-
If you use {props.productName} and <GlossaryTooltip term="anycast">anycast</GlossaryTooltip> <GlossaryTooltip term="IPsec tunnel">IPsec</GlossaryTooltip> tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflares side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway.
9+
If you use {props.productName} and <GlossaryTooltip term="anycast">anycast</GlossaryTooltip> <GlossaryTooltip term="IPsec tunnel">IPsec</GlossaryTooltip> tunnels, we recommend disabling anti-replay protection. This setting is disabled on Cloudflare's side by default. However, it can be enabled via the API or the Cloudflare dashboard for devices that do not support disabling it, including Cisco Meraki, Velocloud, and AWS VPN Gateway.
1010

1111
Refer to <a href={props.productPath}>Add tunnels</a> to learn how to set up replay protection. Review the information below to learn about replay attacks, why we recommend disabling IPsec anti-replay, and related considerations.
1212

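Review bot: Line 11, unchanged in this hunk, says "Refer to Add tunnels to learn how to set up replay protection" directly after line 9 recommends disabling it; "to learn how to enable or disable replay protection" matches both the recommendation and the sentence that follows ("why we recommend disabling IPsec anti-replay").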
@@ -16,9 +16,9 @@ Replay attacks occur when a malicious actor intercepts and records a packet, and
1616

1717
### Example
1818

19-
For example, consider a poorly designed IOT garage door opener. The device has a simple protocol for operation: A UDP packet contains the garage door password and either `open` or `shut` in its data segment. The data segment is then encrypted with the garage doors key and sent from the owners phone to either open or close the garage door.
19+
For example, consider a poorly designed IOT garage door opener. The device has a simple protocol for operation: A UDP packet contains the garage door password and either `open` or `shut` in its data segment. The data segment is then encrypted with the garage door's key and sent from the owner's phone to either open or close the garage door.
2020

21-
An attacker likely cannot open or close the garage door by guessing the encryption key and password. While the attacker cannot see the recorded packets encrypted content, if the garage is in their line-of-sight, they could potentially correlate and guess which packets are responsible for opening the garage door. When the attacker wants to open the door, they send the recorded `open` packet, and because the recorded packet would contain the password and already be encrypted with the right key, this door would open.
21+
An attacker likely cannot open or close the garage door by guessing the encryption key and password. While the attacker cannot see the recorded packet's encrypted content, if the garage is in their line-of-sight, they could potentially correlate and guess which packets are responsible for opening the garage door. When the attacker wants to open the door, they send the recorded `open` packet, and because the recorded packet would contain the password and already be encrypted with the right key, this door would open.
2222

2323
To prevent this replay attack, a user could add a packet number to each command sent to the garage door. The first could be `packet 1`, the second `packet 2` and so on, and the garage door would only accept packets containing the next number in the sequence each time. For example, after the garage door receives `packet 1`, it would only accept packet 2, and if an attacker tries to replay `packet 1`, the request is ignored.
2424

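Review bot: Line 19, touched by this hunk, spells the acronym "IOT"; the standard form is "IoT". Two smaller points in the same region: line 23 puts `packet 1` in backticks but "packet 2" in the following clause is bare, and the mitigation on line 23 only works if the packet number sits inside the encrypted and integrity-protected data segment next to the password; a clause saying so keeps the example consistent with how IPsec protects its own sequence number.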
@@ -28,9 +28,9 @@ IPsec anti-replay protection works similarly to the prevention example in the sc
2828

2929
## {props.productName} and anti-replay protection
3030

31-
Cloudflares global anycast network consists of thousands of servers in hundreds of data centers around the world. Similar to Cloudflares anycast <GlossaryTooltip term="GRE tunnel">GRE</GlossaryTooltip> tunnel implementation, Cloudflares IPsec implementation is also anycast, which enables users to enjoy all the benefits of Cloudflares anycast network architecture. These benefits include unparalleled performance and low latency, greatly simplified configuration and management, and native network resiliency with automatic failover. By default, any packet for {props.productName} may go through any one of these servers where it will be encrypted and encapsulated with IPsec and sent to our users router.
31+
Cloudflare's global anycast network consists of thousands of servers in hundreds of data centers around the world. Similar to Cloudflare's anycast <GlossaryTooltip term="GRE tunnel">GRE</GlossaryTooltip> tunnel implementation, Cloudflare's IPsec implementation is also anycast, which enables users to enjoy all the benefits of Cloudflare's anycast network architecture. These benefits include unparalleled performance and low latency, greatly simplified configuration and management, and native network resiliency with automatic failover. By default, any packet for {props.productName} may go through any one of these servers where it will be encrypted and encapsulated with IPsec and sent to our user's router.
3232

33-
IPsec anti-replay protection was not designed for such a distributed scenario — the protection scheme is designed for a single sender and single receiver. For a single sender, keeping track of the sequence number is trivial, and the sequence number is stored in memory and incremented for every packet sent. If replay protection is enabled for {props.productName} IPsec tunnels, packets for a single tunnel are routed to one server that keeps track of the sequence number. This means the replay protection mechanism will work correctly, but users lose the benefits of automatically distributing traffic across Cloudflares global servers. It also will only be actioned in one direction (Cloudflare to customer network) — packets from the customer network to Cloudflare will not be routed to a single server, and will not have replay protection applied.
33+
IPsec anti-replay protection was not designed for such a distributed scenario — the protection scheme is designed for a single sender and single receiver. For a single sender, keeping track of the sequence number is trivial, and the sequence number is stored in memory and incremented for every packet sent. If replay protection is enabled for {props.productName} IPsec tunnels, packets for a single tunnel are routed to one server that keeps track of the sequence number. This means the replay protection mechanism will work correctly, but users lose the benefits of automatically distributing traffic across Cloudflare's global servers. It also will only be actioned in one direction (Cloudflare to customer network) — packets from the customer network to Cloudflare will not be routed to a single server, and will not have replay protection applied.
3434

3535
## ​​Additional considerations
3636

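Review bot: The unchanged heading on line 35, `## ​​Additional considerations`, carries invisible zero-width characters before "Additional" (they survive in this hunk's context); they end up in the generated heading anchor and break in-page links, so strip them while touching this file. On line 33, "actioned in one direction" is unusual wording; "applied in one direction" says the same thing plainly.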
@@ -42,4 +42,4 @@ There are several reasons that make replay attacks difficult with tunnel mode:
4242
- Replay attacks are only viable when the same encryption keys are used. After rekeying, old replayed packets will result in dropped packets at the router.
4343
- Most protocols are not susceptible to replay at the packet level. The Internet can duplicate packets, which means TCP and many protocols built on UDP already include sequence numbers or similar to handle duplicate packets coming off the wire. For those, the replay traffic just looks like a duplicate packet and is handled by the end host correctly.
4444
- Anti-replay protection is available in a higher OSI layer. Many modern day applications use secure communication protocols such as SSL/TLS, SSH, or SFTP to transport application data. These secure communication protocols (at a higher OSI layer than network layer) natively support anti-replay protection.
45-
- The attack surface is reduced which lowers the probability for packet interception. IPsec tunnels are site-to-site VPN tunnels between a users site router and Cloudflares global network, via dedicated ISP network connections, which are typically very secure. Additionally, the anycast nature of Cloudflares IPsec implementation terminates the IPsec tunnel to one of the more than 300 Cloudflare data centers closest to the customers edge router, which minimizes the physical distance and footprint the encrypted packets have to traverse.
45+
- The attack surface is reduced which lowers the probability for packet interception. IPsec tunnels are site-to-site VPN tunnels between a user's site router and Cloudflare's global network, via dedicated ISP network connections, which are typically very secure. Additionally, the anycast nature of Cloudflare's IPsec implementation terminates the IPsec tunnel to one of the more than 300 Cloudflare data centers closest to the customer's edge router, which minimizes the physical distance and footprint the encrypted packets have to traverse.
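Review bot: "via dedicated ISP network connections, which are typically very secure" on line 45 is an unsupported claim that readers may read as a guarantee; the defensible point in the same bullet is the short physical path between the customer's edge router and the nearest of the more than 300 data centers, so either drop "typically very secure" or narrow it to what it means, that the encrypted packets traverse only the ISP path between the site and that data center. Minor: a comma after "reduced" in "The attack surface is reduced which lowers".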
