
RE: Ipsec load balancing devices - UDP-ESP impact



Alteon (now Nortel) devices perform NAT and NAPT, but not in default
configurations.  They also have a "VPN Load-Balancing" solution to load
balance your VPN Gateways - it does keep some kind of state, specifically
how I'm not sure.



-----Original Message-----
From: William Dixon [mailto:wdixon@windows.microsoft.com]
Sent: Thursday, August 23, 2001 8:11 PM
To: jshukla; ipsec@lists.tislabs.com; Ari Huttunen
Subject: Ipsec load balancing devices - UDP-ESP impact


Jayant, I've checked around on the popular load balancing product web
sites.  But the details are often not available, or buried in technical docs
that require a customer account to access.

Does anyone know of any products that do NAT or "VLAN" translation and
specifically provide mapping support for IPSec "sessions", that is,
devices that aren't already IPSec gateways and terminating IPSec before
they do NAT ?

I'd like to know if they do something more than maintain source IP-based
mappings, like cookie-pair-SPI tracking or something.

In any case, combining IKE & ESP in the same UDP port 500 encapsulation
makes the task easier by having to track only one UDP src/dst pair - vs.
IPSec ESP inbound and outbound SPIs, in addition to the IKE traffic, or
in addition to another critically related UDP src/dst port pair carrying
ESP.

Wm
William Dixon
Program Manager - Network Security, IPSec
Windows Networking
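
As an added illustration of the point above about tracking one UDP src/dst pair versus separate inbound and outbound ESP SPIs plus IKE (example code written for this archive page, not part of any list message or product): the script below models the affinity table a sticky load balancer in front of several VPN gateways would have to keep for one remote peer. The addresses, gateway names, SPI values and the hash-based gateway choice are all constructed for the demonstration.

```python
"""Affinity state a load balancer in front of IPsec gateways must keep.

Constructed example: compares how many table entries one remote peer
costs when IKE and ESP travel separately (IKE on UDP/500 plus raw ESP
with a distinct SPI per direction) versus when both ride one UDP
port pair.  Addresses, gateway names and SPIs are made up.
"""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Tuple

ESP, UDP = 50, 17  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int = 0   # UDP only
    dst_port: int = 0   # UDP only
    spi: int = 0        # ESP only; inbound and outbound SPIs are unrelated


def affinity_key(pkt: Packet) -> Tuple:
    """The key a balancer can derive from the packet alone, without
    decrypting anything.  UDP keys are made direction-independent by
    sorting the two (ip, port) endpoints, so a reply hits the same entry."""
    if pkt.proto == UDP:
        ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
        return ("udp", *ends[0], *ends[1])
    if pkt.proto == ESP:
        # No ports to pair with, and the peer's SPI choice cannot be
        # predicted from ours, so each direction is its own entry.
        return ("esp", pkt.spi)
    raise ValueError(f"unsupported protocol {pkt.proto}")


class StickyBalancer:
    """Maps every new affinity key to a gateway by hashing it, then pins
    the choice so later packets with the same key reuse it."""

    def __init__(self, gateways: List[str]):
        self.gateways = list(gateways)
        self.table: Dict[Tuple, str] = {}

    def route(self, pkt: Packet) -> str:
        key = affinity_key(pkt)
        if key not in self.table:
            digest = sha256(repr(key).encode()).hexdigest()
            self.table[key] = self.gateways[int(digest, 16) % len(self.gateways)]
        return self.table[key]

    def pin(self, pkt: Packet, gateway: str) -> None:
        """What 'cookie-pair / SPI tracking' would have to do: pre-load the
        entry for an ESP SPI negotiated inside an IKE session so it lands
        on that session's gateway instead of being hashed independently."""
        self.table[affinity_key(pkt)] = gateway


def session_entries(packets: List[Packet], gateways: List[str]) -> Tuple[int, int]:
    """Run one peer's packets through a fresh balancer; return
    (number of table entries created, number of distinct gateways chosen)."""
    lb = StickyBalancer(gateways)
    chosen = {lb.route(p) for p in packets}
    return len(lb.table), len(chosen)


# Constructed traffic for one remote peer talking to a gateway VIP.
PEER, VIP = "198.51.100.7", "203.0.113.1"
GATEWAYS = ["gw-a", "gw-b", "gw-c"]

# Separate IKE and raw ESP: IKE on UDP/500, ESP proto 50, one SPI per direction.
SEPARATE = [
    Packet(PEER, VIP, UDP, 500, 500),            # IKE, peer -> VIP
    Packet(VIP, PEER, UDP, 500, 500),            # IKE reply
    Packet(PEER, VIP, ESP, spi=0x11111111),      # ESP towards the gateway
    Packet(VIP, PEER, ESP, spi=0x22222222),      # ESP back out, unrelated SPI
]

# Everything on one UDP port pair (IKE and ESP both UDP-encapsulated).
SINGLE_PORT = [
    Packet(PEER, VIP, UDP, 500, 500),            # IKE
    Packet(VIP, PEER, UDP, 500, 500),            # IKE reply
    Packet(PEER, VIP, UDP, 500, 500),            # UDP-encapsulated ESP
    Packet(VIP, PEER, UDP, 500, 500),            # UDP-encapsulated ESP reply
]

if __name__ == "__main__":
    print("separate IKE + raw ESP :", session_entries(SEPARATE, GATEWAYS))
    print("single UDP port pair   :", session_entries(SINGLE_PORT, GATEWAYS))
```

With IKE and ESP carried separately the peer costs three independent entries (the IKE pair and one per ESP SPI), and nothing in the packets ties the two SPI entries to the IKE entry, so only a `pin` step fed by something that understands the IKE exchange, or a coarser source-IP-only rule, keeps them on the same gateway. With a single UDP port pair the whole session collapses to one symmetric entry.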

-----Original Message-----
From: jshukla [mailto:jshukla@earthlink.net] 
Sent: Saturday, August 18, 2001 5:10 PM
To: ipsec@lists.tislabs.com; Ari Huttunen
Subject: Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits
of , i-cookie=0



----- Original Message -----
From: "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
>
> At the Helsinki bakeoff there were seven implementations of the latest
> drafts, including us. Additional three had implementations of some earlier
> draft. This would be a good time for someone to provide really solid
> arguments against using just one port, if such arguments exist. Like,
> statistical calculations of actual overhead. The firewall-argument
> doesn't cut it, it

Have you guys considered how network-based load-balancing
will work in your approach? This is a general question regarding your
approach; not using the IKE port for ESP will not exactly help.

regards,
Jayant

