
Re: Ipsec load balancing devices - UDP-ESP impact



How does the load balancing work when one of
the VPN gateways dies?

regards,
Jayant

----- Original Message -----
From: "Jay Ratford" <Jratford@netscreen.com>
To: "'William Dixon'" <wdixon@windows.microsoft.com>; "jshukla"
<jshukla@earthlink.net>; <ipsec@lists.tislabs.com>; "Ari Huttunen"
<Ari.Huttunen@F-Secure.com>
Sent: Friday, August 24, 2001 8:32 AM
Subject: RE: Ipsec load balancing devices - UDP-ESP impact


 > Alteon (now Nortel) devices perform NAT and NAPT, but not in default
 > configurations.  They also have a "VPN Load-Balancing" solution to load
 > balance your VPN Gateways - It does keep some kind of state, specifically
 > how I'm not sure.
 >
 >
 >
 > -----Original Message-----
 > From: William Dixon [mailto:wdixon@windows.microsoft.com]
 > Sent: Thursday, August 23, 2001 8:11 PM
 > To: jshukla; ipsec@lists.tislabs.com; Ari Huttunen
 > Subject: Ipsec load balancing devices - UDP-ESP impact
 >
 >
 > Jayant, I've checked around on the popular load balancing product web
 > sites.  But the details are often not avail, or buried in technical docs
 > that require a customer account to access.
 >
 > Does anyone know of any products that do NAT or "VLAN" translation and
 > specifically provide mapping support for IPSec "sessions", that is,
 > devices that aren't already IPSec gateways and terminating IPSec before
 > they do NAT?
 >
 > I'd like to know if they do something more than maintain source IP-based
 > mappings, like cookie-pair-SPI tracking or something.
 >
 > In any case, combining IKE & ESP in the same UDP port 500 encapsulation
 > makes the task easier by having to track only one UDP src/dst pair - vs.
 > IPSec ESP inbound and outbound SPIs, in addition to the IKE traffic, or
 > in addition to another critically related UDP src/dst port pair carrying
 > ESP.
 >
 > Wm
 > William Dixon
 > Program Manager - Network Security, IPSec
 > Windows Networking
 >
 > -----Original Message-----
 > From: jshukla [mailto:jshukla@earthlink.net]
 > Sent: Saturday, August 18, 2001 5:10 PM
 > To: ipsec@lists.tislabs.com; Ari Huttunen
 > Subject: Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits
 > of , i-cookie=0
 >
 >
 >
 > ----- Original Message -----
 > From: "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
 > >
 > > At the Helsinki bakeoff there were seven implementations of the latest
 > > drafts, including us. Additional three had implementations of some earlier
 > > draft. This would be a good time for someone to provide really solid
 > > arguments against using just one port, if such arguments exist. Like,
 > > statistical calculations of actual overhead. The firewall-argument
 > > doesn't cut it, it
 >
 > Have you guys considered how network based load-balancing
 > will work in your approach? This is a general question regarding your
 > approach, not using IKE port for ESP will not exactly help.
 >
 > regards,
 > Jayant



