
Re: Ipsec load balancing devices - UDP-ESP impact



  Actually you're not. There's another vendor out there that does
dynamic load balancing and active session failover of IPsec and IKE SAs--
fully meshed if so configured-- as well as PPTP and L2TP tunnels and BGP, 
OSPF, and RIP. (It was a great day when I failed the box that was currently
assigned the workload of sucking down a full Internet routing table via
BGP and watched the entire session-- including all the routing state and
the TCP state-- fail over to another node without a hitch). It's subsecond
failover too and beat the crap out of the competition in a trade rag's
head-to-head comparison. And it's not just between "2 active devices";
the size of the cluster can be 2, 3, 4 or more, and adding nodes gives you
a non-linear increase in performance (that eventually tapers off).

  This vendor has had this capability for around three years. I won't
mention who it is because for some strange reason they don't advertise
this expertise. 

  Dan.

On Fri, 24 Aug 2001 09:54:51 PDT you wrote
> It doesn't support fail-over, unless you're using something like our device
> which maintains "state" between two active vpn gateways. As far as I know
> we're the only vendors doing this: Fully Meshed, Active Active with
> session&sa mirroring between 2 active devices for stateful failover.
> 
> -----Original Message-----
> From: jshukla [mailto:jshukla@earthlink.net]
> Sent: Friday, August 24, 2001 9:21 AM
> To: Jay Ratford; 'William Dixon'; ipsec@lists.tislabs.com; Ari Huttunen
> Subject: Re: Ipsec load balancing devices - UDP-ESP impact
> 
> 
> how does the load balancing work when one of
> the VPN gateways dies?
> 
> regards,
> Jayant
> 
> ----- Original Message -----
> From: "Jay Ratford" <Jratford@netscreen.com>
> To: "'William Dixon'" <wdixon@windows.microsoft.com>; "jshukla"
> <jshukla@earthlink.net>; <ipsec@lists.tislabs.com>; "Ari Huttunen"
> <Ari.Huttunen@F-Secure.com>
> Sent: Friday, August 24, 2001 8:32 AM
> Subject: RE: Ipsec load balancing devices - UDP-ESP impact
> 
> 
> > Alteon (now Nortel) devices perform NAT and NAPT, but not in default
> > configurations.  They also have a "VPN Load-Balancing" solution to load
> > balance your VPN Gateways - It does keep some kind of state, specifically
> > how I'm not sure.
> >
> >
> >
> > -----Original Message-----
> > From: William Dixon [mailto:wdixon@windows.microsoft.com]
> > Sent: Thursday, August 23, 2001 8:11 PM
> > To: jshukla; ipsec@lists.tislabs.com; Ari Huttunen
> > Subject: Ipsec load balancing devices - UDP-ESP impact
> >
> >
> > Jayant, I've checked around on the popular load balancing product web
> > sites.  But the details are often not avail, or buried in technical docs
> > that require a customer account to access.
> >
> > Does anyone know of any products that do NAT or "VLAN" translation and
> > specifically provide mapping support for IPSec "sessions", that is,
> > devices that aren't already IPSec gateways and terminating IPSec before
> > they do NAT ?
> >
> > I'd like to know if they do something more than maintain source IP-based
> > mappings, like cookie-pair-SPI tracking or something.
> >
> > In any case, combining IKE & ESP in the same UDP port 500 encapsulation
> > makes the task easier by having to track only one UDP src/dst pair - vs.
> > IPSec ESP inbound and outbound SPIs, in addition to the IKE traffic, or
> > in addition to another critically related UDP src/dst port pair carrying
> > ESP.
> >
> > Wm
> > William Dixon
> > Program Manager - Network Security, IPSec
> > Windows Networking
> >
> > -----Original Message-----
> > From: jshukla [mailto:jshukla@earthlink.net]
> > Sent: Saturday, August 18, 2001 5:10 PM
> > To: ipsec@lists.tislabs.com; Ari Huttunen
> > Subject: Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits
> > of , i-cookie=0
> >
> >
> >
> > ----- Original Message -----
> > From: "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
> > >
> > > At the Helsinki bakeoff there were seven implementations of the latest
> > drafts,
> > > including us. Additional three had implementations of some earlier
> > > draft. This would be a good time for someone to provide really solid
> > > arguments against using just one port, if such arguments exist. Like,
> > > statistical calculations of actual overhead. The firewall-argument
> > > doesn't cut it, it
> >
> > Have you guys considered how network based load-balancing
> > will work in your approach? This is a general question regarding your
> > approach, not using IKE port for ESP will not exactly help.
> >
> > regards,
> > Jayant
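
The trade-off Dixon describes in the quoted message (one UDP src/dst pair to track, versus IKE plus an inbound and an outbound ESP SPI) is easy to see in a toy flow table. The following is an added example and is not code from this thread or from any vendor mentioned in it: the two-gateway cluster, the addresses, ports, SPIs and the `pick_backend` hashing are all constructed, and the IKE/ESP demux follows the zero-marker scheme of the UDP encapsulation drafts (later RFC 3948), where an IKE initiator cookie is never zero, so a zero first word marks IKE and a non-zero one is an ESP SPI.

```python
import struct
import zlib
from dataclasses import dataclass

GW_VIP = "203.0.113.1"       # constructed: address the cluster answers on
BACKENDS = ["gw-a", "gw-b"]  # constructed: two IPsec gateways behind it


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "udp" or "esp" (IP protocol 50)
    sport: int = 0        # UDP only
    dport: int = 0        # UDP only
    payload: bytes = b""  # UDP payload, or the ESP header for proto == "esp"


def classify_udp_encap(payload: bytes) -> str:
    """Demux IKE from ESP on a shared UDP port: a zero first word is the
    non-ESP marker (an IKE initiator cookie is never zero), else it is an SPI."""
    if len(payload) < 4:
        raise ValueError("payload too short to carry a marker or SPI")
    (first,) = struct.unpack("!I", payload[:4])
    return "ike" if first == 0 else "esp"


def udp_key(p: Packet):
    """Direction-agnostic UDP flow key so the reply leg hits the same entry."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def pick_backend(key) -> str:
    """Deterministic stand-in for the balancer's hashing decision."""
    return BACKENDS[zlib.crc32(repr(key).encode()) % len(BACKENDS)]


class UdpEncapBalancer:
    """One entry per tunnel: IKE and ESP ride the same UDP src/dst pair."""
    def __init__(self):
        self.flows = {}

    def dispatch(self, p: Packet) -> str:
        if p.proto != "udp":
            raise ValueError("the encapsulated design sees UDP only")
        classify_udp_encap(p.payload)  # validates the marker/SPI word
        key = udp_key(p)
        return self.flows.setdefault(key, pick_backend(key))

    def entries(self) -> int:
        return len(self.flows)


class NativeIpsecBalancer:
    """Native IKE (UDP) plus ESP (protocol 50). IKE keys on the UDP pair, but
    each ESP direction carries its own SPI and nothing in an ESP packet ties
    it to the IKE exchange, so without cookie-pair/SPI tracking the only glue
    is the source-IP mapping Dixon refers to."""
    def __init__(self):
        self.ike_flows = {}    # udp_key -> backend
        self.esp_flows = {}    # (src, dst, spi) -> backend
        self.ip_affinity = {}  # peer address -> backend

    def dispatch(self, p: Packet) -> str:
        peer = p.dst if p.src == GW_VIP else p.src
        if p.proto == "udp":
            key = udp_key(p)
            backend = self.ike_flows.setdefault(key, pick_backend(key))
            self.ip_affinity.setdefault(peer, backend)
            return backend
        (spi,) = struct.unpack("!I", p.payload[:4])
        key = (p.src, p.dst, spi)
        if key not in self.esp_flows:
            # New SPI: reuse the peer's IKE affinity if known, else hash.
            self.esp_flows[key] = self.ip_affinity.get(peer, pick_backend(key))
        return self.esp_flows[key]

    def entries(self) -> int:
        return len(self.ike_flows) + len(self.esp_flows)


def simulate(client: str = "198.51.100.7") -> dict:
    """Run one tunnel's IKE and ESP, both directions, through both designs
    and report how much state each had to keep to stay on one gateway."""
    ike = b"\x00" * 4 + bytes(range(1, 29))                     # marker + fake IKE hdr
    esp_fwd = struct.pack("!II", 0x1000ABCD, 1) + b"\xaa" * 16  # SPI, seq, data
    esp_rev = struct.pack("!II", 0x2000DCBA, 1) + b"\xbb" * 16
    encap = [Packet(client, GW_VIP, "udp", 500, 500, ike),
             Packet(GW_VIP, client, "udp", 500, 500, ike),
             Packet(client, GW_VIP, "udp", 500, 500, esp_fwd),
             Packet(GW_VIP, client, "udp", 500, 500, esp_rev)]
    native = [Packet(client, GW_VIP, "udp", 500, 500, ike[4:]),
              Packet(GW_VIP, client, "udp", 500, 500, ike[4:]),
              Packet(client, GW_VIP, "esp", payload=esp_fwd),
              Packet(GW_VIP, client, "esp", payload=esp_rev)]
    a, b = UdpEncapBalancer(), NativeIpsecBalancer()
    seen_a = {a.dispatch(p) for p in encap}
    seen_b = {b.dispatch(p) for p in native}
    return {"udp_encap_entries": a.entries(), "native_entries": b.entries(),
            "udp_encap_consistent": len(seen_a) == 1,
            "native_consistent": len(seen_b) == 1}


if __name__ == "__main__":
    print(simulate())
```

With one tunnel the encapsulated design holds a single flow entry while the native design holds three (the IKE pair plus one per ESP SPI), and the native tracker only keeps all three on the same gateway because it falls back to per-peer-address affinity. That fallback is exactly the weak spot in Dixon's question: two peers behind the same NAT share an address, so the balancer cannot tell their SPIs apart without tracking the IKE cookie pair, which is why he asks whether products do anything beyond source-IP mappings.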

