
RE: Ipsec load balancing devices - UDP-ESP impact



I'm aware of the CryptoCluster capabilities - great stuff.  Which is why
my original question for the thread was when the devices aren't
terminating the IPSec SAs, rather in the middle looking at a packet
stream, and doing NAT.

-----Original Message-----
From: Dan Harkins [mailto:dharkins@lounge.org] 
Sent: Friday, August 24, 2001 12:59 PM
To: Jay Ratford
Cc: 'jshukla'; William Dixon; ipsec@lists.tislabs.com; Ari Huttunen
Subject: Re: Ipsec load balancing devices - UDP-ESP impact 


  Actually you're not. There's another vendor out there that does
dynamic load balancing and active session failover of IPsec and IKE
SAs-- fully meshed if so configured-- as well as PPTP and L2TP tunnels
and BGP, 
OSPF, and RIP. (It was a great day when I failed the box who was
currently assigned the workload of sucking down a full Internet routing
table via BGP and watched the entire session-- including all the routing
state and the TCP state-- failover to another node without a hitch).
It's subsecond failover too and beat the crap out of the competition in
a trade rag's head-to-head comparison. And it's not just between "2
active devices", the size of the cluster can be 2, 3, 4 or more and
adding nodes gives you a non-linear increase in performance (that
eventually tapers off).

  This vendor has had this capability for around three years. I won't
mention who it is because for some strange reason they don't advertise
this expertise. 

  Dan.

On Fri, 24 Aug 2001 09:54:51 PDT you wrote
> It doesn't support fail-over, unless you're using something like our 
> device which maintains "state" between two active vpn gateways. As far
> as I know we're the only vendors doing this: Fully Meshed, Active 
> Active with session&sa mirroring between 2 active devices for 
> stateful failover.
> 
> -----Original Message-----
> From: jshukla [mailto:jshukla@earthlink.net]
> Sent: Friday, August 24, 2001 9:21 AM
> To: Jay Ratford; 'William Dixon'; ipsec@lists.tislabs.com; Ari 
> Huttunen
> Subject: Re: Ipsec load balancing devices - UDP-ESP impact
> 
> 
> how does the load balancing work when one of
> the VPN gateways dies?
> 
> regards,
> Jayant
> 
> ----- Original Message -----
> From: "Jay Ratford" <Jratford@netscreen.com>
> To: "'William Dixon'" <wdixon@windows.microsoft.com>; "jshukla" 
> <jshukla@earthlink.net>; <ipsec@lists.tislabs.com>; "Ari Huttunen" 
> <Ari.Huttunen@F-Secure.com>
> Sent: Friday, August 24, 2001 8:32 AM
> Subject: RE: Ipsec load balancing devices - UDP-ESP impact
> 
> 
> > Alteon (now Nortel) devices perform NAT and NAPT, but not in default
> > configurations.  They also have a "VPN Load-Balancing" solution to 
> > load balance your VPN Gateway's - It does keep some kind of state, 
> > specifically how I'm not sure.
> >
> >
> >
> > -----Original Message-----
> > From: William Dixon [mailto:wdixon@windows.microsoft.com]
> > Sent: Thursday, August 23, 2001 8:11 PM
> > To: jshukla; ipsec@lists.tislabs.com; Ari Huttunen
> > Subject: Ipsec load balancing devices - UDP-ESP impact
> >
> >
> > Jayant, I've checked around on the popular load balancing product 
> > web sites.  But the details are often not avail, or buried in 
> > technical docs that require a customer account to access.
> >
> > Does anyone know of any products that do NAT or "VLAN" translation 
> > and specifically provide mapping support for IPSec "sessions", that 
> > is, devices that aren't already IPSec gateways and terminating IPSec
> > before they do NAT ?
> >
> > I'd like to know if they do something more than maintain source 
> > IP-based mappings, like cookie-pair-SPI tracking or something.
> >
> > In any case, combining IKE & ESP in the same UDP port 500 
> > encapsulation makes the task easier by having to track only one UDP 
> > src/dst pair - vs. IPSec ESP inbound and outbound SPIs, in addition 
> > to the IKE traffic, or in addition to another critically related UDP
> > src/dst port pair carrying ESP.
> >
> > Wm
> > William Dixon
> > Program Manager - Network Security, IPSec
> > Windows Networking
> >
> > -----Original Message-----
> > From: jshukla [mailto:jshukla@earthlink.net]
> > Sent: Saturday, August 18, 2001 5:10 PM
> > To: ipsec@lists.tislabs.com; Ari Huttunen
> > Subject: Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 
> > 32bits of , i-cookie=0
> >
> >
> >
> > ----- Original Message -----
> > From: "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
> > >
> > > At the Helsinki bakeoff there were seven implementations of the 
> > > latest
> > drafts,
> > > including us. Additional three had implementations of some earlier
> > > draft. This would be a good time for someone to provide really 
> > > solid arguments against using just one port, if such arguments 
> > > exist. Like, statistical calculations of actual overhead. The 
> > > firewall-argument doesn't cut it, it
> >
> > Have you guys considered how network based load-balancing will work 
> > in your approach? This is a general question regarding your 
> > approach, not using IKE port for ESP will not exactly help.
> >
> > regards,
> > Jayant
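William Dixon's point above, that single-port UDP encapsulation leaves a non-terminating NAT or load balancer with one UDP src/dst pair to track instead of the IKE traffic plus two ESP SPIs, modelled as an added example (not code from anyone in this thread). The addresses, ports, SPIs and payloads are constructed, the packet builders are deliberately minimal (no checksums, no real IKE payload), and `affinity_key` is a hypothetical name for the key such a device would pin a session on.

```python
import socket
import struct

ESP, UDP = 50, 17           # IP protocol numbers
IKE_PORT = 500

def mk_ip(proto, src, dst, body):
    """Constructed minimal IPv4 header (no options, checksum left zero) + body."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body

def mk_udp(src, dst, sport, dport, payload):
    """Constructed UDP datagram; payload stands in for IKE or UDP-encapsulated ESP."""
    return mk_ip(UDP, src, dst, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

def mk_esp(src, dst, spi):
    """Constructed raw ESP (protocol 50): SPI, sequence number, dummy ciphertext."""
    return mk_ip(ESP, src, dst, struct.pack("!II", spi, 1) + b"\x00" * 8)

def affinity_key(pkt, vip):
    """Key a NAT/load balancer that does NOT terminate IPsec could use to pin
    this packet to one backend gateway; vip is the cluster's virtual address."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    body = pkt[ihl:]
    inbound = dst == vip
    peer = src if inbound else dst
    if proto == UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        # IKE and UDP-encapsulated ESP share one port pair, identical in both directions
        return ("udp", peer, sport if inbound else dport)
    if proto == ESP:
        spi = struct.unpack("!I", body[:4])[0]
        # The SPI names the receiver's SA, so the two directions of one tunnel
        # carry different SPIs that nothing on the wire ties together
        return ("esp", peer, "in" if inbound else "out", spi)
    raise ValueError("not IKE or ESP")

def distinct_keys(pkts, vip):
    """All affinity keys a device would have to learn for one peer's session."""
    return {affinity_key(p, vip) for p in pkts}

VIP, PEER = "203.0.113.10", "198.51.100.7"     # constructed documentation addresses
# Same-port encapsulation: IKE and ESP both ride PEER:1024 <-> VIP:500.
ENCAP = [mk_udp(PEER, VIP, 1024, IKE_PORT, b"ike"), mk_udp(VIP, PEER, IKE_PORT, 1024, b"ike"),
         mk_udp(PEER, VIP, 1024, IKE_PORT, b"esp"), mk_udp(VIP, PEER, IKE_PORT, 1024, b"esp")]
# Classic IPsec: IKE on UDP/500 plus raw ESP with a distinct SPI per direction.
RAW = [mk_udp(PEER, VIP, IKE_PORT, IKE_PORT, b"ike"), mk_udp(VIP, PEER, IKE_PORT, IKE_PORT, b"ike"),
       mk_esp(PEER, VIP, 0x1001), mk_esp(VIP, PEER, 0x2002)]
```

Running `distinct_keys(ENCAP, VIP)` yields a single key, while `distinct_keys(RAW, VIP)` yields three (the IKE pair and one per ESP SPI) that only IKE-derived state could link back into one session.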