
Re: Ipsec load balancing devices - UDP-ESP impact



Your solution is based on sharing SAs and
session keys between nodes, right?! I thought
that was a big no-no.

Secondly, what I gather from the one-paragraph
blurb that I found on IP-clustering on your web
site is that it is a layer-2 solution. You use
Ethernet multicast, unicast, and forwarding.
In unicast the same Ethernet address is used by
all ports according to the article. That means
all nodes get the same packet. The situation
is the same in multicast, and all nodes receive all
packets. So every node is processing the
packet?! Doesn't seem like this is what one
should be doing.

The last case is forwarding. Here only one
node gets the packet. This is real load balancing.
However, a layer-2 solution is something that
I find hard to digest.

Another question, when you have to debug/maintain
a node, won't you have to disconnect it from the cluster
as all nodes are sharing the same IP address?

In case I have misunderstood your solution,
please accept my apologies.

regards,
Jayant

p.s.: we have an all-IP-layer-based load balancing
solution for IPsec coming up.


----- Original Message -----
From: "Marc Solsona-Palomar" <marc@iprg.nokia.com>
To: "Dan Harkins" <dharkins@lounge.org>
Cc: "Jay Ratford" <Jratford@netscreen.com>; "'jshukla'"
<jshukla@earthlink.net>; "'William Dixon'" <wdixon@windows.microsoft.com>;
<ipsec@lists.tislabs.com>; "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
Sent: Friday, August 24, 2001 1:23 PM
Subject: Re: Ipsec load balancing devices - UDP-ESP impact


 >
 > You can have a look at Nokia VPN products, you'll see clustering, failover and
 > such. I know we shouldn't be using IETF groups for advertising, but I'm answering
 > a question guys!
 >
 > http://www.nokia.com/vpn/nokiavpn.html
 >
 > marc.
 >
 > Dan Harkins wrote:
 >
 > >   Actually you're not. There's another vendor out there that does
 > > dynamic load balancing and active session failover of IPsec and IKE SAs--
 > > fully meshed if so configured-- as well as PPTP and L2TP tunnels and BGP,
 > > OSPF, and RIP. (It was a great day when I failed the box who was currently
 > > assigned the workload of sucking down a full Internet routing table via
 > > BGP and watched the entire session-- including all the routing state and
 > > the TCP state-- failover to another node without a hitch). It's subsecond
 > > failover too and beat the crap out of the competition in a trade rag's
 > > head-to-head comparison. And it's not just between "2 active devices",
 > > the size of the cluster can be 2, 3, 4 or more and adding nodes gives you
 > > a non-linear increase in performance (that eventually tapers off).
 > >
 > >   This vendor has had this capability for around three years. I won't
 > > mention who it is because for some strange reason they don't advertise
 > > this expertise.
 > >
 > >   Dan.
 > >
 > > On Fri, 24 Aug 2001 09:54:51 PDT you wrote
 > > > It doesn't support fail-over, unless you're using something like our device
 > > > which maintains "state" between two active vpn gateways. As far as I know
 > > > we're the only vendors doing this: Fully Meshed, Active Active with
 > > > session&sa mirroring between 2 active devices for stateful failover.
 > > >
 > > > -----Original Message-----
 > > > From: jshukla [mailto:jshukla@earthlink.net]
 > > > Sent: Friday, August 24, 2001 9:21 AM
 > > > To: Jay Ratford; 'William Dixon'; ipsec@lists.tislabs.com; Ari Huttunen
 > > > Subject: Re: Ipsec load balancing devices - UDP-ESP impact
 > > >
 > > >
 > > > how does the load balancing work when one of
 > > > the VPN gateways dies?
 > > >
 > > > regards,
 > > > Jayant
 > > >
 > > > ----- Original Message -----
 > > > From: "Jay Ratford" <Jratford@netscreen.com>
 > > > To: "'William Dixon'" <wdixon@windows.microsoft.com>; "jshukla"
 > > > <jshukla@earthlink.net>; <ipsec@lists.tislabs.com>; "Ari Huttunen"
 > > > <Ari.Huttunen@F-Secure.com>
 > > > Sent: Friday, August 24, 2001 8:32 AM
 > > > Subject: RE: Ipsec load balancing devices - UDP-ESP impact
 > > >
 > > >
 > > > > Alteon (now Nortel) devices perform NAT and NAPT, but not in default
 > > > > configurations.  They also have a "VPN Load-Balancing" solution to load
 > > > > balance your VPN Gateways - It does keep some kind of state, specifically
 > > > > how I'm not sure.
 > > > >
 > > > >
 > > > >
 > > > > -----Original Message-----
 > > > > From: William Dixon [mailto:wdixon@windows.microsoft.com]
 > > > > Sent: Thursday, August 23, 2001 8:11 PM
 > > > > To: jshukla; ipsec@lists.tislabs.com; Ari Huttunen
 > > > > Subject: Ipsec load balancing devices - UDP-ESP impact
 > > > >
 > > > >
 > > > > Jayant, I've checked around on the popular load balancing product web
 > > > > sites.  But the details are often not avail, or buried in technical docs
 > > > > that require a customer account to access.
 > > > >
 > > > > Does anyone know of any products that do NAT or "VLAN" translation and
 > > > > specifically provide mapping support for IPSec "sessions", that is,
 > > > > devices that aren't already IPSec gateways and terminating IPSec before
 > > > > they do NAT ?
 > > > >
 > > > > I'd like to know if they do something more than maintain source IP-based
 > > > > mappings, like cookie-pair-SPI tracking or something.
 > > > >
 > > > > In any case, combining IKE & ESP in the same UDP port 500 encapsulation
 > > > > makes the task easier by having to track only one UDP src/dst pair - vs.
 > > > > IPSec ESP inbound and outbound SPIs, in addition to the IKE traffic, or
 > > > > in addition to another critically related UDP src/dst port pair carrying
 > > > > ESP.
 > > > >
 > > > > Wm
 > > > > William Dixon
 > > > > Program Manager - Network Security, IPSec
 > > > > Windows Networking
 > > > >
 > > > > -----Original Message-----
 > > > > From: jshukla [mailto:jshukla@earthlink.net]
 > > > > Sent: Saturday, August 18, 2001 5:10 PM
 > > > > To: ipsec@lists.tislabs.com; Ari Huttunen
 > > > > Subject: Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits of , i-cookie=0
 > > > >
 > > > >
 > > > >
 > > > > ----- Original Message -----
 > > > > From: "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
 > > > > >
 > > > > > At the Helsinki bakeoff there were seven implementations of the latest
 > > > > > drafts, including us. Additional three had implementations of some earlier
 > > > > > draft. This would be a good time for someone to provide really solid
 > > > > > arguments against using just one port, if such arguments exist. Like,
 > > > > > statistical calculations of actual overhead. The firewall-argument
 > > > > > doesn't cut it, it
 > > > >
 > > > > Have you guys considered how network based load-balancing
 > > > > will work in your approach? This is a general question regarding your
 > > > > approach, not using IKE port for ESP will not exactly help.
 > > > >
 > > > > regards,
 > > > > Jayant
 >
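As an added illustration of William Dixon's point in the quoted thread (example code, not from any participant): the affinity key a balancer that does not terminate IPsec could derive for native IKE plus ESP, versus ESP carried in the same UDP port 500 stream as IKE. The addresses, ports, SPI and packet contents are constructed, and the IKE/ESP demultiplexing of the encapsulated stream (the marker question in the thread) is left to the endpoint.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP = 17, 50
IKE_PORT = 500  # carries IKE and, in the draft discussed in the thread, ESP too

# Constructed sample endpoints (documentation address ranges, not real hosts).
PEER = bytes([192, 0, 2, 10])
GATEWAY = bytes([203, 0, 113, 1])

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def udp(sport, dport, payload):
    """UDP header (checksum left zero) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def affinity_key(pkt):
    """The tuple a balancer that never terminates IPsec can pin a node with.

    Native ESP is keyed by (dst, SPI): each SA direction has its own SPI, and
    the SPIs are negotiated inside the encrypted IKE exchange, so the balancer
    cannot relate them to the IKE flow. UDP-encapsulated traffic is keyed by
    the UDP 4-tuple, whatever is inside."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, dst, payload = pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:]
    if proto == IPPROTO_ESP:
        (spi,) = struct.unpack("!I", payload[:4])
        return ("esp", dst, spi)
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return ("udp", src, sport, dst, dport)
    return None  # neither ESP nor IKE-port UDP: not this balancer's concern

# Constructed inbound packets from one peer: an IKE message, a native ESP packet
# (SPI 0x1000, sequence 1), and the same ESP packet carried inside UDP 500.
IKE_HDR = bytes.fromhex("11" * 8 + "22" * 8) + b"\x00" * 12  # cookies + rest of header
ESP_HDR = struct.pack("!II", 0x1000, 1) + b"\x00" * 16      # SPI, seq, opaque payload
SAMPLE_IKE = ipv4(IPPROTO_UDP, PEER, GATEWAY, udp(IKE_PORT, IKE_PORT, IKE_HDR))
SAMPLE_NATIVE_ESP = ipv4(IPPROTO_ESP, PEER, GATEWAY, ESP_HDR)
SAMPLE_ENCAP_ESP = ipv4(IPPROTO_UDP, PEER, GATEWAY, udp(IKE_PORT, IKE_PORT, ESP_HDR))

def shares_node_with_ike(pkt):
    """True if a plain 4-tuple/SPI balancer would land pkt on the IKE session's node."""
    return affinity_key(pkt) == affinity_key(SAMPLE_IKE)

if __name__ == "__main__":
    print("native ESP follows IKE:", shares_node_with_ike(SAMPLE_NATIVE_ESP))   # False
    print("UDP-encap ESP follows IKE:", shares_node_with_ike(SAMPLE_ENCAP_ESP))  # True
```

With native ESP the balancer has to learn each SPI from somewhere else to keep it on the IKE session's node; with the encapsulated stream one UDP pair covers both.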



