
RE: Ipsec load balancing devices - UDP-ESP impact




Jayant,

I am quite interested in your layer 3 solution; do you have any tech info
available? But so far I consider the L2 solution a better approach. Some
comments below...

Qiang
-----Original Message-----
From: jshukla [mailto:jshukla@earthlink.net]
Sent: Saturday, August 25, 2001 11:50 AM
To: Marc Solsona-Palomar; Dan Harkins
Cc: Jay Ratford; 'William Dixon'; ipsec@lists.tislabs.com; Ari Huttunen
Subject: Re: Ipsec load balancing devices - UDP-ESP impact


Your solution is based on sharing SAs and
session keys between nodes, right?! I thought
that was a big no-no.

=> The participating nodes in the cluster can remain a closed set. Though
sharing keys/SAs can potentially expose it to security threats, I think that
is not necessarily true. Would you detail the threat models on the cluster
further?


Secondly, what I gather from the one paragraph
blurb that I found on IP-clustering on your web
site is that it is a layer-2 solution. You use
Ethernet multicast, unicast, and forwarding.
In unicast same Ethernet address is used by
all ports according to the article. That means
all nodes get the same packet. The situation
is same in multicast and all nodes receive all
packets. So every node is processing the
packet?! Doesn't seem like this is what one
should be doing.
=> This architecture can have a few benefits, i.e. the same IP identity for
all nodes, "hot swap" so there is no interruption, and easier convergence if
there is a failure. Every node is processing the packet to some extent, but
based on good port/filtering rules, early drop can be deployed, similar to
handling a DoS attack :)

The last case, is forwarding. Here only one
node gets the packet. This is real load balancing.
However, a layer 2 solution is something that
I find hard to digest.
=> Why not, if it has an advantage? Do you have any technical info regarding
the layer 3 approach? I am quite interested as well.

Another question, when you have to debug/maintain
a node, won't you have to disconnect it from the cluster
as all nodes are sharing the same IP address?
=> This is not true; I guess the cluster should be able to allow you to
disconnect any one of the nodes and still have the sessions offloaded to the
available others.



----- Original Message -----
From: "Marc Solsona-Palomar" <marc@iprg.nokia.com>
To: "Dan Harkins" <dharkins@lounge.org>
Cc: "Jay Ratford" <Jratford@netscreen.com>; "'jshukla'"
<jshukla@earthlink.net>; "'William Dixon'"
<wdixon@windows.microsoft.com>;
<ipsec@lists.tislabs.com>; "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
Sent: Friday, August 24, 2001 1:23 PM
Subject: Re: Ipsec load balancing devices - UDP-ESP impact


 >
 > You can have a look at Nokia VPN products, you'll see clustering, failover
 > and such. I know we shouldn't be using IETF groups for advertising, but I'm
 > answering a question guys!
 >
 > http://www.nokia.com/vpn/nokiavpn.html
 >
 > marc.
 >
 > Dan Harkins wrote:
 >
 > >   Actually you're not. There's another vendor out there that does
 > > dynamic load balancing and active session failover of IPsec and IKE SAs--
 > > fully meshed if so configured-- as well as PPTP and L2TP tunnels and BGP,
 > > OSPF, and RIP. (It was a great day when I failed the box who was currently
 > > assigned the workload of sucking down a full Internet routing table via
 > > BGP and watched the entire session-- including all the routing state and
 > > the TCP state-- failover to another node without a hitch). It's subsecond
 > > failover too and beat the crap out of the competition in a trade rag's
 > > head-to-head comparison. And it's not just between "2 active devices",
 > > the size of the cluster can be 2, 3, 4 or more and adding nodes gives you
 > > a non-linear increase in performance (that eventually tapers off).
 > >
 > >   This vendor has had this capability for around three years. I won't
 > > mention who it is because for some strange reason they don't advertise
 > > this expertise.
 > >
 > >   Dan.
 > >
 > > On Fri, 24 Aug 2001 09:54:51 PDT you wrote
 > > > It doesn't support fail-over, unless you're using something like our
 > > > device which maintains "state" between two active vpn gateways. As far
 > > > as I know we're the only vendors doing this: Fully Meshed, Active Active
 > > > with session&sa mirroring between 2 active devices for stateful failover.
 > > >
 > > > -----Original Message-----
 > > > From: jshukla [mailto:jshukla@earthlink.net]
 > > > Sent: Friday, August 24, 2001 9:21 AM
 > > > To: Jay Ratford; 'William Dixon'; ipsec@lists.tislabs.com; Ari Huttunen
 > > > Subject: Re: Ipsec load balancing devices - UDP-ESP impact
 > > >
 > > >
 > > > how does the load balancing work when one of
 > > > the VPN gateways dies?
 > > >
 > > > regards,
 > > > Jayant
 > > >
 > > > ----- Original Message -----
 > > > From: "Jay Ratford" <Jratford@netscreen.com>
 > > > To: "'William Dixon'" <wdixon@windows.microsoft.com>; "jshukla"
 > > > <jshukla@earthlink.net>; <ipsec@lists.tislabs.com>;
 > > > "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
 > > > Sent: Friday, August 24, 2001 8:32 AM
 > > > Subject: RE: Ipsec load balancing devices - UDP-ESP impact
 > > >
 > > >
 > > > > Alteon (now Nortel) devices perform NAT and NAPT, but not in default
 > > > > configurations.  They also have a "VPN Load-Balancing" solution to load
 > > > > balance your VPN Gateways - It does keep some kind of state, specifically
 > > > > how I'm not sure.
 > > > >
 > > > >
 > > > >
 > > > > -----Original Message-----
 > > > > From: William Dixon [mailto:wdixon@windows.microsoft.com]
 > > > > Sent: Thursday, August 23, 2001 8:11 PM
 > > > > To: jshukla; ipsec@lists.tislabs.com; Ari Huttunen
 > > > > Subject: Ipsec load balancing devices - UDP-ESP impact
 > > > >
 > > > >
 > > > > Jayant, I've checked around on the popular load balancing product web
 > > > > sites.  But the details are often not available, or buried in technical
 > > > > docs that require a customer account to access.
 > > > >
 > > > > Does anyone know of any products that do NAT or "VLAN" translation and
 > > > > specifically provide mapping support for IPSec "sessions", that is,
 > > > > devices that aren't already IPSec gateways and terminating IPSec before
 > > > > they do NAT?
 > > > >
 > > > > I'd like to know if they do something more than maintain source IP-based
 > > > > mappings, like cookie-pair-SPI tracking or something.
 > > > >
 > > > > In any case, combining IKE & ESP in the same UDP port 500 encapsulation
 > > > > makes the task easier by having to track only one UDP src/dst pair - vs.
 > > > > IPSec ESP inbound and outbound SPIs, in addition to the IKE traffic, or
 > > > > in addition to another critically related UDP src/dst port pair carrying
 > > > > ESP.
 > > > >
 > > > > Wm
 > > > > William Dixon
 > > > > Program Manager - Network Security, IPSec
 > > > > Windows Networking
 > > > >
 > > > > -----Original Message-----
 > > > > From: jshukla [mailto:jshukla@earthlink.net]
 > > > > Sent: Saturday, August 18, 2001 5:10 PM
 > > > > To: ipsec@lists.tislabs.com; Ari Huttunen
 > > > > Subject: Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits of , i-cookie=0
 > > > >
 > > > >
 > > > >
 > > > > ----- Original Message -----
 > > > > From: "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
 > > > > >
 > > > > > At the Helsinki bakeoff there were seven implementations of the latest
 > > > > > drafts, including us. Additional three had implementations of some
 > > > > > earlier draft. This would be a good time for someone to provide really
 > > > > > solid arguments against using just one port, if such arguments exist.
 > > > > > Like, statistical calculations of actual overhead. The
 > > > > > firewall-argument doesn't cut it, it
 > > > >
 > > > > Have you guys considered how network based load-balancing
 > > > > will work in your approach? This is a general question regarding your
 > > > > approach, not using IKE port for ESP will not exactly help.
 > > > >
 > > > > regards,
 > > > > Jayant
 >
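An added example, not code from any poster or product in this thread, modelling the L2 cluster Qiang describes above: every node sees the same packet on the shared address, an early per-node filter drops what it does not own using only the outer IPs and the ESP SPI, and pulling a node out of the cluster re-homes only that node's sessions. Node names, addresses and the rendezvous-hash ownership rule are assumptions for illustration; the packets are constructed inline.

```python
import hashlib
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowKey:
    src: str   # outer source address
    dst: str   # outer destination (the cluster's shared address)
    spi: int   # ESP SPI; outer IPs + SPI identify an inbound SA

def build_esp_packet(src, dst, spi, payload=b"\x00" * 8):
    """Constructed sample: minimal IPv4 header (no options) + ESP SPI/seq."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0,
                         64, 50, 0, to_bytes(src), to_bytes(dst))
    return ip_hdr + struct.pack("!II", spi, 1) + payload

def parse_esp_flow(pkt):
    """Early classification needs only the outer IPs and the SPI, so a node
    can decide to drop before touching the encrypted payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 50:                       # IP protocol 50 = ESP
        raise ValueError("not ESP")
    dotted = lambda raw: ".".join(str(b) for b in raw)
    spi = struct.unpack("!I", pkt[ihl:ihl + 4])[0]
    return FlowKey(dotted(pkt[12:16]), dotted(pkt[16:20]), spi)

def owner(key, nodes):
    """Assumed ownership rule: rendezvous (highest-random-weight) hashing.
    All nodes rank a flow with the same function, so they agree on one owner
    without coordination, and removing a node only moves that node's flows."""
    def weight(node):
        return hashlib.sha256(
            f"{node}|{key.src}|{key.dst}|{key.spi:08x}".encode()).digest()
    return max(nodes, key=weight)

def should_process(pkt, me, live_nodes):
    """The per-node filter applied to the shared L2 stream."""
    return owner(parse_esp_flow(pkt), live_nodes) == me

def demo():
    nodes = ["node-a", "node-b", "node-c"]                # constructed cluster
    flows = [parse_esp_flow(build_esp_packet(f"203.0.113.{i}", "198.51.100.1",
                                             0x1000 + i)) for i in range(1, 21)]
    before = {k: owner(k, nodes) for k in flows}
    after = {k: owner(k, nodes[:2]) for k in flows}      # node-c taken out
    moved = [k for k in flows if before[k] != after[k]]
    return before, after, moved
```

Only flows that node-c owned appear in `moved`; everything node-a and node-b already handled stays put, which is the property that lets a member be disconnected for maintenance without disturbing the other sessions.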