
Re: Ipsec load balancing devices - UDP-ESP impact



Hi,

My apologies if this has already been answered.  Comments in line below.

---Dave

jshukla wrote:
 > 
 > Your solution is based on sharing SAs and
 > session keys between nodes, right?! I thought
 > that was a big no no.

Yes all nodes in a cluster will share the keys.  Why is this a no no? 
The cluster, regardless of the number of nodes, acts as one tunnel
endpoint to the outside world.  To maintain the traffic and not force a
costly rekey requires that the session keys be shared.  Of course,
precautions must be made to share them amongst themselves securely.

 > 
 > Secondly, what I gather from the one paragraph
 > blurb that I found on IP-clustering on your web
 > site is that it is a layer-2 solution. You use
 > Ethernet multicast, unicast, and forwarding.
 > In unicast the same Ethernet address is used by
 > all ports according to the article. That means
 > all nodes get the same packet. The situation
 > is the same in multicast and all nodes receive all
 > packets. So every node is processing the
 > packet?! Doesn't seem like this is what one
 > should be doing.

Probably those web pages are inadequate.  Every node sees every packet
in unicast or multicast mode.  The one node that needs to process the
particular packet sends it up the stack.  The other nodes silently drop
it.  There is a dynamic algorithm to distribute this changing load
amongst cluster members. The ability to drop a packet is done fairly
quickly compared to encryption/decryption and doesn't create much load
on a member. Thus, these modes are in most circumstances faster than
forwarding mode and transparent to other IP devices. 

I would consider our failover and load balancing a layer 3 solution.
All nodes share a layer 3 address and IPSec peers deal with that
address.  The different modes deal with internal cluster business and are
not a concern of any external device, except the connecting switch.


 > 
 > The last case, is forwarding. Here only one
 > node gets the packet. This is real load balancing.
 > However, a layer 2 solution is something that
 > I find hard to digest.
 > 
 > Another question, when you have to debug/maintain
 > a node, won't you have to disconnect it from the cluster
 > as all nodes are sharing the same IP address?


Each node has a unique individual set of IPs (for each interface) and a
common set of cluster IPs (an external and an internal IP).  One can do
most debugging without disconnecting the node from the cluster.


 > 
 > In case I have misunderstood your solution,
 > please accept my apologies.
 > 
 > regards,
 > Jayant
 > 
 > p.s.: we have an all IP layer based load balancing
 > solution for IPsec coming up.
 > 
 > ----- Original Message -----
 > From: "Marc Solsona-Palomar" <marc@iprg.nokia.com>
 > To: "Dan Harkins" <dharkins@lounge.org>
 > Cc: "Jay Ratford" <Jratford@netscreen.com>; "'jshukla'"
 > <jshukla@earthlink.net>; "'William Dixon'" <wdixon@windows.microsoft.com>;
 > <ipsec@lists.tislabs.com>; "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
 > Sent: Friday, August 24, 2001 1:23 PM
 > Subject: Re: Ipsec load balancing devices - UDP-ESP impact
 > 
 >  >
 >  > You can have a look at Nokia VPN products, you'll see clustering, fail over and
 >  > such. I know we shouldn't be using IETF groups for advertising, but I'm answering
 >  > a question guys!
 >  >
 >  > http://www.nokia.com/vpn/nokiavpn.html
 >  >
 >  > marc.
 >  >
 >  > Dan Harkins wrote:
 >  >
 >  > >   Actually you're not. There's another vendor out there that does
 >  > > dynamic load balancing and active session failover of IPsec and IKE SAs--
 >  > > fully meshed if so configured-- as well as PPTP and L2TP tunnels and BGP,
 >  > > OSPF, and RIP. (It was a great day when I failed the box who was currently
 >  > > assigned the workload of sucking down a full Internet routing table via
 >  > > BGP and watched the entire session-- including all the routing state and
 >  > > the TCP state-- failover to another node without a hitch). It's subsecond
 >  > > failover too and beat the crap out of the competition in a trade rag's
 >  > > head-to-head comparison. And it's not just between "2 active devices",
 >  > > the size of the cluster can be 2, 3, 4 or more and adding nodes gives you
 >  > > a non-linear increase in performance (that eventually tapers off).
 >  > >
 >  > >   This vendor has had this capability for around three years. I won't
 >  > > mention who it is because for some strange reason they don't advertise
 >  > > this expertise.
 >  > >
 >  > >   Dan.
 >  > >
 >  > > On Fri, 24 Aug 2001 09:54:51 PDT you wrote
 >  > > > It doesn't support fail-over, unless you're using something like our device
 >  > > > which maintains "state" between two active vpn gateways. As far as I know
 >  > > > we're the only vendors doing this: Fully Meshed, Active Active with
 >  > > > session&sa mirroring between 2 active devices for stateful failover.
 >  > > >
 >  > > > -----Original Message-----
 >  > > > From: jshukla [mailto:jshukla@earthlink.net]
 >  > > > Sent: Friday, August 24, 2001 9:21 AM
 >  > > > To: Jay Ratford; 'William Dixon'; ipsec@lists.tislabs.com; Ari Huttunen
 >  > > > Subject: Re: Ipsec load balancing devices - UDP-ESP impact
 >  > > >
 >  > > >
 >  > > > how does the load balancing work when one of
 >  > > > the VPN gateways dies?
 >  > > >
 >  > > > regards,
 >  > > > Jayant
 >  > > >
 >  > > > ----- Original Message -----
 >  > > > From: "Jay Ratford" <Jratford@netscreen.com>
 >  > > > To: "'William Dixon'" <wdixon@windows.microsoft.com>; "jshukla"
 >  > > > <jshukla@earthlink.net>; <ipsec@lists.tislabs.com>; "Ari Huttunen"
 >  > > > <Ari.Huttunen@F-Secure.com>
 >  > > > Sent: Friday, August 24, 2001 8:32 AM
 >  > > > Subject: RE: Ipsec load balancing devices - UDP-ESP impact
 >  > > >
 >  > > >
 >  > > > > Alteon (now Nortel) devices perform NAT and NAPT, but not in default
 >  > > > > configurations.  They also have a "VPN Load-Balancing" solution to load
 >  > > > > balance your VPN Gateways - It does keep some kind of state, specifically
 >  > > > > how I'm not sure.
 >  > > > >
 >  > > > >
 >  > > > >
 >  > > > > -----Original Message-----
 >  > > > > From: William Dixon [mailto:wdixon@windows.microsoft.com]
 >  > > > > Sent: Thursday, August 23, 2001 8:11 PM
 >  > > > > To: jshukla; ipsec@lists.tislabs.com; Ari Huttunen
 >  > > > > Subject: Ipsec load balancing devices - UDP-ESP impact
 >  > > > >
 >  > > > >
 >  > > > > Jayant, I've checked around on the popular load balancing product web
 >  > > > > sites.  But the details are often not avail, or buried in technical docs
 >  > > > > that require a customer account to access.
 >  > > > >
 >  > > > > Does anyone know of any products that do NAT or "VLAN" translation and
 >  > > > > specifically provide mapping support for IPSec "sessions", that is,
 >  > > > > devices that aren't already IPSec gateways and terminating IPSec before
 >  > > > > they do NAT ?
 >  > > > >
 >  > > > > I'd like to know if they do something more than maintain source IP-based
 >  > > > > mappings, like cookie-pair-SPI tracking or something.
 >  > > > >
 >  > > > > In any case, combining IKE & ESP in the same UDP port 500 encapsulation
 >  > > > > makes the take easier by having to track only one UDP src/dst pair - vs.
 >  > > > > IPSec ESP inbound and outbound SPIs, in addition to the IKE traffic, or
 >  > > > > in addition to another critically related UDP src/dst port pair carrying
 >  > > > > ESP.
 >  > > > >
 >  > > > > Wm
 >  > > > > William Dixon
 >  > > > > Program Manager - Network Security, IPSec
 >  > > > > Windows Networking
 >  > > > >
 >  > > > > -----Original Message-----
 >  > > > > From: jshukla [mailto:jshukla@earthlink.net]
 >  > > > > Sent: Saturday, August 18, 2001 5:10 PM
 >  > > > > To: ipsec@lists.tislabs.com; Ari Huttunen
 >  > > > > Subject: Re: draft-ietf-ipsec-udp-encaps-00: non-500 ESP encap, 32bits of , i-cookie=0
 >  > > > >
 >  > > > >
 >  > > > >
 >  > > > > ----- Original Message -----
 >  > > > > From: "Ari Huttunen" <Ari.Huttunen@F-Secure.com>
 >  > > > > >
 >  > > > > > At the Helsinki bakeoff there were seven implementations of the latest
 >  > > > > > drafts, including us. Additional three had implementations of some earlier
 >  > > > > > draft. This would be a good time for someone to provide really solid
 >  > > > > > arguments against using just one port, if such arguments exist. Like,
 >  > > > > > statistical calculations of actual overhead. The firewall-argument
 >  > > > > > doesn't cut it, it
 >  > > > >
 >  > > > > Have you guys considered how network based load-balancing
 >  > > > > will work in your approach? This is a general question regarding your
 >  > > > > approach, not using IKE port for ESP will not exactly help.
 >  > > > >
 >  > > > > regards,
 >  > > > > Jayant
 >  >
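An added illustration, not code from this thread or from any vendor's product: a small Python model of the cluster mode described above, where every node sees every packet, exactly one node sends it up the stack and the others drop it after a cheap check. It assumes constructed packet tuples and made-up node names, selects the owner by rendezvous hashing over the flow identity (so losing a member moves only that member's flows), and keys UDP port 500 traffic by the UDP src/dst pair alone, which is the single tracking key William Dixon's message points out.

```python
# Added example (not from the thread): model of "every node sees every
# packet, one keeps it, the rest drop it" for an IPsec gateway cluster.
import hashlib
import struct

CLUSTER = ("node-a", "node-b", "node-c")   # constructed member names
ESP, UDP = 50, 17                          # IP protocol numbers

def flow_key(pkt):
    """Flow identity all members must agree on before any crypto work.

    pkt is a constructed tuple (proto, src, dst, sport, dport, payload).
    Native ESP: the inbound SA is selected by destination address + SPI.
    UDP port 500 (IKE, or UDP-encapsulated ESP sharing that port): the
    UDP src/dst pair alone, so a peer's IKE and ESP land on the same node.
    """
    proto, src, dst, sport, dport, payload = pkt
    if proto == ESP:
        (spi,) = struct.unpack("!I", payload[:4])   # SPI is the first 4 bytes
        return ("esp", dst, spi)
    if proto == UDP and 500 in (sport, dport):
        return ("udp500", src, dst, sport, dport)
    raise ValueError("not cluster traffic")

def owner(pkt, members=CLUSTER):
    """Rendezvous (highest-random-weight) hashing: every member computes the
    same winner independently, and removing a member reassigns only the
    flows that member owned, which is what session failover needs."""
    key = repr(flow_key(pkt)).encode()

    def weight(member):
        return hashlib.sha256(key + member.encode()).digest()

    return max(members, key=weight)

def node_filter(node, pkt, members=CLUSTER):
    """True if `node` sends the packet up the stack, False if it drops it.
    The decision costs one hash, far cheaper than the ESP decryption the
    non-owning members avoid."""
    return owner(pkt, members) == node
```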


