
IPSEC in High Availability scenarios
Hi,

   Small introduction:
   We find that IPSEC is being used in critical applications, and
   high availability is one of the requirements of customers. Typically
   two SGs are used - one acting as Master and the other acting as
   backup device. VRRP-like utilities are used to detect
   the aliveness of the master SG. The backup SG inherits the same IP
   address. In these cases, the remote peers don't know
   that there are two SGs and that control is transferred from master
   to backup device.

   Problem:
   Due to the critical timing nature of applications run on IPSEC tunnels,
   customers are increasingly asking for SA transfer between master and backup
   so that the backup can take over the tunnel when the master fails (to avoid
   new tunnel establishment).
   There is a problem when anti-replay is enabled on SAs, which is a MUST in
   most cases. Transferring this changing sequence number
   information between the master and backup device might have performance
   implications and is sometimes not practical.

   Solution:
   Today, we have a proprietary mechanism to solve this problem, but
   it works between the same kind of implementations. We are trying to
   see if there is any inter-operable solution for this problem. We feel that
   the backup device can send a notification message (when tunnels in the backup
   device get activated) indicating to the peer that it can accept the
   packets with some specific sequence number. Basically, synchronizing
   the sequence numbers in the tunnel.
   What do others think of this solution: having a SYNCH-SEQUENCE
   notification message? We can force that this has to be a protected message.
   Also, we can have sequence number information for detecting replay
   of this notification message.

   Do you see any problem with this approach? Or is there any inter-operable
   solution already defined?

Thank you for your time.
Suren
Intoto Inc.
3160, De La Cruz Blvd #100
Santa Clara, CA
www.intotoinc.com
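The failover problem and the proposed SYNCH-SEQUENCE notification, as an added illustration that is not part of the post above: a minimal RFC 4303-style anti-replay window on the peer, a master that has sent 1000 packets, and a backup that restarts its ESP counter. The `synch_sequence` method is a hypothetical sketch of how the peer might handle the notification (including its own replay counter, as the post suggests); the window size and packet counts are constructed for the example.

```python
class ReplayWindow:
    """Receiver-side sliding anti-replay window over ESP sequence numbers
    (RFC 4303 style; window size chosen for the example)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) seen
        self.last_notify = 0  # counter of the last accepted SYNCH-SEQUENCE

    def accept(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False                   # ESP never sends sequence 0
        if seq > self.top:                 # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                   # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                   # already seen: replay
        self.bitmap |= 1 << offset
        return True

    def synch_sequence(self, start, notify_counter):
        """Hypothetical handling of the proposed notification: accept packets
        from `start` onward. A stale `notify_counter` is refused so a captured
        notification cannot be replayed. Moving `top` down re-admits the
        master's old packets in the new window, so `start` should be high."""
        if notify_counter <= self.last_notify:
            return False
        self.last_notify = notify_counter
        self.top = start - 1
        self.bitmap = 0
        return True


def accepted_after_failover(use_synch, backup_start=1):
    """Master sent seq 1..1000 (constructed), then the backup takes over with
    its own counter at `backup_start`. Returns how many of the backup's first
    10 packets the peer accepts."""
    peer = ReplayWindow()
    for seq in range(1, 1001):
        peer.accept(seq)
    if use_synch:
        peer.synch_sequence(backup_start, notify_counter=1)
    return sum(peer.accept(seq) for seq in range(backup_start, backup_start + 10))
```

Without the notification every packet from the restarted backup falls below the peer's window and is dropped as a replay; with it the peer accepts the backup's traffic, and a replayed copy of the notification is refused.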