[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC in High Availability scenarios

To: suren <suren@intotoinc.com>, ipsec@lists.tislabs.com
Subject: Re: IPSEC in High Availability scenarios
From: Stephen Kent <kent@bbn.com>
Date: Mon, 5 May 2003 18:24:55 -0400
In-Reply-To: <5.0.2.1.0.20030502151347.00afea68@10.1.5.10>
References: <5.0.2.1.0.20030502151347.00afea68@10.1.5.10>
Sender: owner-ipsec@lists.tislabs.com

At 3:31 PM -0700 5/2/03, suren wrote:
>Hi,
>
>   Small introduction:
>   We find the IPSEC is being used in critical applications and
>   high availability is one of requirements of customers. Typically
>   two SGs are used - one acting as Master and other acting as
>   backup device. VRRP like kind of utilities are used to detect
>   the aliveness of master SG. Backup SG inherits the same IP
>   address. In these cases, the remote peers don't know that
>   that there are two SGs and control is transferred from master
>   to backup device.

Perhaps this is not a good model. The backup SG, in order to be able 
to take over the SAs from the primary SG must have access to all the 
keys in use, and the movement of keys between the two may create 
security assurance problems.  For example, are any of the 
implementations that support this approach evaluated under FIPS 
140-1/2 at level 3 or 4?

An alternative would be to have backup SAs created at the same time 
as the primary SAs, but homed to the backup SG, at its own address, 
and then move the traffic to the existing, backup SAs, which would 
avoid the sequence number problem you noted.

>
>   Problem:
>   Due to critical timing nature of applications run on IPSEC tunnels,
>   customers are increasingly asking for SA transfer between master and backup
>   so that backup can take over tunnel when master fails (To avoid 
>new tunnel establishment).
>   There is a problem when anti-replay is enabled on SAs, which is MUST in
>   most of the cases. Transferring this change of sequence number
>   information between master and backup device,might have performance
>   implications and some times not practical.
>
>   Solution:
>   Today, we have proprietary mechanism to solve this problem, but
>   it works between same kind of implementations. We are trying to
>   see if there is any inter-operable solution for this problem. We feel that
>   backup device can send notification message (when tunnels in backup
>   device get activated) indicating to the peer that it can accept the
>   packets with some specific sequence number. Basically, synchronizing
>   the sequence numbers in the tunnel.
>   What do others think of this solution: Having SYNCH-SEQUENCE
>   notification message. We can force that this has to be protected message.
>   Also, we can have sequence number information for detecting replaying
>   of this notification message.
>
>   Do you see any problem with this approach? Or Is there any inter-operable
>   solution already defined?

I'm not saying this can't be done securely, but you have no provided 
sufficient detail to know. For example, is this new message sent over 
the IKE SA or over the subscriber SA?  If via IKE, then there may be 
problems matching the SYNCH-SEQUENCE to the data path sequence 
numbers. If via the subscriber SA, then how is this message accepted 
out of order? Also, is this proprietary mechanism patented?

Steve

Follow-Ups:
- Re: IPSEC in High Availability scenarios
  - From: suren <suren@intotoinc.com>

References:
- IPSEC in High Availability scenarios
  - From: suren <suren@intotoinc.com>

Prev by Date: Re: Confirm decision on identity handling.
Next by Date: Re: IPSEC in High Availability scenarios
Prev by thread: Re: IPSEC in High Availability scenarios
Next by thread: Re: IPSEC in High Availability scenarios
Index(es):
- Date
- Thread