
RE: IPSEC in High Availability scenarios



Hi Suren,

The problem you described can be solved using the existing standards, if you
consider the fact that an IPsec peer should be willing to accept (large)
forward leaps in the replay counter value. The backup GW can start its
replay counter sequence from some larger value.

Note however that for Load Sharing scenarios (as opposed to the High
Availability scenario you described) the solution may not be as simple.

Jesse

-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]On Behalf Of suren
Sent: Saturday, May 03, 2003 1:32 AM
To: ipsec@lists.tislabs.com
Subject: IPSEC in High Availability scenarios


Hi,

   Small introduction:
   We find the IPSEC is being used in critical applications and
   high availability is one of requirements of customers. Typically
   two SGs are used - one acting as Master and other acting as
   backup device. VRRP like kind of utilities are used to detect
   the aliveness of master SG. Backup SG inherits the same IP
   address. In these cases, the remote peers don't know
   that there are two SGs and control is transferred from master
   to backup device.

   Problem:
   Due to critical timing nature of applications run on IPSEC tunnels,
   customers are increasingly asking for SA transfer between master and
   backup so that backup can take over tunnel when master fails (To avoid new
   tunnel establishment).
   There is a problem when anti-replay is enabled on SAs, which is a MUST in
   most of the cases. Transferring this change of sequence number
   information between master and backup device, might have performance
   implications and is sometimes not practical.

   Solution:
   Today, we have proprietary mechanism to solve this problem, but
   it works between same kind of implementations. We are trying to
   see if there is any inter-operable solution for this problem. We feel that
   backup device can send notification message (when tunnels in backup
   device get activated) indicating to the peer that it can accept the
   packets with some specific sequence number. Basically, synchronizing
   the sequence numbers in the tunnel.
   What do others think of this solution: Having SYNCH-SEQUENCE
   notification message. We can force that this has to be protected message.
   Also, we can have sequence number information for detecting replaying
   of this notification message.

   Do you see any problem with this approach? Or is there any inter-operable
   solution already defined?

Thank you for your time.
Suren
Intoto Inc.
3160, De La Cruz Blvd #100
Santa Clara, CA
www.intotoinc.com
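Jesse's point about forward leaps, shown as an added example (not code from either poster or from any IPsec implementation): a receiver-side anti-replay window in the style of RFC 2401 Appendix C / RFC 4303, with a window size of 64 and failover sequence values that are constructed for the illustration.

```python
WINDOW_SIZE = 64  # constructed; RFC 4303 requires a window of at least 32


class AntiReplayWindow:
    """Receiver-side replay check for one inbound SA (window as a bitmap)."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set <=> sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Accept seq (True) and record it, or reject it (False)."""
        if seq == 0:
            return False            # 0 is never a valid ESP/AH sequence number
        if seq > self.top:          # forward leap: slide the window up to seq
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0     # a leap past the whole window empties history
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False            # older than the window: dropped as stale
        if self.bitmap & (1 << diff):
            return False            # already seen: replay
        self.bitmap |= 1 << diff    # reordered but fresh packet inside the window
        return True


def failover_scenario():
    """Master sends seq 1..1000, then the backup gateway takes over the same SA."""
    w = AntiReplayWindow()
    master_ok = all(w.check_and_update(s) for s in range(1, 1001))
    # A backup that restarts its counter below the master's progress is dropped:
    backup_too_low = w.check_and_update(900)
    # A backup that starts from a (constructed) much larger value is accepted,
    # because the receiver tolerates an arbitrarily large forward leap:
    backup_first = w.check_and_update(1_000_000)
    replayed_master_pkt = w.check_and_update(1000)      # now far left of the window
    backup_dup = w.check_and_update(1_000_000)          # replay of the backup's own packet
    backup_next = w.check_and_update(1_000_001)
    return (master_ok, backup_too_low, backup_first,
            replayed_master_pkt, backup_dup, backup_next)
```

The backup's starting value must exceed anything the master could have sent, since a restart below the master's progress is rejected as stale; the jump also consumes part of the 32-bit sequence space, so the SA reaches its rekey point sooner.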