Re: [IPsec] IPsec HA problem statement

Martin Willi <martin@strongswan.org> Wed, 12 May 2010 07:46 UTC

From: Martin Willi <martin@strongswan.org>
To: Yoav Nir <ynir@checkpoint.com>
In-Reply-To: <655B076B-CB0F-4CCA-BC1E-951821DFF66C@checkpoint.com>
References: <p06240801c803e16cd7e8@[10.20.30.158]> <655B076B-CB0F-4CCA-BC1E-951821DFF66C@checkpoint.com>
Content-Type: text/plain; charset="UTF-8"
Date: Wed, 12 May 2010 09:45:43 +0200
Message-ID: <1273650343.1792.86.camel@martin>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] IPsec HA problem statement

Hi Yoav,

> I have noticed that StrongSwan is [not] implementing clustering.

Starting with the recently released 4.4.0, we provide an experimental
clustering feature. Using the terms from the draft, it is a "Tight
Completely Transparent Load Sharing Cluster".
Most of the work was done before the HA discussion started on the list;
more details are available at [1].

> Have you had a chance to read it?  

Yes. 

> If so, I would very much appreciate it, if you could send a short
> review to the list. 

The terminology is very useful. I used the term "node" for a single box
in the cluster, but "member" is even better.

For "Outbound SA Counters", we use an approach to "count, but not
encrypt" the packets on the passive members. And our "Inbound SA
Counters" are updated by verifying a packet from time to time. This
approach imposes some requirements on the cluster setup and has some
problems that are not trivial to handle. So I'm not sure if we should
mention it in the draft.

> Mainly, they want to know if the document is ready, or whether there
> are some issues that are not yet covered there.

I think the draft is good to go. It provides a good overview and states
the problems that need to be addressed. 

Best regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
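A toy model of the "count, but not encrypt" idea from the mail above, added here as an illustration; it is not strongSwan code, and the class and function names are made up. The passive member keeps its outbound ESP sequence counter in step without doing any ESP work, while its inbound anti-replay window, refreshed only from the packets it actually verifies, trails the active member's by up to the sampling interval.

```python
from dataclasses import dataclass, field

WINDOW = 64  # anti-replay window width; RFC 4303 recommends at least 32


@dataclass
class MemberSa:
    """Per-Child-SA counters kept by one cluster member (hypothetical class)."""
    encrypts: bool                  # True for the active member
    verify_every: int = 1           # passive member verifies every n-th packet
    seq_out: int = 0                # last outbound ESP sequence number used
    top: int = 0                    # highest verified inbound sequence number
    seen: set = field(default_factory=set)  # verified seq numbers in window
    inbound_count: int = 0

    def outbound(self) -> int:
        """Allocate the next outbound sequence number. Only the active member
        encrypts; the passive member just counts, so both stay in step."""
        self.seq_out += 1
        # if self.encrypts: ESP encryption and ICV computation would go here
        return self.seq_out

    def inbound(self, seq: int) -> bool:
        """RFC 4303 style sliding-window anti-replay check. A passive member
        only verifies, and therefore only records, every n-th packet."""
        self.inbound_count += 1
        if self.inbound_count % self.verify_every:
            return False            # not verified: window left untouched
        if seq > self.top:
            self.top = seq
            self.seen = {s for s in self.seen if s > seq - WINDOW} | {seq}
            return True
        if seq <= self.top - WINDOW or seq in self.seen:
            return False            # outside the window or a replay
        self.seen.add(seq)
        return True


def simulate(n_packets: int, verify_every: int) -> dict:
    """Push n_packets each way through an active and a passive member and
    report how far the passive member's inbound window trails behind."""
    active = MemberSa(encrypts=True)
    passive = MemberSa(encrypts=False, verify_every=verify_every)
    for seq in range(1, n_packets + 1):
        active.outbound()
        passive.outbound()
        active.inbound(seq)
        passive.inbound(seq)
    return {"outbound_in_sync": active.seq_out == passive.seq_out,
            "inbound_lag": active.top - passive.top}
```

The lag is bounded by the sampling interval, which is one of the things a takeover procedure has to account for.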