Re: [IPsec] Issue #177. (was: HA/LS terminology)

Tero Kivinen <> Thu, 25 March 2010 22:59 UTC

Date: Fri, 26 Mar 2010 00:59:31 +0200
From: Tero Kivinen <>
To: Yoav Nir <>
Cc: Rodney Van Meter <>, "" <>, Melinda Shore <>, Dan Harkins <>
Subject: Re: [IPsec] Issue #177. (was: HA/LS terminology)

Yoav Nir writes:
> I am not trying to create a complete taxonomy of cluster types.

I think it is worth adding more defined terms, just to show which we
are not talking about too. 

> I should also note that we don't really have a term for a single
> "thing" that does IKE and IPsec. Our documents use terms like
> "gateway" and "peer", but "gateway" does not encompass VPN clients
> and hosts, and "peer" is not just any implementation, it's the
> *other* implementation. "Implementation" is a little too long.

I would use host, or implementation, and I do not think implementation
is too long... 

> Anyway, draft-ietf-ipsecme-ipsec-ha is not out to make a complete
> taxonomy of clusters. We only define what we need to discuss the
> problems. All the clusters that are of interest to us provide the
> ability for another member to take over the work of a failed member.

I do not think that was clear from the terminology section. For
example the "load sharing cluster" and "cluster" does not really say

If we add terms that describe different cluster types better, then we
can more clearly describe what we are really talking about.

One of the problems we have when talking about the ipsec-ha is that
people use different terms and they interpret them meaning different
things. That's why I think it would be needed for this document to
define good and extensive terminology for this area and use those
terms consistently inside the document.

> Since this is common to all the clusters that we are considering, we
> don't need to define this specially.

How can someone know that this is generic for all clusters, if you do
not define it?

> The only difference that matters is whether or not more than one
> member is handling traffic with the same peer at the same time.
> So the only terminology that we need, the only taxonomy that we
> need, is for these two mutually-exclusive types of cluster:

I disagree. We do need much more extensive terminology to explain
also things we are not talking about, just to clarify that we do not
mean them.