2008/523 IPsec session failover
Thejaswini Singarajipura
Thejaswini.Singarajipura at sun.com
Sun Aug 17 22:57:25 PDT 2008
Darren J Moffat wrote:
> I'm missing the bigger picture here, or failing to see where it is
> covered in the materials.
>
> Can someone draw me a simple picture of a multi node cluster using
> this showing which IKE the client connects to originally and where and
> how the SADB's are passed between the nodes.
Attached below is a diagram of a 2-node cluster and a brief description
of how the client connections are handled.
>
> I think I understand how the failover happens with the switch from
> IDLE to MATURE. The part I'm missing is how all the SC nodes get the
> SADB entries in the first place and how that is done securely.
The SADB is synchronized over SC private interconnects, which is a
private LAN and is detached from all other networks.
Hence I do not think we add any more vulnerability by this project.
>
> I assume the IKE DPD functionality is generally useful for non SC
> deployments but is required by this case.
Yes.
Regards,
Thejaswini
>
> --
> Darren J Moffat
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cluster_overview.pdf
Type: application/pdf
Size: 53507 bytes
Desc: not available
URL: <http://mail.opensolaris.org/pipermail/opensolaris-arc/attachments/20080818/33a6c890/attachment.pdf>