FI117263B - A stateless server cluster for Internet traffic - Google Patents

Abstract

The method is generally based on the idea that a sender of a communication packet places a piece of information in a certain header field of the communi-cation packet. On the basis of the said piece of information, the master of the server cluster receiving the communication packet can then determine which slave should handle the said packet. The same idea can be exploited during a security association (SA) negotiation. The SA negotiation may be per-formed using Internet Security Association and Key Management Protocol (ISAKMP) packets. When the SA is negotiated Internet Protocol security (IP-sec) packets are preferably used as communication packets.

Description

FIELD OF THE INVENTION Field of the Invention

The invention relates generally to efficiency and security aspects when a pal-5 cluster is handling communications packets.

Background of the Invention IPsec (Internet Protocol security) is a security feature that provides robust IP packet authentication and encryption. When using IPsecr, the association between the sender and the recipient of IP-10 packets is called a security association (SA). The terms "node" and "entity" refer to a terminal, server, router, or other type of hardware participating in a SA. A connection is established between the end nodes. There may be one SA per connection, but usually each of the 15 communication directions has its own SA. It is also possible that different types of traffic on the same connection are protected by their own SA.

In IPsec traffic, IP packets include an Authentication Header (AH) or Encapsulated Security Payload (ESP). These packets are called IPsec packets.

FIG. 1A shows an identification header section (AH) 101. Two fields thereof will be discussed below as they are closely related to the invention.

• V Information from the remaining AH fields can be found in prior art documents. The SPI (Security Parameters Index) is a field 102 for storing the SPI number of a security connection identifier: ***: Sequence Number Field (Sequence Num- * ». ·· *. 25 ber Field) is a field for storing 103 sequence numbers. Sequence number: v. Incremented after each transmitted packet.

• «| ···. FIGURE 1B shows a portion of the encapsulated payload (ESP) 104.

Also, the ESP header includes an SPI field 105 to store a # SPI number identifying the security connection. Correspondingly, the sequence number field 106 is a sequence for storing the sequence number.

: ···: In IPsec traffic, the IP packet can be encapsulated using AH or ESP. The IP packet can be encapsulated in tunnel mode (tunnel •. · * ·. Mode) or transport mode. Both modes are described in the Embodiment. · \ Documents in the art.

• «· 35 The Internet Key Exchange Protocol (IKE) is a protocol standard for key management. IPsec can be configured without IKE, but 2 117263 IKE improves IPsec by providing certain additional features. IKE operates on the basis of both the OakleyN Key Conclusion Protocol and the ISAKMP (Internet Security Association and Key Management Protocol). ISAKMP defines formats for packet payload, mechanism key exchange proto-5 implementation, and SA negotiation. IKE may automatically negotiate security connections (SAs) and thus enable IPsec traffic without manual configuration.

FIG. 2 shows a portion of the ISAKMP header portion 201. In addition to the ISAKMP header portion, the ISAKMP packet contains a variable amount of payloads. 10 The "Initiator Cookie" field 202 of the ISAKMP header contains the identifier of the entity that initiated the creation, notification, or destruction of the SA. The "Responder Cookie" field 203 contains the identifier of the entity responsible for establishing, reporting, or destroying the SA.

A server cluster is generally made up of a plurality of servers. The term 15 "clustering refers to the way services are shared between servers. There are basically two types of services: application services and network services. The purpose of clustering application services is to increase the capacity of the application services. Typically, the service capacity requirements are much higher than For example, a server running a web lookup service may require a high processing capacity.In Kluste-I V, when running web services, basically all processing capacity is required to process application service traffic.So, the server or server cluster should handle traffic as efficiently as possible. clustering solutions are based on: v broadcasting packet communications to all server cluster members on layer two of OSI (OSI is k and "Open Systems Inter- *" connection "). All packages are distributed to all members and determined by each member. whether or not it has to be processed by a generic packet transmitted or not by any prior art method. This solution works relatively well in most cases, but may be burdened by the following disadvantages.

First, each member must be able to receive all. ***: packets sent by the server cluster. Thus, each member may need expensive / *. high capacity link for receiving packets.

«« E ♦ M • * ** · • ♦ • · · 3 117263

Second, each member must reject packages for other members. As the volume of received packets increases, the rejection of packets requires more and more capacity.

Instead of broadcasting or multicasting all packets to all members of a server cluster, the server cluster may be formed from a host server and slave servers such that the server cluster has one IP address and said IP address is associated with the host server. In this solution, the host receives all packets and distributes them to the event via a host-slave network. Of course, this solution is burdened by its own disadvantages.

A first disadvantage is that many prior art service clusters consisting of host and slaves contain a large amount of shared information that needs to be constantly updated. Said information includes security links that need to be evenly distributed between the slings. This sharing can cause a lot of internal messaging within the server cluster.

Another disadvantage is that the prior art server cluster may fail to prevent certain types of hacker attacks such as replay attacks.

Applicant's earlier patent application FI20022102 contains a server cluster capable of countering repetitive attacks. Said server cluster 20 has its own advantages and disadvantages. One advantage is that the failure of a single slave does not usually break the connection, because usually at least two slaves of the said server cluster handle the same connection. Similarly, the drawbacks compared to the server cluster described in this patent application are: 1) the slave space requirements are higher and 2) the sling function; 25 nan synchronization requires more work.

• ** * · »• i« «* I ·· *, Brief Summary of the Invention * ·

The invention is generally based on the idea that a telecommunication packet is transmitted. the user places the information in a particular field of the communication packet. Based on said information, the server receiving the communication packet: ···: The cluster host is able to determine which slave to handle the packet.

The server cluster may receive conference packets such as - ··. ISAKMP packets and security packets such as IPsec packets. In the server cluster / *, the host receives the negotiation packet with the initiator field and the responder * * *; ./ 35 field (the responder field). The Originator field contains a value that identifies * · • * · 4 117263 controls the originator of the conference. If the negotiation packet's voicemail field contains a blank / on, the host selects a slave server for a secure connection.

For example, the host may select the slave with the lowest load. Once a slave is selected, there are two ways to negotiate a security connection.

5 The first way is for the host to negotiate the security connection on behalf of the selected host. The host then selects a handler value from the number space assigned to the selected rings. For example, the handler value may be a particular SPI value between a certain lower and upper limit.

Another way is for the host to forward the negotiation packet to the selected 10 rings, which themselves choose the voicemail value and then negotiate the security connection.

Both methods involve placing the voicemail value in the negotiation authorization package, which is sent to the initiator of the negotiation. When the host receives the next negotiation packet from the negotiator, said packet contains a voicemail value. Based on the voicemail value, the host deduces which 15 slots the package should pass to.

It is also possible for the user to establish a security connection.

When the security connection (SA) is negotiated between the entity and the server cluster, or when the SA is created by the user during the SA installation, said entity sends the security packets belonging to the SA to the pafvel cluster. If the security packets are IPsec packets, they may include, for example, an SPI value. In any case, security packages contain a handler value. Handler ar: V * vo is selected from the number space of the slave that handles security packets.

Based on the handler value, the host determines which rings the security packages should be passed to.

O 25

Pattern List * »! · * ·. In the following, the invention will be described in more detail with reference to the following diagrams, of which * * · · ;;; Fig. 1A shows an identification header part (AH), '·; · * Fig. 1B shows a part of the encapsulated payload (ESP), Γ \. Figure 2 shows a part of the ISAKMP header section, * * "* · Figure 3 shows the main steps of the method,

Figure 4 shows the steps to lose to negotiate a security connection, • · · ”Figure 5 shows an example of a server cluster.

«4 ft ft ft ft 5 117263

DETAILED DESCRIPTION OF THE INVENTION

The invention comprises a method for handling packets and a server cluster using said method.

Each slave server has two number spaces called "handler number space" and "responder number space". The handler value is selected from the handler number space and the responder value is selected from the handler number space. It is possible that the number spaces mentioned are the same number space, ie they contain exactly the same numbers.

In any case, the number spaces of the different rings are distinct, ie they do not contain the same numbers. Each number space may contain numbers starting from a certain minimum limit and ending with a certain maximum limit. For example, the number space assigned to the first ring may contain numbers from zero to 32767 and the number space assigned to the second ring may contain numbers from 32768 to 65535.

FIG. 3 shows the main steps of a method for processing security packets, the server cluster consisting of a host server and at least one slave server. Security packets may be IPsec packets. In a first step, a security packet belonging to the security connection (SA) between the entity and the server cluster is received by 301 host servers. SA may be user-created. Alternatively, the entity and the server cluster have negotiated with SA using the negotiation packages. The received security packet contains a * · ·: V handler value from the server cluster. The handler value is selected during SA negotiations. Alternatively, it is selected when the user creates:, e's SA. In a second step, 302 slave servers are inferred from their handler number; **. 253, and then forwarding a security packet to said slave server.

] · · ·. Generally speaking, the number spaces of the slings are determined using a · · suitable function. The function may be very simple. It may pre-. divides the given number space into two number spaces by * * «• Hl 30 such that one slave number space contains odd numbers and the other * ·; ·: the slave number space contains even numbers. Any bit string can be viewed as an integer that can be used as a function input.

Note that characters and strings / bit strings can be replaced by hexadecimal numbers. Thus, the character-35 string represented as a hexadecimal number may belong to a specific number space that is attached to a specific • · ··· 6 117263 f server. Thus, the string is also information that can be used as a handler value.

There are basically two alternative ways to negotiate between an SA entity and a server cluster. The first way is for the host to negotiate on behalf of the SA slave and the second way is for the slave server to negotiate the SA. Both methods are illustrated in the following figure.

FIG. 4 illustrates the steps for negotiating an SA. Negotiation is performed using negotiation packages, such as ISAKMP packages. In a first step, a negotiation packet transmitted by the entity 401 is received, and in a second step 402 a predetermined null value is compared with the voicemail value included in the negotiation packet. If the voicemail value is a null value, the slave server of the 403 server cluster is selected in the next step. For example, the selection may be based on load numbers such that the slave with the lowest load is selected. If necessary, the host can also act as a slave. Thus, the host 15 may select itself as a slave server and handle some of the load. The selected slave, which may be the host, will handle SA-related security kits. In the next step, a voicemail value 404 that is different from the null value and belongs to the voicemail space assigned to the selected rings is selected. Preferably, the voicemail value is the same value that was used as the handler value in the information-20 traffic packets when the entity sent said packets to the selected rings. Step 404 is preferably performed on selected rings. In this case, said slave receives the first negotiation packet from the host and said slave negotiates the SA.

Γ \. However, the host may also select a voicemail value on behalf of the slave, whereby the host: ***: negotiates the SA. The next step 405 is to send the first "answer negotiation * * *. ***. 25 packet" with the voicemail value to the entity in response to the received negotiation packet. If the selected slave negotiates with SA, it will send • • [»'*. the quickest answer conference package. Otherwise, the host will negotiate with SA and send said negotiation packet. If the voicemail value is different from the null value,. specifying 406 the slave server whose voicemail space the voicemail · · · 30 value belongs to. If the selected slave negotiates the SA, the host forwards the negotiation packet to it. In the final step, the first response negotiation packet 405 is transmitted with the response value to the entity.

As mentioned above, the handler value and the responder value may /. have the same value. In this case, there is no need for an interconnect or> 11 35 conversion between the handler value and the responder value. In other words, the entity may use the responder value received from the server cluster as a handler value when it sends security packets to the server cluster. In this case, the responder value and the handler value point to the same slave server in the server cluster. In addition, if the handler number key and the answering machine number space are the same number space, the same logic can be used to decide 1) which 5 slaves to handle the negotiation packet and 2) which slave to handle the security free packet. For example, the SPI value can be used as a responder value. The SPI value is a good choice because the AH header section as well as the ESP header section contains an SPI field. Thus, the SPI value is placed in the "Responder Cookie" field of the ISAKMP header during SA negotiations, and when the SA negotiation is completed and the SA is available, the SPI value is placed either in the AH header SPI field or In the ESP SPI field. Because the "Responder Cookie" field is longer (64 bits) than the SPI field (32 bits), the SPI value fills only half of the "Responder Cookie" field.

The server cluster according to the invention preferably functions as a single network node in the IP network 15. This will allow all members to share the same public IP address. Each member may have three network interfaces. The first interface is for Internet communication, ie it is the public interface of a server cluster. The second interface is intended for intranet communications and can therefore be considered as a private interface. The third interface 20 is used for internal communication within the server cluster. Clustering may work without it, but it is better to have a third interface because: V Using a private or public interface may lead to the loss of clustering messages Γ1 .. when the network load is high. The third interface only transmits internal cluster messages, so it can never become clogged.

11:25 FIG. 5 shows an example of a server cluster 501 consisting of three members 502-504. 502 is the host and 2 other members! ···. are slings. At least one network connects cluster members, and each cluster • is • equipped with at least one network card. Routers 505 and 506 by. called "next hop" routers, see only one cluster · ;;; 30 to the address. Cluster level two addresses are the host address. If the host changes, the next-hop routers 505 and 506 must learn a new level two address. IP packet routing is based on ARP (Address Resolution Pro-tocol). In this example, entity 507 is using service 508 for the server cluster .1. 501 such that there is one or more 35 SAs between the entity and the server cluster.

• · »117263 δ

The server cluster according to the invention handles security packets. It consists of a host server and at least one slave server. Slave servers advantageously handle all packets, but it is possible that the host also takes some of the load and processes some of the packets. The Pafvelinklus-5 blade is adapted to receive a security packet belonging to a security connection between an entity and a server cluster. The security package contains a handler value from the server cluster. The server cluster is also adapted to deduce the slave server and the handler number space to which said handler slip belongs and to forward a security packet to said slave server. The security connection 10 may be user-created. Alternatively, the security connection has been negotiated using negotiation packages.

For negotiating a security connection, the server cluster is adapted to receive a negotiation packet from the entity and select a slave server. When the voicemail value included in the negotiation packet is a null value, the server-15 cluster is adapted to select the voicemail value that belongs to the voicemail number space assigned to the selected rings.

The voicemail value may be chosen by the host server. The host then negotiates the SA and sends the first negotiation packet to the entity. Alternatively, the selected slave server advises the SA. In this case, the host server forwards the negotiation packet to the selected ring, which generates the first response and sends it to the entity. Therefore, either the host or; the slave is responsible for the SA negotiation and sends one or more negotiation packets to the entity.

In general, when a server cluster receives a conference packet ···· 25 t in response to the first conference negotiation packet, the received negotiation packet contains the server cluster’s selected voicemail value. Unlike sa-] ···. the noe entity has read the voicemail value from the negotiation packet sent by the server cluster and the entity has placed the voicemail value in its own negotiation package. in its package. The host is adapted to deduce which slave the server has · · · · ”” 30 accessory space to which the voicemail value belongs. The host then passes another: ···: “Answer Negotiation Package” to said slave server.

In addition to the examples and implementation alternatives described above, there is. ***. other examples and embodiments that can be found by one skilled in the art using the teachings of this patent application.

• · · ·· “35 ··· 1 ♦

Claims (28)

A method for processing the security packets sent by the entity into a server cluster consisting of a host server and at least one slave server, said security packet belonging to the security connection between the entity and the server cluster, characterized by receiving in the host server (301) a security packet belonging to the security connection between the entity and the server cluster, wherein said security packet contains an administrator value derived from the server cluster, which administrator value has been set on the security package at the initiative of the entity, the slave server's master server, and (303) transmits the security packet to said slave server. Method according to claim 1, characterized in that the handler value is selected taking into account the load of each slave server. Method according to Claim 1, characterized in that the processing value is a staple number. 4. A method according to claim 1, characterized in that the security connection is created by the user. 20 5. A method according to claim 1, characterized in that said. The Witchhound connection has been negotiated using negotiated packages. in. Method according to claim 5, characterized in that the φ * \ server cluster performs the following additional steps: a negotiation packet is received from the entity and where the negotiation packet contains an empty value, in V the slave server is selected, the response value which is different from the empty value is selected. which belongs to the answer number space addressed to the slave server, and in response to the receipt of the negotiation packet. *** 30, the first answer negotiation packet with the answer value is sent to the unit. f »·: V 7. A method according to claim 5, characterized in that the • M response value contained in the negotiation packet differs from the blank value, the slave server is determined to whose answer number space the said reply value belongs, and • * 117263 a second reply negotiation packet is sent to the answer value - the tide. Method according to claims 1 and 6, characterized in that the handler value and the response value are the same value. 5 9. A method according to claim 1, characterized in that the security package is Internet Protocol Security Packets (IPsec). Method according to claim 5, characterized in, the negotiation packages are ISAKMP packages (Internet Security Association and Key Management Protocol). 10 Method according to claims 8, 9 and 10, characterized in that the same value has been placed in the security package's SPI field (Security Parameters Index field) and in the negotiation package "response cookie" field (Responder Cookie field). Method according to claim 1, characterized in that the host server functions as a slave server. Server clusters for processing security packets sent by an entity, wherein said server cluster is a host server and at least one slave server and wherein said security packets belong to a security connection between the entity and the server cluster, characterized by the server cluster being adapted: to receive (301) in the host server a security package that belongs to the security. * * the security connection between the entity and the server cluster, wherein said security package contains an administrator value derived from the server cluster, which administrator value has been set on the security package on the initiative of the entity, * * # 25 to determine (302) the server cluster's slave server, to whose handler number space the said handler value belongs, and convey (303) the security packet to said slave server. Server cluster according to claim 13, characterized in that • the handler value is selected taking into account the load of each slave! * ·% 30 server. • m Server cluster according to claim 13, characterized in: V that the handler value is an integer number. Server cluster according to claim 13, characterized by,; y. that the security connection is created by the user. • * * »» • * • · 117263 Server cluster according to claim 13, characterized in that the security connection has been negotiated using the negotiation package. Server cluster according to claim 17, characterized in that the server cluster has also been adapted: to receive a negotiation packet from the entity and then the negotiation packet contains an empty value, to select a slave server, to select a response value which deviates from the empty value and which belongs. to the answer number space addressed to the selected slave server, and in response to the negotiation packet, to send a first answer negotiation packet with the answer value to the entity. Server cluster according to claim 18, characterized in that the response value is selected by the host server and the host server sends the first response negotiation packet to the entity. The server cluster of claim 18, characterized in that when the slave server is selected, the host server is further adapted to convey the negotiation packet from the host server to the selected slave server. A server cluster according to claim 18, characterized by, ... that the response value is selected by the slave server and the slave server sends the first * * * !. '* The response negotiation package to the entity. * * The server cluster according to claim 18, characterized in that the server cluster is further adapted to receive in the host server a second negotiation packet with a response value selected by the server cluster. Server cluster according to claim 18, characterized in that the server cluster is further adapted: to determine the slave server with the answer number space to which:. said response value is heard, and. ···. Conveying the second negotiation packet to said slave server, 24. Server clusters according to claims 13 and 18, characterized in that the handler value and the response value are the same value. Server cluster according to claim 13, characterized in that the security packets are Internet Protocol security packets (IPsec), * 9 »» »• 9 * f *« * 117263 26. Server clusters according to claim 17, characterized in that the negotiation packages are ISAKMP packages (Internet Security Association and Key Management Protocol packages). 27. Server clusters according to claims 24, 25 and 26, characterized in that the same value has been placed in the security package's SPI field (Security Parameters Index field) and in the conference package "response cookie" field (Responder Cookie field). Server cluster according to claim 13, characterized in that the host server functions as a slave server. »« · * · · • «•« • m 9 9 9 * • 99 9 9 9 9 • 9 9 9 99 9 9 9 9 999 99 · • · · • * * 9 9 99 9 9 9 9 999 9 9 9 9 9 9 9 9 999 9 • a * * · «· 999 9 99 9 9 9 9 9 9 9 9 999 9 9 9 9 999 9 9 9 9 9 9 9 9 9 9 9 9 99 9 9 • · 999