EP1568184A1 - Scalable and secure packet server-cluster - Google Patents

Scalable and secure packet server-cluster

Info

Publication number
EP1568184A1
Authority
EP
European Patent Office
Prior art keywords
server
slave
packet
new
distribution function
Prior art date
Legal status
Withdrawn
Application number
EP03811788A
Other languages
German (de)
French (fr)
Inventor
Antti Nuopponen
Sami Vaarala
Current Assignee
Netseal Mobility Technologies - NMT Oy
Original Assignee
Netseal Mobility Technologies - NMT Oy
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004 Server selection for load balancing
    • H04L67/1008 Server selection for load balancing based on parameters of servers, e.g. available memory or workload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1034 Reaction to server failures by a load balancer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates generally to the load balancing and data security of a server cluster handling communication packets, such as Internet protocol packets (IP packets).
  • IP packets Internet protocol packets
  • a server cluster is composed of a set of computers that provide the same service or services.
  • the server cluster discussed in this patent application transmits IP packets between end nodes. For example, it may operate as a gateway between two communication networks or as a router inside a communication network.
  • the load of a single server of the server cluster should be at an appropriate level considering the performance capacity of the said computer.
  • the load of the server cluster should be divided among the servers if one or more servers have failed.
  • Clustering can be implemented in different ways.
  • One technique is to use the same DNS name, i.e. a domain name, for all servers, each server having its own IP address.
  • the mapping between the DNS name and the IP address of a server is changed after each DNS query by the use of round robin.
  • the DNS queries addressed to a server cluster are divided evenly among the servers. This technique is termed the DNS technique. It works fine as long as no server of the cluster collapses, but after the server collapse, a user may have to re-log into the service he/she was using before.
  • Another technique is to map only one IP address to the cluster and dynamically decide which server of the cluster is to handle a certain packet. Then the collapse of one server does not usually call for the re-logging of a service.
  • This technique uses a master server that receives all the packets sent to the cluster and then forwards the packets to the slave servers of the cluster. One server of the cluster is elected as a master and the others are slaves. If a master collapses, a new master is elected.
  • IPsec Internet protocol security architecture
  • IETF Internet Engineering Task Force
  • the standard key exchange protocol for IPsec is the Internet Key Exchange (IKE) based on the Diffie-Hellman key exchange method, which allows for setting up of a shared secret over an insecure communication path. Because the Diffie-Hellman method is vulnerable to so-called man-in-the-middle attacks, the exchange of keys is authenticated using either pre-shared keys or public key methods like RSA.
  • IKE Internet Key Exchange
  • SA security association
  • IP packets i.e. in this case, IP packets
  • SA may also include encryption and authentication keys and information about encryption algorithms used, as well as a certain sequence number used in secured communication.
  • IPsec defines two alternative security protocols that are intended to protect IP packets. The first one uses the Authentication Header (AH) and the second one uses the Encapsulated Security Payload (ESP).
  • AH Authentication Header
  • ESP Encapsulated Security Payload
  • FIG. 1A shows the authentication header (AH) 101.
  • AH authentication header
  • SPI Security Parameters Index
  • Sequence Number Field is a field 103 for storing a sequence number. The sequence number is incremented after each packet is sent.
  • FIG. 1B shows the encapsulated security payload (ESP) 104.
  • the ESP header includes the Security Parameters Index (SPI) field 105 for storing an SPI number identifying a security association.
  • the sequence number field 106 is for storing a sequence number.
  • the security protocols using AH or ESP can operate in two modes. The difference between these modes is how the encapsulation of an IP packet is performed. The first mode is termed tunnel mode, and the second one is termed transport mode.
  • FIG. 2A shows the encapsulation of an IP packet in the tunnel mode.
  • the IP packet 201 is placed in the payload of a new IP packet 202.
  • the new IP packet 202 includes a new IP header 203 and either the AH or ESP header 204.
  • FIG. 2B shows the encapsulation of an IP packet 205 in the transport mode. Either the AH or the ESP header 206 is placed between the IP header 207 and the payload data 208.
  • a replay attack is an unwanted action against a system such as a server cluster system.
  • a hacker re-sends authenticated packets. This may cause harm to the receiver of the packets.
  • a replay attack can be detected and repelled by using a receive window.
  • the receive window determines which packets are already received and which are not.
  • the receive window should contain at least 32 places for the sequence numbers of packets. The sequence numbers are in ascending order.
  • FIG. 3 shows an example of a receive window 301.
  • a cross 302 symbolizes that a sequence number has not yet been received by a server.
  • when the server receives a packet and reads its sequence number, there are four possibilities: 1) if the number is smaller than the leftmost number 303, the number is incorrect; 2) if the number is between the leftmost number 303 and the rightmost number 304 and has not already been received, the number is correct and it is marked as received; 3) if the number is between the leftmost number 303 and the rightmost number 304 but has already been received, the number is incorrect; and 4) if the number is larger than the rightmost number 304, the number is correct.
  • the receive window is updated as follows: the leftmost number 303 is omitted, the rest of the numbers are shifted to the left, and the number read from the packet is placed as the rightmost number of the receive window.
  • when a server cluster uses the DNS technique for clustering, it implements IPsec so that a security association is bound to a slave server's IP address. Therefore, a new security association must be formed every time an IP address is changed in accordance with the DNS. This requires a computationally expensive key exchange between the user and the cluster.
  • the servers of the cluster must share information about how the current connections are secured. Sharing information becomes a problem, because security associations need to be updated packet-per-packet. If the security associations are not updated after each packet, there is a chance for replay attacks against the cluster. On the other hand, if the servers update each other after every packet, these updates may cause overload blocking the whole cluster.
  • the first drawback of the prior art is that the server clusters used in IP packet-based data communications fail to meet at least one of the following quality requirements: reliability, scalability, and security.
  • the second drawback of the prior art is that the update need of security association causes high load in a server cluster, which makes the server cluster inefficient.
  • a main objective of the invention is to specify and implement a server cluster that is at the same time reliable, scalable, efficient, and secure. This objective is achieved by means of an inventive packet-handling method.
  • the method is used in a server cluster composed of a master server and at least one slave server.
  • the master server receives a packet containing a sequence number related to a connection.
  • the master server reads bits from the sequence number and inputs the bits to a distribution function that results in the identifier of a slave server.
  • the distribution function is such that it normally distributes the packets of the same connection to at least two servers. Then the failure of one server does not usually break the connection. This makes the server cluster reliable.
  • the master transmits the packet received to the slave of which identifier the distribution function resulted in.
  • the slave authenticates the packet and checks whether the sequence number of the packet is correct by using a receive window. Instead of the receive window, the slave may use another appropriate data structure. If the authentication is successful and the sequence number is correct, the slave transmits the packet to the receiver of the packet.
  • the invention specifies a server cluster and a distribution function.
  • the distribution function always results in the same slave server identifier in response to the same bits read from a sequence number.
  • a second important feature is that receive windows are placed in the slave servers and the distribution function is such that the slaves always obtain sequence numbers belonging to a certain number space.
  • a third important feature is that the master has a counter for each connection/security association, wherein the counter stores the highest sequence number seen.
  • the counter values related to security association are needed if a server cluster enters into a transient state.
  • a fourth important feature is that the receive windows of slaves contain the highest authenticated sequence numbers. If a master server collapses, a new master is elected. The new master collects the highest authenticated numbers from the slaves and forms a new distribution function.
  • the third and the fourth feature are needed to avoid replay attacks when a server of the server cluster has failed.
  • FIG. 1A shows the authentication header (AH)
  • FIG. 1B shows the encapsulated security payload (ESP)
  • FIG. 2A shows the encapsulation of an IP packet in the tunnel mode
  • FIG. 2B shows the encapsulation of an IP packet in the transport mode
  • FIG. 3 shows a receive window
  • FIG. 4 shows the method steps when a server cluster is in a stable state
  • FIG. 5 shows an example of how a sequence number is used in load balancing
  • FIG. 6 shows an example of a server cluster
  • FIG. 7 shows an example of packet handling
  • FIG. 8 shows the method steps when a server cluster is in a transient state.
  • the method assumes that at least one connection and security association are created between a client node and a server cluster and that the client node sets an ascending sequence number in each packet which it sends to the server cluster.
  • the sequence number is placed in the field 103 shown in FIG. 1A or the field 106 shown in FIG. 1B.
  • FIG. 4 shows the method steps in a stable state.
  • the master server of a server cluster receives 401 a packet and reads 402 bits from a certain piece of information received with the packet, such as the sequence number.
  • the master does not necessarily read all the bits of the certain piece of information.
  • the master inputs 403 the said bits into a distribution function to obtain the identifier of a slave server.
  • the distribution function distributes the packets of the same connection to at least two servers.
  • the master may participate in the packet handling, i.e. a master may also operate as a slave. In that case the distribution function distributes packets to the master, too. If the master does not participate in the packet handling, the server cluster preferably includes at least two slave servers.
  • the master transmits 404 the packet received to the slave server. These four method steps can be considered as the main steps of the method. The rest of the method steps are performed in the slave server of which identifier the distribution function resulted in.
  • the slave server authenticates 405 the packet by using a prior art algorithm, such as HMAC-SHA1 or HMAC-MD5. If the authentication is unsuccessful, the packet is discarded 406. Otherwise, the slave then checks 407 the sequence number by using a receive window as described in FIG. 3. If the number is incorrect on account of the receive window, the packet is discarded 406. Otherwise, the packet is transmitted 408 from the slave to the receiver of the packet.
  • each slave server handles the packets whose sequence numbers belong to a certain number space. For example, slave S1 could handle odd sequence numbers and slave S2 even sequence numbers. However, the capacity of slaves may vary, or a slave or master may collapse. Then a new distribution function is needed. Therefore, the formation of a new distribution function and the timing aspect related to its use are not that simple.
  • the master server can distribute packets to slaves.
  • a preferable way is to implement a distribution function as a data structure termed a distribution table.
  • when the master receives a packet with a sequence number, it reads n bits from the end of the sequence number.
  • the master may read bits from a certain other field of the packet, for example, the Security Parameter Index (SPI) field.
  • SPI Security Parameter Index
  • the master uses these n bits as an index to the distribution table which is filled with the slave server identifiers.
  • the filling of the distribution table may be performed in such a way that p percent of the items of the distribution table are addressed to a slave having p percent of the (processing) capacity of the server cluster.
  • the distribution table is re-filled, when a slave collapses or a new slave is added to the server cluster, or for some other reason. This makes the method scalable.
  • FIG. 5 shows an example of the use of a sequence number in load balancing.
  • the server cluster is composed of a master server and three slave servers.
  • the master reads n bits from the end of a sequence number 501, wherein n is four. Then the master uses the four bits 502 as an index to the distribution table 503 which contains 2^n items, i.e. in this case 16 items.
  • the distribution table is filled with server identifiers, for example, the identifier 504 of (slave) server 1.
  • the distribution table 503 contains the identifier 1 in eight items, identifier 2 in four items, and identifier 3 in four items.
  • server 1 has 50 % of the total processing capacity of the server cluster and server 2 and server 3 25 % each.
  • the distribution table should be filled with server identifiers at random.
  • the distribution table items are reallocated.
  • the distribution table items are filled with the identifiers of the rest of the slave servers.
  • the distribution table items are shared among the new slave and the original slaves.
  • the portion of a slave server identifier in the distribution table can be very easily changed to correspond to the changed capacity of the slave server.
  • a hash function can be formed in various ways. For example, the master server may use modulo 16 for sequence numbers in order to obtain an index for the distribution table shown in FIG. 5. However, reading n bits from the end of a sequence number and using the said bits as an index to the distribution table is an ideal choice, as this is computationally effective.
  • FIG. 6 shows one example of clustering.
  • the server cluster 601 is composed of four servers. One server operates as the master server 602, while the rest of the servers 603, 604, and 605 operate as slaves.
  • all the servers 602-605 share the same public IP address and the same private IP address. They have three network interfaces. The first interface, a public interface, is intended for communication within the Internet. The second interface, a private interface, is intended for intranet communication. The third interface is intended for internal communication within the server cluster. The third interface is such that each of the servers 602-605 has its own IP address.
  • the next hop routers 606 and 607 route packets to the master server. The routing is based on the Address Resolution Protocol (ARP).
  • ARP Address Resolution Protocol
  • the routers 606 and 607 route packets to a new master.
  • the new master is elected from among the slaves.
  • the server cluster starts up, joining a new server to the cluster, and the election of a new master can be performed by using the methods known in the prior art.
  • the master server distributes IP connections among the slaves on the basis of IPsec sequence numbers.
  • the sequence number field must be included in each IPsec packet, and the sender must add an ascending sequence number to the packets.
  • connection multiplexing can begin.
  • the multiplexing is performed using a distribution function:
  • s is the sequence number of a packet and id identifies uniquely the slave server which will receive the packet.
  • the distribution function reads s as an input parameter and results in id as an output.
  • when a server cluster is in a stable state, there is usually only one distribution function in use. If the server cluster is in a transient state, there may be at least two distribution functions in use. In both cases, slave servers need one receive window per security association.
  • the master monitors the load of its slaves and detects possible changes in their processing capacity or in other capacities.
  • the capacity may decrease, for example, because some background process has been started in a slave.
  • the highest seen sequence number is a sequence number seen by the master.
  • the highest authenticated sequence number is a sequence number authenticated by a slave. As mentioned above, there is always one security association per connection and one counter per security association. When the master is in operation, each counter stores the maximum of the highest seen sequence number and the highest authenticated sequence numbers.
  • F1 is the original distribution function and F2 is the new one.
  • many communication protocols, such as TCP, support the re-transmission of packets when the receiver node detects that packets are missing and informs the sender node about it.
  • a master sends a check message to each slave. Normally, each slave sends a reply message to the master. If some slave does not send a reply message to the master, the master concludes that the said slave has failed.
  • Each failed server preferably obtains a new identifier.
  • the same id should be used only as long as a server is in order. In this way certain security risks can be avoided.
  • the master may distribute packets among the slave servers using the distribution function F, wherein F(s) = F3(s), if 150 < s.
  • a distribution function is composed of at least one (distribution) function and one condition with a threshold value.
  • the distribution function F is composed of the functions F1, F2, and F3, of which function F3 is the newest. It is used if the sequence number s is 151 or higher, i.e. in this case the condition is "if 150 < s" and the threshold value is 150. If the old master is in operation, the threshold value is the highest seen sequence number. Otherwise, the threshold value is the maximum of the highest authenticated sequence numbers.
  • the number of functions is limited by the size of a receive window. If the receive window size is, let us say, 64, there are usually less than three (distribution) functions in use.
  • the distribution function F1 is removed when the minimum of the highest authenticated sequence numbers of all the slaves is higher than the sum of the threshold value (100) and the receive window size (64). Let us assume that there are two slaves in a server cluster and one slave has authenticated the sequence number 166 and the other slave has authenticated the sequence number 200. Now the minimum of said numbers is 166, which is higher than the sum of 100 and 64. Thus, the distribution function F1 would be removed.
  • function F2 could be changed so as to result in the id value -1 when s is less than 150.
  • the value -1 may indicate that a packet will be discarded by the master.
  • the received packets are discarded or buffered.
  • the discarding/buffering of the packets is performed because the server cluster is vulnerable until a new master is ready to distribute packets.
  • the new master is elected from among slaves.
  • the new master sends a check message to the slaves and receives reply messages from them in response to the check message sent. Because the new master is a former slave, it sends a check message to itself, too.
  • the new master sets values in its counters and forms a new distribution function in accordance with the counter values. Now the new master is ready to distribute packets to the slaves using the new distribution function.
  • a master periodically checks its counter values by polling its slaves, i.e. the master sends a check message to each slave in order to obtain the highest authenticated sequence numbers.
  • the reply message of a slave preferably includes all the highest authenticated sequence numbers (one number per security association).
  • the highest authenticated sequence number may be less than the highest seen sequence number, because some received packets may be fake packets carrying fake numbers.
  • the master passes through the security associations one by one and updates the counter values.
  • FIG. 7 shows an example of packet handling when a server cluster is composed of a master 701 and two slaves 702 and 703.
  • the master 701 receives 704 a packet containing the sequence number 10 and using the distribution function distributes 705 the packet to a slave 702.
  • the slave 702 ensures that the packet is correct and transmits 706 the packet to a receiver.
  • the master and the other slave 703 handle a packet 707 containing sequence number 11.
  • Another packet 708 containing the sequence number 50 is a faked packet.
  • the slave 703 discards the packet.
  • the master sends a check message 709 to both the slaves. In response to the check message the master receives a reply message 710 from the slave 702.
  • the master receives a packet 711 containing the sequence number 16. Now number 16 is the highest seen sequence number. Then the master receives a reply message 712 containing the number 14, which is the highest authenticated sequence number of the slave 703. Now the master has received all the reply messages from both its slaves. The maximum of the highest authenticated sequence numbers and the highest seen number is 16.
  • a server cluster can operate securely even if all the slave servers have collapsed. However, the server cluster cannot operate securely if a master and at least one slave collapse at the same time.
  • FIG. 8 shows the steps of the method when a server cluster is in a transient state.
  • the steps concern cases when: 1) a new server is joined to the server cluster, 2) a server has failed, or 3) the capacity of a slave server is changed.
  • the reply messages contain the highest authenticated sequence numbers, one per SA (security association). If the master has failed, a new master is elected from among the slaves 803. Then the new master polls the slaves 804 including itself, since the new master is a former slave.
  • the new master selects 805 for each SA the maximum of the highest authenticated sequence numbers.
  • if the old master is in operation, it selects 806 for each SA the highest seen sequence number (i.e. as seen by the master) as the maximum.
  • the old/new master updates 807 the counter of each SA so that the new counter value is the above-mentioned maximum plus one.
  • the old/new master forms a new distribution function 808 on account of the reply messages received.
  • when the master receives a packet, it compares 809 the sequence number of the packet to the counter value of the corresponding SA. If the counter value is reached, the master uses 810 the new distribution function for the packet. Otherwise, it is considered whether the master has failed 811. If not, the master uses an old distribution function 812.
  • the method is intended especially for handling IP traffic, wherein IP packets contain an authentication header (AH) or an encapsulated security payload (ESP) with an ascending sequence number.
  • AH authentication header
  • ESP encapsulated security payload
  • the method may be able to handle other types of packets/traffic.
  • a server cluster according to the invention is a server cluster that uses the above-described method in order to distribute the packets of the same connection to a certain set of slave servers.
  • the said server cluster is adapted to: 1) receive a packet in a master server, the packet containing a sequence number for data communication purposes, 2) read bits from the sequence number, 3) input the bits in a distribution function which results in the identifier of a slave server, and 4) transmit the packet received from the master server to the slave server.
  • the server cluster is adapted to authenticate the packet in the slave server, and when the authentication is successful, the server cluster is adapted to check whether the sequence number of the packet is correct by using a receive window, and finally if it is correct, the server cluster is adapted to transmit the packet from the slave server to the receiver of the packet.
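The stable-state path (steps 401-408, the FIG. 5 distribution table and the FIG. 3 receive window) as an added worked example; this is illustrative code written for this page, not code from the patent or from Netseal. It assumes a 4-bit index, a 64-place window, HMAC-SHA1 as the authentication algorithm, and a constructed key and packet stream.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass

N_BITS = 4  # FIG. 5: four bits are read from the end of the sequence number


def build_distribution_table(capacity, n_bits=N_BITS, seed=0):
    """Fill a 2**n-entry table so that a slave with p percent of the cluster
    capacity owns p percent of the entries (FIG. 5: 8/4/4 for 50/25/25 %).
    The shuffle follows the patent's advice to place identifiers at random."""
    size, total = 1 << n_bits, sum(capacity.values())
    table = []
    for sid, cap in sorted(capacity.items()):
        table.extend([sid] * (size * cap // total))
    largest = max(capacity, key=capacity.get)
    table.extend([largest] * (size - len(table)))  # rounding remainder
    random.Random(seed).shuffle(table)  # fixed seed only for reproducibility
    return table


def select_slave(table, seq, n_bits=N_BITS):
    """Steps 402/403: the low n bits of the sequence number index the table,
    so the same bits always yield the same slave identifier."""
    return table[seq & ((1 << n_bits) - 1)]


class ReceiveWindow:
    """FIG. 3 anti-replay window kept in a slave, one per security association.
    The patent asks for at least 32 places; 64 is used here."""

    def __init__(self, size=64):
        self.size = size
        self.rightmost = 0     # highest authenticated sequence number (304)
        self.received = set()  # numbers inside the window already accepted

    @property
    def leftmost(self):
        return self.rightmost - self.size + 1  # 303

    def check(self, seq):
        """Apply the four cases of FIG. 3; True means the number is correct."""
        if seq > self.rightmost:  # case 4: newer than the window, shift it
            self.rightmost = seq
            self.received = {s for s in self.received if s >= self.leftmost}
            self.received.add(seq)
            return True
        if seq < self.leftmost:   # case 1: older than the window
            return False
        if seq in self.received:  # case 3: already received, i.e. a replay
            return False
        self.received.add(seq)    # case 2: fresh number inside the window
        return True


@dataclass
class Packet:
    spi: int
    seq: int
    payload: bytes
    icv: bytes  # integrity check value computed by the sender


def compute_icv(key, spi, seq, payload):
    """HMAC-SHA1 over SPI, sequence number and payload (one of the
    authentication algorithms the patent names)."""
    data = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha1).digest()


class Slave:
    def __init__(self, sa_keys):
        self.keys = sa_keys  # spi -> authentication key, shared by all slaves
        self.windows = {}    # spi -> ReceiveWindow

    def handle(self, pkt):
        """Steps 405-408: authenticate, check the window, then forward."""
        expected = compute_icv(self.keys[pkt.spi], pkt.spi, pkt.seq, pkt.payload)
        if not hmac.compare_digest(expected, pkt.icv):
            return "discarded:auth"    # step 406
        win = self.windows.setdefault(pkt.spi, ReceiveWindow())
        if not win.check(pkt.seq):
            return "discarded:replay"  # step 406
        return "forwarded"             # step 408


def master_handle(table, slaves, pkt):
    """Steps 401-404: read the bits, pick the slave, hand the packet over."""
    sid = select_slave(table, pkt.seq)
    return sid, slaves[sid].handle(pkt)


def demo():
    """Constructed traffic on one SA: 20 genuine packets, then a replay of
    number 10 and a forged packet numbered 50 (compare FIG. 7)."""
    spi, key = 0x1001, b"constructed-demo-key"
    table = build_distribution_table({1: 50, 2: 25, 3: 25})
    slaves = {i: Slave({spi: key}) for i in (1, 2, 3)}

    def mk(s, icv=None):
        return Packet(spi, s, b"data", icv or compute_icv(key, spi, s, b"data"))

    genuine = [master_handle(table, slaves, mk(s)) for s in range(1, 21)]
    replay = master_handle(table, slaves, mk(10))
    forged = master_handle(table, slaves, mk(50, b"\x00" * 20))
    return genuine, replay, forged
```

Because the index depends only on the low bits, the replayed packet lands on the same slave that already accepted number 10, which is why the per-slave window catches it without any cross-slave update.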

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A server cluster for handling IP packet-based data communications which is at the same time reliable, scalable, secure, and efficient. The master server distributes packets belonging to the same connection to a certain set of slave servers. The master receives a communication packet containing a sequence number in accordance with Internet protocol security architecture (IPsec). It reads bits from the sequence number, inputs the bits into a distribution function in order to obtain the identifier of a slave server, and transmits the packet received to the slave server. A new distribution function is formed if the server cluster is in a transient state.
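The transient-state handling described above (a composite distribution function with threshold values, the counter update in steps 805-808, retirement of the oldest function, and the discard rule after a master failure) as an added example; it is not the patent's own code. It reuses the numbers from the description (thresholds 100 and 150, window size 64, authenticated numbers 166 and 200); the table-based functions F1 to F4 and the id value -1 meaning "discard" are assumptions that follow the text.

```python
WINDOW = 64  # receive window size used in the patent's retirement example


def table_fn(table, n_bits=4):
    """Wrap a distribution table as a function F_i(s) of the sequence number."""
    return lambda s: table[s & ((1 << n_bits) - 1)]


class CompositeDistribution:
    """F(s) built from layers (threshold, F_i), oldest first. The newest layer
    whose threshold is below s decides the slave, e.g. F(s) = F3(s) if 150 < s.
    The oldest function F1 carries threshold 0 and covers everything below."""

    def __init__(self, f1):
        self.layers = [(0, f1)]
        self.master_failed = False  # a newly elected master cannot use old layers

    def add_layer(self, threshold, fn):
        self.layers.append((threshold, fn))

    def __call__(self, s):
        newest = len(self.layers) - 1
        for i in range(newest, -1, -1):  # steps 809-812 for one packet
            threshold, fn = self.layers[i]
            if threshold < s:  # "counter value reached" means s >= maximum + 1
                if self.master_failed and i != newest:
                    return -1  # step 811: old function unusable, discard
                return fn(s)
        return -1  # nothing covers s (e.g. after F1 has been retired)

    def retire_old(self, highest_authenticated, window=WINDOW):
        """Drop the oldest layer once every slave has authenticated a number
        above the next threshold plus the window size (patent: 166 > 100 + 64).
        Returns the number of layers still in use."""
        while len(self.layers) > 1:
            next_threshold = self.layers[1][0]
            if min(highest_authenticated.values()) <= next_threshold + window:
                break
            self.layers.pop(0)
        return len(self.layers)


def transient_update(F, highest_seen, highest_authenticated, old_master_alive, new_fn):
    """Steps 805-808 for one SA. highest_authenticated maps slave id to the
    number reported in its reply message; highest_seen is the old master's
    counter value. Returns the new counter value."""
    if old_master_alive:
        maximum = highest_seen                          # step 806
    else:
        maximum = max(highest_authenticated.values())  # step 805
    F.add_layer(maximum, new_fn)                        # step 808
    F.master_failed = not old_master_alive
    return maximum + 1                                  # step 807


def demo():
    """Constructed walk-through: F1 splits traffic between slaves 1 and 2,
    F2 (threshold 100) adds slave 3, F3 (threshold 150) is formed after
    slave 2 fails, and F4 after the master itself fails."""
    F = CompositeDistribution(table_fn([1, 2] * 8))
    f2 = table_fn(([1, 2, 3] * 6)[:16])  # 16 entries spread over slaves 1, 2, 3
    c2 = transient_update(F, 100, {1: 95, 2: 98}, True, f2)
    c3 = transient_update(F, 150, {1: 140, 3: 149}, True, table_fn([1, 3] * 8))
    before = (F(100), F(120), F(151))  # served by F1, F2 and F3 respectively
    layers_left = F.retire_old({1: 166, 3: 200})  # the patent's 166 vs 100 + 64
    retired = F(100)  # F1 is gone, so an old number is now discarded
    # the old master fails too: the new master only trusts the slaves' replies
    c4 = transient_update(F, None, {1: 170, 3: 205}, False, table_fn([3, 1] * 8))
    failed = (F(200), F(206))  # below the new counter: discard; above: F4
    return c2, c3, before, layers_left, retired, c4, failed
```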

Description

Scalable and secure packet server-cluster
Field of the invention
The present invention relates generally to the load balancing and data security of a server cluster handling communication packets, such as Internet protocol packets (IP packets).
Background of the invention
A server cluster is composed of a set of computers that provide the same service or services. The server cluster discussed in this patent application transmits IP packets between end nodes. For example, it may operate as a gateway between two communication networks or as a router inside a communication network.
There are various aspects related to the load balancing of a server cluster. One aspect is that the load of a single server of the server cluster should be at an appropriate level considering the performance capacity of the said computer. Another aspect is that the load of the server cluster should be divided among the servers if one or more servers have failed.
Clustering can be implemented in different ways. One technique is to use the same DNS name, i.e. a domain name, for all servers, each server having its own IP address. The mapping between the DNS name and the IP address of a server is changed after each DNS query by the use of round robin. Thus, the DNS queries addressed to a server cluster are divided evenly among the servers. This technique is termed the DNS technique. It works fine as long as no server of the cluster collapses, but after the server collapse, a user may have to re-log into the service he/she was using before.
Another technique is to map only one IP address to the cluster and dynamically decide which server of the cluster is to handle a certain packet. Then the collapse of one server does not usually call for the re-logging of a service. This technique uses a master server that receives all the packets sent to the cluster and then forwards the packets to the slave servers of the cluster. One server of the cluster is elected as a master and the others are slaves. If a master collapses, a new master is elected.
However, load balancing is just one detail when specifying and implementing a server cluster. A server cluster should also be scalable and secure against various hacker attacks. The insecure nature of the Internet has sped up the development of security protocols. One of the protocols is the Internet protocol security architecture (IPsec) developed by the Internet Engineering Task Force (IETF). When a server cluster transmits an IP packet, it may use IPsec to ensure secure data communications between end nodes. IPsec operates on a packet-by-packet basis, providing security at the IP protocol layer. Packets are encrypted and authenticated as they go through the IP stack. The encryption of packets is based on symmetric encryption algorithms such as 3DES. IPsec uses keyed message digest algorithms like HMAC-SHA1 and HMAC-MD5 for the authentication of packets.
The standard key exchange protocol for IPsec is the Internet Key Exchange (IKE) based on the Diffie-Hellman key exchange method, which allows for setting up of a shared secret over an insecure communication path. Because the Diffie-Hellman method is vulnerable to so-called man-in-the-middle attacks, the exchange of keys is authenticated using either pre-shared keys or public key methods like RSA.
A security association (SA) is a set of parameters defining how communication packets, i.e. in this case IP packets, must be secured. An SA may also include encryption and authentication keys and information about the encryption algorithms used, as well as a certain sequence number used in secured communication.
IPsec defines two alternative security protocols that are intended to protect IP packets. The first one uses the Authentication Header (AH) and the second one uses the Encapsulated Security Payload (ESP).
FIG. 1A shows the authentication header (AH) 101. Two of its fields are discussed here, because they relate closely to the invention. Information about the rest of the AH fields can be found in the prior art documents. Security Parameters Index (SPI) is a field 102 for storing an SPI number that identifies a security association. Sequence Number Field is a field 103 for storing a sequence number. The sequence number is incremented after each packet is sent.
FIG. 1B shows the encapsulated security payload (ESP) 104. The ESP header also includes the Security Parameters Index (SPI) field 105 for storing an SPI number identifying a security association. Correspondingly, the sequence number field 106 is for storing a sequence number. The security protocols using AH or ESP can operate in two modes. The difference between these modes is how the encapsulation of an IP packet is performed. The first mode is termed tunnel mode, and the second one is termed transport mode.
FIG. 2A shows the encapsulation of an IP packet in the tunnel mode. The IP packet 201 is placed in the payload of a new IP packet 202. The new IP packet 202 includes a new IP header 203 and either the AH or ESP header 204.
FIG. 2B shows the encapsulation of an IP packet 205 in the transport mode. Either the AH or the ESP header 206 is placed between the IP header 207 and the payload data 208.
A replay attack is an unwanted action against a system such as a server cluster system. In a replay attack a hacker re-sends authenticated packets. This may cause harm to the receiver of the packets.
A replay attack can be detected and repelled by using a receive window. The receive window determines which packets are already received and which are not. The receive window should contain at least 32 places for the sequence numbers of packets. The sequence numbers are in ascending order.
FIG. 3 shows an example of a receive window 301. A cross 302 symbolizes that a sequence number has not yet been received by a server. When the server receives a packet and reads the sequence number of the packet, there are four different possibilities: 1) if the number is smaller than the leftmost number 303, the number is incorrect, 2) if the number is between the leftmost number 303 and the rightmost number 304 and the said number has not already been received, the number is correct and it is marked as received, 3) if the number is between the leftmost number 303 and the rightmost number 304, but the number has already been received, the number is incorrect, and 4) if the number is larger than the rightmost number 304, the number is correct. In the last case the receive window is updated as follows: the leftmost number 303 is omitted, the rest of the numbers are shifted to the left, and the number read from the packet is placed as the rightmost number of the receive window.
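The receive-window check described above, written out as an added example (illustrative code, not part of the patent): a sliding bitmap over sequence numbers that implements the four cases of FIG. 3 and generalises the one-place shift of case 4 to a shift by the distance between the new number and the old rightmost number, which is what a packet far ahead of the window requires. The class and method names and the window size of 64 used for the demo are assumptions; the text only requires at least 32 places.

```python
class ReceiveWindow:
    """Anti-replay receive window over ascending sequence numbers (added example,
    not the patent's code). The window covers [left, right]; numbers below it or
    already marked as received are rejected, numbers above it slide the window."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("the receive window must have at least 32 places")
        self.size = size
        self.right = 0      # rightmost (highest accepted) sequence number; 0 = nothing received yet
        self.bitmap = 0     # bit k set  <=>  sequence number (right - k) has been received

    @property
    def left(self):
        # leftmost sequence number still covered by the window (sequence numbers start at 1)
        return max(1, self.right - self.size + 1)

    @property
    def highest_authenticated(self):
        # the value a slave reports back to the master in its reply message
        return self.right

    def classify(self, seq):
        """Return one of the four outcomes of FIG. 3 without touching the window."""
        if seq > self.right:
            return "accept-advance"          # case 4: beyond the rightmost number
        if seq < self.left:
            return "reject-below-window"     # case 1: older than the leftmost number
        if self.bitmap & (1 << (self.right - seq)):
            return "reject-replayed"         # case 3: inside the window but already received
        return "accept-in-window"            # case 2: inside the window and not yet received

    def accept(self, seq):
        """Check seq against the window and mark it received; True if the packet is correct."""
        outcome = self.classify(seq)
        if outcome == "accept-advance":
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1        # everything previously received falls off the left edge
            else:
                mask = (1 << self.size) - 1
                # drop the leftmost numbers, shift the rest left, mark seq as the new rightmost
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.right = seq
            return True
        if outcome == "accept-in-window":
            self.bitmap |= 1 << (self.right - seq)
            return True
        return False
```

A slave keeps one such window per security association; `highest_authenticated` is the number it would place in the reply message discussed later in the text.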
When a server cluster uses the DNS technique for clustering, it implements IPsec so that a security association is bound to a slave server's IP address. Therefore, a new security association must be formed every time an IP address is changed in accordance with the DNS. This requires a computationally expensive key exchange between the user and the cluster. In addition, the servers of the cluster must share information about how the current connections are secured. Sharing information becomes a problem, because security associations need to be updated packet-per-packet. If the security associations are not updated after each packet, there is a chance for replay attacks against the cluster. On the other hand, if the servers update each other after every packet, these updates may cause overload blocking the whole cluster.
The first drawback of the prior art is that the server clusters used in IP packet-based data communications fail to meet at least one of the following quality requirements: reliability, scalability, and security.
The second drawback of the prior art is that the need to update security associations causes a high load in a server cluster, which makes the server cluster inefficient.
Summary of the invention
A main objective of the invention is to specify and implement a server cluster that is at the same time reliable, scalable, efficient, and secure. This objective is achieved by means of an inventive packet-handling method.
The method is used in a server cluster composed of a master server and at least one slave server. The master server receives a packet containing a sequence number related to a connection. The master server reads bits from the sequence number and inputs the bits to a distribution function that results in the identifier of a slave server. The distribution function is such that it normally distributes the packets of the same connection to at least two servers. Then the failure of one server does not usually break the connection. This makes the server cluster reliable.
The master transmits the packet received to the slave whose identifier the distribution function resulted in. The slave authenticates the packet and checks whether the sequence number of the packet is correct by using a receive window. Instead of the receive window, the slave may use another appropriate data structure. If the authentication is successful and the sequence number is correct, the slave transmits the packet to the receiver of the packet.
In addition to the method, the invention specifies a server cluster and a distribution function. One important feature is that the distribution function always results in the same slave server identifier in response to the same bits read from a sequence number.
A second important feature is that receive windows are placed in the slave servers and the distribution function is such that the slaves always obtain sequence numbers belonging to a certain number space.
These two features are needed to repel replay attacks when no server of the server cluster has collapsed or failed in some other way.
A third important feature is that the master has a counter for each connection/security association, wherein the counter stores the highest sequence number seen. The counter values related to security association are needed if a server cluster enters into a transient state.
A fourth important feature is that the receive windows of slaves contain the highest authenticated sequence numbers. If a master server collapses, a new master is elected. The new master collects the highest authenticated numbers from the slaves and forms a new distribution function.
The third and the fourth features are needed to avoid replay attacks when a server of the server cluster has failed.
Brief description of the drawings
The invention is described more closely with reference to the accompanying drawings, in which
Figure 1A shows the authentication header (AH),
Figure 1B shows the encapsulated security payload (ESP),
Figure 2A shows the encapsulation of an IP packet in the tunnel mode,
Figure 2B shows the encapsulation of an IP packet in the transport mode,
Figure 3 shows a receive window,
Figure 4 shows the method steps when a server cluster is in a stable state,
Figure 5 shows an example of how a sequence number is used in load balancing,
Figure 6 shows an example of a server cluster,
Figure 7 shows an example of packet handling,
Figure 8 shows the method steps when a server cluster is in a transient state.
Detailed description of the invention
The method assumes that at least one connection and security association are created between a client node and a server cluster and that the client node sets an ascending sequence number in each packet which it sends to the server cluster. The sequence number is placed in the field 103 shown in FIG. 1A or the field 106 shown in FIG. 1B.
FIG. 4 shows the method steps in a stable state. The master server of a server cluster receives 401 a packet and reads 402 bits from a certain piece of information received with the packet, such as the sequence number. The master does not necessarily read all the bits of that piece of information. The master inputs 403 the said bits into a distribution function to obtain the identifier of a slave server. The distribution function distributes the packets of the same connection to at least two servers. The master may participate in the packet handling, i.e. a master may also operate as a slave. In that case the distribution function distributes packets to the master, too. If the master does not participate in the packet handling, the server cluster preferably includes at least two slave servers. To ensure security, the distribution function results in the identifier of a slave server in such a way that the same bits always result in the same identifier. The master transmits 404 the packet received to the slave server. These four method steps can be considered the main steps of the method. The rest of the method steps are performed in the slave server whose identifier the distribution function resulted in. The slave server authenticates 405 the packet by using a prior art algorithm, such as HMAC-SHA1 or HMAC-MD5. If the authentication is unsuccessful, the packet is discarded 406. Otherwise, the slave checks 407 the sequence number by using a receive window as described in FIG. 3. If the number is incorrect according to the receive window, the packet is discarded 406. Otherwise, the packet is transmitted 408 from the slave to the receiver of the packet.
It is important that the distribution function used determines which sequence numbers are checked against each receive window. Then each slave server handles the packets whose sequence numbers belong to a certain number space. For example, slave S1 could handle odd sequence numbers and slave S2 even sequence numbers. However, the capacity of slaves may vary, or a slave or master may collapse. Then a new distribution function is needed. Therefore, the formation of a new distribution function and the timing aspect related to its use are not that simple.
There are various ways whereby the master server can distribute packets to slaves. A preferable way is to implement a distribution function as a data structure termed a distribution table. When the master receives a packet with a sequence number, it reads n bits from the end of the sequence number. Alternatively, the master may read bits from a certain other field of the packet, for example, the Security Parameter Index (SPI) field. In any case, the master uses these n bits as an index to the distribution table which is filled with the slave server identifiers. The filling of the distribution table may be performed in such a way that p percent of the items of the distribution table are addressed to a slave having p percent of the (processing) capacity of the server cluster. The distribution table is re-filled, when a slave collapses or a new slave is added to the server cluster, or for some other reason. This makes the method scalable.
FIG. 5 shows an example of the use of a sequence number in load balancing. In this example, the server cluster is composed of a master server and three slave servers. The master reads n bits from the end of a sequence number 501, wherein n is four. Then the master uses the four bits 502 as an index to the distribution table 503 which contains 2^n items, i.e. in this case 16 items. The distribution table is filled with server identifiers, for example, the identifier 504 of (slave) server 1. The distribution table 503 contains the identifier 1 in eight items, identifier 2 in four items, and identifier 3 in four items. Those numbers indicate that server 1 has 50 % of the total processing capacity of the server cluster and server 2 and server 3 25 % each. To avoid overloading some servers if packets are sent in bursts, the distribution table should be filled with server identifiers at random.
Whenever a slave collapses, the distribution table items are reallocated. In more detail, the distribution table items are filled with the identifiers of the remaining slave servers. Correspondingly, if a new slave is joined to the server cluster, the distribution table items are shared among the new slave and the original slaves. The portion of a slave server identifier in the distribution table can very easily be changed to correspond to the changed capacity of the slave server. It is also possible to omit the distribution table and use a hash function. A hash function can be formed in various ways. For example, the master server may use modulo 16 for sequence numbers in order to obtain an index for the distribution table shown in FIG. 5. However, reading n bits from the end of a sequence number and using the said bits as an index to the distribution table is an ideal choice, as this is computationally efficient.
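The distribution table of FIG. 5 and its refilling on a slave failure, as an added example (illustrative code, not the patent's own): the master reads the n lowest bits of the IPsec sequence number and uses them as an index into a table of 2^n slave identifiers, filled in proportion to each slave's share of the cluster's capacity and shuffled so that bursts of consecutive sequence numbers do not all land on one slave. The function names, the largest-remainder apportionment and the fixed random seed are assumptions for the demo.

```python
import random

def fill_distribution_table(capacity, n_bits, seed=0):
    """capacity: {slave_id: percent of cluster capacity}; returns 2**n_bits slave ids.
    Each slave gets a share of the table proportional to its capacity (largest-
    remainder rounding so the entries sum exactly to the table size)."""
    size = 1 << n_bits
    total = sum(capacity.values())
    exact = {sid: pct * size / total for sid, pct in capacity.items()}
    entries = {sid: int(e) for sid, e in exact.items()}
    leftover = size - sum(entries.values())
    by_remainder = sorted(exact, key=lambda sid: exact[sid] - entries[sid], reverse=True)
    for sid in by_remainder[:leftover]:
        entries[sid] += 1
    table = [sid for sid, count in entries.items() for _ in range(count)]
    random.Random(seed).shuffle(table)   # random placement guards against bursty traffic
    return table

def slave_for(seq, table):
    """F(s) = id: the low n bits of the sequence number index the table, so the
    same bits always yield the same slave identifier."""
    n_bits = len(table).bit_length() - 1     # len(table) is a power of two
    return table[seq & ((1 << n_bits) - 1)]

def share(table):
    """Number of table entries per slave, i.e. its share of the traffic."""
    counts = {}
    for sid in table:
        counts[sid] = counts.get(sid, 0) + 1
    return counts

def refill_without(capacity, failed_id, n_bits, seed=0):
    """Reallocate the entries of a failed slave among the remaining slaves."""
    remaining = {sid: pct for sid, pct in capacity.items() if sid != failed_id}
    return fill_distribution_table(remaining, n_bits, seed)
```

With the capacities of FIG. 5 (50/25/25 %) and n = 4 the table holds eight, four and four entries; after slave 1 fails, `refill_without` gives the two remaining slaves eight entries each. Note that the refilled table is a new distribution function: as the text explains below, the master must keep using the old one for sequence numbers already handed out under it.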
FIG. 6 shows one example of clustering. The server cluster 601 is composed of four servers. One server operates as the master server 602, while the rest of the servers 603, 604, and 605 operate as slaves. All the servers 602-605 share the same public IP address and the same private IP address. They have three network interfaces. The first interface, a public interface, is intended for communication within the Internet. The second interface, a private interface, is intended for intranet communication. The third interface is intended for internal communication within the server cluster. The third interface is such that each of the servers 602-605 has its own IP address. The next hop routers 606 and 607 route packets to the master server. The routing is based on the Address Resolution Protocol (ARP). If there is a need to change the master, the routers 606 and 607 route packets to the new master. The new master is elected from among the slaves. Starting up the server cluster, joining a new server to the cluster, and electing a new master can be performed by using methods known in the prior art.
The master server distributes IP connections among the slaves on the basis of IPsec sequence numbers. Thus, the sequence number field must be included in each IPsec packet, and the sender must add an ascending sequence number to the packets.
When there is at least one security association between an IPsec client and a server cluster, and the server cluster is set up and in a stable state, the connection multiplexing can begin. The multiplexing is performed using a distribution function:
F(s) = id,
wherein s is the sequence number of a packet and id identifies uniquely the slave server which will receive the packet. Thus, the distribution function reads s as an input parameter and results in id as an output.
When a server cluster is in a stable state, there is usually only one distribution function in use. If the server cluster is in a transient state, there may be at least two distribution functions in use. In both cases, slave servers need one receive window per security association.
In the following situations a server cluster is in a transient state:
1) a new server is joined to the server cluster,
2) a server has failed (it may be collapsed or it is out-of-order), or
3) the capacity of a slave server has changed.
The master monitors the load of its slaves and detects possible changes in their processing capacity or in other capacities. The capacity may decrease, for example, because some background process has been started in a slave.
In order to implement the load balancing of slave servers in the best way, the following two requirements should be fulfilled:
1) If a server cluster is in a transient state, a new distribution function is needed.
2) The same input of a distribution function must always result in the same output or in a value which indicates that a packet can be discarded.
Fulfilling these requirements ensures that replay attacks can be detected and repelled.
"The highest seen sequence number" is a sequence number seen by the master. "The highest authenticated sequence number" is a sequence number authenticated by a slave. As mentioned above, there is always one security association per connection and one counter per security association. When the master is in operation, each counter stores the maximum of the highest seen sequence number and the highest authenticated sequence numbers.
When a server cluster is in a transient state, a new distribution function is needed. Let us assume that a slave has failed and that the highest seen sequence number is 100. The master then distributes packets among the slaves applying the distribution function F, wherein
F(s) = F1(s), if s <= 100, otherwise F(s) = F2(s).
Here F1 is the original distribution function and F2 is the new one. It should be noticed that the master may send packets to the failed slave when s <= 100. Those packets will vanish, but the connection related to the security association may remain, because the vanishing of a few packets does not necessarily break the connection. Many communication protocols, such as TCP, support the re-transmission of packets when the receiver node detects that they are missing and informs the sender node about that.
In order to obtain the current highest authenticated sequence numbers, a master sends a check message to each slave. Normally, each slave sends a reply message to the master. If some slave does not send a reply message to the master, the master concludes that the said slave has failed.
Each failed server preferably obtains a new identifier. In other words, the same id should be used only as long as a server is in order. In this way certain security risks can be avoided.
Let us assume that a failed slave is again in operation and ready to receive packets at the point in time when the highest seen sequence number is 150. Now the master may distribute packets among the slave servers using the distribution function F, wherein
F(s) = F1(s), if s <= 100,
F(s) = F2(s), if 100 < s <= 150,
F(s) = F3(s), if 150 < s.
We may consider that a distribution function is composed of at least one (distribution) function and one condition with a threshold value. In the above example, the distribution function F is composed of the functions F1, F2, and F3, of which F3 is the newest. It is used if the sequence number s is 151 or higher, i.e. in this case the condition is "if 150 < s" and the threshold value is 150. If the old master is in operation, the threshold value is the highest seen sequence number. Otherwise, the threshold value is the maximum of the highest authenticated sequence numbers.
The number of functions is limited by the size of a receive window. If the receive window size is, let us say, 64, there are usually fewer than three (distribution) functions in use.
In the above example, the distribution function F1 is removed when the minimum of the highest authenticated sequence numbers of all the slaves is higher than the sum of the threshold value (100) and the receive window size (64). Let us assume that there are two slaves in a server cluster and one slave has authenticated the sequence number 166 and the other slave has authenticated the sequence number 200. Now the minimum of said numbers is 166, which is higher than the sum of 100 and 64. Thus, the distribution function F1 would be removed.
In addition, function F2 could be changed so as to result in the id value -1 when s is less than 150. The value -1 may indicate that a packet will be discarded by the master.
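The layered distribution function F of the example above, as an added example (illustrative code, not the patent's own): F is kept as a list of (threshold, function) layers, the newest layer whose threshold lies below s decides the slave, and the oldest layer is dropped once every slave's highest authenticated sequence number is past that layer's upper threshold plus the receive-window size. Once a layer is gone, sequence numbers below every remaining threshold map to the discard value -1 mentioned in the text. The split of F1 (S1 odd, S2 even), the thresholds 100 and 150 and the new identifier 3 given to the returned slave are taken from the text; the class and method names are assumptions.

```python
DISCARD = -1   # id value that tells the master to drop the packet

class LayeredDistribution:
    """F(s): the newest layer whose threshold lies below s decides the slave id."""

    def __init__(self, first_function):
        # (threshold, function) pairs, oldest first; the first function applies to every s >= 1
        self.layers = [(0, first_function)]

    def add(self, threshold, function):
        # a new function takes over for all s > threshold; thresholds must not go backwards
        if threshold < self.layers[-1][0]:
            raise ValueError("threshold must not be lower than the previous one")
        self.layers.append((threshold, function))

    def __call__(self, s):
        for threshold, function in reversed(self.layers):
            if s > threshold:
                return function(s)
        return DISCARD   # s lies below every remaining threshold: the master drops the packet

    def prune(self, highest_authenticated, window_size):
        """Drop the oldest function while every slave has authenticated past its
        upper threshold (the next layer's threshold) plus the receive-window size.
        highest_authenticated: {slave_id: highest authenticated sequence number}."""
        floor = min(highest_authenticated.values())
        while len(self.layers) > 1 and floor > self.layers[1][0] + window_size:
            self.layers.pop(0)
        return len(self.layers)


def build_example():
    """The F1/F2/F3 sequence of the text, constructed for the demo."""
    f1 = lambda s: 1 if s % 2 else 2      # S1 handles odd, S2 even sequence numbers
    f2 = lambda s: 2                      # slave 1 failed at highest seen 100: all to S2
    f3 = lambda s: 3 if s % 2 else 2      # slave back with new id 3 at highest seen 150
    F = LayeredDistribution(f1)
    F.add(100, f2)
    F.add(150, f3)
    return F
```

With the slaves' highest authenticated numbers at 166 and 200 and a window of 64, `prune` removes F1 (166 > 100 + 64) but keeps F2 (166 is not above 150 + 64), exactly as in the worked numbers above.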
If a master collapses, the received packets are discarded or buffered. The discarding/buffering of the packets is performed because the server cluster is vulnerable until a new master is ready to distribute packets. The new master is elected from among slaves. The new master sends a check message to the slaves and receives reply messages from them in response to the check message sent. Because the new master is a former slave, it sends a check message to itself, too. Then the new master sets values in its counters and forms a new distribution function in accordance with the counter values. Now the new master is ready to distribute packets to the slaves using the new distribution function.
A master periodically checks its counter values by polling its slaves, i.e. the master sends a check message to each slave in order to obtain the highest authenticated sequence numbers. The reply message of a slave preferably includes all the highest authenticated sequence numbers (one number per security association). The highest authenticated sequence number may be less than the highest seen sequence number, because some received packets may be fake packets carrying fake numbers.
The master passes through the security associations one by one and updates the counter values.
FIG. 7 shows an example of packet handling when a server cluster is composed of a master 701 and two slaves 702 and 703. The master 701 receives 704 a packet containing the sequence number 10 and using the distribution function distributes 705 the packet to a slave 702. The slave 702 ensures that the packet is correct and transmits 706 the packet to a receiver. In a corresponding manner the master and the other slave 703 handle a packet 707 containing sequence number 11. Another packet 708 containing the sequence number 50 is a faked packet. Thus, the slave 703 discards the packet. The master sends a check message 709 to both the slaves. In response to the check message the master receives a reply message 710 from the slave 702. It contains the number 13, which is the highest authenticated sequence number of the slave 702. The master receives a packet 711 containing the sequence number 16. Now number 16 is the highest seen sequence number. Then the master receives a reply message 712 containing the number 14, which is the highest authenticated sequence number of the slave 703. Now the master has received all the reply messages from both its slaves. The maximum of the highest authenticated sequence numbers and the highest seen number is 16.
A server cluster can operate securely even if all the slave servers have collapsed. However, the server cluster cannot operate securely if a master and at least one slave collapse at the same time.
FIG. 8 shows the steps of the method when a server cluster is in a transient state. The steps concern the cases when: 1) a new server is joined to the server cluster, 2) a server has failed, or 3) the capacity of a slave server has changed. First a check is made as to whether the master has failed or not 801. If not, the master polls the slaves 802, i.e. it sends a check message to the slaves and receives reply messages from them. The reply messages contain the highest authenticated sequence numbers, one per SA (security association). If the master has failed, a new master is elected from among the slaves 803. Then the new master polls the slaves 804, including itself, since the new master is a former slave. The new master selects 805 for each SA the maximum of the highest authenticated sequence numbers. In the other branch of the flowchart, the old master selects 806 for each SA the maximum, which is the highest seen sequence number (i.e. as seen by the master). The old/new master updates 807 the counter of each SA so that the new counter value is the above-mentioned maximum plus one. The old/new master forms a new distribution function 808 on the basis of the reply messages received. When the master receives a packet, it compares 809 the sequence number of the packet to the counter value of the corresponding SA. If the counter value is reached, the master uses 810 the new distribution function for the packet. Otherwise, it is considered whether the master had failed 811. If not, the master uses an old distribution function 812. Otherwise, the master did indeed collapse, after which the new master was elected, and now the packet is discarded 813. The method is intended especially for handling IP traffic, wherein IP packets contain an authentication header (AH) or an encapsulated security payload (ESP) with an ascending sequence number. However, the method may be able to handle other types of packets/traffic.
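The check/reply bookkeeping of FIG. 7 and the decision steps 801-813 of FIG. 8, as an added example (illustrative code, not the patent's own). Check and reply messages are simulated as direct method calls, a slave that does not answer is recorded as failed, and the old-master and new-master branches differ only in how the per-SA maximum is selected and in what happens to a packet below the counter. The class and method names, the two-slave layout with identifiers 702 and 703 and the single SA named "sa1" are assumptions for the demo; the sequence numbers 10, 11, 13, 14 and 16 follow the FIG. 7 walk-through.

```python
DISCARD = -1   # the master drops the packet

class Slave:
    def __init__(self, sid):
        self.sid = sid
        self.alive = True
        self.highest_authenticated = {}   # SA -> highest sequence number that passed authentication

    def authenticated(self, sa, seq):
        """Record a packet that passed HMAC authentication and the receive-window check."""
        self.highest_authenticated[sa] = max(self.highest_authenticated.get(sa, 0), seq)

    def reply(self):
        """Reply to a check message (one number per SA); a failed slave sends nothing."""
        return dict(self.highest_authenticated) if self.alive else None


class Master:
    def __init__(self, slaves, old_function=None, newly_elected=False):
        self.slaves = slaves                 # a newly elected master lists itself here too
        self.old_function = old_function     # None for a new master: the old function died with the old master
        self.new_function = None
        self.master_failed = newly_elected   # steps 801/811: True when this node is a former slave
        self.highest_seen = {}               # SA -> highest sequence number seen by this master
        self.counters = {}                   # SA -> counter value set in step 807

    def poll(self):
        """Steps 802/804: send a check message to every slave and collect the replies."""
        replies, failed = {}, []
        for slave in self.slaves:
            reply = slave.reply()
            if reply is None:
                failed.append(slave.sid)      # no reply: the master concludes the slave has failed
            else:
                replies[slave.sid] = reply
        return replies, failed

    def select_maximum(self, sa, replies):
        authenticated = [r.get(sa, 0) for r in replies.values()]
        if self.master_failed:
            return max(authenticated, default=0)                     # step 805: new master
        return max(authenticated + [self.highest_seen.get(sa, 0)])   # step 806: old master

    def enter_transient_state(self, new_function):
        """Steps 802-808: poll, set each counter to maximum + 1, install the new function."""
        replies, failed = self.poll()
        sas = set(self.highest_seen).union(*[r.keys() for r in replies.values()])
        for sa in sas:
            self.counters[sa] = self.select_maximum(sa, replies) + 1   # step 807
        self.new_function = new_function                               # step 808
        return failed

    def dispatch(self, sa, seq):
        """Steps 809-813 for one received packet; returns a slave id or DISCARD."""
        self.highest_seen[sa] = max(self.highest_seen.get(sa, 0), seq)
        if self.new_function is None:
            # stable state; a newly elected master without a function yet discards packets
            return self.old_function(seq) if self.old_function else DISCARD
        if seq >= self.counters.get(sa, 0):
            return self.new_function(seq)    # step 810: counter reached, new function
        if not self.master_failed:
            return self.old_function(seq)    # step 812: old master alive, old function
        return DISCARD                       # step 813: master collapsed, packet dropped
```

Run through the FIG. 7 numbers, the old master's replies are 13 and 14 and its highest seen number is 16, so the counter becomes 17; a master elected after a failure ignores its own highest seen number and sets the counter to 14 + 1 = 15, discarding anything below it.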
A server cluster according to the invention is a server cluster that uses the above-described method in order to distribute the packets of the same connection to a certain set of slave servers. The said server cluster is adapted to: 1) receive a packet in a master server, the packet containing a sequence number for data communication purposes, 2) read bits from the sequence number, 3) input the bits into a distribution function which results in the identifier of a slave server, and 4) transmit the packet received from the master server to the slave server. After that the server cluster is adapted to authenticate the packet in the slave server, and when the authentication is successful, the server cluster is adapted to check whether the sequence number of the packet is correct by using a receive window, and finally, if it is correct, the server cluster is adapted to transmit the packet from the slave server to the receiver of the packet.

Claims
1. A method for handling data communication packets in a server cluster composed of a master server and at least one slave server, characterized in that packets belonging to the same data connection and the same secure association established between the server cluster and a client are distributed to a certain set of servers of the server cluster as follows: receiving a packet belonging to said secure association in the master server (401), reading bits from a sequence number received with the packet (402), inputting said bits into a distribution function (403) resulting in the identifier of a slave server of the certain set, the distribution function having been adapted to result in the same identifier in response to the same bits, transmitting the packet received to the slave server (404), and authenticating the packet transmitted in the slave server (405).
2. The method as described in claim 1, characterized in that instead of reading bits from the sequence number, the bits are read from a certain other piece of information received with the packet.
3. The method as described in claim 1, characterized in that when the authentication performed is successful, checking in the slave server whether the sequence number of the packet is correct by using a receive window (407), and when said sequence number is correct, transmitting the packet from the slave server to the receiver of the packet (408).
4. The method as described in claim 1, characterized in that the master server contains one counter per each security association handled by the server cluster, said counter to be for storing the highest seen sequence number.
5. The method as described in claim 1, characterized in that receive windows being located in the servers contain the highest authenticated sequence numbers, one number per each security association.
6. The method as described in claim 1, characterized in that the server cluster enters into a transient state when one of the following events happens: a new server joins the server cluster, a server collapses, or the capacity of a slave server changes.
7. The method as described in claims 4-6, characterized in that when the server cluster is in the transient state and the master server is in operation the following steps are performed: sending a check message from the master server to the servers of the certain set, receiving a set of response messages from said servers in response to the check message sent, said response messages to contain at least the highest authenticated sequence numbers, after which in the master server, forming a new distribution function on the basis of the set of response messages received.
8. The method as described in claim 7, characterized in that when the master server receives a new packet with a sequence number and said sequence number exceeds a certain threshold value related to the new distribution function, the following steps are performed in the master server: using the new distribution function for the new packet by inputting a certain number of bits from said sequence number into the new distribution function, resulting in the identifier of a slave server, and transmitting the new packet to said slave server.
9. The method as described in claims 4-6, characterized in that when the server cluster is in the transient state and the master server has failed, the following steps are performed: electing a new master server from among the slave servers of the server cluster, sending a check message from the new master server to the slave servers, and receiving a set of response messages from said slave servers in response to the check message sent, said response messages to contain at least the highest authenticated sequence numbers, after which in the new master server, forming a new distribution function on the basis of the set of response messages received.
10. The method as described in claim 9, characterized in that when the new master server receives a new packet with a sequence number and said sequence number exceeds a certain threshold value related to the new distribution function, the new master uses the new distribution function to transmit the new packet to a slave server.
11. The method as described in claim 1, characterized in that the data communication packets handled by the server cluster are Internet protocol packets in accordance with the Internet protocol security architecture.
12. A server cluster for handling data communication packets, the server cluster being composed of a master server and at least one slave server, characterized in that in order to distribute packets belonging to the same data connection to at least two servers of the server cluster, the server cluster is adapted to: receive a packet in the master server (401), the packet belonging to said data connection and a secure association established between the server cluster and a client, read bits from a sequence number received with the packet (402), input said bits into a distribution function (403) resulting in the identifier of a slave server, the distribution function being such that it results in the same identifier in response to the same bits, transmit the packet received to the slave server (404), and authenticate the transmitted packet in the slave server (405).
13. The server cluster as described in claim 12, characterized in that instead of reading bits from the sequence number, the bits are read from a certain other piece of information received with the packet.
14. The server cluster as described in claim 12, characterized in that the server cluster is further adapted to: check in the slave server whether the sequence number of the packet is correct by using a receive window (407), and when said sequence number is correct, transmit the packet from the slave server to the receiver of the packet (408).
15. The server cluster as described in claim 12, characterized in that the master server contains one counter for each security association handled by the server cluster, said counter storing the highest seen sequence number.
16. The server cluster as described in claim 12, characterized in that the receive windows located in the slave servers contain the highest authenticated sequence numbers, one sequence number for each security association.
17. The server cluster as described in claim 12, characterized in that the server cluster enters into a transient state when one of the following events happens: a new server joins the server cluster, a server collapses, or the capacity of a slave server changes.
18. The server cluster as described in claims 15-17, characterized in that whenever the server cluster is in the transient state and the master server is in operation, the server cluster is adapted to: send a check message from the master server to the slave servers of the server cluster, receive at the master server a set of response messages from said slave servers in response to the check message sent, said response messages containing at least the highest authenticated sequence numbers, and form a new distribution function on the basis of the set of response messages received.
19. The server cluster as described in claim 18, characterized in that when the master server receives a new packet with a sequence number and said sequence number exceeds a certain threshold value related to the new distribution function, the master server of the server cluster is adapted to: use the new distribution function for the new packet by inputting a certain number of bits from said sequence number into the new distribution function, resulting in the identifier of some slave server, and transmit the new packet to said slave server.
20. The server cluster as described in claims 15-17, characterized in that when the server cluster is in the transient state and the master server has failed, the server cluster is adapted to: elect a new master server from among the slave servers of the server cluster, send a check message from the new master server to the slave servers, receive at the master server a set of response messages from said slave servers, said response messages containing at least the highest authenticated sequence numbers, and form a new distribution function on the basis of the set of response messages received.
21. The server cluster as described in claim 20, characterized in that when the new master server receives a new packet with a sequence number and said sequence number exceeds a certain threshold value related to the new distribution function, the new master server is adapted to use the new distribution function to transmit the new packet to a slave server.
22. The server cluster as described in claim 12, characterized in that the data communication packets handled by the server cluster are Internet protocol packets in accordance with the Internet protocol security architecture.
23. A distribution function for distributing data communication packets of a security association to a set of slave servers of a server cluster, a master server of the server cluster receiving (401) a data communication packet belonging to the security association, characterized in that in response to bits read (402) from a sequence number of the data communication packet, the distribution function results in an identifier of a slave server (403) of the server cluster so that:
1) a certain function of the distribution function is used when the sequence number exceeds a threshold value, the threshold value being the highest seen sequence number, as seen by the master server, and
2) the identifier is always the same when the read bits are the same.
24. The distribution function as described in claim 23, characterized in that instead of reading bits from the sequence number, the bits are read from a certain other piece of information received with the packet.
25. The distribution function as described in claim 23, characterized in that the distribution function further determines which receive windows check which sequence numbers, said receive windows being located in the slave servers and containing the highest authenticated sequence numbers.
26. The distribution function as described in claim 23, characterized in that when the master server has failed, the threshold value is the maximum of the highest authenticated sequence numbers which the slave servers belonging to the certain set have authenticated.
27. The distribution function as described in claim 23, characterized in that when the server cluster enters into a transient state because of one of the following events: a new server joins the server cluster, a server collapses, or the capacity of a slave server changes, a new distribution function is formed and the new distribution function is used when a sequence number of a data communication packet exceeds a threshold value related to the new distribution function.
28. The distribution function as described in claim 23, characterized in that the distribution function is composed of a set of distribution tables each of which is filled with identifiers, wherein a portion of an identifier in a distribution table essentially determines what percent of the data communication packets is distributed to a slave server having said identifier.
29. The distribution function as described in claim 28, characterized in that when the capacity of the slave server changes, the portion of the identifier in the distribution table is changed to correspond to a change in the capacity.
30. The distribution function as described in claim 23, characterized in that the data communication packets are Internet protocol packets in accordance with the Internet protocol security architecture.
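The following Python model is an added illustration of claims 12 to 29, not code from the patent or its assignee. It assumes a 16-slot distribution table indexed by the four low bits of the sequence number, HMAC-SHA256 under a constructed key as the slave-side authentication, a 64-packet receive window and a single security association; the threshold rule of claims 23 and 26 is implemented as the maximum of the master's own counter and the slaves' reported highest authenticated sequence numbers, which reduces to the master's counter while it is running and to the slaves' maximum for a newly elected master.

```python
import hmac, hashlib
from dataclasses import dataclass, field

TABLE_SIZE = 16              # slots per distribution table; the 4 low seq-number bits index it
KEY = b"constructed-sa-key"  # constructed authentication key of the one SA modelled here

def build_table(capacities):
    # Claim 28: a slave's share of the slots is proportional to its capacity.
    total = sum(capacities.values())
    table = [sid for sid, cap in sorted(capacities.items())
             for _ in range(TABLE_SIZE * cap // total)]
    biggest = max(capacities, key=capacities.get)
    return table + [biggest] * (TABLE_SIZE - len(table))  # absorb rounding loss

def tag(seq):
    return hmac.new(KEY, seq.to_bytes(4, "big"), hashlib.sha256).digest()

@dataclass
class Slave:
    sid: str
    highest_auth: int = 0                  # highest authenticated seq number (claim 16)
    seen: set = field(default_factory=set)
    window: int = 64
    def handle(self, seq, mac):
        # Step 405 then claim 14: authenticate, then apply the receive window.
        if not hmac.compare_digest(mac, tag(seq)):
            return False
        if seq <= self.highest_auth - self.window or seq in self.seen:
            return False                   # replay, or older than the window
        self.seen.add(seq)
        self.highest_auth = max(self.highest_auth, seq)
        return True

@dataclass
class Master:
    table: list
    highest_seen: int = 0                  # per-SA counter (claim 15)
    pending: tuple = None                  # (threshold, new table) in the transient state
    def reconfigure(self, capacities, responses=()):
        # Claims 18-20, 23, 26: a running master's counter already exceeds every slave's
        # report; a newly elected master starts at zero, so the slaves' maximum decides.
        threshold = max([self.highest_seen, *responses])
        self.pending = (threshold, build_table(capacities))
    def route(self, seq):
        # Claim 23: the same bits always select the same slave identifier.
        self.highest_seen = max(self.highest_seen, seq)
        table = self.pending[1] if self.pending and seq > self.pending[0] else self.table
        return table[seq & (TABLE_SIZE - 1)]
```

Packets already in flight when the cluster reconfigures keep their old slave, while every packet numbered above the threshold goes through the new table, so no slave's receive window sees a sequence number it has not been told to expect.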
EP03811788A 2002-11-27 2003-11-26 Scalable and secure packet server-cluster Withdrawn EP1568184A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FI20022102 2002-11-27
FI20022102A FI115432B (en) 2002-11-27 2002-11-27 Scalable and secure server cluster for IP traffic
PCT/FI2003/000907 WO2004049656A1 (en) 2002-11-27 2003-11-26 Scalable and secure packet server-cluster

Publications (1)

Publication Number Publication Date
EP1568184A1 true EP1568184A1 (en) 2005-08-31

Family

ID=8564998

Family Applications (1)

Application Number Title Priority Date Filing Date
EP03811788A Withdrawn EP1568184A1 (en) 2002-11-27 2003-11-26 Scalable and secure packet server-cluster

Country Status (4)

Country Link
EP (1) EP1568184A1 (en)
AU (1) AU2003302345A1 (en)
FI (1) FI115432B (en)
WO (1) WO2004049656A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1791098B (en) * 2004-12-13 2010-12-01 华为技术有限公司 Method for realizing safety coalition synchronization
EP1744515B1 (en) 2005-07-12 2011-07-13 Fujitsu Siemens Computers, Inc. Method, cluster system and computer-readable medium for distributing data packets
CN109995842B (en) * 2018-01-02 2022-12-02 北京奇虎科技有限公司 Grouping method and device for distributed server cluster

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6449734B1 (en) * 1998-04-17 2002-09-10 Microsoft Corporation Method and system for discarding locally committed transactions to ensure consistency in a server cluster
EP1744520B1 (en) * 2000-04-07 2010-06-09 Network Appliance, Inc. Method and apparatus for selecting a group leader
US7136881B2 (en) * 2000-12-15 2006-11-14 International Business Machines Corporation Method and system for processing directory events
US20020133601A1 (en) * 2001-03-16 2002-09-19 Kennamer Walter J. Failover of servers over which data is partitioned

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2004049656A1 *

Also Published As

Publication number Publication date
WO2004049656A1 (en) 2004-06-10
AU2003302345A1 (en) 2004-06-18
FI115432B (en) 2005-04-29
FI20022102A (en) 2004-05-28
FI20022102A0 (en) 2002-11-27

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20050623

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL LT LV MK

DAX Request for extension of the european patent (deleted)
RIN1 Information on inventor provided before grant (corrected)

Inventor name: VAARALA, SAMI

Inventor name: NUOPPONEN, ANTTI

17Q First examination report despatched

Effective date: 20090902

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20110601