WO2004066579A1 - Stateless server cluster for internet traffic - Google Patents

Stateless server cluster for internet traffic Download PDF

Info

Publication number
WO2004066579A1
WO2004066579A1 PCT/FI2003/000956 FI0300956W WO2004066579A1 WO 2004066579 A1 WO2004066579 A1 WO 2004066579A1 FI 0300956 W FI0300956 W FI 0300956W WO 2004066579 A1 WO2004066579 A1 WO 2004066579A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
value
security
server cluster
packet
Prior art date
Application number
PCT/FI2003/000956
Other languages
French (fr)
Inventor
Ilkka PIETIKÄINEN
Original Assignee
Netseal Mobility Technologies - Nmt Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Netseal Mobility Technologies - Nmt Oy filed Critical Netseal Mobility Technologies - Nmt Oy
Priority to AU2003288291A priority Critical patent/AU2003288291A1/en
Priority to EP03780190A priority patent/EP1620989A1/en
Publication of WO2004066579A1 publication Critical patent/WO2004066579A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004Server selection for load balancing
    • H04L67/1008Server selection for load balancing based on parameters of servers, e.g. available memory or workload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004Server selection for load balancing
    • H04L67/1014Server selection for load balancing based on the content of a request
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/10015Access to distributed or replicated servers, e.g. using brokers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22Parsing or analysis of headers

Definitions

  • the present invention generally relates to efficiency and security aspects when a server cluster handles communication packets.
  • IPsec Internet Protocol security
  • SA security association
  • node and “entity” refer to a terminal, a server, a router, or some other type of equipment that participates in an SA.
  • An SA is created between the end nodes of a connection. There may be one SA per connection, but usually both communication directions have their own SA. It is also possible that different types of traffic for the same connection have been secured with their own SA.
  • IP packets In IPsec traffic, IP packets contain an Authentication Header (AH) or an Encapsulated Security Payload (ESP). These packets are termed IPsec packets.
  • AH Authentication Header
  • ESP Encapsulated Security Payload
  • FIG. 1A shows the authentication header (AH) 101. Two of its fields are discussed here, because they relate closely to the invention. Information about the rest of the AH fields can be found in prior art documents.
  • the Security Parameters Index (SPI) is a field 102 for storing an SPI number that identifies a security association.
  • the Sequence Number Field is a field 103 for storing a sequence number. The sequence number is incremented after each packet is sent.
  • FIG. 1 B shows a part of the encapsulated security payload (ESP) 104.
  • the ESP header includes the Security Parameters Index (SPI) field 105 for storing an SPI number identifying a security association.
  • the sequence number field 106 is for storing a sequence number.
  • an IP packet can be encapsulated using the AH or the ESP.
  • the encapsulation of an IP packet can be performed in the tunnel mode or the transport mode. Both modes are described in prior art documents.
  • IKE Internet Key Exchange
  • IPsec can be configured without IKE, but IKE en- hances the IPsec by providing certain additional features.
  • the operation of IKE is based on both: the key determination protocol termed "Oakley" and the Internet Security Association and Key Management Protocol (ISAKMP).
  • ISAKMP defines formats for the packet payload, the mechanics of implementing a key exchange protocol, and the negotiation of an SA.
  • IKE may automatically negotiate security associations (SAs) and thus enable IPsec traffic without manual configuration.
  • SAs security associations
  • FIG. 2 shows a part of the ISAKMP header 201.
  • an ISAKMP packet carries a variable number of payloads.
  • the Initiator Cookie field 202 of the ISAKMP header includes an identifier of an entity that has initiated the establishment, notification, or deletion of an SA.
  • the Responder Cookie field 203 includes an identifier of another entity that responds to the establishment, notification, or deletion of the SA.
  • a server cluster is generally composed of a set of servers.
  • clustering refers to the manner, whereby services are shared among the servers.
  • application services the objective is to increase the capacity of the application services.
  • the capacity requirements of a sen/ice are much higher in a server running the service than in another server handling the traffic of the service.
  • a server running a WWW search service may require high processing capacity.
  • clustering network services basically all the processing capacity is needed for processing the traffic of application services. Therefore, a server or server cluster should handle the traffic as efficient as possible.
  • each member must be able to receive all the packets sent to the server cluster. Thus, each member may need an expensive high-capacity link for receiving packets. Secondly, each member must discard packets intended for other members. When the volume of the received packets increases, discarding the packets requires more and more capacity.
  • a server cluster can be composed of a master server and slave servers so that the server cluster has one IP address and the said IP address is mapped to the master server.
  • the master receives all the packets and distributes them to the slaves via a network that connects the master and the slaves.
  • this solution suffers its own drawbacks.
  • the first drawback is that many prior art server clusters composed of a master and slaves contain a lot of shared information which must be continuously updated.
  • the said information includes security associations which must be evenly shared among the slaves. This sharing may cause a lot of internal message traffic in the server cluster.
  • the second drawback is that the prior art server cluster may fail to repel certain types of hacker attacks, such as replay attacks.
  • the applicant's former patent application FI20022102 describes a server cluster that can repel replay attacks.
  • the said server cluster has its own benefits and drawbacks.
  • One benefit is that the failure of one slave does not usually cut off a connection, because the connection is usually handled by at least two slaves of the said server cluster.
  • the drawbacks in comparison with the server cluster described in this patent application are as follows: 1) the space requirement of the slaves is higher and 2) the synchronization of the slaves' operation requires more work.
  • the invention is generally based on the idea that a sender of a communication packet places a piece of information in a certain header field of the communication packet. On the basis of the said piece of information, the master of the server cluster receiving the said communication packet can determine which slave is to handle the packet.
  • the server cluster may receive negotiation packets, such as ISAKMP packets, and security packets, such as IPsec packets.
  • the master of the server cluster obtains a negotiation packet with an initiator field and a responder field.
  • the initiator field contains a value identifying the negotiation initiator. If the responder field of the negotiation packet contains a dummy value, the master selects a slave server for a security association.
  • the master may select the slave having the lowest load.
  • a security association can be negotiated in two different ways.
  • the first way is that the master negotiates the security association on behalf of the selected slave. Then the master selects a handler value from the number space which is addressed to the selected slave.
  • the handler value may be a certain Security Parameters Index (SPI) value between a certain lower limit and a certain upper limit.
  • SPI Security Parameters Index
  • the second way is that the master transmits the negotiation packet to the selected slave, which selects the responder value itself and then negotiates the security association.
  • Both ways involve the placement of the responder value in a negotiation packet sent to the negotiation initiator.
  • the master receives the next negotiation packet from the negotiation initiator, said packet contains the responder value.
  • the master determines to which slave the packet should be transmitted.
  • SA security association
  • the said entity sends security packets belonging to the SA to the server cluster.
  • security packets may contain, for example, an SPI value.
  • the security packets contain a handler value. The handler value is selected from the number space addressed to the slave handling the security packets. On the basis of the handler value, the master determines to which slave the security packets should be transmitted.
  • FIG 1A shows the authentication header (AH)
  • FIG. 1B shows a part of the encapsulated security payload (ESP)
  • Figure 2 shows a part of the ISAKMP header
  • Figure 3 shows the main steps in the method
  • Figure 4 shows the steps of the method for negotiating a security association
  • Figure 5 shows an example of a server cluster.
  • the invention comprises a method for handling security packets and a server cluster using that method.
  • Each slave server has two number spaces which are termed a "handler number space” and a “responder number space” respectively.
  • a handler value is selected from the handler number space, and a responder value is selected from the responder number space. It is possible that the said number spaces are the same number space, i.e. that they include exactly the same numbers.
  • the number spaces of different slaves are separated, i.e. they do not include the same numbers.
  • Each number space may contain numbers from a certain minimum limit to a certain maximum limit.
  • the number space addressed to a first slave could contain the numbers from 0 to 32767 and the number space addressed to a second slave could contain the numbers from 32768 to 65535.
  • FIG. 3 shows the main steps of the method intended for handling security packets in a server cluster composed of a master server and at least one slave server.
  • the security packets may be IPsec packets.
  • the first step is receiving 301 at the master server a security packet which belongs to a security association (SA) between an entity and the server cluster.
  • SA security association
  • the SA may be created by a user. Alternatively, the entity and the server cluster have negotiated the SA using negotiation packets.
  • the security packet received includes a handler value originating from the server cluster. The handler value is selected during the SA negotiations. Alternatively, it is selected when a user creates the SA.
  • the second step is determining 302 the slave server with the handler number space that the said handler value belongs to and then transmitting 303 the security packet to the said slave server.
  • the number spaces of slaves are determined by using an appropriate function.
  • the function may be very simple. For example, it may divide a given number space into two number spaces so that the number space of one slave contains odd numbers and the number space of an- other slave contains even numbers. Any bit string can be considered as an integral number that can be used as an input of the function.
  • characters and character strings/bit strings can be represented as hexadecimal numbers. Therefore, a character string represent as a hexadecimal number may belong to a certain number space, which can be mapped to a certain slave server. Therefore, the character string is also a piece of information that can be used as a handler value.
  • the first way is that the master negotiates the SA on behalf of a slave and the second way is that a slave server negotiates the SA. Both ways are explained in the following figure.
  • FIG. 4 shows the steps for negotiating an SA.
  • the negotiation is performed using negotiation packets, such as ISAKMP packets.
  • the first step is receiving 401 a negotiation packet sent by the entity.
  • the second step is comparing 402 a predefined dummy value to the responder value included in the negotiation packet. If the responder value is the dummy value, the next step is selecting 403 a slave server of the server cluster. For example, the selection may be based on the load amounts so that the slave having the lowest load is selected.
  • the master may also operate as a slave. Thus, the master may select itself as a slave server and handle a part of the load.
  • the selected slave which may be the master, will handle security packets related to the SA.
  • the next step is selecting 404 a responder value which differs from the dummy value and which belongs to the responder number space addressed to the selected slave.
  • the responder value is preferably the same value used as a handler value in communication packets when the entity sends the said packets to the selected slave.
  • Step 404 is preferably performed by the selected slave. Then the said slave obtains the first negotiation packet from the master, and the said slave negotiates the SA. However, the master may also select the responder value on behalf of the slave, in which case the master negotiates the SA.
  • the next step is sending 405 a first "response" negotiation packet with the responder value to the entity in response to the negotiation packet received. If the selected slave negotiates the SA, the first response negotiation packet is sent by it.
  • the master negotiates the SA and sends the said negotiation packet. If the responder value differs from the dummy value, the step is determining 406 a slave server with the responder number space to which the responder value belongs. If the selected slave negotiates the SA, the master transmits the negotiation packet to it. The final step is sending 405 the first response negotiation packet with the responder value to the entity.
  • a handler value and a responder value may be the same value. In that case, there is no need for a mapping or for a transformation between the handler value and the responder value.
  • an entity can use the responder value received from a server cluster as a handler value when it sends security packets to the server cluster. Then the responder value and the handler value point to the same slave server in the server cluster.
  • the handler number space and the responder number space are the same number space, the same logic can be used to determine 1) which slave is to handle a negotiation packet and 2) which slave is to handle a security packet.
  • the Security Parameters Index (SPI) value can be used as a responder value.
  • the SPI value is a good choice, because the AH header as well as the ESP header include the SPI field.
  • the SPI value is be placed in the Responder Cookie field of the ISAKMP header during the SA negotiations, and when the SA negotiations are performed and the SA is available, the SPI value is placed in either the SPI field of the AH header or in the SPI field of the ESP. Because the Responder Cookie field is longer (64 bits) than the SPI field (32 bits), the SPI value fills only half of the Responder Cookie field.
  • a server cluster in accordance with the invention preferably operates as one network node in the IP network. Therefore, all members share the same public IP address.
  • Each member may have three network interfaces.
  • the first interface is intended for Internet communication, i.e. it is the public interface of the server cluster.
  • the second interface is intended for Intranet communication, thus it can be considered as a private interface.
  • the third interface is used for internal communication within the server cluster. Clustering may work without this, but it is better to have the third interface, because use of the private or public interface may lead to loss of clustering messages when the network load is high.
  • the third interface transmits only internal cluster messages, so it can never be full.
  • FIG. 5 shows an example of a server cluster 501 that is composed of three members 502-504.
  • Member 502 is a master, and the two other members are slaves.
  • the cluster members are connected by at least one network, and each cluster member is equipped with at least one network card.
  • Routers card Routers 505 and 506, which are termed "next hop routers", see only one IP address of the cluster.
  • the layer two address of the cluster is the master's address. If the master is changed, the next hop routers 505 and 506 must learn a new layer two address.
  • the routing of IP packets is based on Address Resolution Protocol (ARP).
  • ARP Address Resolution Protocol
  • an entity 507 uses a service 508 via the server cluster 501 so that there are one or more SAs between the entity and the server cluster.
  • ARP Address Resolution Protocol
  • a server cluster in accordance with the invention handles security packets. It is composed of a master server and at least one slave server. Preferably, the slave servers handle all the packets, but it is possible that also the master takes a part of the load and handles a part of the packets.
  • the server cluster is adapted to receive a security packet belonging to the security association between an entity and the server cluster.
  • the security packet includes a handler value originating from the server cluster.
  • the server cluster is also adapted to determine the slave server with the handler number space to which said handler value belongs, and to transmit the security packet to said slave server.
  • the security association may be created by a user. Alternatively, the security association is negotiated using negotiation packets.
  • the server cluster is adapted to receive a negotiation packet from the entity and to select a slave server.
  • the server cluster is adapted to select a responder value belonging to the responder number space addressed to the selected slave server.
  • the responder value may be selected by the master server. Then the master negotiates an SA and sends the first response negotiation packet to the entity. Alternatively, the selected slave server negotiates an SA. In that case, the master server transmits the negotiation packet to the selected slave which forms the first response negotiation and sends it to the entity. Thus, either the master or a slave may be responsible for the SA negotiation and send one or more negotiation packets to the entity.
  • the negotiation packet received contains a responder value selected by the server cluster.
  • the entity has read the responder value of the negotiation packet sent by the server cluster and the entity has placed the responder value in its negotiation packet.
  • the master is adapted to determine which slave server has the responder number space that the responder value belongs to. The master then transmits a second "response" negotiation packet to said slave server.

Abstract

The method is generally based on the idea that a sender of a communication packet places a piece of information in a certain header field of the communi-cation packet. On the basis of the said piece of information, the master of the server cluster receiving the communication packet can then determine which slave should handle the said packet. The same idea can be exploited during a security association (SA) negotiation. The SA negotiation may be per-formed using Internet Security Association and Key Management Protocol (ISAKMP) packets. When the SA is negotiated Internet Protocol security (IP-sec) packets are preferably used as communication packets.

Description

Stateless server cluster for Internet traffic
Field of the invention
The present invention generally relates to efficiency and security aspects when a server cluster handles communication packets.
Background of the invention
The Internet Protocol security (IPsec) is a security feature providing a robust authentication and encryption of IP packets. When using IPsec, an association between the sender and the receiver of the IP packets is termed "a security association" (SA). The terms "node" and "entity" refer to a terminal, a server, a router, or some other type of equipment that participates in an SA. An SA is created between the end nodes of a connection. There may be one SA per connection, but usually both communication directions have their own SA. It is also possible that different types of traffic for the same connection have been secured with their own SA.
In IPsec traffic, IP packets contain an Authentication Header (AH) or an Encapsulated Security Payload (ESP). These packets are termed IPsec packets.
FIG. 1A shows the authentication header (AH) 101. Two of its fields are discussed here, because they relate closely to the invention. Information about the rest of the AH fields can be found in prior art documents. The Security Parameters Index (SPI) is a field 102 for storing an SPI number that identifies a security association. The Sequence Number Field is a field 103 for storing a sequence number. The sequence number is incremented after each packet is sent.
FIG. 1 B shows a part of the encapsulated security payload (ESP) 104. Also the ESP header includes the Security Parameters Index (SPI) field 105 for storing an SPI number identifying a security association. Correspondingly, the sequence number field 106 is for storing a sequence number.
In IPsec traffic, an IP packet can be encapsulated using the AH or the ESP. The encapsulation of an IP packet can be performed in the tunnel mode or the transport mode. Both modes are described in prior art documents.
The Internet Key Exchange (IKE) protocol is the protocol standard for the key management. IPsec can be configured without IKE, but IKE en- hances the IPsec by providing certain additional features. The operation of IKE is based on both: the key determination protocol termed "Oakley" and the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP defines formats for the packet payload, the mechanics of implementing a key exchange protocol, and the negotiation of an SA. IKE may automatically negotiate security associations (SAs) and thus enable IPsec traffic without manual configuration.
FIG. 2 shows a part of the ISAKMP header 201. In addition to the ISAKMP header, an ISAKMP packet carries a variable number of payloads. The Initiator Cookie field 202 of the ISAKMP header includes an identifier of an entity that has initiated the establishment, notification, or deletion of an SA. The Responder Cookie field 203 includes an identifier of another entity that responds to the establishment, notification, or deletion of the SA.
A server cluster is generally composed of a set of servers. The term "clustering" refers to the manner, whereby services are shared among the servers. There are basically two types of services, application services and network services. When clustering application services, the objective is to increase the capacity of the application services. Typically, the capacity requirements of a sen/ice are much higher in a server running the service than in another server handling the traffic of the service. For example, a server running a WWW search service may require high processing capacity. When clustering network services, basically all the processing capacity is needed for processing the traffic of application services. Therefore, a server or server cluster should handle the traffic as efficient as possible.
Many clustering solutions for network services are based on broadcasting communication packets at layer two of the OSI model to all members of the server cluster (OSI is an acronym from the words "Open Systems Interconnection"). All the packets are distributed to all the members, and each member determines through the use of some prior art method whether it should process a broadcasted packet or not. This solution operates relatively well in most cases, but it may suffer from the following drawbacks.
First, each member must be able to receive all the packets sent to the server cluster. Thus, each member may need an expensive high-capacity link for receiving packets. Secondly, each member must discard packets intended for other members. When the volume of the received packets increases, discarding the packets requires more and more capacity.
Instead of broadcasting or multicasting all packets to all the server cluster members, a server cluster can be composed of a master server and slave servers so that the server cluster has one IP address and the said IP address is mapped to the master server. In this solution the master receives all the packets and distributes them to the slaves via a network that connects the master and the slaves. Of course, this solution suffers its own drawbacks.
The first drawback is that many prior art server clusters composed of a master and slaves contain a lot of shared information which must be continuously updated. The said information includes security associations which must be evenly shared among the slaves. This sharing may cause a lot of internal message traffic in the server cluster.
The second drawback is that the prior art server cluster may fail to repel certain types of hacker attacks, such as replay attacks.
The applicant's former patent application FI20022102 describes a server cluster that can repel replay attacks. The said server cluster has its own benefits and drawbacks. One benefit is that the failure of one slave does not usually cut off a connection, because the connection is usually handled by at least two slaves of the said server cluster. Correspondingly, the drawbacks in comparison with the server cluster described in this patent application are as follows: 1) the space requirement of the slaves is higher and 2) the synchronization of the slaves' operation requires more work.
Summary of the invention
The invention is generally based on the idea that a sender of a communication packet places a piece of information in a certain header field of the communication packet. On the basis of the said piece of information, the master of the server cluster receiving the said communication packet can determine which slave is to handle the packet.
The server cluster may receive negotiation packets, such as ISAKMP packets, and security packets, such as IPsec packets. The master of the server cluster obtains a negotiation packet with an initiator field and a responder field. The initiator field contains a value identifying the negotiation initiator. If the responder field of the negotiation packet contains a dummy value, the master selects a slave server for a security association.
For example, the master may select the slave having the lowest load. When a slave is selected, a security association can be negotiated in two different ways.
The first way is that the master negotiates the security association on behalf of the selected slave. Then the master selects a handler value from the number space which is addressed to the selected slave. For example, the handler value may be a certain Security Parameters Index (SPI) value between a certain lower limit and a certain upper limit.
The second way is that the master transmits the negotiation packet to the selected slave, which selects the responder value itself and then negotiates the security association.
Both ways involve the placement of the responder value in a negotiation packet sent to the negotiation initiator. When the master receives the next negotiation packet from the negotiation initiator, said packet contains the responder value. On the basis of the responder value, the master determines to which slave the packet should be transmitted.
It is also possible that a user creates a security association.
When a security association (SA) is negotiated between an entity and the server cluster, or the SA is created by a user during an SA setup, the said entity sends security packets belonging to the SA to the server cluster. If the security packets are IPsec packets, they may contain, for example, an SPI value. In any case, the security packets contain a handler value. The handler value is selected from the number space addressed to the slave handling the security packets. On the basis of the handler value, the master determines to which slave the security packets should be transmitted.
Brief description of the drawings
The invention is described more closely with reference to the accompanying drawings, in which
Figure 1A shows the authentication header (AH),
Figure 1B shows a part of the encapsulated security payload (ESP),
Figure 2 shows a part of the ISAKMP header,
Figure 3 shows the main steps in the method, Figure 4 shows the steps of the method for negotiating a security association, Figure 5 shows an example of a server cluster.
Detailed description of the invention
The invention comprises a method for handling security packets and a server cluster using that method.
Each slave server has two number spaces which are termed a "handler number space" and a "responder number space" respectively. A handler value is selected from the handler number space, and a responder value is selected from the responder number space. It is possible that the said number spaces are the same number space, i.e. that they include exactly the same numbers.
In any case, the number spaces of different slaves are separated, i.e. they do not include the same numbers. Each number space may contain numbers from a certain minimum limit to a certain maximum limit. For example, the number space addressed to a first slave could contain the numbers from 0 to 32767 and the number space addressed to a second slave could contain the numbers from 32768 to 65535.
FIG. 3 shows the main steps of the method intended for handling security packets in a server cluster composed of a master server and at least one slave server. The security packets may be IPsec packets. The first step is receiving 301 at the master server a security packet which belongs to a security association (SA) between an entity and the server cluster. The SA may be created by a user. Alternatively, the entity and the server cluster have negotiated the SA using negotiation packets. The security packet received includes a handler value originating from the server cluster. The handler value is selected during the SA negotiations. Alternatively, it is selected when a user creates the SA. The second step is determining 302 the slave server with the handler number space that the said handler value belongs to and then transmitting 303 the security packet to the said slave server.
Generally, the number spaces of slaves are determined by using an appropriate function. The function may be very simple. For example, it may divide a given number space into two number spaces so that the number space of one slave contains odd numbers and the number space of an- other slave contains even numbers. Any bit string can be considered as an integral number that can be used as an input of the function.
It should be noted that characters and character strings/bit strings can be represented as hexadecimal numbers. Therefore, a character string represent as a hexadecimal number may belong to a certain number space, which can be mapped to a certain slave server. Therefore, the character string is also a piece of information that can be used as a handler value.
Basically, there are two alternative ways to negotiate an SA between an entity and a server cluster. The first way is that the master negotiates the SA on behalf of a slave and the second way is that a slave server negotiates the SA. Both ways are explained in the following figure.
FIG. 4 shows the steps for negotiating an SA. The negotiation is performed using negotiation packets, such as ISAKMP packets. The first step is receiving 401 a negotiation packet sent by the entity. The second step is comparing 402 a predefined dummy value to the responder value included in the negotiation packet. If the responder value is the dummy value, the next step is selecting 403 a slave server of the server cluster. For example, the selection may be based on the load amounts so that the slave having the lowest load is selected. If required, the master may also operate as a slave. Thus, the master may select itself as a slave server and handle a part of the load. The selected slave, which may be the master, will handle security packets related to the SA. The next step is selecting 404 a responder value which differs from the dummy value and which belongs to the responder number space addressed to the selected slave. The responder value is preferably the same value used as a handler value in communication packets when the entity sends the said packets to the selected slave. Step 404 is preferably performed by the selected slave. Then the said slave obtains the first negotiation packet from the master, and the said slave negotiates the SA. However, the master may also select the responder value on behalf of the slave, in which case the master negotiates the SA. The next step is sending 405 a first "response" negotiation packet with the responder value to the entity in response to the negotiation packet received. If the selected slave negotiates the SA, the first response negotiation packet is sent by it. Otherwise, the master negotiates the SA and sends the said negotiation packet. If the responder value differs from the dummy value, the step is determining 406 a slave server with the responder number space to which the responder value belongs. If the selected slave negotiates the SA, the master transmits the negotiation packet to it. The final step is sending 405 the first response negotiation packet with the responder value to the entity.
As mentioned above, a handler value and a responder value may be the same value. In that case, there is no need for a mapping or for a transformation between the handler value and the responder value. In other words, an entity can use the responder value received from a server cluster as a handler value when it sends security packets to the server cluster. Then the responder value and the handler value point to the same slave server in the server cluster. In addition, if the handler number space and the responder number space are the same number space, the same logic can be used to determine 1) which slave is to handle a negotiation packet and 2) which slave is to handle a security packet. For example, the Security Parameters Index (SPI) value can be used as a responder value. The SPI value is a good choice, because the AH header as well as the ESP header include the SPI field. Thus, the SPI value is be placed in the Responder Cookie field of the ISAKMP header during the SA negotiations, and when the SA negotiations are performed and the SA is available, the SPI value is placed in either the SPI field of the AH header or in the SPI field of the ESP. Because the Responder Cookie field is longer (64 bits) than the SPI field (32 bits), the SPI value fills only half of the Responder Cookie field.
A server cluster in accordance with the invention preferably operates as one network node in the IP network. Therefore, all members share the same public IP address. Each member may have three network interfaces. The first interface is intended for Internet communication, i.e. it is the public interface of the server cluster. The second interface is intended for Intranet communication, thus it can be considered as a private interface. The third interface is used for internal communication within the server cluster. Clustering may work without this, but it is better to have the third interface, because use of the private or public interface may lead to loss of clustering messages when the network load is high. The third interface transmits only internal cluster messages, so it can never be full.
FIG. 5 shows an example of a server cluster 501 that is composed of three members 502-504. Member 502 is a master, and the two other members are slaves. The cluster members are connected by at least one network, and each cluster member is equipped with at least one network card. Routers card. Routers 505 and 506, which are termed "next hop routers", see only one IP address of the cluster. The layer two address of the cluster is the master's address. If the master is changed, the next hop routers 505 and 506 must learn a new layer two address. The routing of IP packets is based on Address Resolution Protocol (ARP). In this example, an entity 507 uses a service 508 via the server cluster 501 so that there are one or more SAs between the entity and the server cluster.
A server cluster in accordance with the invention handles security packets. It is composed of a master server and at least one slave server. Preferably, the slave servers handle all the packets, but it is possible that also the master takes a part of the load and handles a part of the packets. The server cluster is adapted to receive a security packet belonging to the security association between an entity and the server cluster. The security packet includes a handler value originating from the server cluster. The server cluster is also adapted to determine the slave server with the handler number space to which said handler value belongs, and to transmit the security packet to said slave server. The security association may be created by a user. Alternatively, the security association is negotiated using negotiation packets.
For a security association negotiation the server cluster is adapted to receive a negotiation packet from the entity and to select a slave server. When a responder value included in the negotiation packet is a dummy value, the server cluster is adapted to select a responder value belonging to the responder number space addressed to the selected slave server.
The responder value may be selected by the master server. Then the master negotiates an SA and sends the first response negotiation packet to the entity. Alternatively, the selected slave server negotiates an SA. In that case, the master server transmits the negotiation packet to the selected slave which forms the first response negotiation and sends it to the entity. Thus, either the master or a slave may be responsible for the SA negotiation and send one or more negotiation packets to the entity.
Generally speaking, when the server cluster receives a negotiation packet in response to the first response negotiation packet, the negotiation packet received contains a responder value selected by the server cluster. In other words, the entity has read the responder value of the negotiation packet sent by the server cluster and the entity has placed the responder value in its negotiation packet. The master is adapted to determine which slave server has the responder number space that the responder value belongs to. The master then transmits a second "response" negotiation packet to said slave server.
In addition to the examples and the implementation alternations described above, there are other examples and implementation alternations which a man skilled in the art can find by using the teachings of this patent application.

Claims

Claims
1. A method for handling security packets sent by an entity in a server cluster composed of a master server and at least one slave server, said security packets belonging to a security association between the entity and the server cluster, characterized by the steps of: receiving at said master server a security packet belonging to the security association, said security packet containing a handler value which is originated from the server cluster and which is placed in the security packet by the entity, determining a slave server of the server cluster whose handler number space said handler value belongs to, and transmitting the security packet to said slave server.
2. The method as described in claim ^characterized in that the handler value is selected taking into account the load of each slave server.
3. The method as described in claim ^characterized in that the handler value is an integral number.
4. The method as described in claim ^characterized in that the security association is created by a user.
5. The method as described in claim ^characterized in that the security association is negotiated using negotiation packets.
6. The method as described in claim 5, characterized in that the server cluster performs the further steps of: receiving a negotiation packet from the entity, and when a dummy value is included in the negotiation packet, selecting a slave server, selecting a responder value which differs from the dummy value and which belongs to a responder number space addressed to the slave server selected, and in response to the negotiation packet received, sending a first response negotiation packet with the responder value to the entity.
7. The method as described in claim 5, characterized, when the responder value included in the negotiation packet differs from the dummy value, by the further steps of: determining the slave server whose responder number space said responder value belongs to and sending a second response negotiation packet with the responder value to the entity.
8. The method as described in claim 1 and 6, characterized in that the handler value and the responder value are the same value.
9. The method as described in claim ^characterized in that the security packets are Internet Protocol security (IPsec) packets.
10. The method as described in claim 5, characterized in that the negotiation packets are Internet Security Association and Key Management Protocol (ISAKMP) packets.
11. The method as described in claim 8, 9, and 10, characterized in that the same value is placed in the Security Parameters Index (SPI) field of the security packet and in the Responder Cookie field of the negotiation packet.
12. The method as described in claim 1, characterized in that the master server operates as a slave server.
13. A server cluster for handling security packets sent by an entity in a server cluster composed of a master server and at least one slave server, said security packets belonging to a security association between the entity and the server cluster, characterized in that the server cluster is adapted to: receive at said master server a security packet belonging to the security association, said security packet containing a handler value which is originated from the server cluster and which is placed in the security packet by the entity, determine a slave server of the server cluster whose handler number space said handler value belongs to, and transmit the security packet to said slave server.
14. The method as described in claim 13, characterized in that the handler value is selected taking into account the load of each slave server.
15. The method as described in claim 13, characterized in that the handler value is an integral number.
16. The server cluster as described in claim 13, characterized in that the security association is created by a user.
17. The server cluster as described in claim 13, characterized in that the security association is negotiated using negotiation packets.
18. The server cluster as described in claim 17, characterized in that the server cluster is further adapted to: receive a negotiation packet from the entity, and when a dummy value is included in the negotiation packet, select a slave server, select a responder value which differs from the dummy value and which belongs to a responder number space addressed to the slave server selected, and in response to the negotiation packet, send a first response negotiation packet with the responder value to the entity.
19. The server cluster as described in claim 18, characterized in that the responder value is selected by the master server and the master server sends the first response negotiation packet to the entity.
20. The server cluster as described in claim 18, characterized in that when the slave server is selected, the server cluster is further adapted to: transmit the negotiation packet from the master server to the slave server selected.
21. The server cluster as described in claim 18, characterized in that the responder value is selected by the slave server and the slave server sends the first response negotiation packet to the entity.
22. The server cluster as described in claim 18, characterized in that the server cluster is further adapted to: receive at the master server another negotiation packet with the responder value selected by the server cluster.
23. The server cluster as described in claim 18, characterized in that the server cluster is further adapted to: determine the slave server with the responder number space to which said responder value belongs, and transmit the other negotiation packet to said slave server.
24. The server cluster as described in claim 13 and 18, characterized in that the handler value and the responder value are the same value.
25. The server cluster as described in claim 13, characterized in that the security packets are Internet Protocol security (IPsec) packets.
26. The server cluster as described in claim 17, characterized in that the negotiation packets are Internet Security Association and Key Management Protocol (ISAKMP) packets.
27. The method as described in claim 24, 25, and 26, characterized in that the same value is placed in the Security Parameters Index (SPI) field of the security packet and in the Responder Cookie field of the negotiation packet.
28. The method as described in claim 13, characterized in that the master server operates as a slave server.
PCT/FI2003/000956 2003-01-17 2003-12-15 Stateless server cluster for internet traffic WO2004066579A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU2003288291A AU2003288291A1 (en) 2003-01-17 2003-12-15 Stateless server cluster for internet traffic
EP03780190A EP1620989A1 (en) 2003-01-17 2003-12-15 Stateless server cluster for internet traffic

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20030073 2003-01-17
FI20030073A FI117263B (en) 2003-01-17 2003-01-17 A stateless server cluster for Internet traffic

Publications (1)

Publication Number Publication Date
WO2004066579A1 true WO2004066579A1 (en) 2004-08-05

Family

ID=8565361

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2003/000956 WO2004066579A1 (en) 2003-01-17 2003-12-15 Stateless server cluster for internet traffic

Country Status (4)

Country Link
EP (1) EP1620989A1 (en)
AU (1) AU2003288291A1 (en)
FI (1) FI117263B (en)
WO (1) WO2004066579A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1791098B (en) * 2004-12-13 2010-12-01 华为技术有限公司 Method for realizing safety coalition synchronization

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999030460A2 (en) * 1997-12-10 1999-06-17 Sun Microsystems, Inc. Highly-distributed servers for network applications
EP1189410A2 (en) * 2000-09-11 2002-03-20 Stonesoft Oy Processing of data packets within a network cluster
WO2002048823A2 (en) * 2000-12-14 2002-06-20 Flash Networks Ltd. A system and a method for load balancing
US20030023744A1 (en) * 2001-07-26 2003-01-30 Emek Sadot Secret session supporting load balancer

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999030460A2 (en) * 1997-12-10 1999-06-17 Sun Microsystems, Inc. Highly-distributed servers for network applications
EP1189410A2 (en) * 2000-09-11 2002-03-20 Stonesoft Oy Processing of data packets within a network cluster
WO2002048823A2 (en) * 2000-12-14 2002-06-20 Flash Networks Ltd. A system and a method for load balancing
US20030023744A1 (en) * 2001-07-26 2003-01-30 Emek Sadot Secret session supporting load balancer

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1791098B (en) * 2004-12-13 2010-12-01 华为技术有限公司 Method for realizing safety coalition synchronization

Also Published As

Publication number Publication date
FI20030073A (en) 2004-07-18
FI20030073A0 (en) 2003-01-17
FI117263B (en) 2006-08-15
AU2003288291A1 (en) 2004-08-13
EP1620989A1 (en) 2006-02-01

Similar Documents

Publication Publication Date Title
US10616379B2 (en) Seamless mobility and session continuity with TCP mobility option
US10462054B2 (en) Overloading address space for improved routing, diagnostics, and content-relay network
EP1760971B1 (en) Processing communication flows in asymmetrically routed networks
EP3198822B1 (en) Computer network packet flow controller
US7917948B2 (en) Method and apparatus for dynamically securing voice and other delay-sensitive network traffic
US6654792B1 (en) Method and architecture for logical aggregation of multiple servers
EP2400693B1 (en) Routing and service performance management in an application acceleration environment
US7885294B2 (en) Signaling compression information using routing protocols
CN107948076B (en) Method and device for forwarding message
US7596151B2 (en) System and method for discovering path MTU in ad hoc network
JPH1023072A (en) Ip network connecting method, ip network translator and network system using translator
CN101005355A (en) Secure communication system and method of IPV4/IPV6 integrated network system
US8355405B2 (en) Selective session interception method
US11153207B2 (en) Data link layer-based communication method, device, and system
EP1500243B1 (en) Internet protocol based system
US20040158706A1 (en) System, method, and device for facilitating multi-path cryptographic communication
CN104184646A (en) VPN data interaction method and system and VPN data interaction device
US6963568B2 (en) Method for transmitting data packets, method for receiving data packets, data packet transmitter device, data packet receiver device and network including such devices
CN100353711C (en) Communication system, communication apparatus, operation control method, and program
WO2004066579A1 (en) Stateless server cluster for internet traffic
EP1645071B1 (en) Secure indirect addressing
CN111131046B (en) Message forwarding method and multi-core system
JP2007074198A (en) Network communication system
EP1568184A1 (en) Scalable and secure packet server-cluster
Shiwani et al. IPv6 Upgradation-An Engineering Exercise or a Necessity?

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2003780190

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2003780190

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP