Re: [lvs-users] implement IPsec in a cluster

To: "Gagandeep bajaj" <gagandeep_bajaj@xxxxxxxxxxxxxx>, "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] implement IPsec in a cluster
From: "Sandy Harris" <sandyinchina@xxxxxxxxx>
Date: Thu, 28 Feb 2008 20:48:04 +0800
Gagandeep bajaj <gagandeep_bajaj@xxxxxxxxxxxxxx> wrote:

>  Here is my problem :
>
>  Client
>  (40.x.x.x)                 Cluster ---> Director ( 50.x.x.x + 10.x.x.x)
>                                         Real server1 (IPsec,10.x.x.x)
>                                         Real server2 (IPsec,10.x.x.x)
>
>  I am working on IMS P-CSCF, so will be having around 1 million IPsec
>  connections at one single time, and that too ESP and in transport mode.
>  What the requirement is to distribute these IPsec connections on real
>  servers ...

How fast is your connection? Handling a million connections on any link is going
to be a problem with multimedia stuff. Bandwidth looks really problematic to me,
even without IPsec.

What is your threat model? End-to-end IPsec -- encryption all the way from real
server to client -- is required if there are threats on your local LAN. IPsec is
easily broken if one of the endpoint machines is compromised, so if there are
local threats you have much more to worry about than just IPsec.

If threats out on the wild and woolly Internet are the only ones that matter,
(or if you can build internal firewalls to protect everything on the LVS LAN
from possible EvilDoers elsewhere at your site), then you can use IPsec
in tunnel mode, making the director the IPsec gateway or, more likely for
heavy loads, put one or more IPsec gateways between the director and
the Internet.

IPsec is designed for that. The basic design is:

       netA---gwA---------------------------gwB---netB

Here we have two gateways protecting two subnets. With the usual
tunnel setup, any host on netA can send to any on netB and all
data will be automatically encrypted at gwA and decrypted at
gwB. Between them, it is secure.

One or both of nets A and B can be using non-routable addresses;
that causes no problem as long as they don't both try to use the
same ones.

One reason I asked about threat models is that, while the data
between the gateways is protected, this provides no defense
against an attacker behind the gateways. For example, if I
have unrestricted access to netB, I can sniff incoming data
on that net after gwB decrypts it and outgoing data before
it reaches the gateway and gets encrypted.

There are any number of variations. Either subnet might be a single
machine acting as its own gateway. If they both are, you get
transport mode.

>  What should be the configuration, and which one should I use --> LVS-NAT or
>  LVS-DR ... and

ESP includes packet authentication. Don't turn it off! Bellovin showed that the
encryption is not secure without the authentication. The authentication works
from gateway to gateway, so if a NAT box is between the gateways rewriting
packets, IPsec rejects them.

This works fine:

      netA---gwA---------------------------gwB-NAT--netB

(gateway and NAT are often the same machine, but conceptually it works as above)

This basically does not:

    netA---gwA---------------------------NAT--gwB---netB

There are hacks to get around that, but it is almost certainly
better to avoid the problem if you can.

So what I think you need is:

   clients--------------IPsec--NAT--director---real servers

For some situations, IPsec and NAT or NAT and director, or even all three
could be done on a single machine, but probably not with the loads you
mention.

Expanding this to include additional IPsec gateways for load sharing
is straightforward. Last I heard, there was no way to handle gateway
failure at all gracefully, but I have not worked with this stuff in several
years, so maybe that has been fixed.

The FreeS/WAN IPsec for Linux project ended in 2002, but there
are two groups I know of continuing to build from that base:
http://www.openswan.org/
http://www.strongswan.org/


-- 
Sandy Harris,
Nanjing, China
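The warning above about never running ESP without its packet authentication is easy to see in code. The following is an added example, not part of Sandy Harris's message and not code from the LVS, Openswan or strongSwan projects. It models a single transport-mode ESP packet (SPI, sequence number, IV, CBC ciphertext and an optional ICV) and plays the attack the message alludes to: with the ICV off, someone who can only see and modify the packet on the wire flips bits of the cleartext IV and thereby flips the same bits in the first decrypted block, which in transport mode is the start of the TCP header; with the ICV on, the receiver rejects the packet. Assumptions: the block cipher is a hypothetical 4-round Feistel network over SHA-256 standing in for AES or 3DES so that the script needs only the Python standard library (the malleability shown is a property of CBC mode, not of the toy cipher); the keys, SPI, and the inner SIP-over-TCP header are constructed for the example.

```python
"""ESP with and without its ICV: added example, not from the original message.
The block cipher is a hypothetical SHA-256 Feistel stand-in for AES/3DES;
keys, SPI and the inner packet are constructed here."""
import hashlib
import hmac
import os
import struct

BLOCK = 16        # cipher block size in bytes (same as AES)
ICV_LEN = 12      # 96-bit truncated ICV, as HMAC-SHA1-96 uses in ESP


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Toy round function (assumption): keyed hash of one 8-byte half.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def _block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l


def _block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]
    for i in reversed(range(4)):
        r, l = l, _xor(r, _round(key, l, i))
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plain: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plain), BLOCK):
        prev = _block_encrypt(key, _xor(plain[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, cipher: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(cipher), BLOCK):
        c = cipher[i:i + BLOCK]
        out += _xor(_block_decrypt(key, c), prev)   # P[i] = D(C[i]) XOR C[i-1], C[-1] = IV
        prev = c
    return out


def _esp_pad(payload: bytes, next_header: int = 6) -> bytes:
    # ESP trailer: padding 1,2,3..., then Pad Length and Next Header (6 = TCP)
    padlen = (BLOCK - (len(payload) + 2) % BLOCK) % BLOCK
    return payload + bytes(range(1, padlen + 1)) + bytes([padlen, next_header])


def _esp_unpad(plain: bytes) -> bytes:
    return plain[:-(plain[-2] + 2)]


def esp_seal(enc_key, auth_key, spi, seq, payload, integrity=True):
    """Build one ESP packet; integrity=False models an encrypt-only SA (no ICV)."""
    iv = os.urandom(BLOCK)
    body = struct.pack("!II", spi, seq) + iv + cbc_encrypt(enc_key, iv, _esp_pad(payload))
    if integrity:   # ICV covers SPI, seq, IV and ciphertext, exactly what an attacker can touch
        body += hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body


def esp_open(enc_key, auth_key, packet, integrity=True):
    """Verify the ICV (if enabled) and decrypt; returns the inner payload or None if dropped."""
    body = packet
    if integrity:
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expect = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expect):
            return None
    iv, cipher = body[8:8 + BLOCK], body[8 + BLOCK:]
    return _esp_unpad(cbc_decrypt(enc_key, iv, cipher))


def flip_dst_port(packet, old_port, new_port):
    """Attacker on the wire: XOR the cleartext IV so the first decrypted block changes.
    In transport mode that block starts with the TCP header; dst port is bytes 2-3."""
    delta = struct.pack("!H", old_port ^ new_port)
    off = 8 + 2                      # past SPI+seq, at the dst-port offset inside the IV
    b = bytearray(packet)
    b[off] ^= delta[0]
    b[off + 1] ^= delta[1]
    return bytes(b)


ENC_KEY, AUTH_KEY = b"\x11" * 16, b"\x22" * 16      # constructed keys
# Constructed inner packet: TCP header (src 12345, dst 5060 = SIP, seq 1, ack 0) + SIP text
INNER = struct.pack("!HHII", 12345, 5060, 1, 0) + b"INVITE sip:alice@example.invalid"


def roundtrip_ok(integrity=True) -> bool:
    pkt = esp_seal(ENC_KEY, AUTH_KEY, 0x1000, 1, INNER, integrity)
    return esp_open(ENC_KEY, AUTH_KEY, pkt, integrity) == INNER


def tampered_dst_port(integrity):
    """Destination port the receiver decrypts after the attacker's flip, or None if rejected."""
    pkt = esp_seal(ENC_KEY, AUTH_KEY, 0x1000, 1, INNER, integrity)
    out = esp_open(ENC_KEY, AUTH_KEY, flip_dst_port(pkt, 5060, 22), integrity)
    return None if out is None else struct.unpack("!H", out[2:4])[0]


if __name__ == "__main__":
    print("encrypt-only SA, dst port after tampering:", tampered_dst_port(False))  # 22
    print("ESP with ICV, dst port after tampering:   ", tampered_dst_port(True))   # None
```

The flip on the IV changes only the first plaintext block and leaves everything else intact, so the rewritten SIP packet would pass the real server's TCP checksum check unless something else catches it; flipping a later ciphertext block instead changes the following plaintext block the same way but garbles the flipped one. The ICV is computed over the SPI, sequence number, IV and ciphertext, which is why the same modification is dropped by the receiver the moment authentication is on.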