Network Complexity Compromises Redundancy
There is a critical need in today's business environment for networking devices to maintain constant
up-time. Corporations depend on the constant availability of network services; minutes of downtime can cost
millions of lost dollars. No room exists for hardware failure, even for a planned upgrade or move. Since no
single electronic component can be guaranteed absolutely faultless, reliability needs to be assured through
the deployment of redundant devices. Yet, as networking devices are tasked with increasingly stateful
operations, transparent distribution of load between redundant devices becomes problematic. Load
distribution can readily be achieved for classic packet forwarding or routing. But when network devices
perform stateful operations such as tunneling, encryption, certain types of packet filtering, compression
or authentication, this degree of transparent redundancy becomes virtually impossible. This new class of
stateful network functionality, necessary for performing certain operations, has until now lacked effective
redundancy.
The CryptoCluster™ Solution
Nokia has developed a patented, unique and revolutionary technology that optimizes the handling of
network traffic such that multiple devices can process packets in unison. This technology, called "IP
Clustering", allows several devices to act as a single network entity, sharing IP addresses and
identity. These devices, or nodes, can distribute IP packet processing equally among all of the nodes in the
cluster. Using this technology, several nodes can be clustered together to create a distributed and fully
redundant architecture for supporting networking functions. Each of these nodes continually maintains state
for all of the activities occurring on each of the other nodes in the cluster, so that failure of any one
device has no perceived effect on network functionality. The ability of CryptoCluster VPN gateways to load
share processing of traffic and maintain transparent fault tolerance is unprecedented. And the processing
power of this networking solution can be scaled dramatically as requirements grow through simply booting
more nodes into the cluster.
Active Session Failover
The Nokia CryptoCluster architecture makes Active Session Failover possible. This unique feature
provides for flow workload to be instantaneously assumed by other nodes within the cluster, should any node
become unavailable for any reason. Within a cluster, work is assigned via a unique allocation mechanism. An
elected "master" constantly keeps track of the state of all the nodes in the cluster and is able
to allocate and reallocate workloads such that the load at any one time is as evenly distributed as
possible, even factoring in the differing CPU power of each device. If a node should become unavailable for
any reason, planned or unplanned, or if the workload needs to be re-balanced throughout the cluster, the
work assignments are reallocated to other nodes. All session state is maintained and flow processing is
seamlessly migrated to other nodes. Thus, TCP sessions and IPSec security associations can actually move
from one node to another in a manner completely transparent to the other endpoint of the session. Never
before has any networking product offered the kind of transparent fault tolerance and scalability required
for mission critical corporate connectivity.
VPN Solution
The concept of distributing IP packet processing among devices is so logical that some may wonder why it
hasn't been implemented until now. In fact, the development of this technology required an extensive, highly
focused effort. In the early stages of development, the obvious question arose, "What is the best
application for this innovative IP technology?" The answer came by asking another question, "What
is the greatest challenge facing network environments today?"
The three-part answer:
Together, these elements define the key shortcomings in other currently available VPN products.
Thus, the first application to which Nokia has applied this IP clustering technology is the VPN. Until now,
the tunneling technologies used in VPNs have not been reliable or scalable enough for enterprise customers
to deploy them for production applications. Nokia offers an integrated line of gateways optimized to scale
tunneling technologies, thereby aiding network administrators in building truly reliable, fault-tolerant,
scalable VPN solutions. Nokia also provides, free of charge, an IPSec client that allows remote users to
communicate securely with the CryptoCluster gateways. Finally, the management of these systems is
achieved through the use of the CryptoConsole™ management software, a Java application, which makes
administration and monitoring of the products exceedingly simple.
The AlchemyOS™ Operating System
All the elements in the product line take advantage of a customized kernel and operating system, which
have been specifically designed to utilize the unique and proprietary clustering technology and to serve the
needs of the tunneling protocols incorporated into Nokia products. Currently supported tunneling
technologies include L2TP, PPTP and IPSec. The AlchemyOS is completely dedicated to cluster activities. The
most apparent benefit of this system design is that the operating system only spends time doing those
activities needed to keep the intra-VPN communications secure, reliable and as rapid as possible. Each of
the processes that the operating system runs has been optimized so that the utmost performance is achieved
for all networking and cluster activity. AlchemyOS has APIs to allow the various functions supported by the
CryptoCluster VPN gateway to communicate state transition across the entire cluster. It was built from the
ground up by a group of experienced internetworking engineers, dedicated to providing the highest possible
quality. For example, as an added measure of security, each AlchemyOS kernel is cryptographically signed to
ensure that it came from Nokia and that no tampering has occurred.
Cluster Details
IP clusters can be configured to work in one of three modes: unicast, multicast and forwarding. Each
mode has certain advantages and is best used in particular situations. For instance, limitations introduced
by certain Ethernet switches might require that a certain mode be employed.
Of these three modes, there are two that allow all cluster nodes to receive all traffic addressed to the
cluster-shared IP address. Unicast allows for a unicast Ethernet MAC address to be shared by all cluster
members. Multicast is often used if the Ethernet switch prefers not to see the same MAC address on multiple
ports. In this mode, a multicast Ethernet MAC address is mapped to the unicast cluster IP address.
Alternately, a forwarding mode can be utilized, in which the cluster master receives the packets at its own
MAC address and then forwards allocated traffic to the other nodes via their individual node unicast
addresses. Since clustering is performed at the IP layer, the unlikely loss of a single packet would not be
a problem.
Balancing Workload
IP clustering is achieved through the master assigning workloads to each cluster member. An evaluation
function is performed on various parts of an IP packet, depending on the protocol being processed. Each
member node listens for its current workload assignment from the master and handles the packets that have
been assigned to it. The master also listens to keepalives from each cluster node in order to ensure all
traffic is being processed. Cluster nodes each send updated state information relevant to their assigned
flows to all other members to ensure transparent migration of IP processing, TCP sessions and IPSec security
associations. Thus the loss of the master or any node is transparent to flows being processed. If a node is
lost, failover to a new node occurs within 250 to 500 milliseconds.
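
The master-driven assignment described above can be sketched as follows. This is an added example, not Nokia's code: the 64-entry bucket table, the SHA-256 evaluation function, the integer weights standing in for CPU power, the keepalive timeout and the node names are all assumptions made for illustration.

```python
import hashlib

BUCKETS = 64               # assumed size of the master's work-assignment table
KEEPALIVE_TIMEOUT = 0.5    # seconds; assumed, upper end of the quoted failover window

def flow_bucket(src, dst, proto, sport=0, dport=0, spi=0):
    """Evaluation function: hash the header fields that identify a flow.
    Which fields are used depends on the protocol: ESP (IP protocol 50)
    has no ports, so the SPI identifies the security association."""
    key = (src, dst, proto, spi) if proto == 50 else (src, dst, proto, sport, dport)
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS

def live_nodes(weights, last_seen, now):
    """Master's view: drop nodes whose last keepalive is too old."""
    return {n: w for n, w in weights.items() if now - last_seen[n] <= KEEPALIVE_TIMEOUT}

def allocate(weights, previous=None):
    """Give each live node a share of buckets proportional to its weight
    (standing in for CPU power), keeping a bucket on its previous owner
    whenever that owner is alive and still under quota."""
    total = sum(weights.values())
    quota = {n: BUCKETS * w // total for n, w in weights.items()}
    spare = BUCKETS - sum(quota.values())          # rounding remainder
    for n in sorted(weights, key=lambda n: (-weights[n], n))[:spare]:
        quota[n] += 1
    table, orphans = {}, []
    for b in range(BUCKETS):
        owner = (previous or {}).get(b)
        if quota.get(owner, 0) > 0:
            table[b] = owner
            quota[owner] -= 1
        else:
            orphans.append(b)                      # owner failed or over quota
    for b in orphans:
        n = max(quota, key=lambda n: (quota[n], n))
        table[b] = n
        quota[n] -= 1
    return table

if __name__ == "__main__":
    weights = {"node-a": 2, "node-b": 1, "node-c": 1}       # constructed cluster
    table = allocate(weights)
    seen = {"node-a": 10.0, "node-b": 9.2, "node-c": 10.0}  # node-b went silent
    after = allocate(live_nodes(weights, seen, now=10.1), table)
    moved = sum(table[b] != after[b] for b in table)
    print(f"buckets moved after node-b failure: {moved} of {BUCKETS}")
```

Only the buckets owned by the failed node change hands, so flows on surviving nodes stay where they are. The new owners can take over mid-session only because, as the text says, every node already holds the state for every flow.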
Now, with this tremendous leap in technology, it is no longer necessary to depend on stand-by devices or
redundant paths to distribute traffic processing. The Nokia IP clustering technology sets a new standard of
performance among devices designed to serve the networking requirements of the enterprise.
"Fork-lift" upgrades with their necessitated outage windows are a thing of the past. Now totally
transparent migration is available (from one box to two, to three, and back to one, etc.). Unheard of in the
industry until now, this clustering revolution, available only from Nokia, finally gives birth to network
infrastructures that can scale up to handle the emerging, ever more CPU-intensive and stateful needs of the
networking industry.
Features Supported in the AlchemyOS Today:
Cluster capabilities: IP flow based work assignments, including: IPSec Security Association (SA) failover,
PPTP TCP session and user session failover, and L2TP session failover.
Protocols:
IPSec: RFCs 2401-2410. Tunnel and transport AH & ESP, IKE, pre-shared keys & X.509v3 certs., DES,
3DES, Blowfish, RC5, CAST-128, HMAC SHA-1, HMAC-MD5, RIPEMD-160, IKE public key authentication, IKE public
key encryption with certificates.
PPTP: MPPC, MPPE, PAP, CHAP, MS-CHAP, RADIUS.
L2TP: current draft compliance, PAP, CHAP, MS-CHAP, RADIUS.
SNMPv1 MIB and SNMPv2C.
Much has been done to address the reliability and scalability of network applications (e.g. mirroring) and much has been done to address the reliability and scalability of the Internet "cloud" (the technology outside a company's own network infrastructure). The remaining point of vulnerability lies in the infrastructure at the edge of a company's own intranet. This alone is the barrier for end-to-end reliability and scalability.
The Problem:
Infrastructure weakness holds back Internet potential

Nokia believes the only way to address this weak link is to collapse the functionality of distinct,
IP-aware devices, such as firewalls, routers and VPN gateways, etc., into a smaller number of devices, and
group these new devices as nodes in a "cluster." The nodes work together with their peers as a single
network entity, with one IP address. Even if a node fails or requires maintenance for upgrades, the cluster,
acting as a single network device, continues to operate. The users of the network notice no disruption in
functionality. Nokia makes this possible through the use of unique patented technologies called Clustered IP
and Active Session Failover™.
The market for Clustered IP solutions:
If a company's various edge devices could all be made 99.999% available and could all be designed to
easily scale with the rest of the firm's growing network architecture, then the full potential of
Internet-based e-business and e-commerce is realized. The number of possible non-stop infrastructure
applications for Clustered IP technology is legion.
Architecture:
The Nokia product lines of Clustered IP solutions use Intel-based platforms and off-the-shelf hardware
components. Each device runs on Nokia's own operating system, AlchemyOS™, which has been optimized
specifically to provide network-clustering services. Unlike devices running general-purpose operating
systems, our products can achieve much higher levels of performance based solely on the fact that there is
no unnecessary overhead in the code. These dramatic increases in performance are significant in themselves,
but the most important feature of AlchemyOS is the fact that it allows for the joining of multiple
homogeneous network devices in a cluster.
The essence of a clustering design is its ability to efficiently distribute work among multiple devices. When Clustered IP-enabled devices are joined together in a cluster, one is elected "master" and has the responsibility for distributing the workload across all the other nodes, even as the master itself is providing services like any other node. In the case of our Clustered IP architecture, this load balancing is done dynamically, meaning that at any given point, work may be re-assigned in order to provide the highest possible efficiency. This process is completely transparent to the end user; it is done without interrupting any sessions currently in progress. In fact, the process is completely transparent to the network as well, because a Nokia cluster appears as a single IP address.
A cluster may even be expanded, while in service, by simply adding additional devices and turning them on. Once again, this dynamic load balancing automatically assigns workload to the new members based upon their capacity without any interruption to current operations. This ability to add live, incremental devices means that a cluster's capacity can be upgraded at any time, without having to bring the system off-line.
By way of illustration, in a Clustered IP device such as a Virtual Private Network (VPN) gateway, every node is fully aware of all of the session states and security associations being handled by every other cluster node. Every time a new node comes on to the system, this information is immediately propagated across the cluster. This allows the system to provide active session failover, meaning that if any member or members become unavailable, for any reason, another member will instantly assume the workload with no interruption to the end users. Even if the master becomes unavailable, another node takes on the role of master without any loss of service.
This new technology, available only from Nokia, has a profound effect on the level and quality of service that our products provide.
Additional Clustered IP applications:
Nokia has first applied its Clustered IP technology to enterprise-ready VPN solutions. Having proven the
merits of this technology in the VPN market as evidenced by our steadily growing list of Fortune 500
customers, Nokia is now applying the non-stop infrastructure benefits of Clustered IP to a number of other
network devices.