FLOW BASED LOAD BALANCING OF ENCRYPTED TUNNEL PACKETS

IP.com Disclosure Number: IPCOM000241272D
Publication Date: 2015-Apr-10
Document File: 4 page(s) / 83K

Publishing Venue

The IP.com Prior Art Database

Related People

Praveen Bhagwatula: AUTHOR

Abstract

Presented herein are techniques to use the Identification (ID) field in the tunnel Internet Protocol (IP) header of the encrypted packets to carry the flow hash information for packets that will not get fragmented. This ID field is proposed to be used by intermediate network elements for Equal Cost Multi Path (ECMP) load balancing, and by the server hosting the application (physical or virtual) that is the endpoint of these encrypted packets for multi-core distribution of the frames within a single encrypted tunnel. This improves the throughput of a single encrypted tunnel without having to define and manage multiple tunnels between the same endpoints in the network.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 46% of the total text.

AUTHORS: Praveen Bhagwatula, Brahma Golla, Srinivas Davuluri, Vanitha B.S.

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

    Efficient load balancing of packets encapsulated in a tunnel is a critical requirement of any good network design. Several techniques, such as the PseudoWire flow label and Internet Protocol/User Datagram Protocol (IP/UDP) based tunnel encapsulations, are in use today: the flow hash of the original packet is reflected in a label or in a Layer 4 (L4) port (typically the UDP source port) so that intermediate network elements can load balance traffic within the tunnel according to the flow hash of the packet it carries.

    With the advent of Network Function Virtualization (NFV), similar load balancing requirements exist on multi-core server platforms with high-bandwidth interfaces running several virtual appliances. Traffic arriving on 10G or faster Media Access Controllers (MACs) needs to be load balanced across multiple cores of the server in order to support higher throughput. Several intelligent MACs now support the use of IP and Transmission Control Protocol (TCP)/UDP header fields for this purpose.

Copyright 2015 Cisco Systems, Inc.


    The mechanisms described above cannot be applied to all IP-based tunnels. For Generic Routing Encapsulation (GRE) and IP-in-IP there is no distinguishing field in the tunnel header that intermediate network elements or the MACs on the servers can use for load balancing.

    Most IPsec tunnel solutions are based on GRE or IP-in-IP tunnels. When an IP packet is encrypted and encapsulated in a GRE or IP-in-IP tunnel, the Encapsulating Security Payload (ESP) header is placed right after the outer IP header, and everything behind it, including the inner IP and L4 headers, is ciphertext; the only fields the network can see are the outer addresses, the ESP protocol number and the Security Parameter Index, which are the same for every packet of the tunnel. This constrains all the traffic within an encrypted tunnel to a single path through the network, and if the destination of this traffic is a multi-core server running a virtual appliance, all the traffic of a given tunnel ends up on a single core.

    Accordingly, it is proposed to use the 16-bit Identification (ID) field in the tunnel IP header to carry the flow hash value of the original packet, computed at the tunnel source, and to use this information on the intermediate network elements as well as on the multi-core servers to load balance...
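A worked version of the mechanism proposed above, added here as an example and not code from the disclosure or from Cisco: the tunnel source hashes the inner packet's 5-tuple into the 16-bit ID field of the outer header (with DF set, so the ID is not needed for reassembly), and an intermediate ECMP hop and a multi-core receiver then read that field. The CRC-32 hash, the packet layouts, the addresses and every function name are assumptions made for this illustration; the disclosure specifies none of them. The example also covers two cases the text only implies: inner packets that are themselves fragments, and outer packets that are allowed to fragment.

```python
import ipaddress
import itertools
import struct
import zlib

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IP_DF = 0x4000   # Don't Fragment bit in the flags/fragment-offset word
IP_MF = 0x2000   # More Fragments bit


def make_inner(src, dst, proto, sport=0, dport=0, more_frags=False, offset=0):
    """Minimal inner IPv4 packet (constructed sample input): 20-byte header plus
    a 4-byte L4 stub holding the port pair for offset-0 packets, payload otherwise."""
    flags_frag = (IP_MF if more_frags else 0) | (offset & 0x1FFF)
    l4 = struct.pack("!HH", sport, dport) if offset == 0 else b"\xde\xad\xbe\xef"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4


def inner_flow_key(pkt):
    """5-tuple of the cleartext inner packet as seen at the tunnel source.
    Ports are used only when the inner packet is not fragmented at all: a first
    fragment carries ports but its siblings do not, so hashing every fragment on
    the 3-tuple keeps one inner flow on one path and one core."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag_word = struct.unpack("!H", pkt[6:8])[0]
    src, dst = pkt[12:16], pkt[16:20]
    unfragmented = not (frag_word & (IP_MF | 0x1FFF))
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and unfragmented and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return (src, dst, proto, sport, dport)
    return (src, dst, proto)


def flow_hash16(key):
    """Fold a CRC-32 of the flow key into the 16 bits the ID field can carry.
    CRC-32 stands in for whatever hash the source datapath offers (assumption)."""
    raw = b"".join(struct.pack("!H", f) if isinstance(f, int) else f for f in key)
    h = zlib.crc32(raw)
    return (h ^ (h >> 16)) & 0xFFFF


def ipv4_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


tunnel_id_counter = itertools.count(1)


def outer_ipv4_header(src, dst, esp_len, inner_pkt, allow_fragmentation=False):
    """Outer header of an ESP tunnel-mode packet (protocol 50 directly after IP).
    With DF set, as the disclosure assumes, the ID field is free and carries the
    inner flow hash.  If the outer packet may be fragmented the ID must stay a
    reassembly identifier, so a per-tunnel counter is used and no hash is exposed."""
    if allow_fragmentation:
        ident, flags_frag = next(tunnel_id_counter) & 0xFFFF, 0
    else:
        ident, flags_frag = flow_hash16(inner_flow_key(inner_pkt)), IP_DF
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + esp_len, ident, flags_frag, 64,
                      IPPROTO_ESP, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def outer_ident(hdr):
    return struct.unpack("!H", hdr[4:6])[0]


def outer_has_df(hdr):
    return bool(struct.unpack("!H", hdr[6:8])[0] & IP_DF)


def ecmp_next_hop(hdr, n_paths):
    """Intermediate router: hash outer addresses plus the ID field.  The ID is
    trusted as flow entropy only on DF packets; otherwise the whole tunnel falls
    back to one path, which is the behaviour the disclosure sets out to fix."""
    key = hdr[12:20] + (hdr[4:6] if outer_has_df(hdr) else b"")
    return zlib.crc32(key) % n_paths


def rss_core(hdr, n_cores):
    """Receiving multi-core server: spread one tunnel's packets across cores."""
    return outer_ident(hdr) % n_cores if outer_has_df(hdr) else 0


def spread(n_flows, n_paths=4, n_cores=8):
    """Send n_flows distinct inner TCP flows through one tunnel and count how
    many distinct IDs, ECMP paths and cores they land on."""
    idents, hops, cores = set(), set(), set()
    for i in range(n_flows):
        inner = make_inner("10.1.0.1", "10.2.0.1", IPPROTO_TCP, 40000 + i, 443)
        outer = outer_ipv4_header("192.0.2.1", "198.51.100.1", 1400, inner)
        idents.add(outer_ident(outer))
        hops.add(ecmp_next_hop(outer, n_paths))
        cores.add(rss_core(outer, n_cores))
    return len(idents), len(hops), len(cores)
```

Two caveats a practitioner should weigh before deploying this. RFC 6864 restricts the IPv4 ID field of atomic datagrams (DF=1, MF=0, offset 0) to fragmentation use and tells devices that examine IPv4 headers to ignore it, so routers and NICs will not hash on it unless explicitly configured to. And because the value is a deterministic function of the inner 5-tuple sent in cleartext, an on-path observer can count the distinct inner flows inside the tunnel and correlate packets belonging to one flow, information that ESP tunnel mode otherwise conceals; for a tunnel that exists to hide traffic patterns that trade-off may not be acceptable.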