
VPN LOAD-BALANCING USING A PEER CHALLENGE MECHANISM

IP.com Disclosure Number: IPCOM000247279D
Publication Date: 2016-Aug-18
Document File: 5 page(s) / 62K

Publishing Venue

The IP.com Prior Art Database

Related People

David Silverman: AUTHOR [+3]

Abstract

Presented herein are techniques for using existing challenge mechanisms to provide a virtual private network (VPN) load-balancing mechanism. More specifically, the techniques presented herein provide a way for an initial VPN server to communicate load information to a load balancer. The load information (e.g., a decision about how a VPN connection will ultimately be performed) is included with data that is typically sent to a client when initializing a connection (e.g., data included in a peer challenge). Among other benefits, using an existing mechanism allows the currently implemented protocols to be utilized without being enhanced. For example, when utilizing peer challenge mechanisms, the existing peers do not have to be upgraded.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 32% of the total text.

VPN LOAD-BALANCING USING A PEER CHALLENGE MECHANISM

AUTHORS: David Silverman, Animesh Patel, Dave Ojemann

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

Virtual Private Network (VPN) load-balancing is used to improve performance and scalability. The current VPN load-balancing protocol relies on redirecting a peer to an address of a least loaded member. Consequently, each device (member) is required to have a unique Internet Protocol (IP) address. This is typically referred to as a Layer-3 load-balancing cluster. Unfortunately, this approach does not work for VPN Layer 2 (L2) load-balancing deployments because there is only a single IP address for the pool of VPN gateways (e.g., each member does not have a unique IP address). Since there is only a single address, the current VPN protocol redirect mechanisms cannot be used to redirect the peer to the least loaded member.

The solution presented herein uniquely leverages peer challenge mechanisms to provide load information to intermediate load-balancers. Peer challenge mechanisms already exist in some VPN protocols for protection against denial-of-service attacks. A peer challenge is typically sent in response to the initial connect. Sending a peer challenge usually consists of sending opaque data to a peer. The peer does not interpret the data and must send back the data unaltered. Since the peer does not interpret the data, the peer does not need to be upgraded if the content within the data changes. By leveraging peer challenge mechanisms, the techniques presented herein are able to provide the load-balancer with additional information to make a more informed load-balancing decision.

Copyright 2016 Cisco Systems, Inc.

Generally, the role of a load-balancer is to distribute connections across a pool of devices (members). The load-balancer does not typically know about the actual VPN load or capacity for each member in the pool. As a result, the distribution of the VPN connections may not make full use of the capacity of the combined pool of devices. The solution presented herein shares load information between member devices so that load information can be included within the peer challenge data. For example, an identifier for the le...
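The exchange described in the two paragraphs above (initial server sends an opaque challenge, peer echoes it unaltered, load-balancer reads the load information from the echo) can be simulated end to end. The following is an added example and is not code from the disclosure or from Cisco. The blob layout (an 8-byte nonce, a 1-byte load percentage, the member identifier, and an HMAC-SHA256 tag), the key shared between the VPN members and the load-balancer, and the sample cluster loads are all assumptions made for illustration; the disclosure specifies none of them.

```python
"""Simulated VPN peer-challenge exchange that carries load information.

Added example; not code from the disclosure or from Cisco. Everything below
is an assumption for illustration: the blob layout (nonce, load percentage,
member identifier, HMAC-SHA256 tag), the shared key between VPN members and
the load-balancer, and the constructed sample cluster state.
"""
import hashlib
import hmac
import os
import struct

# Constructed sample cluster state: member identifier -> current load (%).
CLUSTER_LOAD = {"member-a": 85, "member-b": 30, "member-c": 55}

# Assumed key shared by the VPN members and the load-balancer, so the
# load-balancer can tell a genuine challenge blob from one altered in transit.
SHARED_KEY = b"constructed-demo-key-not-for-production"

TAG_LEN = 32                      # HMAC-SHA256 output length
HEADER = struct.Struct("!8sB")    # 8-byte nonce, 1-byte load percentage


def pick_least_loaded(loads):
    """Members share load with each other; the initial server picks the least loaded."""
    return min(loads, key=loads.get)


def build_challenge(member_id, load_pct, key=SHARED_KEY):
    """Initial VPN server builds the opaque challenge: header || member id || tag.

    The peer never parses this blob; it only has to echo it back unchanged.
    """
    if not 0 <= load_pct <= 100:
        raise ValueError("load percentage out of range")
    payload = HEADER.pack(os.urandom(8), load_pct) + member_id.encode("ascii")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def peer_echo(challenge):
    """The peer treats the challenge as opaque data and returns it unaltered."""
    return bytes(challenge)


def lb_inspect(response, key=SHARED_KEY):
    """Load-balancer side: verify the tag, then read the embedded load decision.

    Returns {"member": ..., "load": ...}, or None if the blob is too short or
    fails authentication. Without the check, whoever echoes the blob could
    rewrite the member identifier and choose its own backend.
    """
    if len(response) < HEADER.size + 1 + TAG_LEN:
        return None
    payload, tag = response[:-TAG_LEN], response[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    _nonce, load_pct = HEADER.unpack_from(payload)
    member_id = payload[HEADER.size:].decode("ascii")
    return {"member": member_id, "load": load_pct}


def run_exchange(loads=CLUSTER_LOAD, key=SHARED_KEY):
    """Full exchange: server challenge -> peer echo -> load-balancer decision.

    Returns the member identifier the load-balancer would forward to,
    or None if the echoed blob did not verify.
    """
    chosen = pick_least_loaded(loads)
    challenge = build_challenge(chosen, loads[chosen], key)
    decision = lb_inspect(peer_echo(challenge), key)
    return decision["member"] if decision else None


if __name__ == "__main__":
    print("load-balancer forwards to:", run_exchange())
    # Altered echo: flip one bit of the member identifier; the tag no longer matches.
    blob = bytearray(build_challenge("member-b", 30))
    blob[HEADER.size] ^= 0x01
    print("altered blob accepted?", lb_inspect(bytes(blob)) is not None)
```

The disclosure's property that the peer returns the data unaltered is what lets the load-balancer act on the echo without any change to the peer; the example adds an authentication tag so that an echo which has been altered or was not produced by a member is discarded rather than routed, and the nonce keeps otherwise identical decisions from producing identical blobs.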