[strongSwan-dev] HA resync issue
Martin Willi
martin at strongswan.org
Thu Aug 28 12:51:39 CEST 2014
Hi Emeric,
> I did not test using 1K or even 10K+ tunnels but the UDP based solution
> seems to be unable to provide the significant reliability needed for
> these cases.
I agree. For the setups I have used, a dedicated fast link was
sufficient to have packet drops at an acceptable level. But certainly
that could be very different on other setups, especially if the number
of connections increases.
> I understand switching to a TCP based sync would require a significant
> work but it seems to be quite unavoidable.
Yes, HA definitely should have a reliable transport for sync messages.
Not sure if TCP is the correct choice. At least for the heartbeat
messages, we need controllable timeouts, which is difficult to implement
with TCP.
So we either would have to separate heartbeat and synchronization
functionality, or extend the UDP based protocol by message throttling
and/or acknowledges/retransmissions. The latter could be achieved by
extending the ha_cache class that already stores some messages for
re-synchronization.
Regards
Martin
More information about the Dev
mailing list