On Mar 22, 2010, at 6:44 PM, <sh...@arsc.edu> <sh...@arsc.edu> wrote:
> This is probably a small thing, but in general the term "cluster" > implies at least some degree of shared state among cluster members. > I understand that there's some suggestion of that in saying that > a cluster protects the same domain but there's really quite a bit > more to it than that - it's going to things like the SADB or a subset > of the SADB. It needn't be in real-time or near real-time, but it > has to be there for it to be considered a cluster (rather than, say, > multi-homing). > > I don't think including that in the definition requires that the > wg take on state synchronization among cluster members. > > Melinda The current definition in the draft is as follows: "Cluster" is a set of two or more gateways, implementing the same security policy, and protecting the same domain. Clusters exist to provide both high availability through redundancy, and scalability through load sharing. There are some cases to be made for a cluster with no shared state. For example a "cold standby" configuration has the standby member coming "alive" when the "active" fails, but it's similar to crash recovery -- all the SAs need to be recreated from scratch (or through session resumption). In that case the SPD and the session encryption key are all that needs to be synchronized, and this may be done manually. Would changing the definition as follows be acceptable to everyone? "Cluster" is a set of two or more gateways, implementing the same security policy, and protecting the same domain. Clusters exist to provide both high availability through redundancy, and scalability through load sharing. Clusters typically have some state that is shared among members, either manually or through a Synch channel (see below). _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec