Darren J Moffat wrote:
> Thejaswini Singarajipura wrote:
>>
>>
>> Darren J Moffat wrote:
>>> I'm missing the bigger picture here, or failing to see where it is
>>> covered in the materials.
>>>
>>> Can someone draw me a simple picture of a multi-node cluster using
>>> this, showing which IKE the client connects to originally and where
>>> and how the SADBs are passed between the nodes.
>>
>> Attached below is a diagram of a 2-node cluster and a brief
>> description of how the client connections are handled.
>>>
>>> I think I understand how the failover happens with the switch from
>>> IDLE to MATURE. The part I'm missing is how all the SC nodes get
>>> the SADB entries in the first place and how that is done securely.
>>
>> The SADB is synchronized over SC private interconnects, which is a
>> private LAN and is detached from all other networks.
>> Hence I do not think we add any more vulnerability by this project.
>
> I thought that SC could be deployed in such a way that the nodes were
> physically quite far away from each other. How is that private
> interconnect protected in that case? While this might sound like
> I'm asking about the existing architecture of SC, I don't believe that
> today highly sensitive key material is passed over this "private" SC
> interconnect.

Yes, the existing SC deployment does have key data being transferred over the private interconnect. The example being the in-memory data transfer from one instance of Oracle RAC to another RAC instance.

> How do customers *really* deploy this? Is it always true that only
> cluster nodes are connected? Are all the switches etc. completely
> private, or can VLANing be used to support multiple clusters or make a
> "private" interconnect over existing infrastructure?
AFAIK it is always the cluster nodes that are supported in the private network. SC supports VLANing, but does not allow sharing of the public and private network. SC requires a minimum of two private interconnects, so customers use VLANing to reduce the hardware requirement for private interconnects.

SC also supports IPsec for SC private interconnects. So if it is a requirement, IPsec can be enabled to keep the traffic secure.

Regards,
Thejaswini