A tunnel is a network communications channel between two endpoints in a network and is used to transport data by encapsulation of its packets. Internet Protocol (IP) tunnels are often used for connecting two disjoint IP networks that do not have a native routing path to each other, via an underlying routable protocol across an intermediate transport network.
In conjunction with an encryption protocol, such as the IP Security (IPsec) protocol or other known or proprietary encryption protocols, tunnels may be used to create a virtual private network between two or more private networks across a public network such as the Internet.
Accordingly, an encapsulation node and a decapsulation node are provided. The encapsulation node is used to encapsulate data to facilitate communication over the network and is often implemented at a client. The decapsulation node is used to decapsulate the data received from the encapsulation node and is implemented at a point in the network that is connected to a next-hop destination of the encapsulated data. Thus the decapsulation node can be implemented at a server or at a router within the network. If the decapsulation node is not the target destination server for the data, the decapsulation node further transmits the data to the target destination server via a private or public network, such as the Internet.
Communication between the encapsulation node and the decapsulation node may include one or more authentication sessions, encryption-algorithm negotiations, or other configuration steps before they are ready to transfer data.
The client needs the decapsulation node to remain active in order to be able to communicate with the target destination server. Accordingly, a number of different failover solutions have been implemented. Failover refers to the capability of a computing device to automatically switch to a redundant device upon the failure of the device being used.
Approaches that utilize a stateless transport layer, either directly using IP or wrapping a payload in User Datagram Protocol (UDP), can potentially utilize existing IP-redundancy protocols such as Hot Standby Router Protocol (HSRP) or Virtual Router Redundancy Protocol (VRRP). In such an environment, two decapsulation nodes are configured to share a single IP address, with the primary decapsulation node receiving all traffic and the standby configured to take over should the primary fail.
However, it is only possible for a single decapsulation node to be the primary server for a specific IP address. Load balancing across HSRP or VRRP requires multiple IP addresses configured on the cluster with each decapsulation node assigned as primary to one of the addresses. This complicates configurations with more than a single decapsulation node because it is necessary to load balance clients across the IP addresses exposed by the system.
Further, the IP-redundancy techniques described above do not work with systems that utilize a stateful transport layer. There is no widely supported mechanism to migrate the state of a Transmission Control Protocol (TCP) connection between operating-system instances. To allow TCP connections to be migrated between independent operating-system instances, Fault-Tolerant TCP (FT-TCP) was introduced. FT-TCP combines traditional IP failover protocols with a new component that sits both above and below the existing TCP stack to intercept all packets being sent and received using TCP. Thus a redundant decapsulation node can be provided that is maintained in the same state as the primary server. However, supporting this protocol requires tight coupling between the primary decapsulation node and the redundant decapsulation node. Further, it requires a dedicated redundant decapsulation node, which tends not to scale in an efficient manner.
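As an added illustration of the contrast just described (constructed for this text, not part of the patent, and using a made-up outer header rather than any real tunnel format): two decapsulation nodes share one address, the primary fails after three packets, and the standby takes over. The stateless decapsulator handles every packet on either node; the stateful one rejects the packets arriving at the standby because the connection state established with the primary was never replicated, which is the gap FT-TCP exists to close.

```python
import struct

# Constructed outer header for this simulation (not a real tunnel format): 4-byte client id, 2-byte flags, 4-byte sequence number.
HDR = struct.Struct("!4sHI")

def encapsulate(client_id: bytes, seq: int, payload: bytes) -> bytes:
    """Encapsulation node: prepend the outer header to the inner packet."""
    return HDR.pack(client_id, 0, seq) + payload

class StatelessDecapsulator:
    """IP-in-IP/UDP style: packets are self-describing, so primary or standby
    can decapsulate any packet without prior state."""
    def open_connection(self, client_id: bytes, first_seq: int) -> None:
        pass  # nothing to set up for a stateless transport
    def decapsulate(self, pkt: bytes) -> bytes:
        if len(pkt) < HDR.size:
            raise ValueError("truncated outer header")
        return pkt[HDR.size:]

class StatefulDecapsulator:
    """TCP style: delivery needs per-connection state (expected sequence
    number) that lives only on the node that completed the handshake."""
    def __init__(self) -> None:
        self.expected = {}  # client id -> next expected sequence number
    def open_connection(self, client_id: bytes, first_seq: int) -> None:
        self.expected[client_id] = first_seq  # handshake completed on this node
    def decapsulate(self, pkt: bytes) -> bytes:
        client_id, _flags, seq = HDR.unpack_from(pkt)
        expected = self.expected.get(client_id)
        if expected is None:
            raise ConnectionError("no connection state on this node")
        if seq != expected:
            raise ConnectionError(f"expected seq {expected}, got {seq}")
        self.expected[client_id] = seq + 1
        return pkt[HDR.size:]

def run_failover(decap_cls, n_packets: int = 6, fail_after: int = 3):
    """Send n_packets to a shared address; the primary fails after fail_after packets and the standby takes over (as HSRP/VRRP would). Returns (delivered payloads, error messages)."""
    primary, standby = decap_cls(), decap_cls()
    client_id, first_seq = b"cli1", 100
    primary.open_connection(client_id, first_seq)  # only the primary saw the handshake
    delivered, errors = [], []
    for i in range(n_packets):
        pkt = encapsulate(client_id, first_seq + i, f"data{i}".encode())
        node = primary if i < fail_after else standby
        try:
            delivered.append(node.decapsulate(pkt))
        except ConnectionError as exc:
            errors.append(str(exc))
    return delivered, errors
```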
Thus, the solutions currently available for decapsulation node failover are limited in that they do not scale well and require tight control, which often leads to custom equipment requirements, thereby increasing the costs and complexity. Accordingly, it is an object of the present invention to obviate or mitigate at least some of these disadvantages.