High availability support for the design of stateful networking equipments

The availability of some critical equipment like gateways, firewalls and proxies must be guaranteed in operational networks. In early equipments, the routing and filtering decisions were based on the packet information, nowadays this static approach is not longer safe. Existing high availability (HA) solutions do not cover all the aspects to ensure availability of advanced settings that are being deployed these days. Some important issues like the reduction of the downtime and the need for failure detection in such scenarios must be studied. This paper describes the implementation of high available stateful network equipments: these systems apply policies based on the state of the connections, such information is gathered in runtime by means of packet inspection. This work specifically focuses on Linux systems and firewalls because the IT industry trusts more and more OpenSource solutions to deploy critical services because of its quality and the access to the source code. We propose the SNE library (stateful network equipment), which is an add-on to current HA protocols, to solve the existing limitations. In this paper, we describe the proposed architecture and we detail a set problematic scenarios supported by our library, as well as first experiments and the evaluation.