SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Is Data and Control traffic on HA encrypted or is it in clear text

    Posted 07-16-2014 07:27

    Hi

    Is Data and Control traffic on HA encrypted or is it in clear text? Since IPsec SAs are also exchanged as RTOs in HA, it got me thinking whether these are in clear text or encrypted by some proprietary mechanism.

    Regards,

    Anand



  • 2.  RE: Is Data and Control traffic on HA encrypted or is it in clear text

    Posted 07-16-2014 10:08

    Viewing debug logs on control links, I'm pretty sure control traffic isn't encrypted. I've never seen a "decrypt" message in the log.

    As far as the fabric port: if the traffic comes into the SRX encrypted, it transits the fabric port encrypted. Even if the traffic terminates on one node but comes in on another node, it has to remain encrypted for the correct SPC on the other node to decrypt it.



  • 3.  RE: Is Data and Control traffic on HA encrypted or is it in clear text

    Posted 07-16-2014 19:22

    Hi Anand,

    Control and Fab heartbeats are multicast packets. They are not encrypted.

    All session information and VPN details are exchanged as RTOs between the 2 nodes.

    To provide for session (or flow) redundancy, the data plane software synchronizes its state by sending special payload packets called runtime objects (RTOs) from one node to the other across the fabric data link.

    The following link will help with understanding HA:

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/index.html?topic-43701.html

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 4.  RE: Is Data and Control traffic on HA encrypted or is it in clear text

    Posted 07-17-2014 02:09

    Thank you Ben and Parthi for replying.

    So if the data link were to be intercepted, could session info and SA info be procured from the RTOs? What I want to know is whether Juniper has a mechanism to encrypt Control and Data communication if we want to.

    Regards,
    Anand



  • 5.  RE: Is Data and Control traffic on HA encrypted or is it in clear text
    Best Answer

    Posted 07-17-2014 02:40

    Hi Anand,

    RTOs are TNP-based packets that are understood only by SRX devices; even if you capture them, you will not be able to understand anything from them.

    Only node0 and node1 can understand these RTO messages, not any other users or devices.

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too