Evaluation of TCP State Replication Methods for High-Availability Firewall Clusters

To provide the reliable connectivity between two endpoints over the Internet, a firewall cluster for stateful high availability removes the single-point failure by replicating and maintaining TCP connection states to a backup firewall node, at the expense of the costs of network and system resources. In this paper, through trace-based simulations on a prototype implementation, we evaluate the overheads of different state replication methods with a tunable time-triggering parameter. Our evaluation results show that the overheads of precise replication are very high, especially for short flows. We find that a compact data structure employing randomization, a small delay on the replication operations, and host-level aggregation yield significant overhead reductions. Typically, the policy of delayed replication reducing 50% and 74.4% of bandwidth costs only excludes 1.9% and 3.4% of the protection on the pass-through traffic, respectively. These schemes and policies are efficient for alleviating peak system load, reducing the replication bandwidth consumption and still protecting the majority of Internet traffic bytes.