Draft-carpenter-v6ops-label-balance-02 Brian Carpenter Sheng Jiang (Speaker) Willy Tarreau March 2012 IPv6 Flow Label for Server Load Balancing - update.

Slides:

Advertisements

Similar presentations

COGNITIVE PACKET NETWORKS

Advertisements

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.

Dynamic Tunnel Management Protocol for IPv4 Traversal of IPv6 Mobile Network Jaehoon Jeong Protocol Engineering Center, ETRI

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.

Network Localized Mobility Management using DHCP

(4.4) Internet Protocols Layered approach to Internet Software 1.

1 Routing and Scheduling in Web Server Clusters. 2 Reference The State of the Art in Locally Distributed Web-server Systems Valeria Cardellini, Emiliano.

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

Internet Networking Spring 2006 Tutorial 12 Web Caching Protocols ICP, CARP.

NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.

MOBILITY SUPPORT IN IPv6

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #13 Web Caching Protocols ICP, CARP.

Internet Networking Spring 2002 Tutorial 13 Web Caching Protocols ICP, CARP.

Implementing ISA Server Caching. Caching Overview ISA Server supports caching as a way to improve the speed of retrieving information from the Internet.

Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.

CS335 Networking & Network Administration Tuesday, April 20, 2010.

Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

Load Sharing and Balancing - Saravanan Mathialagan Masters in Computer Science Georgia State University.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Design and Implementation of SIP-aware DDoS Attack Detection System.

Internet Basics.

IP/ICMP Translation Algorithm (IIT) Xing Li, Congxiao Bao, Fred Baker

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Network Address Translation (NAT) CS-480b Dick Steflik.

23-Support Protocols and Technologies Dr. John P. Abraham Professor UTPA.

Service Function Chaining Use Cases draft-liu-service-chaining-use-cases IETF 89 London, March 3, 2014 Will Liu, Hongyu Li, Oliver Huang, Huawei Technologies.

27.1 Chapter 27 WWW and HTTP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

NECP: the Network Element Control Protocol IETF WREC Working Group November 11, 1999.

Introduction to Network Address Translation

Platform Manager Simple, Secure, Remote Application Management.

1 Distributed Systems : Server Load Balancing Dr. Sunny Jeong. Mr. Colin Zhang With Thanks to Prof. G. Coulouris,

Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.

Presented by Xiaoyu Qin Virtualized Access Control & Firewall Virtualization.

Scalable Web Server on Heterogeneous Cluster CHEN Ge.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 4: Addressing in an Enterprise Network Introducing Routing and Switching in the.

Web Cache Redirection using a Layer-4 switch: Architecture, issues, tradeoffs, and trends Shirish Sathaye Vice-President of Engineering.

Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.

Addressing Issues David Conrad Internet Software Consortium.

Module 10: How Middleboxes Impact Performance

Guidance for Running Multiple IPv6 Prefixes (draft-liu-v6ops-running-multiple-prefixes-02) Bing Liu, Sheng Jiang (Speaker), Yang Bo IETF91

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Network Address Translation for IPv4 Routing And Switching.

Making SIP NAT Friendly Jonathan Rosenberg dynamicsoft.

IETF-90 (Toronto) DHC WG Meeting Wednesday, July 23, GMT IETF-90 DHC WG1 Last Updated: 07/21/ :10 EDT.

+ Routing Concepts 1 st semester Objectives  Describe the primary functions and features of a router.  Explain how routers use information.

An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.

1/13 draft-carpenter-nvo3-addressing-00 Brian Carpenter Sheng Jiang IETF 84 Jul/Aug 2012 Layer 3 Addressing Considerations for Network Virtualization Overlays.

4343 X2 – The Transport Layer Tanenbaum Ch.6.

1 IETF-70 draft-akhter-bmwg-mpls-meth MPLS Benchmarking Methodology draft-akhter-bmwg-mpls-meth-03 IETF 70 Aamer Akhter / Rajiv Asati /

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.

Computer Network Architecture Lecture 7: OSI Model Layers Examples II 1 26/12/2012.

Multiprotocol Label Switching (MPLS) Routing algorithms provide support for performance goals – Distributed and dynamic React to congestion Load balance.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

Kittiphan Techakittiroj (25/06/59 19:10 น. 25/06/59 19:10 น. 25/06/59 19:10 น.) Network Address Translation Kittiphan Techakittiroj

WWW and HTTP King Fahd University of Petroleum & Minerals

Affinity Depending on the application and client requirements of your Network Load Balancing cluster, you can be required to select an Affinity setting.

Network Address Translation (NAT)

Location SIP Servers –RFC 3261

Network Address Translation

Running Multiple PLATs in 464XLAT

Internet Networking recitation #12

Cabrillo College Building Cisco Remote Access Network

Chapter 11: Network Address Translation for IPv4

Protocol Application TCP/IP Layer Model

INFORMATION FLOW ACROSS THE INTERNET

Network Address Translation (NAT)

Presentation transcript:

draft-carpenter-v6ops-label-balance-02 Brian Carpenter Sheng Jiang (Speaker) Willy Tarreau March 2012 IPv6 Flow Label for Server Load Balancing - update

Why V6OPS Should Care Every serious content provider runs load balancers. IPv6 support in load balancers has been a delaying factor for IPv6 deployment. The flow label may enhance load balancer efficiency, and even act as an incentive for IPv6 adoption No protocol changes – this is implementation and deployment only 2/9

Updated Scenario Diagram 3/9 IPv6 Clients in the Internet HTTP server L3/L4 balancer HTTP proxy Ingress router TLS proxyHTTP proxyTLS proxy L3/L4 balancer HTTP server DNS-based ←load splitting→ … … … … Ingress router Possible flow label use

Use Flow Label to Reduce Work on L3/L4 Load Balancers A new flow is directed to a server according to a L7 load balancing algorithm. The flow label doesn’t help there. In subsequent packets, the flow label is immediately available regardless of extension headers – more efficient for ASICs. The 3-tuple {source address, destination address, flow label} would be sufficient to identify a transport flow, replacing the traditional 5-tuple It can be reduced to 2 tuple {source address, flow label} since destination address is always the same 4/9

Clarification: Who Sets The Label? According to RFC 6437, the flow label SHOULD be set to a suitable (uniformly distributed) value at the source Until that becomes general practice, a site using it for server load balancing has two choices when the incoming label is zero:  Set the label, per RFC 6437, in an ingress router, thus reducing L3/L4 balancer load except for the first packet.  Use the full 5-tuple (as today). 5/9

Use Flow Label to Reduce Work on L7 Load Balancers LBs need to maintain session persistence (i.e. always pick the same server) when a transaction includes several transport flows (even different source addresses)  Passive-mode FTP picks a new port number.  Sessions mix HTTP and HTTPS.  Clients behind a web proxy with a dynamic address pool. If applications used the same flow label for all parts of a transaction, LBs could maintain persistence without DPI or session cookies.  One flow label per transaction, which may involve multiple transport connections, some of them may from different source addresses.  [RFC6437] a flow is not necessarily 1:1 mapped to a transport connection 6/9

New Security Considerations Using a flow label as a transaction handle would require some precautions. An unguessable flow label will help in avoiding DDOS attacks on a single server, by making it hard to fool the LB algorithm. The LB will store the association between a given flow label value and a given server. This will improve session recovery after a server failure, and also makes it harder for an attacker to target a single server, because this association is not known externally. 7/9

Possible Benefits Assuming that 80-90% of users will reach the net without a proxy, large sites will be able to off-load most of their load balancing into ASIC- based LBs or even switches.  Ingress router sets flow label if zero The remaining 10-20% of sessions will have persistence issues (multiple ports or source addresses) and will follow the normal route via the L7 LBs.  Unless we deploy the extended role (same flow label for all parts of a transaction), newly proposed in this document 8/9

Questions? Does the WG want to take on this topic? Thanks 9/9