Good morning,
after a (brief) discussion with Alan and rusty, I decided to take this here.
Problem: In a HA setting, you want two routers (at least) with a private
heartbeat link to eliminate SPOFs.
Routing alone is quite easy - if one box fails, take over the IP addresses and
continue. (which reminds me we still need VRRP ;)
On the other hand, dynamic NAT (masquerading, the LinuxVirtualServer etc) and
stateful packet filtering aren't that easy. The firewalls need to share state
one way or the other. Alan pointed out that two basic methods exist:
1. share data by passing it around.
If you establish a connection, send a notice to the other box to permit it
there too etc. (This would best be done from userspace)
2. "share" data by computing it from the connection parameters in a
deterministic way.
For example: Hashing (src port, src ip, dest port, dest ip) into the port
number for n:1 NAT and so on.
Basically, 2. has many advantages: it is much faster, robust in case of
corrupt data passed around and basically requires no state at all, making DoS
attacks more difficult.
However. You _can't_ do that in all cases. Corrupt protocols like FTP screw
you up, complex load balancing decisions not only based on the IP hdr data may
do so as well, other cases can be constructed.
I also do not think that passing the data around creates a DoS attack on the
private link between the two systems, as long as this link is at least the
bandwidth of the external links.
I understand 1. gets exceptionally more complex if you allow both systems to
be active at the same time. This may not be desirable at the beginning, it may
be easier to just have one of the systems as a hot standby, but not passing
packets around.
a) Take the above, tear it down, and let's have a useful discussion on how this
may be done ;)
b) Has anyone already started working on such?
Sincerely,
Lars Marowsky-Brée
--
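As an added illustration of method 2 above (example code, not from the original thread or any project mentioned in it), a keyed, deterministic derivation of the masqueraded source port from the (src ip, src port, dst ip, dst port) tuple, so a hot standby holding the same secret reproduces the active box's mapping without any state being passed around. The names `SHARED_KEY`, `nat_port` and `collisions`, the port range and the sample flows are constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed secret provisioned on both routers (hypothetical value).
# A keyed hash keeps the mapping reproducible on every box that holds the
# key while leaving it unpredictable to anyone who does not.
SHARED_KEY = b"constructed-example-key-do-not-use"

# Port range the NAT box hands out for masqueraded connections (assumed).
NAT_PORT_LO, NAT_PORT_HI = 1024, 65535


def flow_bytes(src_ip, src_port, dst_ip, dst_port):
    """Canonical encoding of the 4-tuple so both boxes hash identical input."""
    s = ipaddress.ip_address(src_ip).packed      # works for IPv4 and IPv6
    d = ipaddress.ip_address(dst_ip).packed
    return s + struct.pack("!H", src_port) + d + struct.pack("!H", dst_port)


def nat_port(key, src_ip, src_port, dst_ip, dst_port,
             lo=NAT_PORT_LO, hi=NAT_PORT_HI):
    """Derive the n:1 NAT source port from the flow alone (no shared table)."""
    msg = flow_bytes(src_ip, src_port, dst_ip, dst_port)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    span = hi - lo + 1
    return lo + int.from_bytes(digest[:8], "big") % span


def collisions(key, flows):
    """Return pairs of flows whose reply tuple (dst ip, dst port, nat port)
    would clash. A purely computed mapping has no table in which to resolve
    such clashes, so a deployment must detect them and fall back to state."""
    seen, clashes = {}, []
    for f in flows:
        ext = (f[2], f[3], nat_port(key, *f))
        if ext in seen:
            clashes.append((seen[ext], f))
        seen[ext] = f
    return clashes


if __name__ == "__main__":
    # Constructed flows: two internal hosts talking to one external server.
    flows = [("10.0.0.5", 40000, "192.0.2.10", 80),
             ("10.0.0.6", 40000, "192.0.2.10", 80)]
    for f in flows:
        print(f, "->", nat_port(SHARED_KEY, *f))   # identical on both routers
    print("collisions:", collisions(SHARED_KEY, flows))
```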