[128553] in North American Network Operators' Group
IPv6 Server Load Balancing - DSR
daemon@ATHENA.MIT.EDU (Leland Vandervort)
Thu Aug 12 08:32:35 2010
From: Leland Vandervort <leland@taranta.discpro.org>
Date: Thu, 12 Aug 2010 14:32:25 +0200
To: nanog@nanog.org
Dear Colleagues,

I've been scratching my head over this for the past couple of months and
have come up with blanks, and several weeks of scouring various
resources on the net have not yielded anything more fruitful.

I'm looking at server load balancing for IPv6 and specifically need DSR
(direct server return). Additionally, I need to support both TCP and
UDP.

I have evaluated a number of different load balancing solutions
purporting to support IPv6 with varying results (and costs)...

A few examples:

F5: according to marketing blurb supposedly supports IPv6 in NAT and
DSR mode, both UDP and TCP. Their documentation, however, has no
mention of IPv6 capability. Other disadvantage = cost...

Brocade/Foundry: Similar situation to F5

Zeus: IPv6 in NAT only, and even more expensive than F5.

Exceliance Aloha: IPv6 in NAT only, and ONLY in TCP (no UDP)

A few others also tested... including LVM/HAProxy (same situation as
Exceliance Aloha), and others...

Finally in the end, only OpenSolaris ILB seems to put all the checks in
the right boxes for my requirements. But there is still a problem.

1. IPv4 TCP and UDP work fine in NAT, Half-NAT, and DSR
2. IPv6 I've managed to get working, complete with healthchecks, in TCP
and UDP in NAT only although the documentation stipulates that DSR is
also possible (but not HalfNAT for the moment).

The problem with #2:

Using the same server farm behind, but in dual-stack, and configuring
ILB for TCP and UDP services using NAT, everything is fine. If I
configure it for DSR, immediately it fails (both with and without
healthchecks). Although from the ILB host itself, I can certainly do a
manual healthcheck (e.g. telnet <server_real_ipv6_addr> 80 and do GET
/ or HEAD /) with no problems. Using ARP poisoning from the shell I can
also perform the healthcheck on the real server via telnet using the
virtual IP.

The servers are configured normally for DSR, with the virtual IP
attached to a local dummy or loopback interface, and with IPv4 DSR works
fine.

Nevertheless, I've been unable to get DSR working with ILB -- and have
found absolutely nothing around the net with working examples of IPv6
SLB with DSR. NAT mode works fine, but the real server loses visibility
of the end user's IP as the requests come from the internal IP of the
ILB host, and with a system that uses client IP address as part of the
various criteria for session tracking, it creates a few problems...

I am suspecting that the issue may be related to ND, as the behaviour is
similar to the old story with doing DSR on real-servers using older
Linux distributions that do not by default disable proxy-ARP replies by
the server for IP addresses on dummy or loopback interfaces, and of
course the proxy ARP causes confusion to the load balancer and breaks
the whole thing. But the real servers are recent Debian distributions,
and both IPv4 ARP and IPv6 ND are disabled on the dummy interfaces, as is
proxy ARP.

Would anyone happen to have any useful pointers, tips, or other on how
to resolve the issue?

Many thanks in advance.

Leland