Imagine #2 (musings on the topic of proxies)

Eric Vyncke (evyncke) evyncke at cisco.com
Fri May 14 12:12:28 CEST 2010 

Andrew

The addition of anycast to a known & proven approach of the reverse proxy, is a nice addition.

I would be a little worried about having a anycast server for a stateful service though (just a feeling, no data point. 

Less concern about your other points.

-éric

> -----Original Message-----
> From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-
> bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Andrew Yourtchenko
> Sent: jeudi 13 mai 2010 23:59
> To: ipv6-ops at lists.cluenet.de
> Subject: Imagine #2 (musings on the topic of proxies)
> 
> Folks,
> 
> Yesterday I had this odd idea, which today due to the bank holiday in
> Belgium and the unsunny weather resulted in something very very
> experimental that you can toy around with
> (http://github.com/ayourtch/sxxis - I flipped the name of a wonderful
> service that is typically used in reverse way), and I thought to ask
> what's your opinion:
> 
> The use case scenario of it is as follows:
> 
> 1) Joe Sixpack hosts hosts the website www.foobar.example.com at
> FooHosters. He would like to experiment with making it available via
> IPv6, but FooHosters do not provide the IPv6 yet.
> 
> 2) The progressive thinkers of this world have installed a bunch of L7
> proxies, that listen on IPv6 and can go back to IPv4 world (that's the
> sxxis toy in the git url above).
> 
> 3) These proxies are listening on the same IPv6 address, which is
> anycasted similar to 6to4 one into the internet.Let's call this
> address <AP>
> 
> 4) Joe Sixpack creates a DNS record which points the
> ipv6.foobar.example.com towards <AP>, and
> real-target.ipv6.foobar.example.com which points to the address as
> www.foobar.example.com [ alternatlively, ipv6.foobar.example.com can
> also have an A-record that points to the real host]
> 
> 5) the users around the world, when they point their browser
> ipv6.foobar.example.com, would normally hit their closest proxy -
> therefore the impact of the two-legged topology is decreased.
> 
> The second use case is the one from the "Imagine" thread - put this
> kind of device onto an IPv6-only network and give it an IPv4 address,
> and mangle all the empty AAAA responses from the internet into the
> ones that point to the proxy. Everything besides the HTTP will be
> indeed broken, but this would be better than everything *and* HTTP
> broken...
> 
> Of course all of this has its problems:
> 
> 1) Same story as open proxies that allow CONNECT, this is quite a bit
> of a pain from the security/auditing point of view. How big of a pain
> is it ?
> Does the logging help solve it ?
> 
> 2) TCP with anycast address is, yes, thoroughly impure from the
> theoretical standpoint - however, my understanding is in practice i'd
> be hitting the same physical box at least on a 5 minute interval.
> Which is almost enough from the practical point of view.
> 
> 3) Heavy - maintaining 2 TCP states per one client connection. This
> might be solvable by using not just one <AP> but multiple, and using
> DNS to distribute the load.
> 
> Thoughts ?
> 
> cheers,
> andrew

More information about the ipv6-ops mailing list