Egress of multiple machines through one IP

Simon Huggins huggie at earth.li
Fri Sep 10 16:02:49 CEST 2010


It's been a few years since I used IPv6 for real but new work are about
to look at it.  Previously, I was part of an ISP that provided ADSL,
dialup, colo and some of our own services over v6 so I have been helping
give them some ideas for our v6 deployment.

I do have one problem that has me stumped though.

We run lots of web proxies with multiple nodes.  We should be able to do
the ingress load balancing in a similar way to v4 though I'm a little
unclear on the implications of neighbour discovery here.
But I have an issue with egress.

We proxy web traffic so we want every outgoing request to come from the
same IP.  We know from experience that some websites that are security
conscious will reject sessions that don't continue to come from the same
IP to prevent session stealing.

In v4 this is easy; we just have a nat pool and everything comes from
the egress IP we've assigned to that group of servers.

In v6 I... can't think of a way we can do it without introducing some
sort of application proxy between our servers and the websites which
would be the single point of failure we were trying to avoid.

We could try with different public addresses on each server but there's
no guarantee at the moment that a user's browser will keep going through
the same server (it might be taken out of service for upgrades or be
overloaded or die etc).  I'm fairly sure we'd hit the "session from
different IP is bogus" issue.

No one does do v6 NAT for this (possibly edge) use case do they?

Anyone any other good ideas?


Simon.

-- 
oOoOo "The Abbots... charming couple" - Basil "Yes.  All three of  oOoOo
 oOoOo               them." - Sybil, Fawlty Towers.               oOoOo
  oOoOo                                                          oOoOo
          htag.pl 0.0.24 ::::::: http://www.earth.li/~huggie/


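As an added illustration (not part of the original post, and not the poster's or the ISP's code), the following model shows the origin-side check the post is worried about: a session bound to the client address it was created from, replayed as a user's requests are moved between proxy nodes. Node names and the 203.0.113.0/24 and 2001:db8::/32 addresses are constructed documentation values; the single v4 address stands in for the NAT pool's egress IP.

```python
import itertools

# Constructed sample: three proxy nodes. Under v4 they all leave through one
# NAT-pool egress address; under v6 each node has its own global address.
PROXY_NODES = {
    "proxy1": {"v4": "203.0.113.10", "v6": "2001:db8:1::1"},
    "proxy2": {"v4": "203.0.113.10", "v6": "2001:db8:1::2"},
    "proxy3": {"v4": "203.0.113.10", "v6": "2001:db8:1::3"},
}


class OriginServer:
    """A security-conscious website that binds each session token to the
    source address that created it and rejects later requests from any
    other address. It cannot tell a hijacked token from a legitimate user
    whose proxy node changed; both look the same from here."""

    def __init__(self):
        self.sessions = {}  # token -> bound source address
        self._ids = itertools.count(1)

    def login(self, src_ip):
        token = f"sess{next(self._ids)}"
        self.sessions[token] = src_ip
        return token

    def request(self, token, src_ip):
        bound = self.sessions.get(token)
        if bound is None:
            return "no-session"
        return "ok" if bound == src_ip else "rejected"


def run_session(family, node_sequence):
    """Replay one user's session. The first node handles the login; the
    load balancer then hands later requests to the nodes listed after it.
    family is "v4" (shared NAT egress) or "v6" (per-node address)."""
    origin = OriginServer()
    token = origin.login(PROXY_NODES[node_sequence[0]][family])
    return [origin.request(token, PROXY_NODES[n][family])
            for n in node_sequence[1:]]


if __name__ == "__main__":
    moves = ["proxy1", "proxy2", "proxy3", "proxy1"]
    print("v4 NAT pool   :", run_session("v4", moves))
    print("v6 per-node IP:", run_session("v6", moves))
```

With the shared egress address every request passes; with per-node addresses the session is rejected the moment the user lands on a different node, and only recovers when they happen to return to the original one.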