Egress of multiple machines through one IP
Ben Jencks
ben at bjencks.net
Fri Sep 24 17:42:54 CEST 2010
On Fri, Sep 10, 2010 at 10:02, Simon Huggins <huggie at earth.li> wrote:
> It's been a few years since I used IPv6 for real but new work are about
> to look at it. Previously, I was part of an ISP that provided ADSL,
> dialup, colo and some of our own services over v6 so I have been helping
> give them some ideas for our v6 deployment.
>
> I do have one problem that has me stumped though.
>
> We run lots of web proxies with multiple nodes. We should be able to do
> the ingress load balancing in a similar way to v4 though I'm a little
> unclear on the implications of neighbour discovery here.
> But I have an issue with egress.
>
> We proxy web traffic so we want every outgoing request to come from the
> same IP. We know from experience that some websites that are security
> conscious will reject sessions that don't continue to come from the same
> IP to prevent session stealing.
>
> In v4 this is easy; we just have a nat pool and everything comes from
> the egress IP we've assigned to that group of servers.
>
> In v6 I... can't think of a way we can do it without introducing some
> sort of application proxy between our servers and the websites which
> would be the single point of failure we were trying to avoid.
v4 nat is stateful, that's a SPOF too. Presumably you're doing some
sort of failover on the nat boxes; do the same thing on the
application proxy boxes. I don't know of any implementations that
synchronize TCP state to the secondary box the way some higher-end nat
implementations do, but there's no reason it's not possible. Or you
could just have the "originating" applications retry if the proxy
fails over.
For the proxy to operate at the tcp level, it could even be a
middlebox and take the dest address from the original packet... then
it starts to look a lot like a NAT, but maybe people will be less
scared if it's presented as a lightweight TCP proxy.
-Ben
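As an added illustration of the "lightweight TCP proxy" idea above (example code, not from the thread or any product Ben mentions): a minimal relay that binds every upstream connection to one egress address before `connect()`, so the far end always sees a single source address no matter which internal host is behind it. The loopback addresses, the echo backend and the `demo()` harness are constructed for the demonstration.

```python
import socket
import threading

# Added demo, not from the list post: a small TCP relay in the spirit of the
# "lightweight TCP proxy" suggested above. Every upstream connection is bound
# to one egress address before connect(), so the far end always sees that
# single source address regardless of which client sits behind the relay.

def tcp_socket(addr):
    """Create a stream socket whose family matches the literal address."""
    family = socket.getaddrinfo(addr, 0, 0, socket.SOCK_STREAM)[0][0]
    return socket.socket(family, socket.SOCK_STREAM)

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    while True:
        data = src.recv(65536)
        if not data:
            break
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def relay_one(client, target, egress_addr):
    """Serve one client: connect upstream from egress_addr, relay both ways."""
    upstream = tcp_socket(egress_addr)
    upstream.bind((egress_addr, 0))        # fixed source address, ephemeral port
    upstream.connect(target)
    t = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    t.start()
    pump(client, upstream)
    t.join()
    client.close()
    upstream.close()

def demo(egress_addr="::1", payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Constructed loopback run: client -> relay -> echo server.
    Returns (bytes the client got back, source address the server observed)."""
    seen = {}
    server = tcp_socket(egress_addr); server.bind((egress_addr, 0)); server.listen(1)
    def echo():
        conn, peer = server.accept()
        seen["src"] = peer[0]            # what a remote website would see
        pump(conn, conn)                 # echo until the relay half-closes
        conn.close()
    threading.Thread(target=echo, daemon=True).start()
    relay = tcp_socket(egress_addr); relay.bind((egress_addr, 0)); relay.listen(1)
    def accept_one():
        conn, _ = relay.accept()
        relay_one(conn, server.getsockname()[:2], egress_addr)
    threading.Thread(target=accept_one, daemon=True).start()
    client = tcp_socket(egress_addr)
    client.connect(relay.getsockname()[:2])
    client.sendall(payload); client.shutdown(socket.SHUT_WR)
    got = b"".join(iter(lambda: client.recv(65536), b""))
    client.close()
    return got, seen["src"]
```

In a real deployment the relay would run on the failover pair, with `egress_addr` set to the shared global address and the target taken from the client's request or the original packet's destination.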