V6OPS | B. E. Carpenter |
Internet-Draft | Univ. of Auckland |
Intended status: Informational | S. Jiang |
Expires: April 15, 2012 | Huawei Technologies Co., Ltd |
October 13, 2011 |
Using the IPv6 Flow Label for Server Load Balancing
draft-carpenter-v6ops-label-balance-00
This document describes how the IPv6 flow label can be used in support of layer 3/4 load balancing for large server farms.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 15, 2012.
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The IPv6 flow label has been redefined [I-D.ietf-6man-flow-3697bis] and its use for load balancing in multipath routing has been specified [I-D.ietf-6man-flow-ecmp]. Another scenario in which the flow label could be used is in load balancing for large server farms. This document starts with a brief introduction to load balancing techniques and then describes how the flow label can be used to enhance layer 3/4 flow balancers in particular.
Load balancing for server farms is achieved by a variety of methods, often used in combination [Tarreau]. The flow label is not relevant to all of them. Also, the actual load balancing algorithm (the choice of server for a new client session) is irrelevant to this discussion.
The following diagram, inspired by [Tarreau], shows a maximum layout.
___________________________________________ ( ) ( Clients in the Internet ) (___________________________________________) | ------------ | Ingress | | router | ------------ ____________|_____________ | | |DNS-based load splitting| | | ------------ ------------ |L3/L4 ASIC| |L3/L4 ASIC| | balancer | | balancer | ------------ ------------ | load | | spreading | __________|________________________|___________ | | | | ------------ ------------ -------- -------- |HTTP proxy|...|HTTP proxy| | SSL |...| SSL | | balancer | | balancer | | proxy| | proxy| ------------ ------------ -------- -------- ____|_____________|_____________|_________|_____ | | | | | -------- -------- -------- -------- -------- |HTTP | |HTTP | |HTTP | |HTTP | |HTTP | |server| |server| |server| |server| |server| -------- -------- -------- -------- --------
From the previous paragraphs, we can identify several points in this diagram where the flow label may be relevant:
The IPv6 flow label is included in every IPv6 header [RFC2460] and it is defined in [I-D.ietf-6man-flow-3697bis]. According to this definition, it should be set to a constant value for a given traffic flow (such as an HTTP connection), but until the standard is widely implemented it will often be set to the default value of zero. Any device that has access to the IPv6 header has access to the flow label, and it is at a fixed position in every IPv6 packet. In contrast, transport layer information, such as the port numbers, is not always in a fixed position, since it follows any IPv6 extension headers that may be present. Therefore, within the lifetime of a given transport layer connection, the flow label can be a more convenient "handle" than the port number for identifying that particular connection.
According to [I-D.ietf-6man-flow-3697bis], source hosts should set the flow label, but if they do not (i.e. its value is zero), forwarding nodes may do so instead. In both cases, the flow label value must be constant for a given transport session, normally identified by the IPv6 and Transport header 5-tuple. The flow label should be calculated by a stateless algorithm. The value should form part of a statistically uniform distribution, making it suitable as part of a hash function used for load distribution. Because of using a stateless algorithm to calculate the label, there is a very low (but non-zero) probability that two simultaneous flows from the same source to the same destination have the same flow label value despite having different transport protocol port numbers.
The suggested model for using the flow label in a load balancing mechanism is as follows.
Note that in the unlikely event of two simultaneous flows from the same source having the same flow label value, the two flows would end up assigned to the same server, where they would be distinguished as normal by their port numbers. Since this would be a statistically rare event, it would not damage the overall load balancing effect.
Security aspects of the flow label are discussed in [I-D.ietf-6man-flow-3697bis]. As noted there, a malicious source or man-in-the-middle could disturb load balancing by manipulating flow labels.
Specifically, [I-D.ietf-6man-flow-3697bis] states that "stateless classifiers should not use the flow label alone to control load distribution, and stateful classifiers should include explicit methods to detect and ignore suspect flow label values." The former point is answered by also using the source address. The latter point is more complex. If the risk is considered serious, the ingress router mentioned above should verify incoming flows with non-zero flow label values. If a flow from a given source address and port number does not have a constant flow label value, it is suspect and should be dropped.
This document requests no action by IANA.
Valuable comments and contributions were made by
This document was produced using the xml2rfc tool [RFC2629].
draft-carpenter-v6ops-label-balance-00: original version, 2011-10-13.
[RFC2460] | Deering, S.E. and R.M. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. |
[I-D.ietf-6man-flow-3697bis] | Amante, S, Carpenter, B, Jiang, S and J Rajahalme, "IPv6 Flow Label Specification", Internet-Draft draft-ietf-6man-flow-3697bis-07, July 2011. |
[RFC2629] | Rose, M.T., "Writing I-Ds and RFCs using XML", RFC 2629, June 1999. |
[I-D.ietf-6man-flow-ecmp] | Carpenter, B and S Amante, "Using the IPv6 flow label for equal cost multipath routing and link aggregation in tunnels", Internet-Draft draft-ietf-6man-flow-ecmp-05, July 2011. |
[Tarreau] | Tarreau, W. , "Making applications scalable with load balancing", 2006. |