Re: IP Header Rewriting with Pen (async. Routing) ?

From: Ulric Eriksson (ulric@siag.nu)
Date: Sat Sep 07 2002 - 11:38:18 CEST


On Wed, 4 Sep 2002, Markus Binder wrote:

> Hi,
> is there a possibility to tell pen to rewrite the source IP-Address
> of the TCP Packet it sends to the Webserver to the Source Address
> the packet of the original request came from ?
> To use pen only as a "One-Way-Man-in-the-Middle" Loadbalancer ?

No, it is not possible. To do so would require a major rewrite of most of
pen. And it would not be portable.

> (I know about the asynchronous TCP Connection, but think
> with HTTP and HTTPS it does not matter.)
>
>
> (CLIENT) ------request----> (PEN)
>                             .    .
>                            .      .
>                           .        .
>                          .          .
>                    (APACHE1)     (APACHEn)

Then CLIENT would send IP packets to PEN, which would create a new packet
with the same source address and the same payload, but with APACHEx as
destination address. APACHEx would send packets back using APACHEx as
source address and CLIENT as destination address. It would be difficult
for CLIENT to figure out what TCP session those packets are supposed to be
part of.

This would work, however:

.--------.
| CLIENT |
`--------'
    |
.--------.
|  PEN   |
`--------'
    |
.--------.
| APACHE |
`--------'

Here pen sits physically between the client and the server, so it sees
outgoing packets from apache regardless of the destination address. Apache
has pen as its default gateway. Pen must keep track of client/server
address combination and "sniff" the server network for packets that should
be rewritten.

This is all possible, and many commercial load balancers do indeed work
like that. But it is less portable (although it would probably work
wherever libnet and libpcap are supported) and places more restrictions on
the network design. And it doesn't really solve the logging problem, since
the server logs still need to be combined somehow.

Ulric
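The two packet flows discussed in this message, as an added simulation (not part of the original thread and not pen's own code): a toy client that, like a real TCP stack, only accepts a reply whose four-tuple reverses a session it opened; an "async routing" pen that rewrites only the destination on the way in; and an "inline" pen that additionally sits on the return path and keeps a client/server address table so it can rewrite the server's source address back to the address the client connected to. All addresses, ports and payloads are constructed for the example.

```python
"""Simulate why one-way source-address rewriting breaks TCP and why the
inline (default-gateway) design works. Addresses below are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str

# Four-tuple a TCP stack uses to match an incoming packet to a session
FlowKey = Tuple[str, int, str, int]

class Client:
    """Minimal client: remembers the sessions it opened and accepts only a
    packet whose (dst, dport, src, sport) matches one of them."""
    def __init__(self, ip: str) -> None:
        self.ip = ip
        self.sessions: set = set()

    def send(self, sport: int, dst: str, dport: int, payload: str) -> Packet:
        self.sessions.add((self.ip, sport, dst, dport))
        return Packet(self.ip, sport, dst, dport, payload)

    def accepts(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

class Server:
    """Backend: replies with its own address as source, original source as dest."""
    def __init__(self, ip: str) -> None:
        self.ip = ip

    def reply(self, pkt: Packet) -> Packet:
        return Packet(self.ip, pkt.dport, pkt.src, pkt.sport, "HTTP/1.0 200 OK")

class AsyncRoutingPen:
    """Design 1 from the thread: rewrite only the destination, keep the client's
    source address, never see the server's replies."""
    def __init__(self, vip: str, servers) -> None:
        self.vip, self.servers, self.rr = vip, servers, 0

    def forward(self, pkt: Packet):
        srv = self.servers[self.rr % len(self.servers)]   # round robin
        self.rr += 1
        return replace(pkt, dst=srv.ip), srv

class InlinePen(AsyncRoutingPen):
    """Design 2: pen is the server's default gateway, so every reply passes
    through it; a conntrack table maps the server-side flow back to the VIP."""
    def __init__(self, vip: str, servers) -> None:
        super().__init__(vip, servers)
        self.conntrack: Dict[FlowKey, FlowKey] = {}

    def forward(self, pkt: Packet):
        out, srv = super().forward(pkt)
        # key: the reply exactly as the server will send it
        # value: the source the client expects to see (the VIP)
        self.conntrack[(srv.ip, out.dport, out.src, out.sport)] = \
            (self.vip, pkt.dport, pkt.src, pkt.sport)
        return out, srv

    def return_path(self, reply: Packet) -> Optional[Packet]:
        key = (reply.src, reply.sport, reply.dst, reply.dport)
        expected = self.conntrack.get(key)
        if expected is None:
            return None            # untracked flow: drop rather than guess
        vip, vport, _, _ = expected
        return replace(reply, src=vip, sport=vport)

def run(design) -> bool:
    """One request/reply round trip; True if the client accepts the reply."""
    client = Client("198.51.100.10")
    servers = [Server("10.0.0.11"), Server("10.0.0.12")]
    pen = design("203.0.113.1", servers)
    req = client.send(40000, "203.0.113.1", 80, "GET / HTTP/1.0")
    fwd, srv = pen.forward(req)
    reply = srv.reply(fwd)
    if isinstance(pen, InlinePen):
        reply = pen.return_path(reply)
    return reply is not None and client.accepts(reply)

if __name__ == "__main__":
    print("async routing, client accepts reply:", run(AsyncRoutingPen))
    print("inline pen,     client accepts reply:", run(InlinePen))
```

In the async design the reply reaches the client with the backend's address as source, so the client's session lookup fails and the packet is discarded, which is the "difficult for CLIENT to figure out what TCP session" point above. The inline design only works because every reply is forced through pen (the default gateway) and pen already holds the client/server combination in its table; a reply for a flow it never saw is dropped rather than rewritten.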



This archive was generated by hypermail 2.1.2 : Sat Sep 07 2002 - 11:39:38 CEST