On Wed, 2003-01-29 at 19:52, Brian Haberman wrote:
> > I'm just wondering if this holds true for load balancers. For
> > transaction type application one might want to send each connection to a
> > different server.
> 
> The load balancer that I am aware of would actually use the source
> address of the incoming packet as part of the algorithm to determine
> which server to send the packet to.  So, for a short period of time,
> packets with the anycast destination address and the same unicast
> source address would be sent to the same server.
> 
> Now, I can't say that scenario is the common way to implement load
> balancers.

Well, I don't know either.

> > Susceptibility to DoS attacks is another consideration that needs some
> > attention, I think. The RR mechanism in MIPv6 is designed to require no
> > state in CN, but in the anycast RR mechanisms the roles are reversed:
> > here the anycast server is the one holding state.
> 
> Is that really true?  What about the Binding Cache?

> To me, with this anycast approach, the anycast server is the mobile
> node and the client is the correspondent node.  The mobile node
> and the anycast server both hold state that identifies the home
> address (anycast address) and the care-of address (unicast address).

In MIPv6 the binding cache entry is created only after the binding is
authenticated. The CN holds no state during the RR procedure. Only MN
does. Since only authenticated bindings go into the cache, you can't
flood it very easily.

However, you could flood the anycast server with RR state simply by
sending a lot of SYN packets with different forged source addresses.

        MikaL

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
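
The contrast drawn in the message above, as an added example that is not part of the original post or of any MIPv6 implementation: a responder that derives its return-routability token from a node key (so it stores nothing until a binding is authenticated) beside one that keeps an entry per initiator. The class names, the single-token simplification (MIPv6 uses separate home and care-of tokens) and the source addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class StatelessResponder:
    """MIPv6-CN style: tokens are recomputed from a node secret, never stored."""

    def __init__(self):
        self.kcn = os.urandom(20)      # node key known only to this responder
        self.nonce = os.urandom(8)     # current nonce (a real node rotates it)
        self.binding_cache = {}        # holds authenticated bindings only

    def _token(self, addr):
        mac = hmac.new(self.kcn, addr.encode() + self.nonce, hashlib.sha1)
        return mac.digest()[:8]

    def on_init(self, src):
        return self._token(src)        # sent back to src; nothing is remembered

    def on_binding_update(self, home, care_of, proof):
        if not hmac.compare_digest(proof, self._token(care_of)):
            return False
        self.binding_cache[home] = care_of
        return True


class StatefulResponder:
    """Keeps an entry per initiator from the first packet onward."""

    def __init__(self):
        self.pending = {}

    def on_init(self, src):
        self.pending[src] = os.urandom(8)
        return self.pending[src]


def entries_after(responder, sources):
    """Feed one init per source address; return how many entries are held."""
    for src in sources:
        responder.on_init(src)
    held = getattr(responder, "pending", None)
    return len(responder.binding_cache if held is None else held)


# Constructed input: 1000 distinct source addresses in the documentation prefix.
SOURCES = ["2001:db8::%x" % i for i in range(1, 1001)]

if __name__ == "__main__":
    print("stateless:", entries_after(StatelessResponder(), SOURCES))
    print("stateful: ", entries_after(StatefulResponder(), SOURCES))
```

The stateless responder's memory use is independent of how many init messages arrive; a stateful design needs a cap or timeout on pending entries to bound it.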
