Dana Hudes wrote:
Products like the Nortel Accelar 700 do layer 7 redirect. http://www.nortelnetworks.com/products/02/datasheets/3377.html
you should read that datasheet more closely. When handling multiple sites, this product does something questionable, just as the F5 and other brands do. In the case of this Nortel product, it pings the original user's DNS server:
From this data sheet:
"The Accelar 790 Server Switch can offer such services because it uses standard DNS and OSPF protocols. Here's how it works: When the client initially requests a URL, his or her browser sends a resolution request to the local DNS server - the typical scenario. But with the Accelar 790, the DNS tree does not contain the physical IP address of the URL server. Instead, the DNS tree is populated with the IP address of a master Accelar 790 Server Switch. This Accelar IP address bears a flag to indicate that it is the DNS server that can resolve the URL IP address. The client's local DNS server will then submit the DNS request to the master Accelar 790. The master will forward the client IP address and requested URL to all other Accelar 790 Server Switches that are providing points of presence for the requested URL. Each Accelar 790 will ping the client's DNS server and return the router hop count and latency as well as their local server load for the URL. The master 790 will choose the best response time and forward that IP address to the client's DNS server. The client's browser will cache that IP address and use it for the remainder of the session." So, provided you permit ICMP traffic to your DNS servers, and provided that traffic is routed through various providers' networks along the same paths as the DNS and web traffic, this approach might work. What is also inherent in this product is a packet amplification. Every time a DNS request comes to one of these boxes, a set of ping packets is fired at the source IP address of the DNS request, not to mention the site-to-site traffic generated. This can be accomplished using a single UDP packet. If such packet is spoofed... Looks to me like this product is capable of resulting in a denial of service against the site running the boxes, and being used to cause a DoS against other sites.
----- Original Message ----- From: "Peter A. van Oene" <vantech@sympatico.ca> To: <nanog@merit.edu> Sent: Sunday, March 12, 2000 4:44 PM Subject: Re: Alternative to BGP-4 for multihoming?
This is great feedback / moderate flaming. However, consider the following.
I have only moderate experience with the F5 3DNS & similar products however I am familiar with BGP routing. My client base are high traffic e-commerce style (for lack of a better over used marketing term) web sites. They sit on /28's and smaller in some cases. I'm certainly not going to be successful in acquiring ASN's for these people to do proper load balancing between multiple ISP's and most major ISP's see little benefit in modifying route tables to include our small netblock. Its these cases I'm concerned with. In my mind, irrespective of the comments on the functionality of DNS for this purpose, I see little other choice.
As a direct FYI, the 3DNS can make fairly intelligent decisions about where to direct traffic beyond simply gauging TCP/53 handshake times. These is quite a detailed, informatative interaction that can take place between the 3DNS and F5's local load distributor, the BIG-IP.
That being said, if anyone has better ideas on how to provide for high availability to millions of web sites worldwide, please let me know.
Pete
*********** REPLY SEPARATOR ***********
On 3/12/00 at 1:32 PM Chris Brenton wrote:
"Peter A. van Oene" wrote:
Essentially, the 3DNS box assumes the DNS entry for the site for which
the
customer requires multihoming and it intelligently balances traffic amongst any geographically disparate sites. This allows for high availability.
If I'm not mistaken, it accomplishes this in a somewhat obtrusive manner. The box attempts an xfer back to TCP/53 on the querying DNS server. Based on response time, a proper route is chosen. I've seen a lot of posts to Intrusion & GIAC from people who assumed someone was trying enumeration in preparation for an attack, only to find out it was one of these boxes.
I also seem to remember a post on GIAC showing Snort traces of one of these boxes actually performing a full xfer if the box was not locked down. Do you use one of these boxes? If so, any idea what happens to the xfer data?
Ignoring the argument as to whether its appropriate to attempt xfers on unsuspecting networks, I also see this as being pretty inefficient. A good quantity of sites are now running split DNS so the querying server is not even reachable. This means a fair percentage of the time the load balance attempt will outright fail.
Don't see this replacing BGP anytime soon. ;)
Chris -- ************************************** cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet * Mastering Network Security http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
------- Peter Van Oene Senior Systems Engineer UNIS LUMIN Inc. www.unislumin.com
-- ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranth.com