Multi-Stage Transparent Server Load Balancing

This document specifies Multi-Stage Transparent Server Load Balancing (MSLB) specification. MSLB provides server load balancing function over Layer3 network without packet header change at client and server. MSLB works with any protocol and protocol with payload encryption such as IPsec ESP, SSL/TLS.

There are several load-balancing techniques, such as round-robin DNS, IP Anycasting and destination address translation. shows a load-balancing system with a typical server load balancer with destination address translation technique.

It is well-known that Network address translators break the internet transparency and have an application dependency characteristic. Some server load balancers use application data, so with IPsec ESP, SSL/TLS, these mechanisms may not work well.

Load balancing is the technique that distributes packets to multiple servers. For packet distribution, the destination address translation technique is useful, however, this technique itself breaks internet transparency. After distribution, if writing back to the original destination address may be possible, it is possible to recover transparency. This is the basic idea and architecture of MSLB. shows the architecture of MSLB.

This method processes only the destination address of the IP header. This method can be applied to both IPv4 and IPv6.

shows a basic server load balancing system with MSLB. This case two-stage configuration with one MSLB-F and one-stage many MSLB-Bs.

MSLB-F is a front function of MSLB and translates the destination address to one of the addresses of MSLB-B. BSLB-B is the backend function of MSLB and translates the destination address to the original server address, i.e. address of MSLB-F. The IP address of MSLB-F and all servers are the same value. MSLB-F may multi-stage configuration. shows a three-stage configuration with two-stage MSLB-F and one-stage many MSLB-Bs.

shows one arm configuration of the server load balancing system with MSLB.

MSLB-F is a front function of MSLB and translates the destination address to one of the addresses of MSLB-B. BSLB-B is a backend function of MSLB and translates the destination address to the original server address, i.e. address of MSLB-F. The IP address of MSLB-F and all servers are the same value. In this configuration, MSLB-F connects to the network with a single link, that is one arm configuration. In this case, the return packet, i.e.packet from server to client does not pass through the MSLB-F.

MSLB has two modes, one is address translation mode, and the other is encapsulation mode.

This mode uses an address translation technique. Figure shows packet processing with address translation mode.

: --------------------> : ------------> src = IP_C1 : src = IP_C1 : src = IP_C1 dst = IP_S : dst = IP_B1 : dst = IP_S : : +------+----+ : +------+----+ :+------+----+ | data | IP | : | data | IP | :| data | IP | +------+----+ : +------+----+ :+------+----+ <--------------------- -: <-------------------- : <------------ src = IP_S : src = IP_S : src = IP_S dst = IP_C1 : dst = IP_C1 : dst = IP_C1 : : ]]> In this figure, to the client, the IP address is allocated IP_C1, IP_C2, and the server IP address is IP_S. In this case, IP_S is also allocated to all servers and MSLB-F. And to the MSLB-B, IP_B1, IP_B2, IP_B3 is allocated. This allocation is shown in the upper part of . The lower part of shows packet transfered between client and server. From the client to the server, only the destination address is translated, MSLB-F translates from IP_S to IP_B1, and MSLB-B translate from IP_B1 to IP_S. Then the destination address of the packet sent to the client and the destination address of the packet that receives the server are the same. That means transparency remains. Return packet, i.e., from the server to the client is not translated, it just forwarded. On the Internet, the client IP address and server IP address must Global IP address, however, the IP address of MSLB-B may private IP address.

shows the MSLB table. MSLB has this table and translates the destination address using this table value. MSLB-F checks the source IP address and translates the destination address with this table. Using IPv4-IPv6 translation may be possible, i.e., IPv4 packet translated to IPv6, then translate to IPv4 or IPv6 packet translate to IPv4, then translate IPv6 may possible shows possible combination of IPv4 and IPv6. These IPv4-IPv6 translation cases will be defined in the future.

: <-- IPv4 --> : <-- IPv4 --> : : (2) <-- IPv6 --> : <-- IPv6 --> : <-- IPv6 --> : : (3) <-- IPv4 --> : <-- IPv6 --> : <-- IPv4 --> : : (4) <-- IPv6 --> : <-- IPv4 --> : <-- IPv6 --> : : ]]>

This mode uses an encapsulation technique. Figure shows packet processing with encapsulation mode.

: --------------------> : ------------> src = IP_C : Inner header : src = IP_C dst = IP_S : src = IP_C : dst = IP_S : dst = IP_S : : Outer header : : src = IP_S : : dst = IP_B1 : : : : : : : +------+----+ : +------+----+ :+------+----+ | data | IP | : | data | IP | :| data | IP | +------+----+ : +------+----+ :+------+----+ <--------------------- -: <-------------------- : <------------ src = IP_S : src = IP_S : src = IP_S dst = IP_C : dst = IP_C : dst = IP_C : : ]]> In this figure, to the client, the IP address is allocated IP_C1, IP_C2, and the server IP address is IP_S. In this case, IP_S is also allocated to all servers and MSLB-F. And to the MSLB-B, IP_B1, IP_B2, IP_B3 is allocated. This allocation is shown in the upper part of . The lower part of shows packet transfered between client and server. From the client to the server, MSLB-F encapsulates the original IP packet and sends it to MSLB-B. MSLB-B decapsulates the outer IP header and forwards it to the server. The inner IP packet does not change, which means, transparency is remained. With encapsulation mode, packet size is increased, so fragmentation is needed if the encapsulated packet size exceeds MTU or Path MTU. MSLB-F MUST support tunnel MTU discovery. Fragmentation and Path MTU discovery issue will be described in the future. Return packet, i.e., from the server to the client is not encapsulated, just forwarded. On the Internet, the client IP address and the server IP address must Global IP address, however, the IP address of MSLB-B may private IP address.

shows the MSLB table. MSLB has this table and encapsulates and generates an outer header with the destination address using this table value. MSLB-F checks the source IP address and generates the destination address of the outer header with this table. Using IPv4 over IPv6 encapsulation or IPv6 over IPv4 encapsulation may be possible, i.e., IPv4 packet encapsulated to IPv6, then decapsulate to IPv4 or IPv6 packet encapsulated to IPv4, then de-encapsulated IPv6 may be possible. shows the possible combination of IPv4 and IPv6. These IPv4-IPv6 encapsulation cases will be defined in the future.

: <-- IPv4 over IPv4 --> : <-- IPv4 --> : : (2) <-- IPv6 --> : <-- IPv6 over IPv6 --> : <-- IPv6 --> : : (3) <-- IPv4 --> : <-- IPv4 over IPv6 --> : <-- IPv4 --> : : (4) <-- IPv6 --> : <-- IPv6 over IPv4 --> : <-- IPv6 --> : : ]]>

describes ingress filtering for defending against DoS attacks that employ IP source address spoofing. Depending on the location of the MSLB-F and MSLB-B, packets from the server to the client may be discarded by ingress filtering. In such a case, encapsulating the packet from server to client might resolve. shows such a solution.

MSLB has the following characteristics. Layer 3 Load balancer Support NAT unfriendly applications such as FTP Work with any application layer protocol (maybe) Work with encryption (IPsec ESP, SSL/TLS) Work over Layer 3 network May enforce policy with static configuration

This document does not request IANA. Note to RFC Editor: this section may be removed on publication as an RFC.

Security consideration is not discussed in this memo.