
RE: Transport support in LVS

To: Hans Schillstrom <hans.schillstrom@xxxxxxxxxxxx>
Subject: RE: Transport support in LVS
Cc: "lvs-devel@xxxxxxxxxxxxxxx" <lvs-devel@xxxxxxxxxxxxxxx>
From: Abhijit Chaudhary <achaudhary@xxxxxxxxxxxx>
Date: Tue, 3 Apr 2012 07:12:21 +0000
Thanks Hans.
My requirement for IPSEC is a little different: I want to offload the IPSEC or 
reassembly processing in the LVS node itself.
I plan to use a VIP address in the LVS node and do the IPSEC decryption/IP 
reassembly on the VIP address before the LVS load-balancing, as I may use 
L4-ports to load-balance.
Is this possible in the current LVS?

-----Original Message-----
From: Hans Schillstrom [mailto:hans.schillstrom@xxxxxxxxxxxx] 
Sent: Tuesday, April 03, 2012 12:14 PM
To: Abhijit Chaudhary
Cc: lvs-devel@xxxxxxxxxxxxxxx
Subject: Re: Transport support in LVS

Hello
On Tuesday 03 April 2012 07:45:03 Abhijit Chaudhary wrote:
> Hi,
> I am new to LVS and wanted to understand its transport-level support. I am 
> using RHEL 6.2 (kernel 2.6.32-220) and had a couple of questions on it:
> I did not find support for SCTP as an LVS transport protocol (no 
> ip_vs_protocol). But the LVS website mentions SCTP support in ipvsadm-1.26. 
> Am I missing something? Was SCTP supported in an older kernel release?

SCTP was introduced in 2.6.34 

> 
> The other question is whether LVS supports load-balancing of IPSEC packets (for 
> ESP in transport mode with authentication and encryption enabled).
> My understanding:  ip_vs_in() is hooked to NF_INET_LOCAL_IN. But, 
> ip_local_deliver() calls NF_INET_LOCAL_IN before decryption (esp_input). 
> So, IPSEC with encryption enabled should not be load-balanced unless there is 
> a repeat call to ip_local_deliver() after decryption.
> My knowledge of the xfrm framework and IPSEC is not good, so I may be missing 
> something.

If you don't have the VIP address in your LVS node (just force the VIP to 
loopback by routing),
then you should be able to send the ESP (or AH) packets through IPVS to a RS 
for decryption.

> 
> Thanks,
> -Abhijit
> --
> To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-- 
Regards
Hans Schillstrom <hans.schillstrom@xxxxxxxxxxxx>