
Re: [lvs-users] would this configuration work for lvs-dr?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] would this configuration work for lvs-dr?
From: Graeme Fowler <graeme@xxxxxxxxxxx>
Date: Sun, 06 Jan 2008 21:01:28 +0000

On Sun, 2008-01-06 at 10:30 -0500, William Ottley wrote:
> Thanks for your time Graeme,

No problem.

> If I'm correct, then what you're saying is IP spoofing?

No, it isn't. But it could be seen that way in certain contexts. It's
spoofing if and only if the source IP address has no right to be inbound
on a router (or other device) interface. If you control the LAN, or you
have an ISP which will agree to let these packets pass, it isn't
spoofing.
You may however have issues with URPF (unicast reverse path forwarding)
verification on A Certain Vendor's kit; it's not too hard to turn off on
a given LAN but has wider consequences that should be understood. It
should always be applied with appropriate ACLs anyway, so turning it off
with the right router ACL in place simply means more load on the ACL
(URPF verification often runs in hardware).

> I thought I read that since the real server is sending the VIP
> address, this is considered IP spoofing, and some ISPs block that
> traffic? Or is it something completely different?

If you're doing DR, then you probably have everything in the same (or
adjacent) netblocks, or netblocks from the same provider, so it isn't
such a problem. If you choose to use TUN, then you need to make sure
that either you control all relevant client-facing networks which might
egress the packets, or have a decent ISP who will allow you to do it.
There are more complex issues at play here anyway, since TUN only works
generally speaking if all the peers of the egress ISP will accept the
VIP as a source - if it's from a different AS, you have problems before
you start.

Like I said - strip back to something simple. Once you know you can make
that work, scale up and out.

Graeme
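
An added example, not part of the original message: a small Python model of the strict uRPF check and the ingress ACL mentioned above. It shows why a reply sourced from the VIP passes when it arrives from the VIP's own netblock (DR) but fails strict uRPF when it arrives from a different network (TUN) unless an ACL admits it. The addresses, interface names, routing table and ACL are constructed for illustration.

```python
import ipaddress

# Constructed example data (documentation address ranges, not from the thread).
VIP = "192.0.2.10"
ROUTES = [                        # (prefix, interface the router forwards out of)
    ("0.0.0.0/0", "upstream"),
    ("192.0.2.0/24", "lan0"),     # VIP, director and LVS-DR real servers
    ("198.51.100.0/24", "lan1"),  # remote LVS-TUN real server
]
# Per-interface ingress ACL: source prefixes allowed to arrive on that interface.
ACL = {
    "lan0": ["192.0.2.0/24"],
    "lan1": ["198.51.100.0/24", VIP + "/32"],  # explicitly admit the VIP from the TUN site
}

def reverse_path(src, routes=ROUTES):
    """Longest-prefix match on the source: interface used to reach src."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def urpf_strict(src, ingress, routes=ROUTES):
    """Strict uRPF: accept only if the route back to src leaves via ingress."""
    return reverse_path(src, routes) == ingress

def acl_permits(src, ingress, acl=ACL):
    """Ingress ACL: accept only sources listed for the arriving interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in acl.get(ingress, []))

def verdicts(src, ingress):
    """Both checks for one packet, keyed by mechanism."""
    return {"urpf_strict": urpf_strict(src, ingress),
            "acl": acl_permits(src, ingress)}

if __name__ == "__main__":
    cases = [("DR reply, VIP source arriving on lan0", VIP, "lan0"),
             ("TUN reply, VIP source arriving on lan1", VIP, "lan1"),
             ("unrelated source arriving on lan1", "203.0.113.5", "lan1")]
    for label, src, ingress in cases:
        print(f"{label}: {verdicts(src, ingress)}")
```
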


