Friday, October 01, 2004 10:23 // SANE 2004, RAI, Amsterdam, Netherlands
a presentation by Marco Pfatschbacher
Normally a load-balancer is a physical box sitting in front of the nodes doing the actual work. In this setup the load-balancer becomes a single point of failure. To have high reliability, we need a second load-balancer with fail-over.
Marco presented a method to set up a group of hosts with load sharing/balancing functionality. Instead of using a dedicated load-balancer, the worker nodes sit on the same Ethernet segment; each node receives all traffic and consumes only the traffic it is supposed to handle.
In order to receive all traffic, all nodes set up a virtual interface with the same Ethernet address and IP address. Simple repeaters have no problems with this, but switches are normally not happy when they see the same MAC address on several ports. The trick to solve this problem is to configure the physical interfaces to respond with proxy ARP responses telling the switch the Ethernet address of the virtual interface. This makes the switch always flood the network with traffic destined for the IP address of the virtual interface.
The nodes now use a distributed filtering approach (nms.lcs.mit.edu ...) to decide for each incoming TCP connection which node is going to handle it.
High-Availability is implemented through a small daemon, ifstated, and CARP (www.newsforge.com ...), which redistribute incoming connections appropriately if one node becomes unavailable.
Known limitations and further work: load sharing is static, and stateful packet filtering (PF) cannot be used.
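An added sketch (not code from the talk or from OpenBSD) of the distributed filtering decision and the fail-over redistribution described above. The node names, bucket count, SHA-256 hash and next-live-node takeover rule are assumptions, and the sample clients are constructed.

```python
import hashlib
import ipaddress

NODES = ["node-a", "node-b", "node-c"]  # hypothetical worker names
BUCKETS = 12                            # assumed fixed bucket count (static sharing)
# Constructed sample clients (documentation address range), not captured traffic.
CLIENTS = [(f"192.0.2.{i}", 40000 + 7 * i) for i in range(1, 60)]

def bucket(src_ip, src_port):
    """Hash the client side of the connection; every node computes the same value."""
    key = ipaddress.ip_address(src_ip).packed + src_port.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % BUCKETS

def owner(b, alive):
    """Static home node of bucket b, or the next live node if the home is down."""
    for step in range(len(NODES)):
        candidate = NODES[(b + step) % len(NODES)]
        if candidate in alive:
            return candidate
    return None

def accepts(node, src_ip, src_port, believed_alive):
    """Local decision on a flooded packet: consume it or silently drop it."""
    return owner(bucket(src_ip, src_port), believed_alive | {node}) == node

def assignment(views):
    """views: running node -> set of peers it believes alive. Returns handlers per client."""
    return {c: [n for n, alive in views.items() if accepts(n, *c, alive)]
            for c in CLIENTS}

if __name__ == "__main__":
    healthy = assignment({n: set(NODES) for n in NODES})
    survivors = {"node-a", "node-c"}                      # node-b has failed
    degraded = assignment({n: survivors for n in survivors})
    moved = sum(1 for c in CLIENTS if healthy[c] != degraded[c])
    print(f"{moved} of {len(CLIENTS)} sample connections moved off node-b")
    # node-c wrongly believes node-b is down while node-b still runs
    split = assignment({"node-a": set(NODES), "node-b": set(NODES), "node-c": survivors})
    print("handled twice:", sum(1 for h in split.values() if len(h) == 2))
```

The last case shows the failure mode of this design: a node with a stale view of its peers answers connections that another node is also answering, so the redistribution only works when all nodes agree on who is up.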
Friday, October 01, 2004 14:33 // SANE 2004, RAI, Amsterdam, Netherlands
A talk by Sjoera Nas
Bits of Freedom is a Dutch NGO funded by private parties. Their topics are privacy, freedom of speech, spam, e-voting and copyright. In September 2004 they tested how simple it was to get Dutch ISPs to take down a web page containing an obviously public domain text.
7 out of 10 providers acted swiftly by taking down the allegedly infringing document.
The full paper: (www.bof.nl ...)
Content © by Tobias Oetiker