From: Gabriel Ambuehl
Date: Fri, 7 Jul 2000 19:00:01 +0200
Organization: BUZ Internet Services
Message-ID: <11591545084.20000707190001@buz.ch>
To: Jason Fesler
Cc: Luigi Rizzo, Chris Shenton, Alan Batie
Subject: Re[4]: load balancing

> Simple, don't advertise to the world the *real* IP addresses.
> Use IP aliases.

I would have done that anyway as I want to have the boxes available
for remote fixing.

> If the box is faulty but still pingable with the IP alias,
> log into the box, shutdown the alias. Next, turn the alias
> on, on the other box.

What if it's pingable, but ssh failed? And how do you solve the
problems of needing root access to kill the alias? I don't want to
supply an attacker with the root passwords for the other box if he
cracks one of a pair... RSA authentication isn't better for that
matter.

> This implies that there will be something that can
> 1: babysit and monitor

Clear. Easy enough.

> 2: capable of logging in and running ifconfig

Hard. See above.

>
> 3: Advertise to your clients, the IP alias to connect to.
> this leaves you free to move that alias to any box
> on the same network.

Nothing to worry about.
Just give the boxes other 'native' IPs than the ones you use in your
DNS to point to the production ones (s.a.)

> Note that this method is low tech, and doesn't cover geographical
> diversity, etc.

For that one, go to http://www.eddieware.org. It looks quite
impressive but I couldn't afford the time to test it yet. Plus I still
don't know how they realize their IP takeover for the frontend boxes.

Best regards,
Gabriel
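
One way to arrange the takeover so that neither box stores root credentials for the other, as an added example that is not from the thread: the standby probes the service behind the alias and claims the address locally, and it raises an alert instead when the peer still answers ping. The interface name, address, port and the `ipwatch` log tag are assumptions, and `nc` must be installed.

```shell
#!/bin/sh
# Standby-side watchdog for a shared IP alias (constructed example).
# IFACE, ALIAS and PORT are placeholders, not values from the thread.
IFACE=${IFACE:-fxp0}
ALIAS=${ALIAS:-192.0.2.10}
PORT=${PORT:-80}
THRESHOLD=${THRESHOLD:-3}   # consecutive failed probes before acting
INTERVAL=${INTERVAL:-5}     # seconds between probes

# Probes return 0 on success. A ping reply alone is not treated as healthy.
alias_pings() { ping -c 1 "$ALIAS" >/dev/null 2>&1; }
service_ok()  { nc -z -w 2 "$ALIAS" "$PORT" >/dev/null 2>&1; }

# Needs root on this box only; no credentials for the peer are stored here.
claim_alias() { ifconfig "$IFACE" inet "$ALIAS" netmask 255.255.255.255 alias; }

# decide <failures so far> -> prints "<action> <new failure count>"
decide() {
    fails=$1
    if service_ok; then echo "ok 0"; return 0; fi
    fails=$((fails + 1))
    if [ "$fails" -lt "$THRESHOLD" ]; then echo "wait $fails"; return 0; fi
    if alias_pings; then
        # Peer is pingable but its service is dead: claiming the address
        # now would put it on two hosts, so page a human instead.
        echo "alert $fails"
    else
        echo "takeover $fails"
    fi
}

watch() {
    fails=0
    while :; do
        set -- $(decide "$fails")
        fails=$2
        case $1 in
            takeover) claim_alias && logger -t ipwatch "claimed $ALIAS on $IFACE"
                      return 0 ;;
            alert)    logger -t ipwatch "$ALIAS pings but port $PORT is down" ;;
        esac
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as: ipwatch.sh run
if [ "${1:-}" = "run" ]; then watch; fi
```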