
Archive for the ‘internet’ Category

Detecting browser bandwidth (in perl)

10 Aug

If your website serves downloads measured in megabytes, a single file can take several minutes to arrive from far-away places. Detecting the user's bandwidth and predicting how long a download will take helps customers understand why it is taking so long. Measuring a client's bandwidth could be as simple as timing the download of a fixed file, but there are a few problems with that.

To begin with, most browsers open several parallel connections to the same destination (at the time of writing IE used 2, Firefox 4). This is not a problem, but it is good to know, because a single timed download only exercises one of them. Then there is the TCP connection setup and slow-start overhead, which can be minimised by using large files and enabling keepalives. The biggest problem, however, is the browser cache: a cached copy of the sample file makes the detection logic believe the client has a superfast connection. A caching proxy in front of several browsers produces the same false reading for all of them.

The solutions are relatively simple. Download several sample files in parallel so that all of the browser's connections to the server are in use. Enable keepalives on the server to avoid repeating the TCP handshake for every sample. Use relatively large files so that setup overhead is a small fraction of the measurement. Finally, append a random number to each sample URL ("?123456789") so that neither the browser nor a proxy can serve the file from cache; sending Cache-Control: no-store on the sample responses is the belt-and-braces version of the same idea.
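As an added illustration of the measurement itself (written in Python rather than the Perl of the original post, and not code from the post): the helper below builds cache-busting sample URLs, discards samples that were obviously served from a cache, and aggregates parallel downloads over the wall-clock window they covered rather than summing their individual times. The sample timings are constructed, and the 1 Gbit/s plausibility ceiling is an assumption to tune for your audience.

```python
"""Client bandwidth estimate from timed sample downloads (added example)."""
import secrets
from typing import List, NamedTuple, Tuple


class Sample(NamedTuple):
    nbytes: int    # payload bytes received
    start: float   # seconds, on a common clock
    end: float


def cache_busting_url(url: str, size_kb: int) -> str:
    """Append a random token so neither the browser nor a proxy can serve the
    sample from cache. A counter would be predictable, and a proxy could
    already hold that URL, so the token comes from a CSPRNG."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}size={size_kb}&nocache={secrets.token_hex(8)}"


def looks_cached(sample: Sample, max_plausible_bps: float) -> bool:
    """A sample faster than any link the client could plausibly have was
    answered locally (browser cache or a nearby proxy), not by our server."""
    elapsed = sample.end - sample.start
    return elapsed <= 0 or sample.nbytes * 8 / elapsed > max_plausible_bps


def estimate_bandwidth_bps(samples: List[Sample],
                           max_plausible_bps: float = 1e9) -> Tuple[float, int]:
    """Aggregate throughput of parallel downloads: all bytes that arrived over
    the wall-clock span they covered. Summing per-file times instead would
    undercount whenever the browser's connections overlap.
    Returns (bits per second, number of samples discarded as cached)."""
    usable = [s for s in samples if not looks_cached(s, max_plausible_bps)]
    dropped = len(samples) - len(usable)
    if not usable:
        raise ValueError("every sample looked cached; nothing to measure")
    span = max(s.end for s in usable) - min(s.start for s in usable)
    return 8 * sum(s.nbytes for s in usable) / span, dropped


def predict_seconds(file_bytes: int, bps: float) -> float:
    """Expected download time for a file at the measured rate."""
    return file_bytes * 8 / bps


def demo() -> Tuple[float, int, float]:
    """Constructed timings: four 512 KiB files fetched in parallel on a link
    of roughly 8 Mbit/s, plus one 1 MiB file that 'arrived' in 2 ms because
    the browser already had it."""
    samples = [
        Sample(524288, 0.00, 2.00),
        Sample(524288, 0.00, 2.10),
        Sample(524288, 0.05, 2.05),
        Sample(524288, 0.10, 2.00),
        Sample(1048576, 0.00, 0.002),  # cached: ~4 Gbit/s, impossible here
    ]
    bps, dropped = estimate_bandwidth_bps(samples)
    return bps, dropped, predict_seconds(50 * 1024 * 1024, bps)


if __name__ == "__main__":
    print(cache_busting_url("http://www.example.test/bw/sample.bin", 512))
    bps, dropped, eta = demo()
    print(f"{bps / 1e6:.2f} Mbit/s ({dropped} cached sample dropped), "
          f"50 MiB would take about {eta:.0f} s")
```

The cached sample is rejected because no link of this customer's class could deliver a megabyte in two milliseconds; without that filter it would dominate the estimate and the predicted download time would be nonsense.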

 

Posted in internet, perl, programming

 

Javascript and firefox extensions

03 Aug

I have been hacking around with Firefox and extensions and realized that window.close() doesn't work on Firefox tabs. Apparently there is a hack available for this. I was also surprised that there is actually a Firefox extension wizard available to create Firefox extensions. I don't think such a thing exists for IE, but if you know of one please let me know.

 

Posted in internet

 

Internet Health monitoring Reports

09 Jul

I was looking for worldwide internet health statistics and found some interesting links.

General Connectivity Reports

BGP and DNS Reports

 

Where is my root dns server ?

09 Jul

I'm sure you have heard that there are 13 root servers in the world. The root hints file provided by InterNIC/IANA, http://www.internic.net/zones/named.root, should confirm that: it lists exactly 13 names and addresses. So how do these 13 servers survive a DDoS attack?

Apparently 6 of the 13 root servers are mirrored using anycast routing to spread load between multiple physical servers; the F root server alone has about 37 mirrors around the world. Anycast is implemented with BGP by announcing the same destination prefix simultaneously from many different places on the internet. So even though a prefix might be registered to a location here in the US, if someone also announces a route to the same block from Tokyo, hosts in and around that country will pick the cheapest route and reach the Tokyo instance. DDoS attacks against the root DNS servers have happened in the past and will continue to happen in the future. Anycast routing is probably why these "13" DNS servers are still alive today: an attack is absorbed by many instances instead of landing on one machine.

The next question some might ask is why we can't have more than 13 IP addresses for root servers, or why we can't just ship a larger root hints file. The answer is simple. DNS normally runs over UDP, and RFC 1035 caps a DNS message carried over UDP at 512 bytes; a reply that does not fit is truncated and the client must retry over TCP, which costs a handshake and connection state on both sides. The root server operators understand this very well (who else would know better?) and kept the number of servers at 13 so that the priming response, the NS records for "." plus an A glue record for each server, fits comfortably inside a single 512-byte UDP reply. EDNS0 (RFC 2671) lets a client advertise a larger UDP buffer, which is what makes it possible to add IPv6 glue for the root without breaking this limit.
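To make the arithmetic concrete, here is an added example (not from the original post) that builds the priming reply in DNS wire format, with RFC 1035 name compression, and reports its size. The server names follow the real a..m.root-servers.net pattern; the addresses are documentation ranges chosen for the example, not the real root addresses, and the TTL value is arbitrary because it does not affect the size.

```python
"""Byte size of a root "priming" reply in DNS wire format (added example).

A resolver starts by asking a root server for the NS records of "."; the
reply carries the 13 NS records and, in the additional section, an A glue
record per server. This builds that message with RFC 1035 name compression
and reports its size. Addresses are constructed documentation ranges.
"""
import ipaddress
import struct
from typing import Dict, List, Tuple

UDP_LIMIT = 512                # RFC 1035 cap for a DNS message over UDP (no EDNS0)
TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28
CLASS_IN = 1
TTL = 518400                   # any value; the TTL does not change the size


def encode_name(name: str, offsets: Dict[str, int], pos: int) -> bytes:
    """Encode `name`, replacing any suffix already present in the message with a
    2-byte pointer (RFC 1035 s4.1.4). `offsets` maps a suffix such as
    'root-servers.net.' to where it was first written; `pos` is the offset at
    which this name starts. The root name '.' is the single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]) + "."
        if suffix in offsets:                      # seen before: compress
            return out + struct.pack("!H", 0xC000 | offsets[suffix])
        offsets[suffix] = pos + len(out)
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_priming_response(servers: List[Tuple[str, str, str]],
                           with_aaaa: bool = False) -> bytes:
    """servers: (hostname, ipv4, ipv6) triples. Returns the wire-format reply
    to '. NS IN' with A glue (and AAAA glue when requested)."""
    offsets: Dict[str, int] = {}
    n = len(servers)
    arcount = 2 * n if with_aaaa else n
    # Header: ID, flags (QR|AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, n, 0, arcount)
    # Question section: ". NS IN"
    msg += encode_name(".", offsets, len(msg)) + struct.pack("!HH", TYPE_NS, CLASS_IN)
    # Answer section: one NS record per server, owner "."
    for host, _, _ in servers:
        owner = encode_name(".", offsets, len(msg))
        fixed = struct.pack("!HHI", TYPE_NS, CLASS_IN, TTL)
        rdata = encode_name(host, offsets, len(msg) + len(owner) + len(fixed) + 2)
        msg += owner + fixed + struct.pack("!H", len(rdata)) + rdata
    # Additional section: glue. Each owner name already appears in an NS
    # rdata, so it compresses to a 2-byte pointer.
    for rtype in ([TYPE_A, TYPE_AAAA] if with_aaaa else [TYPE_A]):
        for host, ip4, ip6 in servers:
            addr = ipaddress.ip_address(ip6 if rtype == TYPE_AAAA else ip4).packed
            owner = encode_name(host, offsets, len(msg))
            msg += owner + struct.pack("!HHIH", rtype, CLASS_IN, TTL, len(addr)) + addr
    return msg


def sample_servers(n: int) -> List[Tuple[str, str, str]]:
    """Constructed list: a.root-servers.net., b...., with documentation
    addresses from 192.0.2.0/24 and 2001:db8::/32 (not the real ones)."""
    return [(f"{chr(ord('a') + i)}.root-servers.net.",
             f"192.0.2.{i + 1}", f"2001:db8::{i + 1}") for i in range(n)]


def priming_size(n: int, with_aaaa: bool = False) -> int:
    return len(build_priming_response(sample_servers(n), with_aaaa))


def fits_in_udp(n: int, with_aaaa: bool = False) -> bool:
    return priming_size(n, with_aaaa) <= UDP_LIMIT


if __name__ == "__main__":
    for n in (13, 14, 15, 16):
        print(f"{n:2} servers: {priming_size(n):3} bytes with A glue, "
              f"{priming_size(n, True):3} bytes with A+AAAA glue")
```

With 13 servers the reply is 436 bytes, comfortably under 512; once an AAAA glue record is added for each of the 13 it grows to 800 bytes, which is why IPv6 glue for the root needs EDNS0 or a truncated reply and a TCP retry. Thirteen is not the hard ceiling for this idealised reply (15 single-letter names still fit), but it leaves margin for longer names or an extra record such as an EDNS OPT pseudo-record.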

A map of the 13 root server locations and a complete list of the servers and their anycast instances is available at http://www.root-servers.org/.

 

Posted in interesting, internet, networking

 

Skype PBX is here : Good or bad ?

09 Mar

Recently I wrote about skype invading the cellphone market. While this might be a few years away, something more interesting might happen much earlier.

A few companies at CeBIT are showing off Skype-to-PBX gateways [Vosky, Spintronics, Zipcom]. Imagine how easy it would be to communicate between two branches using VoIP, but without the expense of costly VoIP hardware.

I think this is a bag of good and bad news.

The good news is that Skype will break down the artificial communication barrier between people and companies living in different parts of the world. Until recently we assumed it was fine to charge more to talk with someone very far away, almost as if travel fares were directly proportional to distance. With "national plans" most voice carriers gave us a way to communicate with anyone in the country for the same fare. Unfortunately no such plan exists internationally, because, unlike within the US, carriers don't have agreements with all the countries in the world. The internet, by design, broke down such barriers very early in its evolution. I'm very excited that Skype is leading the way in making voice communication cheaper, which will go a long way in moving us towards a truly global economy.

Skype is a wonderful product: it's free to use, and its API has allowed other products to be built around it. Its growth is almost viral in nature. The bad news, however, is that we might be seeing the birth of another monopoly, one that is building its business on security through obscurity. I recommend reading a fascinating presentation, "Silver Needle in the Skype", by Philippe Biondi and Fabrice Desclaux. They describe how hard Skype has worked to keep its protocol closed: even the installation binaries are packed with obfuscated code and anti-debugging and anti-reverse-engineering mechanisms.

Skype is opening up holes in the network faster than most of us realize. What if someone finds a hole in the Skype software or protocol after it has become a critical part of the global communication infrastructure? Are we setting ourselves up for a global catastrophe?

Even though I personally like Skype, security through obscurity should be discouraged, and I'll try my best to look for alternatives unless Skype opens up the protocol further.

 

Posted in internet, voip

 

Detecting Phishing sites

02 Mar

Wikipedia: "Phishing is a form of criminal activity utilizing social engineering to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to 'fish' for users' financial information and passwords."

According to Anti-Phishing.org there were 5490 more phishing sites reported in December 2005 than a year earlier. If you run a business which involves any kind of monetary (or identity) transactions, it's just a matter of time before you become a target.

A lot of companies today are working together to solve this problem, which is at least as hard, if not harder, than stopping email spam. The underlying reason phishing is still a good business model is that users aren't technical enough to recognise a phishing attack. For example, one of the most common misconceptions among users is that a secure website (one served over SSL) with a valid SSL certificate is completely trustworthy. Most users don't know that getting a certificate is almost as simple as buying apples from a store. An SSL certificate does help by encrypting traffic to the server it was issued for, but a valid certificate for https://www.ebey.com cannot tell you that you meant to visit https://www.ebay.com.

Help is on the way, though. Some organizations are building visual tools (or browser plugins) that can identify a probable phishing site and alert the user visually. IE7, still in beta, apparently will have such a tool built into the browser. The sad part is that most of these mechanisms still depend on the user downloading and installing something, which will not happen overnight.

Most organizations that deal with sensitive data are aware of the phishing problem and have a reactive security team that identifies such websites and gets them shut down; a few even take the time to train their users. The lag between a phishing website going live and the point when it is taken down is still significantly long, and that window is where the damage is done.

The technology behind a detection engine for phishing attacks is not very different from that of a spam filter. Both rely on some kind of signature, and both have their share of false positives and false negatives. Just as spammers keep getting through our spam filters, it is only a matter of time before phishing attacks become more sophisticated.

Websites with a more urgent need for anti-phishing protection, which can't wait for IE7 to be deployed everywhere, are resorting to other interesting ideas. One which I have personally witnessed and appreciate is something called PassMark, which uses a two-way (mutual) authentication mechanism rather than standard two-factor authentication. In two-way authentication the server authenticates to the user before the user authenticates to the server. In one example you select an image from a random set of images on the banking site; before you enter your password to log in, the banking website shows you the image you previously selected. Since it is easier to notice a changed image than a minor variation in a URL, this mechanism works well for technically challenged users as well. Note that it raises the bar rather than removing the threat: a phishing site that proxies the real login flow live can fetch and relay the image too.

For a phishing website to be set up, the attacker first has to mirror the real website, and that is another place where security teams can set up alerting. Unlike most search engine crawlers, an attacker mirroring a site usually downloads pages and images with an automated tool that behaves differently from a human-driven browser (no Referer, an unusual User-Agent string, every image fetched in rapid sequence). Detecting such patterns in the access logs can give the site owner enough of a heads-up to analyse and disable the offending website before the attack is launched.

If the attacker succeeds in copying the content, sets up a replica and moves it to a different subnet, it can be hard to track down and shut down. To maximise the number of victims caught in the trap (and thus profit), phishing websites try their best to minimise service disruption for the user: some forward the user to the real website as soon as the username and password are typed. One way to detect this is to analyse the Apache/www logs for the Referer header. Browsers normally send a Referer when following a link or submitting a form, so there is a good chance the phishing site leaves a trace of its existence in the target's logs. If the server-side application sees a request to the login page whose Referer comes from an unauthorised site, it can proactively warn the user and shut the session down. Two caveats: the attacker controls the page the victim is forwarded from, so the header can be stripped (a meta refresh or a JavaScript redirect, for instance), and some privacy tools and proxies remove it for everybody, so a missing Referer is only a weak signal while an off-site one is the strong signal.
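As an added example of the Referer check (not code from the original post): the detector below parses Apache combined-format log lines and flags login requests whose Referer points off-site, login requests with no Referer at all (the weak signal), and static assets being loaded from a foreign page (the mirrored-site case, where a clone hotlinks the real site's images). The hostnames, paths and log lines are constructed for the example; the allowed-host check uses exact or proper-subdomain matching so that a look-alike such as www.example-bank.test.secure-update.example is not accepted.

```python
"""Flag requests whose Referer points off-site (added example).

Assumed for the example: the site is www.example-bank.test, the login form
lives at /login, and logs are in Apache "combined" format. The log lines
below are constructed, not taken from any real server.
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example-bank.test", "example-bank.test"}  # assumption
LOGIN_PATHS = {"/login", "/login.aspx"}                          # assumption

# Apache combined format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2006:10:01:13 -0800] "GET /login HTTP/1.1" 200 1523 "https://www.example-bank.test/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
203.0.113.7 - - [02/Mar/2006:10:01:20 -0800] "POST /login HTTP/1.1" 302 0 "https://www.example-bank.test/login" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5"
198.51.100.23 - - [02/Mar/2006:10:02:02 -0800] "POST /login HTTP/1.1" 302 0 "http://www.example-bank.test.secure-update.example/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.24 - - [02/Mar/2006:10:02:40 -0800] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.9 - - [02/Mar/2006:10:03:11 -0800] "GET /images/logo.gif HTTP/1.1" 200 4012 "http://203.0.113.250/bank/index.html" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5"
"""


class Finding(NamedTuple):
    ip: str
    path: str
    referer_host: Optional[str]
    reason: str


def parse_line(line: str) -> Optional[dict]:
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str) -> Optional[str]:
    """Hostname from the Referer value, or None when the browser sent none."""
    if referer in ("", "-"):
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_allowed_host(host: str) -> bool:
    """Exact match or a real subdomain only. A prefix such as
    www.example-bank.test.evil.example must NOT match."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def classify(rec: dict) -> Optional[str]:
    host = referer_host(rec["referer"])
    if rec["path"].split("?", 1)[0] in LOGIN_PATHS:
        if host is None:
            return "missing-referer"   # weak: proxies and privacy tools strip it
        if not is_allowed_host(host):
            return "offsite-referer"   # credentials arrived via a page we do not own
        return None
    if host is not None and not is_allowed_host(host):
        return "hotlinked-asset"       # a clone loading our images/CSS in place
    return None


def suspicious_entries(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                   # not combined format; skip rather than guess
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["ip"], rec["path"],
                                    referer_host(rec["referer"]), reason))
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_LOG):
        print(f"{f.reason:16} {f.ip:15} {f.path:18} referer={f.referer_host}")
```

Run over the sample, the first two lines (a normal visit from the site's own pages) are silent, the look-alike host and the missing Referer on a login POST are reported, and the image fetched from a page on 203.0.113.250 is reported as a hotlinked asset; in production the last two kinds of finding deserve a second look before any session is terminated, since the Referer is client-supplied and easily absent.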

As I said before, there are a lot of companies trying to solve this problem. I heard about one at CodeCon 2006 and found them fascinating. I hope some of these are implemented very soon, so that we IT folks can stop worrying about training the users and get down to some real work.

 

Weekly updates 26 Feb 2006

26 Feb

  • Google Pages is here for everyone. I've heard people comparing it with what GeoCities (now owned by Yahoo) used to do a long time back. Google Pages lets users create pages with the help of AJAX. What stood out, however, was the hint that Google Pages might become group-editable, making it easy to create and manage pages like a wiki server.
  • My Page Rank is an interesting service which lets you put your page rank on your website. Nothing new about it, but it's there and does the dirty work of converting stats into an image.
  • Zillow.com has got a lot of traction in the media lately. Zillow does one thing and does it very well: it tries to predict home prices based on past and present price trends, taking into account the amenities available to the home to predict its next sale price. With house prices tanking in some places, a tool like Zillow for understanding trends will be of great value.
  • Google Finance might be on the way. Search Engine Journal has some interesting observations.
  • Another interesting but useless site I found is Toogle.
 

Posted in interesting, internet

 

Wireless Skype handsets (802.11)

25 Feb

Those of you who never talk to anyone outside this (US) island you live on have probably never used Skype. For everyone else, who can't buy unlimited minutes to other parts of the world, thank Skype for trying to change the world.

But the Skype world is not perfect yet. You still have to use your computer to make and receive calls. There are some Skype-to-phone gateways available, but most of them are hacks at best. A few companies have big plans for Skype in the near future, and here are some interesting details I gathered over the last few weeks.

To begin with, there are 4 classes of Skype devices out there today.

  • Traditional headphones and microphones, using the speaker and mic-in connections on the computer
  • Intelligent wired USB devices which interact with the Skype software on the computer to make and receive calls. Some even have an LCD display on the handset.
  • Intelligent wireless USB devices which can do whatever the wired devices can, but let you move around without wires. The catch is that a base module is always attached to a USB port on the computer, and the computer has to be on for it to work.
  • Skype on handheld devices, which requires you to buy an expensive PDA to make free or cheap phone calls

Most of this hardware is available on eBay, Froogle and Skype.

A few days ago a friend showed me some interesting news about FON on Om Malik's blog. FON is an interesting community project which promotes wireless access sharing by promising connectivity to its large network of POPs around the world. The catch is that if you want to access their POPs, you have to set up one FON wireless gateway yourself. Aha: if you know how BitTorrent works, you will see some similarities here.

Anyway, I heard that Google and Skype are two of the investors in FON. Google, which has been investing heavily in last-mile connectivity (free wireless in cities like Mountain View), has a lot to gain from monitoring user activity. But what I couldn't understand was why Skype was getting into it.

Until I figured out that Skype depends heavily on internet availability to let customers make phone calls; without that network being available, every one of its customers will continue to depend on traditional means of wireless communication, which bites into its revenue.

If Skype could provide internet connectivity over 802.11, Skype users might think about using Skype for all of their calls. But who on earth wants to carry their seven-pound laptop around with them? I'm glad you asked.

There are a few vendors out there who have been very busy building 802.11-based Skype phones which don't need USB at all. A few others are building 802.11 into regular cellular phones, so that customers have a choice about which network to use when an 802.11 network is available. Interesting. So who are these guys?

I recently bought a free.1 phone, which is a wired USB device, to use with my Skype account on my PowerBook. Though it worked beautifully (as expected), I'd recommend everyone out there wait for the 802.11 devices to come out if you can. Also, even though I mentioned FON, I personally would never set it up without putting it behind a firewall of some kind. So in other words I'll probably end up paying FON/Skype instead of setting up the FON wireless device on my network.

 

Posted in internet, voip

 

The pain of Load balancing applications

18 Feb

Introduction

Loadbalancing may mean many different things to different people, but it is all about distributing load. For me it is an architecture in which a network service is scaled by adding multiple servers performing the same task.

If you had a popular website with static content and your server couldn't keep up with the requests, all you had to do was set up multiple web servers and use round-robin DNS entries to divide the load between them. For dynamic web applications like search engines this plays an even bigger role, because the number of users a single node can support is much lower.

Over time, as applications grew more complex and as web companies found customers outside the US, they discovered that the only way to optimise network performance was to go local. Loadbalancing across POPs (points of presence) around the world provides the snappy user experience that has been important in drawing more customers.

While static content can easily be replicated to web servers around the world, some web applications need to maintain the state of a user's actions across requests. Loadbalancer vendors have been attacking this particular problem for the last few years. Among the many odd ways of doing it, one was associating a source IP with a web server; unfortunately some ISPs switch the source IP in the middle of a session, which proved disastrous for some applications. Others used cookies or session identifiers in the URL to solve the problem.

Loadbalancing is not rocket science, but it is not for the faint of heart either. This article is a collection of my past and present thoughts on loadbalancing architectures which I've worked with or read about.

Under the hood

Though loadbalancers sound simple, under the hood they are a complicated beast. Today's loadbalancers have so many features that they sometimes overshadow the complexity of the application they are supposed to loadbalance. It is also important to note that loadbalancers are not just designed for web applications anymore; they are ideal hardware for loadbalancing databases, LDAP servers, terminal servers and other custom behind-the-scenes applications.

Firewalls and Application Gateways

The internal design and implementation of a modern loadbalancer is very close to that of a basic firewall. While a firewall is designed to block all disallowed traffic, it also does limited network and port address translation. A good firewall is more than a packet filter in the sense that it actually keeps state of what is going on between a client and a server. From the moment a session is initiated, assuming it is allowed by the ACLs (access control lists), it creates a session record in which it stores the protocol, source and target addresses and port numbers. Subsequent packets are matched against that table and allowed through or rejected based on which sessions are valid.

HTTP is a relatively trivial protocol to track when compared to FTP, SNMP and other protocols that carry no session of their own. UDP and ICMP in particular are awkward because they are connectionless: there is no handshake or teardown to mark where a "session" starts and ends, so a stateful firewall has to synthesise a pseudo-session keyed on addresses and ports and expire it on a timer. FTP is hard for a different reason: its data connection is negotiated inside the control channel, so the firewall must parse the protocol to know which port to open. These protocols have forced firewall vendors to come up with custom hacks to deal with each problem.

Depending on whom you talk to, a firewall which sits between two networks and inspects and validates sessions using "deep packet inspection" could be called an "application gateway", because it has enough intelligence to understand requests in that application protocol and to generate responses itself. Many modern firewalls could be called HTTP gateways because they can understand and respond to HTTP requests.

TCP/IP basics

To understand what an "application gateway" does it is important to understand how a TCP/IP connection is set up.

  • Resolve the address
    Address resolution is the first step of every successful TCP/IP connection. A client and a server cannot communicate using just a name; the client resolves the server's name to an IP address first.
  • SYN
    Next the client sends the first TCP packet with the "SYN" flag set. This is like a "hello" packet telling the server that the client wants to talk. The other piece of information in this packet which the server needs is the destination port number the client wants to talk to; for most web requests it is 80 or 443.
  • SYN-ACK
    If the server is listening on that port and has the resources, it replies with a packet in which both "SYN" and "ACK" are set. When the client gets this packet it knows that the server is alive and that a service is running on that port.
  • ACK
    The client now sends an "ACK" for the packet the server sent and can, if it wants, start sending data as well.

An "HTTP gateway" does two important things with this knowledge. First it talks to the browser and completes the TCP handshake so that it can read where the user wants to go. This matters, because even though the browser assumes it is connected to the web server, its connection is actually terminated on the firewall. Once the gateway has decoded the HTTP request and knows where it has to go (and whether that request is allowed), it opens a second TCP connection to the backend web server with a second handshake, and from then on relays data between the two connections; the browser never talks to the backend directly.

A loadbalancing appliance, for the most part, works just like this. The only significant difference is its ability to spread those backend connections across multiple servers without the user knowing about it.

Basic Loadbalancing terminologies

The terminology I will use in the rest of this document is based on my experience with Cisco CSS and Radware WSD/CT100s. I've noticed that vendors take great liberties in inventing new terminology, which can easily confuse the admin.

  • Service endpoint
    A "service" in CSS is defined to be an endpoint which can provide service. An example would be a server with IP 192.168.1.4 running a TCP service on port 80. If you want to loadbalance a couple of read-only Oracle servers you might have them providing service on port 1531 instead. In most cases a client never connects to this endpoint directly; the only exception is when the loadbalancer is doing DNS-based loadbalancing, in which case the client does connect directly to the service endpoint.
    This terminology is a little fuzzy in Radware WSD. By default WSD assumes one wants to loadbalance all available services on all ports of the servers and doesn't force the user to select the port number on which the service runs. This might be a good thing when you have multiple servers providing multiple services, but I personally avoid it for reasons I'll explain later.
  • Content rule endpoint
    A "content rule" in CSS is the endpoint to which an actual user connects. For a TCP/IP-based service it would include the IP address and port number to which requests should come. If this is a DNS-based loadbalancer, it would be running a DNS server on port 53 over UDP and TCP.
  • Session persistence
    The feature which lets the LB track user sessions and direct a user to the same server for subsequent requests is what I call "session persistence". Again, there are many different ways of doing this depending on which application server and loadbalancer you use.
  • Timeouts
    This is one of the most critical parameters and plays a big role in how your application behaves. Timeouts let clients and application, server and network components know when to give up, and they free up critical resources which would otherwise slow the application down. But setting them too low, or setting different timeouts in different parts of the network and application stack, can break your application in unexpected ways.
  • Keepalives
    The word keepalive has a different meaning in different contexts. A networking guru will think of the keepalives some protocols use to keep a connection alive through firewalls that would otherwise drop it for inactivity. A web guru will think of HTTP keepalives, which let the browser send multiple requests to the server without renegotiating a TCP connection each time. Unfortunately Cisco CSS also uses the term for its service availability checks.
  • Layer 4 loadbalancing
    Most early loadbalancers did loadbalancing and session persistence based on the source IP address and port number. In a perfect world where every user has his or her own IP address which doesn't change with time this is a perfect solution. In our world, where ISPs like AOL change proxy servers without telling the user and where 100 to 1000 users can be NATed behind the same source IP, it doesn't work.
  • Layer 7 loadbalancing
    This is what most loadbalanced applications use to persist and distribute sessions across multiple servers. It requires the loadbalancer to inspect the HTTP request and look at various headers to make a decision. The fields commonly inspected are the Host header, the request URI and cookies.
  • Load distribution algorithms
    One of the trickiest problems for a loadbalancer is finding the optimal server for a new user. Unlike round-robin DNS, which gives the same weight to each server, some algorithms can send more traffic to servers that are faster or newer than others, or less traffic to nodes that are very busy or have a lot of active sessions. Some of the common algorithms I've come across are:
      • Round Robin
      • Weighted Round Robin
      • Least Users
      • Weighted Least Users
      • Least Traffic
      • Weighted Least Traffic
  • DNS-based loadbalancing
    Distributing load at DNS query time is called DNS round robin. The loadbalancing appliance usually does some kind of check to see which web servers are available, and based on the load distribution algorithm it returns the list of available nodes, in priority order, in the DNS response to the customer.
  • Global loadbalancing
    This term is generally reserved for appliances which loadbalance customers across different points of presence around the world or country. The appliance does some kind of polling to find out which POP is closest and most responsive to the customer before it sends the client there. Implementations of global loadbalancing vary, but DNS is one of the popular mechanisms for directing users.

Design Recommendations

    • N, N+1 or 2*N configuration
      Whenever resources are procured and deployed, always plan for one extra. This is the only way to provide continuous service without degrading quality. You don't have to keep it running, just have it available as a standby. Loadbalancing solutions which understand the significance of a standby server and know when to use it can reduce the number of annoying phone alerts at 3am on a Sunday morning.
    • Health monitoring
      Almost all loadbalancers claim to have some mechanism for detecting web server failure. But if you have a complex web application that relies on a host of other components to service customer requests, make sure the health monitoring module can accurately gauge node health. For example, there are times when requesting "/index.html" comes back with "200 OK" while "/login.aspx?username=xyz&pass=xyz" throws a stack trace because LDAP was unavailable. If you probe a login path, give the probe a dedicated low-privilege test account rather than real credentials, because that URL, query string included, ends up in every access log and proxy log along the way. Also remember that the frequency of health checks can degrade your application's response time.
    • Maintaining state
      Applications which keep state in session memory are very picky about session persistence. Most loadbalancers can be configured to extract session identifiers from the URL or from cookies. If you know how your application sends session identifiers to the end user, make sure the loadbalancer supports it. Unfortunately, though cookies are simple to implement on the application server, they can become a complicated beast for network devices. Here are the problems I've dealt with in the past:

      • Cookies need to be enabled
        Applications which maintain sessions this way require cookies to be enabled in the browser. URL rewriting is another way to carry the session identifier, but it is considered less secure because most proxy servers log the request line, which then includes the session identifier. SSL hides the URL from intermediate proxies, but the identifier still ends up in browser history, in bookmarks and in the Referer header sent to any third-party site the page links to, so bookmarks get ugly and the session can leak.
      • Cookie size is limited
        If you have a lot of cookies, or forget to delete cookies from users' browsers, they add up to the point where the Cookie header is too big to be sent or accepted. What's trickier is that some loadbalancers don't even read the complete Cookie header, which means that if the session cookie is at the end of a long list of cookies, some loadbalancers will ignore it.
      • Cookies+Java over SSL
        If your application uses HTTPS and have Java applets communicating over SSL, this is one bug to look out for. We have seen instances where Java applets insert the HTTP cookie headers into HTTPS header section instead of HTTP header. The work around is do the HTTP->HTTPS packet encapsulation yourself. If this bug does show up in your network, the responsibility of extracting cookie from HTTPS packet and inserting it into HTTP packet belongs to the SSL engine you are using. For us Radware seems to do the trick so we were never able to break the application in-house. However, some clients outside our company were using proxy servers which were remove extra information in SSL header which broke our application
      • Set-Cookie bug
        One of the very early session persistence bugs we noticed in a couple of loadbalancers I tested in late 2000 was the one where the “Set-Cookie” HTTP header from the server was ignored by the loadbalancer. This meant that the there was a very good possibility that the first HTTP request the client sent with the Cookie set, would be different from the original server which sent a Set-Cookie request to the client.
      • Keep-alive bug
      • Keep-alive bug
        Keep-alives are designed to optimise network throughput by letting clients send multiple HTTP requests over the same TCP connection. Unfortunately some loadbalancers ignore all cookies except the one in the first HTTP request on the connection. The logic is simple: once a client is connected to a server there is no reason to check the cookies again. The problem shows up when the client is behind a proxy server. Some "intelligent" proxy servers multiplex requests from several clients over the same keep-alive connection, which plays havoc with sessions if the loadbalancer doesn't inspect every request.
    • Inactivity timeouts
      The inactivity timeout of an established TCP connection can be a problem if delays of over a minute are normal in your web application. We have faced a number of timeout-related issues in our network. Six of the most common components which can time out your TCP connection early are:

      • Proxy servers
      • Firewalls
      • Loadbalancers
      • SSL Accelerators
      • Web server
      • Application server
    • Session timeouts
      Session timeouts are also important. In most cases these are the only two components which actually care about "sessions" spanning multiple TCP connections:

      • Loadbalancers
      • Application server
    • Recommended Optimizations
      • Use Multiple domains
        If you have a site with lot of images, CSS files or Javascripts embedded in them, I strongly recommend you to distribute your files over multiple “hosts”. The reason is simple. There is a limitation on how many objects can be downloaded per host for both IE and Firefox. If you spread your files over 2 hosts, your browser will open twice the number of threads to download. For most customers who don’t have too many images, this is not a problem. But a website heavy on AJAX should consider this.
      • Latency
        Every request has a latency associated with it. If you have the option of setting up multiple datacenters, choose locations by latency rather than by distance from the customer’s location. If buying a leased pipe from the customer’s location to your data center is possible, that would be about the closest to a perfect solution you can achieve. The only thing better than that is moving the data center to the customer’s location.
        If you can’t do either of these, think about using services like Akamai which cache and serve the objects from a server nearest to the customer.
      • Caching
        Caching is a great feature. If a customer already has an image file, there aren’t many good reasons why that image should be requested again and again. Set up caching on your web server; on Apache it can be done using mod_expires. If you have a dynamic web application, set it up such that dynamic content is not negatively affected by the caching feature.
      • Compression
        Many of you are not even aware that many websites (if not most) already compress data on the fly. If you have applications which are bandwidth intensive, enabling compression can probably speed up the UE (User Experience) and save you a bunch of money at the same time. However, remember that there is a computational expense at the server end to compress content on the fly. If the servers are very loaded, think about deploying a cluster of SSL accelerators which can take over the load.
      • Keepalives
      • Browser threads
    • SSL Accelerators
      • Compatibility
        If your application might require SSL acceleration at some point, design your architecture assuming that you need one right away. SSL is a CPU intensive process which is usually not done by the loadbalancer, though there are a few which do. The decision to buy a loadbalancer with or without SSL within it depends purely on the traffic one is expecting over time. Because the throughput of a loadbalancer is usually much higher than that of an SSL accelerator, a solution where loadbalancer and SSL are in the same box might be more expensive to scale than a solution where SSL and LB are different components in the network. If you plan to separate your LB and SSL infrastructure, one additional issue you would have to deal with is their compatibility. The devices we initially selected for LB and SSL did work together very well, until we switched on VRRP when all hell broke loose. Unless you have a lot of time and resources, you might be better off going with a combination of solutions which have been implemented together before instead of picking a new pair of vendors.
      • One-Arm or In-Line configuration
        When you design the network diagram, another question you will be asking yourself is whether you want to deploy SSL in a “One-Arm” or an “In-Line” configuration. In the “In-Line” configuration all requests go through the SSL accelerator before they hit the loadbalancer. In the “One-Arm” configuration all traffic hits the loadbalancer, which then decides whether to send the traffic to the SSL box. If you are a financial site which does all its work over SSL, you might like to investigate the “In-Line” configuration, but for the rest of us “One-Arm” might be more suitable.
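    The two session persistence bugs described above (Set-Cookie ignored by the loadbalancer, and only the first cookie on a keep-alive connection inspected) can be reproduced in a small simulation. This is an added example, not the author's code: the backend names, the round-robin fallback and the SRV session cookie are constructed assumptions.

```python
# Simulates the two session-persistence bugs: a load balancer that ignores the
# backend's Set-Cookie, and one that only inspects the Cookie of the first
# request on a keep-alive connection. Added example; names are constructed.
import itertools

BACKENDS = ["web1", "web2", "web3"]  # constructed backend pool

def backend(name, cookie):
    return name, (f"SRV={name}" if cookie is None else None)  # cookie on 1st contact

class LoadBalancer:
    def __init__(self, honour_set_cookie=True, cookie_per_request=True):
        self.rr = itertools.cycle(BACKENDS)  # fallback: round robin
        self.table = {}                      # cookie value -> backend name
        self.honour_set_cookie = honour_set_cookie
        self.cookie_per_request = cookie_per_request

    def open_connection(self):
        return {"pinned": None}              # per-TCP-connection state

    def request(self, conn, cookie):
        if not self.cookie_per_request and conn["pinned"]:
            target = conn["pinned"]          # keep-alive bug: later cookies ignored
        else:
            target = self.table.get(cookie) or next(self.rr)
        served, set_cookie = backend(target, cookie)
        conn["pinned"] = conn["pinned"] or served
        if set_cookie and self.honour_set_cookie:
            self.table[set_cookie] = served  # correct: learn from Set-Cookie
        elif cookie is not None:
            self.table.setdefault(cookie, served)  # buggy LB learns only here
        return served, set_cookie

def set_cookie_bug(honour_set_cookie):
    """Client gets a cookie on one connection, presents it on a fresh one."""
    lb = LoadBalancer(honour_set_cookie=honour_set_cookie)
    first, cookie = lb.request(lb.open_connection(), None)
    second, _ = lb.request(lb.open_connection(), cookie)
    return first, second                     # equal only if Set-Cookie honoured

def keepalive_bug(cookie_per_request):
    """A proxy multiplexes two clients' requests over one keep-alive channel."""
    lb = LoadBalancer(cookie_per_request=cookie_per_request)
    srv_a, ck_a = lb.request(lb.open_connection(), None)
    srv_b, ck_b = lb.request(lb.open_connection(), None)
    shared = lb.open_connection()            # the proxy's single TCP channel
    got_a, _ = lb.request(shared, ck_a)
    got_b, _ = lb.request(shared, ck_b)
    return (srv_a, srv_b), (got_a, got_b)    # pairs differ if the LB is buggy
```

    With the buggy settings the client's first cookie-bearing request lands on web2 although web1 issued the cookie, and the second proxied client's requests are pinned to the first client's server.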
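    The caching and compression recommendations above, applied to a WSGI application as an added example (not the author's code): expiry headers by content type in the spirit of mod_expires, an explicit no-store for dynamic responses, and gzip only where it is worth the server CPU. The content types, TTLs, the 1 KiB threshold and the X-Dynamic marker header are constructed assumptions.

```python
# Caching headers by content type, no caching of dynamic output, and gzip only
# when it pays for its CPU cost. Added example; values below are constructed.
import gzip
import time
from email.utils import formatdate

STATIC_TTL = {"image/png": 7 * 86400, "text/css": 86400,
              "application/javascript": 86400}   # seconds, constructed
MIN_GZIP = 1024   # smaller bodies cost CPU to compress but save almost nothing

def cache_headers(content_type, dynamic, now=None):
    """Long TTL for known static types, explicit no-store for dynamic pages."""
    if dynamic:
        return [("Cache-Control", "no-store, no-cache, must-revalidate"),
                ("Expires", "0")]
    ttl = STATIC_TTL.get(content_type.split(";")[0].strip())
    if ttl is None:
        return []                              # unknown type: let caches decide
    now = time.time() if now is None else now
    return [("Cache-Control", f"public, max-age={ttl}"),
            ("Expires", formatdate(now + ttl, usegmt=True))]

def maybe_gzip(body, accept_encoding):
    """Compress only if the client accepts gzip and the body is big enough."""
    if "gzip" not in (accept_encoding or "") or len(body) < MIN_GZIP:
        return body, []
    return gzip.compress(body), [("Content-Encoding", "gzip"),
                                 ("Vary", "Accept-Encoding")]

def middleware(app):
    """WSGI wrapper; the app flags dynamic output with an X-Dynamic header."""
    def wrapped(environ, start_response):
        captured = {}
        def sr(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)
        body = b"".join(app(environ, sr))
        orig = dict(captured["headers"])
        headers = [h for h in captured["headers"]
                   if h[0] not in ("X-Dynamic", "Content-Length")]
        body, enc = maybe_gzip(body, environ.get("HTTP_ACCEPT_ENCODING"))
        headers += cache_headers(orig.get("Content-Type", ""), "X-Dynamic" in orig)
        headers += enc + [("Content-Length", str(len(body)))]
        start_response(captured["status"], headers)
        return [body]
    return wrapped
```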

    Comments Off

    Posted in http, internet, loadbalancer

     

    Root servers

    11 Dec

    Some of you probably know what a Root Server is. But did you know that there is a site dedicated to them? Of course the internet wouldn’t exist without them, but I thought this information would be buried under one of the sites like ICANN or the US MIL site. You can download the latest named.root file from this location.

     
    Comments Off

    Posted in internet