[zorp] Clustering Zorp with LVS

Sheldon Hearn zorp@lists.balabit.hu
Wed, 14 Apr 2004 01:17:31 +0200


Hi folks,

I finally have a working lab setup that uses LVS-DR to load balance
across two zorp proxies.

The lab configuration is inspired by the load balanced configuration
presented on page 10 of the Zorp Professional 2 Product Description at
http://www.balabit.com/dl/zorp2.pdf, and a diagram of my implementation
is available at http://starjuice.net/zorp/lab_implementation.png [1].

I'm using Linux LVS-DR with fwmarks for both front and back load
balancers; birdy (the front load balancer) uses the SH (source hash)
balancing algorithm, while wormy (the back load balancer) uses DH
(destination hash).  This works okay, but the algorithm doesn't balance
very well, and doesn't cope well[2] with the addition and removal of
nodes (realservers in LVS jargon).

Ideally, what the back load balancer for a Zorp cluster needs to do is
this:

1) When a SYN comes in from a Zorp host, create a new connection table
entry, including the Layer 2 (Ethernet) address of the packet in the
entry.

2) When a packet comes back from the servers and is associated with a
connection table entry based on Layer 3 and 4 features, route the packet
via the Layer 2 address stored in the entry.
 
I've contacted 3 vendors and an open source group looking for a solution
like this.  Here are the responses:

1) Cisco say their 650x with Content Switching Module support
transparent proxy firewalls, and a friend of mine at Cisco confirms
this.

2) Enterasys engineering have confirmed that they have no device that
can do this.

3) Alcatel have confirmed that they have no device that can do this.

4) The folks on the LVS mailing list can't think of anything better than
the SH/DH approach.

Now a Cisco 650x w/ CSM costs more than USD 70,000.  That's a lot of
money to spend on a load balancer for 4 Zorp boxes!

So my question is, has anyone solved the Zorp clustering problem in an
affordable way, or is the Product Description just describing a
theoretical possibility for marketing purposes?

Ciao,
Sheldon.

[1] Beware of 
[2] In a simple test of 200 packets with randomly generated IP
addresses, zorp01 got 44% and zorp02 got 56%.