<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p> There is a draft [1] at the IETF about connection IDs for DTLS.
This is a way to identify a "DTLS connection" by an ID instead of
the classical IP address/port tuple. The objective is to reduce
the need for a DTLS full handshake when the client address/port changes.<br>
</p>
<p> I would like to know if it makes sense to do load balancing
based on this connection ID.</p>
<p> Here is the use case:<br>
You have a cluster of servers behind a unique IP address.<br>
You do load balancing using the IP address.<br>
You use UDP/DTLS.<br>
Some clients are behind NAT, so their IP/port can change.<br>
DTLS connection states are stored in each server and so are not
shared.<br>
</p>
<p>
So if clients use the same address/port, there is no issue, as
traffic will always be redirected to the same server. The server
already has a connection for this peer, no need to full-handshake.<br>
If the address/port changes, there are 2 possibilities:<br>
- by chance the load balancer sends traffic to the same server
and thanks to the CID the server can reuse its connection, no need to
full-handshake<br>
- bad luck, traffic is redirected to a server which does not know
this peer, so it will need to do a full handshake.</p>
<p> It seems to me that doing load balancing on this connection ID
could solve the problem. [2]<br>
</p>
<p> Does it make sense to you? Is it a way to create a kind of 3rd-party
module for nginx?</p>
<p>Thx</p>
<p>Simon<br>
</p>
<p>[1] <a
href="https://tools.ietf.org/html/draft-rescorla-tls-dtls-connection-id-00">https://tools.ietf.org/html/draft-rescorla-tls-dtls-connection-id-00</a>
<br>
[2] <a
href="https://www.ietf.org/mail-archive/web/tls/current/msg24619.html">https://www.ietf.org/mail-archive/web/tls/current/msg24619.html</a><br>
</p>
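<p>As an added illustration of the CID-keyed selection proposed above (example code, not part of Simon's message or of any nginx module): a C routine that keys a datagram on its connection ID once one is present, and on the address/port tuple during the epoch-0 handshake, so a peer whose NAT mapping changes still reaches the server that holds its state. It assumes the -00 draft's record layout, with the CID placed directly after the 48-bit sequence number and its length configured on the balancer; the hash function, field offsets and sample CID are my own choices.</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed DTLS 1.2 record layout with a connection ID (per the draft's
 * record format): type(1) version(2) epoch(2) seq(6) cid(cid_len) length(2).
 * The CID length is not on the wire; the load balancer is configured with it. */
#define OFF_EPOCH 3
#define OFF_CID   11

/* FNV-1a: any stable hash of the key works for server selection. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Pick a backend for one datagram. Returns an index in [0, nbackends) or -1
 * if the record is too short to carry the fields the decision depends on. */
int dtls_pick_backend(const uint8_t *pkt, size_t len, size_t cid_len,
                      uint32_t src_ip, uint16_t src_port, unsigned nbackends)
{
    if (nbackends == 0 || len < OFF_EPOCH + 2)
        return -1;
    uint16_t epoch = (uint16_t)((pkt[OFF_EPOCH] << 8) | pkt[OFF_EPOCH + 1]);
    if (epoch == 0 || cid_len == 0) {
        /* Epoch 0 is the unprotected handshake: no CID yet, so key on the
         * address/port tuple, as the existing IP-based balancing does. */
        uint8_t key[6] = { (uint8_t)(src_ip >> 24), (uint8_t)(src_ip >> 16),
                           (uint8_t)(src_ip >> 8),  (uint8_t)src_ip,
                           (uint8_t)(src_port >> 8), (uint8_t)src_port };
        return (int)(fnv1a(key, sizeof key) % nbackends);
    }
    if (len < OFF_CID + cid_len + 2)          /* CID plus the 2-byte length */
        return -1;
    return (int)(fnv1a(pkt + OFF_CID, cid_len) % nbackends);  /* key on CID only */
}

/* Build a minimal record header (constructed test data, empty fragment). */
size_t dtls_make_record(uint8_t *out, uint16_t epoch, const uint8_t *cid, size_t cid_len)
{
    uint8_t hdr[] = { 23, 0xfe, 0xfd, (uint8_t)(epoch >> 8), (uint8_t)epoch, 0, 0, 0, 0, 0, 1 };
    memcpy(out, hdr, sizeof hdr);
    if (cid_len) memcpy(out + OFF_CID, cid, cid_len);
    out[OFF_CID + cid_len] = 0; out[OFF_CID + cid_len + 1] = 0;
    return OFF_CID + cid_len + 2;
}
```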
</body>
</html>