DTLS Load Balancing
contact at simonbernard.eu
Thu Oct 19 09:42:23 UTC 2017
There is a draft at the IETF about connection ID for DTLS. This
is a way to identify a "DTLS connection" by an ID instead of the
classical IP address/port tuple. The objective is to reduce the need for a
DTLS full handshake when the client address/port changes.
I would like to know if it makes sense to do load balancing based
on this connection ID.
Here is the use case:
- You have a cluster of servers behind a unique IP address.
- You do load balancing using the IP address.
- You use UDP/DTLS.
- Some clients are behind NAT and so their IP/port can change.
- DTLS connection states are stored in each server and so are not shared.
So if clients use the same address/port, there is no issue, as traffic
will always be redirected to the same server. The server already has a
connection for this peer, no need to full-handshake.
If the address/port changes, 2 possibilities:
- by chance the load balancer sends traffic to the same server and,
thanks to the CID, the server can reuse its connection, no need to full-handshake
- bad luck, traffic is redirected to a server which does not know this
peer, so it will need to do a full handshake.
It seems to me that doing load balancing on this connection ID could
solve the problem.
Does it make sense to you? Is there a way to create a kind of 3rd-party
module for nginx?
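The following is an added example, not part of the original post and not nginx code, sketching the routing decision a CID-aware UDP load balancer would make. It uses the CID record layout from the DTLS connection ID specification (the CID sits between the sequence number and the length field, and its length is not carried on the wire, so the balancer must be configured with it). Two assumptions are made for illustration: every backend issues CIDs of a fixed length (CID_LENGTH), and each backend encodes its own index in the first CID byte. That second assumption matters: the handshake records carry no CID, so they are routed by client address, and a plain hash of a random CID would not in general land on the server that created it; the CID therefore has to carry a server identifier (or the balancer has to keep a mapping). Sample datagrams are constructed inline; `route()` returns the backend name, or None for datagrams that are too short or truncated so they are dropped instead of forwarded.

```python
import hashlib
import struct
from typing import Optional, Tuple

# Assumed deployment settings (not from the post): every backend issues CIDs of
# this fixed length, since the CID length is not carried in the record header.
CID_LENGTH = 8
BACKENDS = ["srv0", "srv1", "srv2", "srv3"]

CONTENT_TYPE_TLS12_CID = 25   # outer record type used when a CID is present
DTLS_HEADER_LEN = 13          # type(1) version(2) epoch(2) seq(6) length(2)
CID_OFFSET = 11               # CID starts right after the 48-bit sequence number


class MalformedRecord(ValueError):
    """Raised when the datagram cannot be parsed as a DTLS record."""


def make_record(content_type: int, payload: bytes, cid: bytes = b"") -> bytes:
    """Constructed sample record (not captured traffic): DTLS 1.2 version bytes,
    epoch 1, sequence number 7, optional CID, then length and payload."""
    header = struct.pack("!BHH", content_type, 0xFEFD, 1) + (7).to_bytes(6, "big")
    return header + cid + struct.pack("!H", len(payload)) + payload


def extract_cid(datagram: bytes) -> Optional[bytes]:
    """Return the CID of the first record in the datagram, or None when the
    record is a plain DTLS record (e.g. a handshake flight) without a CID."""
    if len(datagram) < DTLS_HEADER_LEN:
        raise MalformedRecord("shorter than a DTLS record header")
    if datagram[0] != CONTENT_TYPE_TLS12_CID:
        return None
    header_len = CID_OFFSET + CID_LENGTH + 2
    if len(datagram) < header_len:
        raise MalformedRecord("CID record header truncated")
    cid = datagram[CID_OFFSET:CID_OFFSET + CID_LENGTH]
    (length,) = struct.unpack_from("!H", datagram, CID_OFFSET + CID_LENGTH)
    if len(datagram) < header_len + length:
        raise MalformedRecord("record body truncated")  # do not trust the CID
    return cid


def backend_for_address(addr: Tuple[str, int]) -> str:
    """Classic routing by client IP/port: used for handshake records, which
    carry no CID, and as the fallback for CIDs no backend could have issued."""
    digest = hashlib.sha256(f"{addr[0]}:{addr[1]}".encode()).digest()
    return BACKENDS[int.from_bytes(digest[:4], "big") % len(BACKENDS)]


def backend_for_cid(cid: bytes) -> Optional[str]:
    """Assumed CID scheme: the issuing backend stores its own index in the
    first CID byte, so the balancer needs no per-connection state."""
    idx = cid[0]
    return BACKENDS[idx] if idx < len(BACKENDS) else None


def route(datagram: bytes, client_addr: Tuple[str, int]) -> Optional[str]:
    """Pick a backend for one datagram; None means drop it."""
    try:
        cid = extract_cid(datagram)
    except MalformedRecord:
        return None
    if cid is not None:
        target = backend_for_cid(cid)
        if target is not None:
            return target
    return backend_for_address(client_addr)


if __name__ == "__main__":
    # Constructed samples: a handshake record, then an application record
    # carrying a CID issued by srv2, seen from two different client addresses.
    handshake = make_record(22, b"\x01" + b"\x00" * 20)
    app = make_record(CONTENT_TYPE_TLS12_CID, b"encrypted-app-data",
                      cid=bytes([2]) + b"\x11" * 7)
    print("handshake ->", route(handshake, ("10.0.0.5", 5000)))
    print("before NAT rebind ->", route(app, ("10.0.0.5", 5000)))
    print("after NAT rebind  ->", route(app, ("192.0.2.9", 61000)))
```

Routing is decided on the first record of the datagram; when a datagram carries several records they belong to the same connection, so that is sufficient. A record whose first CID byte names no known backend still gets address-based routing, where the receiving server will simply fail to match it, which is the same outcome the post describes for the "bad luck" case.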