Internet
The Internet is a global network of computers and computer networks (the “Net”). The Internet connects computers that use a variety of different operating systems or languages, including UNIX, DOS, Windows, Macintosh, and others. To facilitate and allow the communication among these various systems and languages, the Internet uses a language referred to as TCP/IP (“Transmission Control Protocol/Internet Protocol”). The TCP/IP protocol supports three basic applications on the Internet:
- transmitting and receiving electronic mail (“SMTP” or “Simple Mail Transfer Protocol”),
- logging into remote computers (“Telnet”),
- transferring files and programs from one computer to another (“FTP” or “File Transfer Protocol”), and
- transmitting and receiving “HTTP” (“HyperText Transfer Protocol”) pages.
TCP/IP
The TCP/IP protocol suite is named for two of the most important protocols:
- a Transmission Control Protocol (TCP), and
- an Internet Protocol (IP).
Another name for it is the Internet Protocol Suite. The more common term TCP/IP is used to refer to the entire protocol suite. The first design goal of TCP/IP is to build an interconnection of networks that provides universal communication services: an internetwork, or internet. Each physical network has its own technology-dependent communication interface, in the form of a programming interface that provides basic communication functions running between the physical network and the user applications. The architecture of the physical networks is hidden from the user. The second goal of TCP/IP is to interconnect different physical networks to form what appears to the user to be one large network.
TCP is a transport layer protocol providing end to end data transfer. It is responsible for providing a reliable exchange of information between 2 computer systems. Multiple applications can be supported simultaneously over one TCP connection between two computer systems.
IP is an internetwork layer protocol hiding the physical network architecture below it. Part of the communication between computers is a routing function that ensures that messages will be correctly directed within the network to be delivered to their destination. IP provides this routing function. An IP message is called an IP Datagram.
Application Level protocols are used on top of TCP/IP to transfer user and application data from one origin computer system to one destination computer system. Such Application Level protocols are for instance File Transfer Protocol (FTP), Telnet, Gopher, Hyper Text Transfer Protocol (HTTP).
Uniform Resource Locators
A resource of the Internet is unambiguously identified by a Uniform Resource Locator (URL), which is a pointer to a particular resource at a particular location. An URL specifies the protocol used to access a server (e.g. HTTP, FTP, . . . ), the name of the server, and the location of a file on that server.
Clients and Servers
TCP/IP is a peer-to-peer, connection-oriented protocol. There are no master/slave relations. The applications, however, use a client/server model for communications. A server is an application that offers a service to internet users; a client is a requester of service. An application consists of both a server and a client part, which can run on the same or on different computer systems.
Users usually invoke the client part of the application, which builds a request for a particular service and sends it to the server part of the application using TCP/IP as transport vehicle.
The server is a program that receives a request, performs the required service and sends back the result in a reply. A server can usually deal with multiple requests (multiple clients) at the same time.
IP Router
A “Router” is a computer that interconnects two networks and forwards messages from one network to the other. Routers are able to select the best transmission path between networks. The basic routing function is implemented in the IP layer of the TCP/IP protocol stack, so any host (or computer) or workstation running TCP/IP over more than one interface could, in theory, forward messages between networks. Because IP implements the basic routing functions, the term “IP Router” is often used. However, dedicated network hardware devices called “Routers” can provide more sophisticated routing functions than the minimum functions implemented in IP.
Intranet
Some companies use the same mechanism as the Internet to communicate inside their own corporation. In this case, this mechanism is called an “Intranet”. These companies use the same networking/transport protocols and locally based computers to provide access to a vast amount of corporate information in a cohesive fashion. Because this data may be private to the corporation, while the members of the company still need access to public Internet information, these companies protect access to their network with special equipment called a Firewall, so that people not belonging to the company cannot reach the private Intranet from the public Internet.
Firewall
A Firewall protects one or more computers with Internet connections from access by external computers connected to the Internet. A Firewall is a network configuration, usually created by hardware and software, that forms a boundary between networked computers within the Firewall from those outside the Firewall. The computers within the Firewall form a secure sub-network with internal access capabilities and shared resources not available from the outside computers.
Often, access to both internal and external computers is controlled by a single machine, which constitutes the Firewall. Since the computer on which the Firewall runs interacts directly with the Internet, strict security measures against unwanted access from external computers are required.
A Firewall is commonly used to protect information such as electronic mail and data files within a physical building or organization site. A Firewall reduces the risk of intrusion by unauthorized people from the Internet. The same security measures can limit, or require special software for, people inside the Firewall who wish to access information on the outside. Depending on the requirements, a Firewall can be configured using one or more of the following components:
- Datagram-filtering router;
- Application Level Gateway (“Proxy” or “Socks”) for controlling the access to information from each side of the Firewall;
- Circuit Level Gateway for relaying TCP and UDP (User Datagram Protocol) connections.
IP Addressing
IP addresses are used by the IP protocol to uniquely identify a host on the Internet. Strictly speaking, an IP address identifies an interface that is capable of sending and receiving IP datagrams. Each IP datagram (the basic unit of data exchanged between hosts) comprises a source IP address and a destination IP address. IP addresses are represented by a 32-bit unsigned binary value which is usually expressed in dotted decimal format. For example, 9.167.5.8 is a valid Internet address. An IP address is divided between a network part and a host part, the first bits of the IP address specifying how the rest of the address is divided. The mapping between the IP address and an easier-to-read symbolic name, for example myhost.ibm.com, is done by the “Domain Name System” (DNS).
Internet Assigned Numbers Authority (IANA)
In order to be assured of any-to-any communication between servers in the Internet, all IP addresses have to be officially assigned by the Internet Assigned Numbers Authority (IANA). Many organizations use locally assigned IP addresses, taken from ranges of addresses reserved for private internets, to avoid colliding with officially assigned IP addresses. These IP addresses cannot be routed on the Internet.
IP Subnets
Due to the explosive growth of the Internet, the principle of assigned IP addresses became too inflexible to allow easy changes to local network configurations. These changes might occur when:
- A new type of physical network is installed at a location.
- Growth of the number of hosts requires splitting the local network into two or more separate networks.
- Growing distances require splitting a network into smaller networks with gateways between them.
To avoid requesting additional IP network addresses in case of changes, the concept of subnets has been introduced. The assignment of subnets can be done locally, as the whole network still appears to be one IP network to the outside world. The host number part of the IP address is subdivided into a network number and a host number. This second network is called a “subnetwork” or “subnet”. Subnetting is implemented in a way that is transparent to remote networks.
Private IP Addresses
An approach for the conservation of the IP address space is the use of private IP addresses. This approach relaxes the rule that IP addresses are globally unique by reserving part of the address space for networks that are used exclusively within a single organization and that do not require IP connectivity to the Internet. Any organization can use addresses in particular ranges without reference to any other organization. However, because these addresses are not globally unique, they cannot be referenced by hosts in another organization and they are not defined to any other external routers. Routers in networks not using private addresses are expected to discard all routing information regarding these addresses. Routers in an organization using private addresses are expected to limit all references to private addresses to internal links; they should neither advertise routes to private addresses to external routers nor forward IP datagrams comprising private addresses to external routers. Hosts having only a private IP address do not have IP layer connectivity to the Internet. All connectivity to external Internet hosts must be provided by “Application Level Gateways”, often referred to as a “Proxy”.
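The following added example (not part of the original text) works through the addressing rules of the three preceding sections: the 32-bit value behind dotted decimal notation, the leading bits that fix the classful network/host split, a locally chosen subnet mask that further divides the host part, and a check for the private ranges (assumed here to be the RFC 1918 ranges 10/8, 172.16/12 and 192.168/16, which the text does not list).

```python
import ipaddress  # standard library, used only for dotted-decimal parsing and formatting

# Assumption: the "particular ranges" reserved for private internets are the RFC 1918 ranges.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def to_u32(dotted):
    """Dotted-decimal text -> 32-bit unsigned value (the representation IP actually carries)."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def classful_prefix_len(value):
    """Number of network bits implied by the leading bits of the address (classes A, B, C)."""
    if value >> 31 == 0b0:        # 0xxx....  class A: 8-bit network part
        return 8
    if value >> 30 == 0b10:       # 10xx....  class B: 16-bit network part
        return 16
    if value >> 29 == 0b110:      # 110x....  class C: 24-bit network part
        return 24
    raise ValueError("class D/E addresses have no network/host split")


def split(dotted, subnet_mask=None):
    """Return (network, subnet, host) parts as dotted strings.

    Without a subnet mask the host part is everything after the classful network bits.
    A subnet mask (chosen locally, invisible to remote networks) must cover the classful
    network bits and carves a subnet number out of the host part.
    """
    v = to_u32(dotted)
    net_mask = (0xFFFFFFFF << (32 - classful_prefix_len(v))) & 0xFFFFFFFF
    if subnet_mask is None:
        sub_mask = net_mask
    else:
        sub_mask = to_u32(subnet_mask)
        if sub_mask & net_mask != net_mask:
            raise ValueError("subnet mask must cover the classful network bits")
    network = v & net_mask
    subnet = v & sub_mask & ~net_mask & 0xFFFFFFFF
    host = v & ~sub_mask & 0xFFFFFFFF
    return to_dotted(network), to_dotted(subnet), to_dotted(host)


def same_subnet(a, b, subnet_mask):
    """True when two hosts share the subnet selected by subnet_mask (no gateway needed)."""
    m = to_u32(subnet_mask)
    return (to_u32(a) & m) == (to_u32(b) & m)


def is_private(dotted):
    """True when the address falls in a range that must never be routed on the Internet."""
    addr = ipaddress.IPv4Address(dotted)
    return any(addr in r for r in PRIVATE_RANGES)
```

The text's own example 9.167.5.8 is a class A address, so its network part is 9.0.0.0 and a mask of 255.255.0.0 would make 0.167.0.0 the locally assigned subnet number.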
Network Address Translation
Network Address Translation (NAT) is based on the fact that only a small part of the hosts in a private network communicate outside that network. If each host is assigned an IP address from the public IP address pool only when it needs to communicate, then only a small number of public IP addresses are required. NAT is a solution for networks that have private IP address ranges and want to communicate with hosts on the Internet. In fact, most of the time, this can also be achieved by implementing a Firewall. Clients that communicate with the Internet by using a Proxy or Socks server do not expose their addresses to the Internet, so their addresses do not have to be translated anyway. However, when, for any reason, Proxy and Socks are not available or do not meet specific requirements, NAT can be used to manage the traffic between the internal and external network without advertising the internal host addresses.
Load Balancing
The concepts of scaling, balancing and availability are particularly important when looking for effective ways of dealing with the ever increasing amount of network and server load. The concept of “balancing” refers to sharing, or distributing, a load among multiple devices within a server or a network, or both, to facilitate traffic flows.
Assigning client connections for an application to a specific network server may overload the capacity of this network server, while other network servers with fewer connection requests for other applications may waste free capacity. To reach the goal of an equal level of load on all network servers, these network servers are organized in a clustered server group. All network servers in this cluster can provide information about their workload to a load balancer. This load balancer is responsible for distributing connection requests from clients to the network servers, based on workload information. Clients are not aware of such clusters. They try to connect to a service, assuming it is running on the machine of the load balancer. The load balancer forwards the connection request to the real service provider based on the current workload of the network servers in the cluster. The information about the state of the workload can be provided by a function, such as a workload manager residing in every destination network server. In case there is no workload information from destination network servers, the network load manager can use distribution rules, such as:
- a simple round-robin distribution,
- number of distributed connections.
Dispatcher
There are many vendors currently offering load balancing hardware or software. The techniques used vary widely, and have advantages and disadvantages.
Early solutions to address load balancing were often located at the point where host names are translated into actual IP addresses: the Domain Name System. By rotating through a table of alternate IP addresses for a specific service, some degree of load balancing is achieved. This method is often called round-robin DNS. The advantages of this approach are that it is protocol compliant and transparent both to the client and the destination host. Unfortunately, this approach is sometimes defeated by the fact that intermediate name servers and client software cache the IP addresses returned by DNS service, and ignore an expressly specified time-to-live value particularly if the time-to-live is short or zero. As a result the balancing function provided by the DNS is bypassed, because the client continues to use a cached IP address instead of resolving again.
A Dispatcher uses a fundamentally different approach to load balancing. The Dispatcher does not use DNS in any way, although normal static DNS will still usually be used in front of the Dispatcher. Once installed and configured, the Dispatcher actually becomes the site IP address to which clients send all datagrams. This externally advertised address is referred to as the cluster address. The ports to be supported inside each cluster can be configured, along with the actual network servers that will provide the service on each of those ports. Optionally, the real IP addresses of the network servers in the cluster can be concealed from the clients by filtering them at the gateway router.
The Dispatcher examines only the header of each datagram and decides whether the datagram belongs to an existing connection, or represents a new connection request. It uses a simple connection table stored in memory to achieve this. Note that the connection is never actually set up on the Dispatcher machine (it is between the client and the network server, just as it would be if the Dispatcher were not installed) but the connection table records its existence and the address of the network server to which the connection was sent.
If the connection already exists, which means it has an existing entry in the in-memory connection table, then the datagram is rapidly forwarded to the same network server chosen on the initial connection request without further processing. Since most of the datagrams that flow are of this type, the overhead of the whole load balancing process is kept to a minimum.
If the datagram is a new connection request, the Dispatcher looks at the configuration to see which network servers can support a request on the port requested by the client on the requested cluster address. Then it uses stored weights for each such network server to determine the right network server to which the connection will be forwarded. An entry mentioning this network server is made in the connection table, ensuring that subsequent datagrams for this connection are correctly forwarded to the chosen network server.
Note that the right network server is not always the best network server, since it is desirable for all eligible network servers to process their share of the load. Even the worst network server needs to shoulder some of the burden. If traffic is only ever forwarded to the best network server, it can be guaranteed that it will rapidly cease to be the best.
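The following added model (constructed for this page, not the Dispatcher's own code) shows the datagram path described in the four preceding paragraphs: a lookup in an in-memory connection table, the fast path for datagrams of a known connection, and a weighted choice for new connection requests in which every server with a non-zero stored weight receives its share rather than only the "best" one. The smooth weighted round-robin used for that choice and the cluster/server addresses are assumptions; the Dispatcher's real weighting algorithm is not described in the text.

```python
from dataclasses import dataclass


@dataclass
class Server:
    ip: str
    weight: int       # stored weight: higher means a larger share of new connections
    credit: int = 0   # running balance used by smooth weighted round-robin (assumed algorithm)


class Dispatcher:
    """Toy model of the Dispatcher's forwarding decision (constructed example)."""

    def __init__(self, cluster_addr):
        self.cluster_addr = cluster_addr   # the externally advertised address
        self.ports = {}                    # port -> [Server, ...] configured for the cluster
        self.connections = {}              # (client_ip, client_port, port) -> chosen server ip

    def configure(self, port, servers):
        self.ports[port] = servers

    def _choose(self, servers):
        """Pick a server proportionally to weight; servers with weight 0 are ineligible."""
        eligible = [s for s in servers if s.weight > 0]
        if not eligible:
            return None
        total = sum(s.weight for s in eligible)
        for s in eligible:
            s.credit += s.weight
        chosen = max(eligible, key=lambda s: s.credit)   # first maximum wins ties
        chosen.credit -= total
        return chosen

    def handle(self, dst_ip, dst_port, src_ip, src_port, syn):
        """Return the IP of the network server the datagram is forwarded to, or None if dropped.

        Only the header fields are consulted; the datagram itself is never modified.
        """
        if dst_ip != self.cluster_addr:
            return None                          # not addressed to the cluster address
        key = (src_ip, src_port, dst_port)
        if key in self.connections:              # existing connection: forward without further work
            return self.connections[key]
        if not syn:
            return None                          # mid-stream datagram with no table entry
        servers = self.ports.get(dst_port)
        if not servers:
            return None                          # port not configured on this cluster
        chosen = self._choose(servers)
        if chosen is None:
            return None                          # every configured server has weight 0
        self.connections[key] = chosen.ip        # later datagrams of this connection follow it
        return chosen.ip

    def close(self, src_ip, src_port, dst_port):
        """Remove the table entry once the connection between client and server has ended."""
        self.connections.pop((src_ip, src_port, dst_port), None)
```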
The Dispatcher does not modify the client's IP datagram when forwarding it. Because the Dispatcher is on the same subnet as its clustered network servers, it simply forwards the datagram explicitly to the IP address of the chosen network server, just like any ordinary IP datagram. The Dispatcher's TCP/IP stack modifies only the datagram's MAC (Medium Access Control) address in the operating system approved manner and sends the datagram to the chosen network server.
To allow the TCP/IP stack on that network server to accept the unmodified datagram from the Dispatcher and pass it to the chosen port for normal application processing, the IP address of the Dispatcher machine is also installed as a non-advertising alias on each of the clustered network servers. This is achieved by configuring the alias on the loopback interface.
The network server's TCP then establishes the server-to-client half of the connection according to standard TCP semantics, by simply swapping the source and destination addresses as supplied by the client, rather than determining them from its own basic configuration. This means that it replies to the client with the IP address of the Dispatcher. As a direct result, the balancing function is invisible both to the client and the clustered network servers.
A key performance and scalability benefit of the Dispatcher is that the application server returns the response to the client's request directly to the client without passing back through the Dispatcher. Indeed, there is no need even to return using the original physical path; a separate high-bandwidth connection can be used. In many cases, the volume of outbound server-to-client traffic is substantially greater than the inbound traffic. For example, Web page HTML and embedded images sent from the network server are typically at least 10 times the size of the client URLs that request them.
Because the Dispatcher is a truly generic TCP/IP application, its functions can be applied not only to HTTP (Hypertext Transfer Protocol) or FTP (File Transfer Protocol) traffic, but also to other standards-compliant types of TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) traffic.
NAT Based Load Balancing
What follows is a consideration of the NAT-based load balancing mechanism in comparison to the approach used by the Dispatcher.
The only way to communicate between a private network based on private IP addresses and a public network (such as the Internet) using an application protocol for which there is no application gateway is to establish connectivity at the IP level between hosts in the private network and hosts on the Internet. Since the routers in the Internet do not know how to route IP datagrams back to a private IP address, it is not possible to send IP datagrams with private IP addresses as source IP addresses through a router into the Internet.
The NAT transparently translates the private IP addresses of a private network to public IP addresses so that IP datagrams can be routed on the Internet. The NAT dynamically translates the private IP address of outgoing datagrams to a public IP address. For incoming datagrams, the NAT translates the public IP address back to a private IP address. From the point of view of two hosts that exchange IP datagrams with each other, one host being connected to a secure network (the private network) and the other one being connected to a non-secure network (the Internet), the Network Address Translator (NAT) looks like a standard IP router that forwards IP datagrams between two network interfaces.
Since the TCP/IP stack that implements NAT looks like a normal IP router, there is a need to create an appropriate IP network design for connecting two or more IP networks or subnets through a router. The NAT IP addresses need to come from separate networks or subnets, and the addresses need to be unambiguous with respect to other networks or subnets in the non-secure network. If the non-secure network is the Internet, the NAT addresses need to come from a public network or subnet, in other words, the NAT addresses need to be assigned by IANA (Internet Assigned Numbers Authority).
The non-secure addresses (official addresses) should be reserved in a pool, in order to use them when needed. If connections are established from the secure network, NAT can just pick the next free public address in the NAT pool and assign that to the requesting secure host. NAT keeps track of which secure IP addresses are mapped to which non-secure IP addresses at any given point in time, so it will be able to map a response it receives from the non-secure network into the corresponding secure IP address.
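The pool-based translation described in the last three paragraphs, as an added model that is not part of the original text: outbound datagrams from the secure network take the next free public address from the pool (or are refused when the pool is exhausted), the mapping is remembered so that the response can be mapped back, and inbound datagrams whose destination has no mapping are not forwarded into the secure network. The pool and host addresses are constructed values from documentation ranges.

```python
class NatPool:
    """Dynamic NAT with a pool of official (non-secure) addresses; constructed example."""

    def __init__(self, public_pool):
        self.free = list(public_pool)   # official addresses not mapped at the moment
        self.outbound = {}              # secure (private) ip -> public ip currently assigned
        self.inbound = {}               # public ip -> secure ip, for mapping responses back

    def translate_outbound(self, src_private, dst_public):
        """Rewrite the source of a datagram leaving the secure network.

        Returns (new_src, dst) or None when no public address is free, in which case
        the datagram cannot be sent into the non-secure network at all.
        """
        public = self.outbound.get(src_private)
        if public is None:
            if not self.free:
                return None                      # pool exhausted
            public = self.free.pop(0)            # next free address in the pool
            self.outbound[src_private] = public
            self.inbound[public] = src_private
        return (public, dst_public)

    def translate_inbound(self, src_public, dst_public):
        """Rewrite the destination of a datagram arriving from the non-secure network.

        Returns (src, secure_dst) or None when the destination is not a currently mapped
        pool address; such unsolicited datagrams never reach the secure network.
        """
        private = self.inbound.get(dst_public)
        if private is None:
            return None
        return (src_public, private)

    def release(self, src_private):
        """Return a host's public address to the pool when it no longer communicates."""
        public = self.outbound.pop(src_private, None)
        if public is not None:
            del self.inbound[public]
            self.free.append(public)

    def mapped(self):
        """Current secure -> public mappings, mainly useful for inspection and logging."""
        return dict(self.outbound)
```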
The NAT-based load balancing system works by modifying the source and destination IP addresses in the inbound client-to-server datagrams and by restoring the IP addresses to their original values in the outbound server-to-client datagrams. Note that if NAT is to be transparent to the network server, eliminating the need for specialized agent code on the network server, then all datagrams sent back to the client must pass back through the NAT-based load balancing system in order to restore the IP addresses originally used by the client, unlike the previously discussed mode of the Dispatcher. This is a significant overhead which will have a varying impact on the NAT-based load balancing system and the network servers whose resources it manages. This added overhead and latency can mean network delay, and queuing in the NAT-based load balancing system itself. This in turn drastically limits the potential scalability of NAT solutions. To overcome such delays, the capacity of a NAT-based load balancing system must not only be sufficient to handle both inbound and outbound datagrams, but it must also be able to cope with the disproportionately higher volume of the outbound traffic. This is completely different from the previous approach, where the Dispatcher does not modify datagrams and only sees the inbound flows.
NAT-based load balancing offerings sometimes enforce the need to see both inbound and outbound requests by obliging the customer to install the NAT device as a bridge without permitting bridges of any other kind. This forces the network servers onto what is essentially a private segment, which can complicate installation since it requires significant physical change to existing network infrastructure. All traffic for those network servers must pass through the NAT-based load balancing system whether the traffic is to be load-balanced or not. This means that if the application uses, for instance, a back-end SQL database, which might be running on a mainframe in a corporate data center, it also must be logically inside this “padded cell” from a TCP/IP networking point of view. The only alternative is to have all of the SQL query traffic and responses to the queries pass in and out through the NAT device, adding to the overhead.
Conversely the Dispatcher can be quickly and easily installed without disruption to the existing network infrastructure. For instance, there are no restrictions as to where the SQL database needs to be located. The configuration is simpler and a complete subnet layer is eliminated. The configuration offered by the Dispatcher is also more flexible.
The one advantage of NAT as originally conceived (the ability to forward datagrams to remote destinations across a wide area network) cannot be usefully deployed since the wide area network connection is behind the bridge and, therefore, can only be within the site's private network. Additionally, the same NAT device must still be the only exit from the wide area network link. Dispatcher's wide area support does not suffer from this limitation.
To attempt to overcome these limitations, some NAT solutions add to the overhead that is fundamental to NAT by providing unnecessary add-ons, for example the capability to map one port address to another. This is implicitly at odds with the standards for well-known ports. It is often touted as an advantage for NAT-based solutions, but the so-called advantages of port mapping are of marginal value, and the same functionality can be deployed in other ways that are more standards-compliant.
To check if a server is up, NAT-based load balancing solutions need to sacrifice an actual client request, and so a server outage is typically perceived only as a result of a timeout of one of these real client requests. The use by a Dispatcher without NAT of specialized advisors is less disruptive and reacts more quickly to a failure.
NAT devices often only map affinity or stickiness based on the client's IP address, and not at the port level. This means that once a client has contacted a server, all traffic from that client that is intended for other applications is forwarded to the same network server. This drastically restricts configuration flexibility, in many cases rendering the sticky capability unusable in the real world.
More explanations about the technical field presented in the above sections can be found in the following publications incorporated herewith by reference: “TCP/IP Tutorial and Technical Overview” by Martin W. Murhammer, Orcun Atakan, Stefan Bretz, Larry R. Pugh, Kazunari Suzuki, David H. Wood, International Technical Support Organization, October 1998, GG24-3376-05.