The present invention relates generally to proxied connections. More specifically, a distributed method and apparatus for proxying a connection and reducing the overhead on such a proxied connection is disclosed.
As the IP protocol has continued to be in widespread use, a plethora of network service appliances have evolved for the purpose of providing certain network services not included in the protocol and therefore not provided by standard IP routers. Such services include NAT, statistics gathering, load balancing, proxying, intrusion detection, and numerous other security services. In general, such service appliances must be inserted in a network at a physical location where the appliance will intercept all flows of interest for the purpose of making its service available.
FIG. 1 is a block diagram illustrating a prior art system for providing a network service. A group of clients 101, 102, and 103 are connected by a network 110 to a group of servers 121, 122, 123, and 124. A network service appliance 130 is physically located in the path between the clients and the servers. Network service appliance 130 provides a service by filtering packets, sending packets to specific destinations, or, in some cases, modifying the contents of packets. An example of such modification would be modifying the packet header by changing the source or destination IP address and the source or destination port number.
Network service appliance 130 provides a network service such as load balancing, caching, or security services. In providing security services, network service appliance 130 may function as a proxy, a firewall, or an intrusion detection device. For purposes of this specification, a network service appliance that acts as a load balancer will be described in detail. It should be noted that the architecture and methods described are equally applicable to a network service appliance that is functioning as one of the other above described devices.
Network service appliance 130 is physically located between the group of servers and the clients that they serve. There are several disadvantages to this arrangement. First, it is difficult to add additional network service appliances when the first network service appliance becomes overloaded because the physical connections of the network must be rerouted. Likewise, it is difficult to replace the network service appliance with a backup network service appliance when it fails. Since all packets pass through the network service appliance on the way to the servers, the failure of the network service appliance may prevent any packets from reaching the servers and any packets from being sent by the servers. Such a single point of failure is undesirable. Furthermore, as networks and internetworks have become increasingly complex, multiple services may be required for a single network, and inserting a large number of network service appliances into a network in places where they can intercept all relevant packet flows may be impractical.
The servers may also be referred to as hosts and the group of servers may also be referred to as a cluster of hosts. If the group of servers has a common IP address, that IP address may be referred to as a virtual IP address (VIPA) or a cluster address. Also, it should be noted that the terms client and server are used herein in a general sense to refer to devices that generally request information or services (clients) and devices that generally provide services or information (servers). In each example given it should be noted that the roles of client and server may be reversed if desired for a particular application.
A system that addresses the scalability issues that are faced by network service appliances (load balancers, firewalls, etc.) is needed. It would be useful to distribute functions that are traditionally performed by a single network element so that as much of the function as possible can be performed by multiple network elements. A method of coordinating work between the distributed functions with a minimum of overhead is needed.
Although network service appliances have facilitated the development of scalable server architectures, the problem of scaling network service appliances themselves and distributing their functionality across multiple platforms has been largely ignored. Network service appliances traditionally have been implemented on a single platform that must be physically located at a specific point in the network for its service to be provided.
For example, clustering of servers has been practiced in this manner. Clustering has achieved scalability for servers. Traditional multiprocessor systems have relatively low scalability limits due to contention for shared memory and I/O. Clustered machines, on the other hand, can scale farther in that the workload for any particular user is bound to a particular machine and far less sharing is needed. Clustering has also facilitated nondisruptive growth. When workloads grow beyond the capacity of a single machine, the traditional approach is to replace it with a larger machine or, if possible, add additional processors within the machine. In either case, this requires downtime for the entire machine. With clustering, machines can be added to the cluster without disrupting work that is executing on the other machines. When the new machine comes online, new work can start to migrate to that machine, thus reducing the load on the pre-existing machines.
Clustering has also provided load balancing among servers. Spreading users across multiple independent systems can result in wasted capacity on some systems while others are overloaded. By employing load balancing within a cluster of systems the users are spread to available systems based on the load on each system. Clustering also has been used to enable systems to be continuously available. Individual application instances or machines can fail (or be taken down for maintenance) without shutting down service to end-users. Users on the failed system reconnect and should not be aware that they are using an alternate image. Users on the other systems are completely unaffected except for the additional load caused by services provided to some portion of the users that were formerly on the failed system.
In order to take full advantage of these features, the network access must likewise be scalable and highly available. Network service appliances (load-balancing appliances being one such example) must be able to function without introducing their own scaling limitations that would restrict the throughput of the cluster. A new method of providing network services using a distributed architecture is needed to achieve this.
In many network applications, it is often desirable or necessary to prevent a user from making a connection to a first machine at one IP address that has information that the user needs and instead service the user's information request with a proxy machine at a different IP address. For example, it is often desired from a security standpoint not to allow a connection to a machine that stores sensitive information. Instead, it may be required that a connection first be made to a proxy that has various security features such as user authentication and possibly encryption. The user requests the information from the proxy and the proxy establishes a connection with the machine that is being protected and obtains the information. If the proxy determines that the user is authorized to receive the information, the proxy can then relay the information to the user that requested it. The proxy thus stands in for the machine that stores the sensitive information. The user is prevented from making a direct connection to the protected machine. Instead, the user must first request the information from the proxy and only the proxy connects with the protected machine. The protected machine is insulated from potentially dangerous outside contact.
In a proxy arrangement that is used for security, the proxy generally first identifies and authenticates the user who is requesting information from a protected machine at a target IP address. In the discussion that follows, the user requesting information will be referred to as the client and the protected machine that is providing information will be referred to as the server. It should be noted that in certain situations the client and server designations may be reversed. The machine that is protected (in the example above, the server) is referred to as the proxied machine at the proxied address. The proxied machine is also referred to as the target machine at the target address because it is the machine that the client or user actually intends to access in order to obtain data or some other service. The user does not generally desire to retrieve information from or contact the proxy other than for the purpose of authenticating itself or otherwise preparing for the desired connection with the target machine. The machine that acts as a proxy is called the proxy machine at the proxy address. The user making the connection is referred to as the user or the client. When a proxy is used, the user connects to the proxy machine at the proxy IP address and never actually makes a connection to the proxied machine at the proxied IP address.
Another example of a situation in which a proxy may be desirable is a web cache. A web cache is not necessarily implemented for the purpose of protecting another machine. It may be desirable to store certain information that is available from a primary web site at a first IP address at a web cache located at another IP address. In this situation, the user is directed to the IP address of the web cache for the information. If the information requested is not found in the cache, then the web cache connects to the primary web site, obtains the information, and then transfers it to the user.
It would be desirable if a proxy could be implemented using distributed forwarding agents. A large amount of overhead is associated with establishing a first connection from the proxy to the client and a second connection from the proxy to the server. In a distributed architecture, forwarding all packets for a proxied connection to a service manager acting as a proxy would create a large amount of extra traffic. It would therefore be very useful in such a system to limit the amount of traffic generated and to reduce the overhead associated with each proxied connection.
A system and method for proxying a connection using a distributed architecture is disclosed. A service manager attracts from forwarding agents packets that are sent by clients attempting to set up connections that are to be proxied. For each proxied connection, the service manager establishes a connection with an appropriate server and transfers data between the server and the client. At some point, the service manager may determine that the connection has reached a state in which it is appropriate to no longer proxy the connection and to allow packets to flow directly between the client and the server. At that point, the service manager sends instructions to the forwarding agents for adjusting packet sequence numbers so that packets may be forwarded between the client and the server.
It should be appreciated that the present invention can be implemented in numerous ways, including as a process, an apparatus, a system, a device, a method, or a computer readable medium such as a computer readable storage medium or a computer network wherein program instructions are sent over optical or electronic communication links. Several inventive embodiments of the present invention are described below.
In one embodiment, a method of controlling access to a server includes sending instructions to a forwarding agent that instruct the forwarding agent to forward packets to a service manager from clients attempting to establish a client connection to the server. A client connection is established with the client. A server connection is established from the service manager to the server and data is transferred from the server connection to the client connection.
In one embodiment, a service manager configured to control access to a server includes a forwarding agent interface configured to send instructions to a forwarding agent that instruct the forwarding agent to forward packets to the service manager from clients attempting to establish a client connection to the server. A client interface is configured to establish the client connection with the client. A server interface is configured to establish a server connection from the service manager to the server. A processor is configured to transfer data from the server connection to the client connection.
In one embodiment, a forwarding agent configured to control access to a server includes a packet interface configured to send and receive packets on a network. A service manager interface is configured to receive instructions from a service manager to adjust sequence and acknowledgment numbers in selected packets. A processor is configured to adjust the sequence and acknowledgment numbers in the selected packets.
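The hand-off described in the summary and in the forwarding-agent embodiment above (the service manager instructing forwarding agents to adjust sequence and acknowledgment numbers so that client and server packets can flow directly) can be illustrated with a small Python model. This is an added example, not code from the patent or from any product it describes. It assumes, which the text does not state, that the service manager relayed both byte streams unmodified, so the only difference between the client-side and server-side connections is the initial sequence number (ISN) each endpoint chose; the offsets are then pure ISN differences in 32-bit modular arithmetic. All names (`SpliceDeltas`, `ForwardingAgent`, `compute_splice_deltas`), addresses and packets below are constructed for the illustration.

```python
import socket
import struct
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, data-offset byte, flags, window, checksum, urgent
ACK_FLAG = 0x10


@dataclass(frozen=True)
class SpliceDeltas:
    """Per-direction offsets a forwarding agent adds to seq/ack numbers after the hand-off."""
    c2s_seq: int  # client->server packets: offset added to seq
    c2s_ack: int  # client->server packets: offset added to ack
    s2c_seq: int  # server->client packets: offset added to seq
    s2c_ack: int  # server->client packets: offset added to ack


def compute_splice_deltas(client_isn, proxy_client_side_isn, proxy_server_side_isn, server_isn):
    """Derive the offsets from the four ISNs of the two proxied connections.

    Assumption (not stated on the page): the service manager relayed the byte streams
    unmodified, so a client seq lands in the proxy's server-side seq space by adding
    (proxy_server_side_isn - client_isn), and a client ack (which acknowledges the
    proxy's client-side stream) lands in the server's space by adding
    (server_isn - proxy_client_side_isn). The reverse direction mirrors this.
    """
    return SpliceDeltas(
        c2s_seq=(proxy_server_side_isn - client_isn) & MASK32,
        c2s_ack=(server_isn - proxy_client_side_isn) & MASK32,
        s2c_seq=(proxy_client_side_isn - server_isn) & MASK32,
        s2c_ack=(client_isn - proxy_server_side_isn) & MASK32,
    )


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment as given."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    # Summing a segment that already carries a correct checksum yields 0.
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_segment(sport, dport, seq, ack, flags, payload, src_ip, dst_ip) -> bytes:
    """Construct a minimal 20-byte-header TCP segment with a valid checksum (sample input)."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_seq_ack(segment: bytes):
    return struct.unpack("!II", segment[4:12])


def rewrite_segment(src_ip, dst_ip, segment, seq_delta, ack_delta) -> bytes:
    """Apply the offsets to seq (always) and ack (only when the ACK flag is set), then re-checksum."""
    sport, dport, seq, ack, off, flags, window, _csum, urg = struct.unpack(TCP_HDR, segment[:20])
    new_seq = (seq + seq_delta) & MASK32
    new_ack = (ack + ack_delta) & MASK32 if flags & ACK_FLAG else ack
    hdr = struct.pack(TCP_HDR, sport, dport, new_seq, new_ack, off, flags, window, 0, urg)
    body = hdr + segment[20:]
    csum = tcp_checksum(src_ip, dst_ip, body)
    return body[:16] + struct.pack("!H", csum) + body[18:]


class ForwardingAgent:
    """Holds the per-flow offsets installed by the service manager and rewrites matching packets."""

    def __init__(self):
        self.table = {}  # (src_ip, sport, dst_ip, dport) -> (seq_delta, ack_delta)

    def install_splice(self, client, server, deltas: SpliceDeltas):
        """Instruction from the service manager: start forwarding this flow directly."""
        self.table[(client[0], client[1], server[0], server[1])] = (deltas.c2s_seq, deltas.c2s_ack)
        self.table[(server[0], server[1], client[0], client[1])] = (deltas.s2c_seq, deltas.s2c_ack)

    def forward(self, src_ip, dst_ip, segment: bytes) -> bytes:
        sport, dport = struct.unpack("!HH", segment[:4])
        entry = self.table.get((src_ip, sport, dst_ip, dport))
        if entry is None:
            return segment  # flow not spliced: pass through unchanged
        return rewrite_segment(src_ip, dst_ip, segment, *entry)


def demo():
    """Constructed scenario: ISNs 1000 (client), 5000/20000 (proxy sides), 70000 (server)."""
    client, server = ("10.0.0.1", 40000), ("10.0.0.2", 80)
    agent = ForwardingAgent()
    agent.install_splice(client, server, compute_splice_deltas(1000, 5000, 20000, 70000))
    c2s = build_segment(40000, 80, 1050, 5100, ACK_FLAG | 0x08, b"GET / HTTP/1.0\r\n\r\n", *client[:1], server[0])
    s2c = build_segment(80, 40000, 70100, 20050, ACK_FLAG, b"", server[0], client[0])
    return parse_seq_ack(agent.forward(client[0], server[0], c2s)), parse_seq_ack(agent.forward(server[0], client[0], s2c))


if __name__ == "__main__":
    print(demo())
```

The two table entries per flow are what the service manager's "instructions to the forwarding agents" would carry in this model; an agent that never received them leaves the packet untouched, which is also the safe default for flows it does not recognise. The ACK-flag check matters because a segment without ACK (a bare SYN) carries no meaningful acknowledgment number to translate.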
These and other features and advantages of the present invention will be presented in more detail in the following detailed description and the accompanying figures which illustrate by way of example the principles of the invention.