The present invention relates generally to providing network services such as load balancing, packet filtering or Network Address Translation (NAT). More specifically, network services are provided using one or more service managers that send instructions to forwarding agents that are integrated into a routing infrastructure. The forwarding agents execute instructions received from service managers according to a service priority hierarchy specified in instructions received from the service managers.
As the IP protocol has continued to be in widespread use, a plethora of network service appliances have evolved for the purpose of providing certain network services not included in the protocol and therefore not provided by standard IP routers. Such services include NAT, statistics gathering, load balancing, proxying, intrusion detection, and numerous other security services. In general, such service appliances must be inserted in a network at a physical location where the appliance will intercept all flows of interest for the purpose of making its service available.
FIG. 1 is a block diagram illustrating a prior art system for providing a network service. A group of clients 101, 102, and 103 are connected by a network 110 to a group of servers 121, 122, 123, and 124. A network service appliance 130 is physically located in the path between the clients and the servers. Network service appliance 130 provides a service by filtering packets, sending packets to specific destinations, or, in some cases, modifying the contents of packets. An example of such modification would be modifying the packet header by changing the source or destination IP address and the source or destination port number.
Network service appliance 130 provides a network service such as load balancing, caching, or security services. In providing security services, network service appliance 130 may function as a proxy, a firewall, or an intrusion detection device. For purposes of this specification, a network service appliance that acts as a load balancer will be described in detail. It should be noted that the architecture and methods described are equally applicable to a network service appliance that is functioning as one of the other above described devices.
Network service appliance 130 is physically located between the group of servers and the clients that they serve. There are several disadvantages to this arrangement. First, it is difficult to add additional network service appliances when the first network service appliance becomes overloaded because the physical connections of the network must be rerouted. Likewise, it is difficult to replace the network service appliance with a back up network service appliance when it fails. Since all packets pass through the network service appliance on the way to the servers, the failure of the network service appliance may prevent any packets from reaching the servers and any packets from being sent by the servers. Such a single point of failure is undesirable. Furthermore, as networks and internetworks have become increasingly complex, multiple services may be required for a single network and inserting a large number of network service appliances into a network in places where they can intercept all relevant packet flows may be impractical.
The servers may also be referred to as hosts and the group of servers may also be referred to as a cluster of hosts. If the group of servers has a common IP address, that IP address may be referred to as a virtual IP address (VIPA) or a cluster address. Also, it should be noted that the terms client and server are used herein in a general sense to refer to devices that generally request information or services (clients) and devices that generally provide services or information (servers). In each example given it should be noted that the roles of client and server may be reversed if desired for a particular application.
A system that addresses the scalability issues faced by network service appliances (load balancers, firewalls, etc.) is needed. It would be useful to distribute functions that are traditionally performed by a single network element so that as much of the function as possible can be performed by multiple network elements. A method of coordinating work between the distributed functions with a minimum of overhead is needed.
Although network service appliances have facilitated the development of scalable server architectures, the problem of scaling network service appliances themselves and distributing their functionality across multiple platforms has been largely ignored. Network service appliances traditionally have been implemented on a single platform that must be physically located at a specific point in the network for its service to be provided.
For example, clustering of servers has been practiced in this manner. Clustering has achieved scalability for servers. Traditional multiprocessor systems have relatively low scalability limits due to contention for shared memory and I/O. Clustered machines, on the other hand, can scale farther in that the workload for any particular user is bound to a particular machine and far less sharing is needed. Clustering has also facilitated non-disruptive growth. When workloads grow beyond the capacity of a single machine, the traditional approach is to replace it with a larger machine or, if possible, add additional processors within the machine. In either case, this requires downtime for the entire machine. With clustering, machines can be added to the cluster without disrupting work that is executing on the other machines. When the new machine comes online, new work can start to migrate to that machine, thus reducing the load on the pre-existing machines.
Clustering has also provided load balancing among servers. Spreading users across multiple independent systems can result in wasted capacity on some systems while others are overloaded. By employing load balancing within a cluster of systems the users are spread to available systems based on the load on each system. Clustering also has been used to enable systems to be continuously available. Individual application instances or machines can fail (or be taken down for maintenance) without shutting down service to end-users. Users on the failed system reconnect and should not be aware that they are using an alternate image. Users on the other systems are completely unaffected except for the additional load caused by services provided to some portion of the users that were formerly on the failed system.
In order to take full advantage of these features, the network access must likewise be scalable and highly available. Network service appliances (load-balancing appliances being one such example) must be able to function without introducing their own scaling limitations that would restrict the throughput of the cluster. A new method of providing network services using a distributed architecture is needed to achieve this.
It is often necessary or useful to provide several different types of network services to a network. For example, load balancing, proxying, and firewall functions may all need to be provided. Other security services may be provided as well. In such instances, it may be impractical to insert a device for each such service at an appropriate location in the network for the service to be provided. It would be desirable if a system could be developed that could provide multiple network services from a single device. Furthermore, it would be useful if multiple network services could be managed using a single architecture and service management scheme.
A system and method are disclosed wherein service managers provide multiple services using forwarding agents. The services provided may be managed by a single service manager that is able to provide management for more than one service or the services may be managed by multiple service managers that are each specially configured to provide a specific service. For each service provided, a service manager sends instructions that include a service priority to the forwarding agents. The service priority is used to indicate the order in which services are to be performed. Forwarding agents use the service priority to determine which service to provide when a packet is received either on the network interface of the forwarding agent or on the service manager interface.
It should be appreciated that the present invention can be implemented in numerous ways, including as a process, an apparatus, a system, a device, a method, or a computer readable medium such as a computer readable storage medium or a computer network wherein program instructions are sent over optical or electronic communication links. Several inventive embodiments of the present invention are described below.
In one embodiment, a method of providing a plurality of network services includes receiving at a forwarding agent a plurality of matching instructions corresponding to a specified flow from one or more service managers and storing the plurality of matching instructions on the forwarding agent having a forwarding agent network interface. A packet for the specified flow at the forwarding agent is received on the forwarding agent network interface. A highest service priority matching instruction stored on the forwarding agent is determined. The packet is processed according to the highest priority matching instruction. A next highest service priority matching instruction stored on the forwarding agent is determined and the packet is processed according to the next highest service priority matching instruction.
In another embodiment, a forwarding agent includes an instruction receiving interface configured to receive a plurality of matching instructions corresponding to a specified flow from one or more service managers and a memory configured to store the plurality of matching instructions on the forwarding agent having a forwarding agent network interface. A packet receiving interface is configured to receive a packet for the specified flow at the forwarding agent. A processor is configured to determine a highest service priority matching instruction stored on the forwarding agent and to process the packet according to the highest priority matching instruction and to determine a next highest service priority matching instruction stored on the forwarding agent and to process the packet according to the next highest service priority matching instruction.
In another embodiment, a method of providing a plurality of network services includes receiving at a forwarding agent a plurality of matching instructions corresponding to a specified flow from one or more service managers and storing the plurality of matching instructions on the forwarding agent having a service manager interface. A packet for the specified flow is received at the forwarding agent on the service manager interface. The packet is encapsulated along with a service priority identifier that specifies a next service priority for a stage of packet processing to be executed by the forwarding agent. A matching instruction is determined that corresponds to an eligible service priority, wherein the eligible service priority is the same level as or a lower level than the next service priority, and the packet is processed according to the matching instruction that corresponds to the eligible service priority.
In another embodiment, a method of providing a plurality of network services includes receiving at a forwarding agent a plurality of matching instructions corresponding to a specified flow from one or more service managers and storing the plurality of matching instructions on the forwarding agent having a forwarding agent network interface. A packet for the specified flow is received at the forwarding agent.
A first service priority matching instruction stored on the forwarding agent is retrieved. The first service priority matching instruction stored on the forwarding agent specifies that the packet is to be sent from the forwarding agent over the forwarding agent network interface. A second service priority matching instruction stored on the forwarding agent is retrieved. The second service priority matching instruction stored on the forwarding agent has a lower priority than the first service priority matching instruction stored on the forwarding agent. The second service priority matching instruction stored on the forwarding agent is therefore preempted by the first service priority matching instruction stored on the forwarding agent: once the packet has been sent over the network interface, no lower priority service is applied to it.
In another embodiment, a service manager is configured to send an instruction to a forwarding agent. The instruction includes a flow identifier and a service precedence for the instruction. The instruction also includes an action to be executed by the forwarding agent for packets that are part of flows corresponding to the flow identifier.
In another embodiment, a method of managing a forwarding agent includes sending an instruction that includes a flow identifier, a service precedence for the instruction, and an action to be executed by the forwarding agent for packets that are part of flows corresponding to the flow identifier.
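The following is an added worked example, written for this page and not code from the patent itself, that simulates the service priority hierarchy described in the embodiments above: a forwarding agent stores matching instructions (flow identifier, service precedence, action) from several service managers, walks them from highest to lowest priority for a packet arriving on its network interface, resumes at or below a manager-supplied next service priority for a packet returned on its service manager interface, and treats a forward-out-the-network-interface or drop action as preempting every lower priority instruction. The class names, the action vocabulary (permit, drop, nat, to_manager, forward), the numeric priority scheme (larger number = higher priority), the sample flows and the convention that a manager returns a packet with next priority one below the stage at which it was handed off are all assumptions of this example.

```python
"""Toy forwarding agent executing service-manager instructions in service-priority order.
Example code for this page; names and action vocabulary are assumptions, not the patent's."""
from dataclasses import dataclass, field

# Actions a service manager may ask the forwarding agent to execute (assumed names).
PERMIT = "permit"          # packet filtering: allow, continue to next lower priority
DROP = "drop"              # packet filtering: discard; lower priorities are preempted
NAT = "nat"                # rewrite destination address/port, then continue
TO_MANAGER = "to_manager"  # hand packet to the service manager over the manager interface
FORWARD = "forward"        # send out the network interface; lower priorities are preempted


@dataclass(frozen=True)
class FlowId:
    src: str
    dst: str
    dport: int


@dataclass
class Instruction:
    flow: FlowId
    priority: int      # service precedence: higher number = higher service priority
    action: str
    manager: str       # service manager that installed the instruction
    params: dict = field(default_factory=dict)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int

    def flow(self) -> FlowId:
        return FlowId(self.src, self.dst, self.dport)


class ForwardingAgent:
    def __init__(self):
        self._table: dict[FlowId, list[Instruction]] = {}
        self.sent: list[Packet] = []          # packets emitted on the network interface
        self.dropped: list[Packet] = []
        self.handed_off: list[tuple] = []     # (manager, packet, priority of the hand-off stage)

    def install(self, instr: Instruction) -> None:
        """Store a matching instruction; at most one instruction per priority per flow."""
        lst = self._table.setdefault(instr.flow, [])
        if any(i.priority == instr.priority for i in lst):
            raise ValueError(f"priority {instr.priority} already in use for {instr.flow}")
        lst.append(instr)
        lst.sort(key=lambda i: i.priority, reverse=True)   # highest priority first

    def receive_from_network(self, pkt: Packet):
        """Packet arrived on the network interface: every priority level is eligible."""
        return self._run(pkt, pkt.flow(), next_priority=None)

    def receive_from_manager(self, pkt: Packet, flow: FlowId, next_priority: int):
        """Packet returned on the service manager interface, encapsulated with the next
        service priority: only instructions at that level or lower are eligible."""
        return self._run(pkt, flow, next_priority)

    def _run(self, pkt: Packet, flow: FlowId, next_priority):
        """Returns (outcome, priorities executed, priorities not run after a terminal action)."""
        instrs = self._table.get(flow, [])
        executed, remaining, outcome = [], [], None
        for idx, instr in enumerate(instrs):
            if next_priority is not None and instr.priority > next_priority:
                continue                       # stage already completed before the hand-off
            executed.append(instr.priority)
            if instr.action == PERMIT:
                continue
            if instr.action == NAT:
                pkt.dst = instr.params["new_dst"]
                pkt.dport = instr.params.get("new_dport", pkt.dport)
                continue
            if instr.action == DROP:
                self.dropped.append(pkt); outcome = "dropped"
            elif instr.action == TO_MANAGER:
                self.handed_off.append((instr.manager, pkt, instr.priority)); outcome = "to_manager"
            elif instr.action == FORWARD:
                self.sent.append(pkt); outcome = "forwarded"
            else:
                raise ValueError(f"unknown action {instr.action!r}")
            # Terminal action: lower priorities are preempted (drop/forward) or deferred (to_manager).
            remaining = [i.priority for i in instrs[idx + 1:]]
            break
        if outcome is None:                    # no service consumed the packet: plain forwarding
            self.sent.append(pkt); outcome = "forwarded"
        return outcome, executed, remaining


def demo() -> dict:
    """Constructed sample flows exercising the three embodiments."""
    fa = ForwardingAgent()
    a = FlowId("10.0.0.1", "192.0.2.10", 80)      # filtered, load balanced, then NATed
    b = FlowId("203.0.113.7", "192.0.2.10", 80)   # dropped by the filter; NAT preempted
    c = FlowId("10.0.0.2", "192.0.2.10", 443)     # explicit forward preempts the NAT
    for instr in [Instruction(a, 30, PERMIT, "filter-mgr"),
                  Instruction(a, 20, TO_MANAGER, "lb-mgr"),
                  Instruction(a, 10, NAT, "nat-mgr", {"new_dst": "10.1.1.5"}),
                  Instruction(b, 30, DROP, "filter-mgr"),
                  Instruction(b, 10, NAT, "nat-mgr", {"new_dst": "10.1.1.5"}),
                  Instruction(c, 30, FORWARD, "filter-mgr"),
                  Instruction(c, 10, NAT, "nat-mgr", {"new_dst": "10.1.1.6"})]:
        fa.install(instr)
    out = {}
    pa = Packet(a.src, a.dst, a.dport)
    out["a_first"] = fa.receive_from_network(pa)            # stops at the load balancer hand-off
    _manager, pkt, stage = fa.handed_off[-1]
    out["a_resumed"] = fa.receive_from_manager(pkt, a, stage - 1)  # manager resumes below stage 20
    out["a_dst"] = pkt.dst
    out["b"] = fa.receive_from_network(Packet(b.src, b.dst, b.dport))
    pc = Packet(c.src, c.dst, c.dport)
    out["c"] = fa.receive_from_network(pc)
    out["c_dst"] = pc.dst
    return out
```

Two points a practitioner should check in a real implementation of this scheme: the agent matches on the flow as the packet arrived on the network interface, so a NAT rewrite at one priority must not cause a lower priority lookup to miss; and two managers installing instructions at the same precedence for the same flow is rejected at install time, because the hierarchy gives no way to order them.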
These and other features and advantages of the present invention will be presented in more detail in the following detailed description and the accompanying figures which illustrate by way of example the principles of the invention.