The Disadvantages of DSR (Direct Server Return)

posted on Thursday, July 03, 2008 4:29 AM

I read a very nice blog post yesterday discussing some of the traditional pros and cons of load-balancing configurations. The author comes to the conclusion that if you can use direct server return, you should.

I agree with the author's list of pros and cons; DSR is the least intrusive method of deploying a load-balancer in terms of network configuration. But there are quite a few disadvantages missing from the author's list.

Author's List of Disadvantages of DSR

The disadvantages of Direct Routing are:

Backend server must respond to both its own IP (for health checks) and the virtual IP (for load balanced traffic)
Port translation or cookie insertion cannot be implemented.
The backend server must not reply to ARP requests for the VIP (otherwise it will steal all the traffic from the load balancer)
Prior to Windows Server 2008 some odd routing behavior could occur in <2% of Windows Server installation.
In some situations either the application or the operating system cannot be modified to utilse Direct Routing.

Some additional disadvantages:

Protocol sanitization can't be performed.
This means vulnerabilities introduced due to manipulation of lax enforcement of RFCs and protocol specifications can't be addressed.
Application acceleration can't be applied.
Even the simplest of acceleration techniques, e.g. compression, can't be applied because the traffic is bypassing the load-balancer (a.k.a. application delivery controller).
Implementing caching solutions become more complex.
With a DSR configuration the routing that makes it so easy to implement requires that caching solutions be deployed elsewhere, such as via WCCP on the router. This requires additional configuration and changes to the routing infrastructure, and introduces another point of failure as well as an additional hop, increasing latency.
Error/Exception/SOAP fault handling can't be implemented.
In order to address failures in applications such as missing files (404) and SOAP Faults (500) it is necessary for the load-balancer to inspect outbound messages. Using a DSR configuration this ability is lost, which means errors are passed directly back to the user without the ability to retry a request, write an entry in the log, or notify an administrator.
Data Leak Prevention can't be accomplished.
Without the ability to inspect outbound messages, you can't prevent sensitive data (SSN, credit card numbers) from leaving the building.
Connection Optimization functionality is lost.
TCP multiplexing can't be accomplished in a DSR configuration because it relies on separating client connections from server connections. This reduces the efficiency of your servers and minimizes the value added to your network by a load balancer.

There are more disadvantages than you're likely willing to read, so I'll stop there. Suffice to say that the problem with the suggestion to use DSR whenever possible is that if you're an application-aware network administrator you know that most of the time, DSR isn't the right solution because it restricts the ability of the load-balancer (application delivery controller) to perform additional functions that improve the security, performance, and availability of the applications it is delivering.

DSR is well-suited, and always has been, to UDP-based streaming applications such as audio and video delivered via RTSP. However, in the increasingly sensitive environment that is application infrastructure, it is necessary to do more than just "load balancing" to improve the performance and reliability of applications. Additional application delivery techniques are an integral component to a well-performing, efficient application infrastructure.

DSR may be easier to implement and, in some cases, may be the right solution. But in most cases, it's going to leave you simply serving applications, instead of delivering them.

Just because you can, doesn't mean you should.

Technorati Tags: MacVittie,F5,BIG-IP,application delivery,application acceleration,load-balancing,web,http,internet,server,IP,TCP,optimization

Posted In: Security, Development and General, Performance,

13 Comments

Feedback

7/24/2008 4:49 AM
		Interesting post. Please excuse my ignorance but couldnt you avoid those disadvantages by implementing many of those things in a transparent proxy?
Paul

7/24/2008 4:57 AM
		@Paul, I assume by transparent proxy you mean that traffic flows through the load balancer (which acts as a forwarding switch) even though it is deployed in a DSR configuration. This would be similar to an L4 or L7 delayed binding scenario. Once the connection to the server is made, it simply forwards all requests/responses appropriately, but does not inspect the packets as they flow through the device. Because it is essentially acting as a bridging switch after the initial connection, all of the disadvantages apply. If it's acting as a true (full) proxy, then you can avoid the disadvantages, but you can't deploy the load balancer in a DSR configuration because the connections are coming from the load balancer (it becomes the client as far as the server is concerned) and must return to the load balancer. So I guess the short answer is "no", I'm not seeing a way to deploy DSR without incurring the disadvantages. :-)
Lori MacVittie

9/11/2008 1:09 PM
		All good points, I love DSR because it works well with well designed applications that cluster easily, scale horizontally, can handle their own session state, compression and acceleration easily and only need load balancing rather than a full application delivery controller. Alas a lot of applications don't handle the above points well so a powerful ADC such as F5 is a necessity in a lot of real world situations.
Malcolm Turnbull

12/25/2008 9:09 AM
		I don't know why compression can't be applied in DSR mode. A application related compression such as gzip in http is transparent to tcp/ip and of couse link layer.
surfchen

1/9/2009 10:58 AM
		For well-designed distributed systems almost all of the "disadvantages" of DSR are just not applicable. In this case your distributed system just have multiple entry points, and you should just take care about maintaining security invariants at each of the entry points, instead of having centralized point (which is also single point of failure and performance bottleneck). For distributed systems like this DSR just optimizes performance therefore makes system more scalable. Period. If you need centralized router/cache/proxy, you just don't need DSR :)
halt

4/23/2009 8:41 AM
		Regarding healt-checks, with DSR and PIP the health check process is using load-balancer ip address. Does it mean that if I disable DSR it will use PIP for health checks ? Thank you
snofrar

4/24/2009 3:51 AM
		@snofrar Can you define what you mean by "PIP" in this context? The term is frequently used in a variety of ways and we're trying to make sure we understand how you're using it so we can answer your question correctly. Thanks!
Lori MacVittie

2/10/2010 10:33 AM
		The author of this article clearly is a noob at performance based web applications. DSR uses the switch and mac address swapping as it's payload for doing it's job making it smoking fast. Most of the claimed issues have been resolved that the article talks about, and it's just a retarded article in my opinion. My guess is maybe the author of this article was smoking crack while writing such things as "But in most cases, it's going to leave you simply serving applications, instead of delivering them." Like what does that mean? Have you ever setup a modern day load balancer? -- luv tom :)
tom johnson

2/23/2010 8:42 PM
		I disagree completely with the OP. All of the supplementary disadvantages listed assume you would want to implement these features in the load-balancer - something which I would completely avoid anyway. This is expected though when every vendor, F5 included, is trying today to provide Swiss Army knife devices. The short answer is that none of the disadvantages are relevant because they are better addressed with dedicated devices elsewhere in the request-response stream or, as in the case of compression, on the origin server. The one obvious omission though was: * load balancer can't use load-adaptive feedback balancing algorithms because it can't deduce origin state other than by heuristics But this is not a marketing point of difference I suppose. Dave
Dave

2/24/2010 4:08 AM
		@dave You assertion that: "load balancer can't use load-adaptive feedback balancing algorithms because it can't deduce origin state other than by heuristics" is incorrect. Modern load balancers are capable of integrating with servers and applications and subsequently leveraging their state in dynamic load balancing algorithms. As far as compression on the origin server, it's inefficient and uses excessive CPU cycles. See: this post and included references re: CPU utilization, RAM, and impact on the origin server. Lori
macvittie

9/1/2010 2:05 AM
		"Just because you can, doesn't mean you should" - Love it!! I'm always having to trot that one out as people DO want to use the F5 as a swiss army knife. Good article and very valid points. I think some of the nay-sayers (to your comments here) are showing their lack of understanding of the role of a modern-day load-balancer as an ADC.
AussieJo

1/9/2011 12:44 AM
		To answer the disadvantages: 1) Shouldn't be done by a load balancer 2) Really shouldn't be done by a load balancer 3) Should really be built into the application 4) Self-testing application nodes or an external testing system solve this easily 5) WTF!? Seriously? Why would you rely on your load balancer to double check that you really didn't send nuclear launch codes to your client? That is number 2 on the checklist. Does the page fail to render? Does it include nuclear launch codes? 6) See #1 A load balancer should 1) balance the load of incoming requests and 2) shut up and stay out of the way. Sure a lot of people want a load balancer that does it all for them, that is why they are dumb enough to buy expensive appliances. Here is why a load balancer should do NONE of that. The load balancer is the entry node to your application, thus it is a potential bottleneck. If your load balancer does nothing but balance load it is relatively resource light and a low-end machine can do a lot of work. If everything else is accomplished by application servers you can more easily scale horizontally. If your load balancer does everything you will eventually need another, and another, soon you will be load balancing load balancers. This adds complexity and increases cost. With the application servers doing all the grunt work you can just add a few more, inexpensive machines, and handle the load.
Justin Giorgi

8/15/2011 2:08 AM
		Re-writing/re-routing TCP packets for load balancing - Admins Goodies
Pingback/TrackBack

Let Me Know What You Think

Please use the form below if you have any comments, questions, or suggestions.

Title:

Name:

Email: (so we can show your gravatar)

Website:

Comment: Allowed tags: blockquote, a, strong, em, p, u, strike, super, sub, code

Remember Me?

Enter the code shown above:

Please add 3 and 8 and type the answer here:

		General SOA
		SOA Delivery
		Randomness
		Web 2.0
		Security
		iRules
		iControl
		Development and General
		Monitoring/Management
		XML
		ISV Solutions
		Microsoft Solutions
		Performance
		Cloud Computing
		Virtualization
		WILS
		Infrastructure 2.0
		F5 Friday
		Data Center Feng Shui
		Dynamic Infrastructure
		Load balancing
		Service Providers
		1024 Words
		v10.2.2
		v11
		JSON
		HTML5
		Mobile
		iApp
		Availability
		Storage
		DDoS
		AppSec
		TradSec

		February, 2012 (2)
		January, 2012 (13)
		December, 2011 (9)
		November, 2011 (12)
		October, 2011 (14)
		September, 2011 (14)
		August, 2011 (16)
		July, 2011 (12)
		June, 2011 (14)
		May, 2011 (12)
		April, 2011 (16)
		March, 2011 (16)
		February, 2011 (12)
		January, 2011 (14)
		December, 2010 (12)
		November, 2010 (14)
		October, 2010 (14)
		September, 2010 (13)
		August, 2010 (13)
		July, 2010 (18)
		June, 2010 (22)
		May, 2010 (22)
		April, 2010 (19)
		March, 2010 (23)
		February, 2010 (20)
		January, 2010 (17)
		December, 2009 (16)
		November, 2009 (20)
		October, 2009 (22)
		September, 2009 (21)
		August, 2009 (25)
		July, 2009 (18)
		June, 2009 (20)
		May, 2009 (20)
		April, 2009 (21)
		March, 2009 (23)
		February, 2009 (17)
		January, 2009 (19)
		December, 2008 (17)
		November, 2008 (18)
		October, 2008 (27)
		September, 2008 (32)
		August, 2008 (31)
		July, 2008 (30)
		June, 2008 (33)
		May, 2008 (30)
		April, 2008 (24)
		March, 2008 (5)
		February, 2008 (4)
		January, 2008 (8)
		December, 2007 (5)
		November, 2007 (6)
		October, 2007 (3)
		September, 2007 (5)
		August, 2007 (7)
		July, 2007 (7)
		June, 2007 (5)
		May, 2007 (11)
		April, 2007 (9)
		March, 2007 (7)
		February, 2007 (10)
		January, 2007 (5)
		December, 2006 (4)
		November, 2006 (8)