Topics

Blogs

Forums

Samples

Media

Labs

Resources
 




DevCentral > Weblogs > Lori MacVittie - Two Different Socks
 The Disadvantages of DSR (Direct Server Return)
posted on Thursday, July 03, 2008 4:29 AM

I read a very nice blog post yesterday discussing some of the traditional pros and cons of load-balancing configurations. The author comes to the conclusion that if you can use direct server return, you should.

I agree with the author's list of pros and cons; DSR is the least intrusive method of deploying a load-balancer in terms of network configuration. But there are quite a few disadvantages missing from the author's list.

Author's List of Disadvantages of DSR

The disadvantages of Direct Routing are:

  • Backend server must respond to both its own IP (for health checks) and the virtual IP (for load balanced traffic)
  • Port translation or cookie insertion cannot be implemented.
  • The backend server must not reply to ARP requests for the VIP (otherwise it will steal all the traffic from the load balancer)
  • Prior to Windows Server 2008  some odd routing behavior could occur in <2% of Windows Server installation.
  • In some situations either the application or the operating system cannot be modified to utilse Direct Routing.

Some additional disadvantages:

  1. Protocol sanitization can't be performed.
    This means vulnerabilities introduced due to manipulation of lax enforcement of RFCs and protocol specifications can't be addressed.
  2. Application acceleration can't be applied.
    Even the simplest of acceleration techniques, e.g. compression, can't be applied because the traffic is bypassing the load-balancer (a.k.a. application delivery controller).
  3. Implementing caching solutions become more complex.
    With a DSR configuration the routing that makes it so easy to implement requires that caching solutions be deployed elsewhere, such as via WCCP on the router. This requires additional configuration and changes to the routing infrastructure, and introduces another point of failure as well as an additional hop, increasing latency.
  4. Error/Exception/SOAP fault handling can't be implemented.
    In order to address failures in applications such as missing files (404) and SOAP Faults (500) it is necessary for the load-balancer to inspect outbound messages. Using a DSR configuration this ability is lost, which means errors are passed directly back to the user without the ability to retry a request, write an entry in the log, or notify an administrator.
  5. Data Leak Prevention can't be accomplished.
    Without the ability to inspect outbound messages, you can't prevent sensitive data (SSN, credit card numbers) from leaving the building.
  6. Connection Optimization functionality is lost.
    TCP multiplexing can't be accomplished in a DSR configuration because it relies on separating client connections from server connections. This reduces the efficiency of your servers and minimizes the value added to your network by a load balancer.

There are more disadvantages than you're likely willing to read, so I'll stop there. Suffice to say that the problem with the suggestion to use DSR whenever possible is that if you're an application-aware network administrator you know that most of the time, DSR isn't the right solution because it restricts the ability of the load-balancer (application delivery controller) to perform additional functions that improve the security, performance, and availability of the applications it is delivering.

DSR is well-suited, and always has been, to UDP-based streaming applications such as audio and video delivered via RTSP. However, in the increasingly sensitive environment that is application infrastructure, it is necessary to do more than just "load balancing" to improve the performance and reliability of applications. Additional application delivery techniques are an integral component to a well-performing, efficient application infrastructure.

DSR may be easier to implement and, in some cases, may be the right solution. But in most cases, it's going to leave you simply serving applications, instead of delivering them.

Just because you can, doesn't mean you should.

Follow me on Twitter View Lori's profile on SlideShare



 
      

Feedback

7/24/2008 4:49 AM
Gravatar Interesting post. Please excuse my ignorance but couldnt you avoid those disadvantages by implementing many of those things in a transparent proxy?
Paul
7/24/2008 4:57 AM
Gravatar @Paul,

I assume by transparent proxy you mean that traffic flows through the load balancer (which acts as a forwarding switch) even though it is deployed in a DSR configuration.

This would be similar to an L4 or L7 delayed binding scenario. Once the connection to the server is made, it simply forwards all requests/responses appropriately, but does not inspect the packets as they flow through the device. Because it is essentially acting as a bridging switch after the initial connection, all of the disadvantages apply.

If it's acting as a true (full) proxy, then you can avoid the disadvantages, but you can't deploy the load balancer in a DSR configuration because the connections are coming from the load balancer (it becomes the client as far as the server is concerned) and must return to the load balancer.

So I guess the short answer is "no", I'm not seeing a way to deploy DSR without incurring the disadvantages. :-)
Lori MacVittie
9/11/2008 1:09 PM
Gravatar All good points, I love DSR because it works well with well designed applications that cluster easily, scale horizontally, can handle their own session state, compression and acceleration easily and only need load balancing rather than a full application delivery controller.

Alas a lot of applications don't handle the above points well so a powerful ADC such as F5 is a necessity in a lot of real world situations.
Malcolm Turnbull
12/25/2008 9:09 AM
Gravatar I don't know why compression can't be applied in DSR mode.

A application related compression such as gzip in http is transparent to tcp/ip and of couse link layer.
surfchen
1/9/2009 10:58 AM
Gravatar For well-designed distributed systems almost all of the "disadvantages" of DSR are just not applicable.
In this case your distributed system just have multiple entry points, and you should just take care about maintaining security invariants at each of the entry points, instead of having centralized point (which is also single point of failure and performance bottleneck).
For distributed systems like this DSR just optimizes performance therefore makes system more scalable. Period.

If you need centralized router/cache/proxy, you just don't need DSR :)
halt
4/23/2009 8:41 AM
Gravatar Regarding healt-checks, with DSR and PIP the health check process is using load-balancer ip address. Does it mean that if I disable DSR it will use PIP for health checks ?

Thank you
snofrar
4/24/2009 3:51 AM
Gravatar @snofrar

Can you define what you mean by "PIP" in this context? The term is frequently used in a variety of ways and we're trying to make sure we understand how you're using it so we can answer your question correctly.

Thanks!
Lori MacVittie
2/10/2010 10:33 AM
Gravatar The author of this article clearly is a noob at performance based web applications. DSR uses the switch and mac address swapping as it's payload for doing it's job making it smoking fast. Most of the claimed issues have been resolved that the article talks about, and it's just a retarded article in my opinion.

My guess is maybe the author of this article was smoking crack while writing such things as "But in most cases, it's going to leave you simply serving applications, instead of delivering them." Like what does that mean?

Have you ever setup a modern day load balancer?

-- luv tom :)
tom johnson
2/23/2010 8:42 PM
Gravatar I disagree completely with the OP. All of the supplementary disadvantages listed assume you would want to implement these features in the load-balancer - something which I would completely avoid anyway.

This is expected though when every vendor, F5 included, is trying today to provide Swiss Army knife devices. The short answer is that none of the disadvantages are relevant because they are better addressed with dedicated devices elsewhere in the request-response stream or, as in the case of compression, on the origin server.

The one obvious omission though was:

* load balancer can't use load-adaptive feedback balancing algorithms because it can't deduce origin state other than by heuristics

But this is not a marketing point of difference I suppose.

Dave
Dave
2/24/2010 4:08 AM
Gravatar @dave

You assertion that: "load balancer can't use load-adaptive feedback balancing algorithms because it can't deduce origin state other than by heuristics" is incorrect. Modern load balancers are capable of integrating with servers and applications and subsequently leveraging their state in dynamic load balancing algorithms.

As far as compression on the origin server, it's inefficient and uses excessive CPU cycles. See: this post and included references re: CPU utilization, RAM, and impact on the origin server.

Lori

macvittie
 Leave Feedback
Title  
Name  
Email
Url
Comments   
Please add 6 and 6 and type the answer here:

Copyright 1996 - 2007 F5 Networks, Inc. | Privacy Statement | Terms Of Use