[dns-operations] ECN & Juniper load balancing breaks TCP queries

Mark Andrews marka at isc.org
Fri Sep 1 00:11:29 UTC 2017


In message <CADE=H6D+V7YmrUHkAg12gn7AconK2jdDhS5gJdV=91Am7tamEA at mail.gmail.com>, Doug Porter writes:
> On Thu, Aug 31, 2017 at 2:30 AM, O'Hara, Ben <Ben.O'Hara at team.neustar> wrote:
> >
> > We are using Juniper routers in-front of our anycast dns nodes in some
> > locations.
> >
> > Noticed if the client set the ECN flags in a TCP query the router sends the
> > threeway handshake to one node, but the data to a second node which
> > correctly sends a RESET.
> 
> Some of my coworkers debugged and fixed this recently at Facebook.
> Remove type of service/traffic class from your hash key.
> 
> <https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/enhanced-hash-key-edit-forwarding-options.html>

Additionally, source and destination ports should also be removed,
as using them breaks fragmented traffic.  Yes, TCP segments can be
over fragmented IP packets.

Also, if the load balancer doesn't look inside the ICMP/ICMPv6 packet
payload to work out where to send it, take it out of the rack and
run over it with a steamroller.  There is way too much garbage out
there.

> -- 
> dsp
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
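The failure mode in this thread comes down to which header fields go into the router's per-packet hash key. The following simulation is an added example and is not code from the thread, from Juniper or from ISC; the key functions, packet layout and the CRC32 stand-in for the router's ECMP hash are assumptions for illustration. It models an ECN-capable TCP connection, where the SYN and the ACK of the SYN-ACK carry Not-ECT (ECN bits 00) in the IP ToS byte but the data segments carry ECT(0) (bits 10), and a TCP segment split into two IP fragments, where only the first fragment carries the TCP ports. A key that includes ToS or ports gives those packets different hash keys, so they can land on different anycast nodes; a key limited to addresses and protocol keeps every packet of the flow on one node under any hash function.

```python
"""Flow-hash simulation (constructed example): why ToS/ECN bits and L4
ports in a load-balancer hash key can split one TCP connection across
anycast nodes, and why an address-only key does not."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple
import zlib


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    tos: int                      # IPv4 ToS / IPv6 traffic class; ECN is the low 2 bits
    sport: Optional[int] = None   # None when no L4 header is visible (non-first fragment)
    dport: Optional[int] = None


KeyFn = Callable[[Packet], Tuple]


def key_tos_and_ports(p: Packet) -> Tuple:
    """Hash key that includes ToS/traffic class and L4 ports (the problematic key)."""
    return (p.src, p.dst, p.proto, p.tos, p.sport, p.dport)


def key_addresses_only(p: Packet) -> Tuple:
    """Hash key limited to fields identical in every packet of a flow, fragments included."""
    return (p.src, p.dst, p.proto)


def distinct_keys(packets: Sequence[Packet], key_fn: KeyFn) -> int:
    """Number of distinct hash keys produced by one flow's packets."""
    return len({key_fn(p) for p in packets})


def flow_stays_on_one_node(packets: Sequence[Packet], key_fn: KeyFn) -> bool:
    """True iff all packets share one key, so any hash function sends them to one node."""
    return distinct_keys(packets, key_fn) == 1


def varying_fields(packets: Sequence[Packet]) -> set:
    """Header fields that differ between packets of the flow: anything here must stay
    out of the hash key, or the flow may be split."""
    names = ("src", "dst", "proto", "tos", "sport", "dport")
    return {n for n in names if len({getattr(p, n) for p in packets}) > 1}


def node_for(p: Packet, key_fn: KeyFn, nodes: Sequence[str]) -> str:
    """Stand-in for the router's ECMP hash (assumption): CRC32 of the key mod node count."""
    return nodes[zlib.crc32(repr(key_fn(p)).encode()) % len(nodes)]


# Constructed ECN-capable TCP DNS query (RFC 3168: SYN and the SYN-ACK's ACK are
# Not-ECT, i.e. ECN bits 00; data segments are ECT(0), i.e. ECN bits 10 = 0x02).
ECN_TCP_FLOW: List[Packet] = [
    Packet("192.0.2.10", "198.51.100.53", 6, tos=0x00, sport=50000, dport=53),  # SYN
    Packet("192.0.2.10", "198.51.100.53", 6, tos=0x00, sport=50000, dport=53),  # ACK
    Packet("192.0.2.10", "198.51.100.53", 6, tos=0x02, sport=50000, dport=53),  # query
]

# Constructed TCP segment carried in two IPv4 fragments: only the first fragment
# has the TCP header, so the second has no ports for the hash to use.
FRAGMENTED_FLOW: List[Packet] = [
    Packet("192.0.2.10", "198.51.100.53", 6, tos=0x00, sport=50000, dport=53),  # frag 0
    Packet("192.0.2.10", "198.51.100.53", 6, tos=0x00),                          # frag 1
]

ANYCAST_NODES = ["node-a", "node-b", "node-c", "node-d"]  # hypothetical


if __name__ == "__main__":
    for name, flow in (("ECN TCP", ECN_TCP_FLOW), ("fragmented", FRAGMENTED_FLOW)):
        print(f"{name} flow: fields varying across packets = {sorted(varying_fields(flow))}")
        for label, key_fn in (("tos+ports key", key_tos_and_ports),
                              ("address-only key", key_addresses_only)):
            nodes = [node_for(p, key_fn, ANYCAST_NODES) for p in flow]
            print(f"  {label:17s} distinct keys={distinct_keys(flow, key_fn)} "
                  f"stable={flow_stays_on_one_node(flow, key_fn)} nodes={nodes}")
```

`varying_fields` is the check to run before choosing a hash key: any field it reports for legitimate single-flow traffic is one the key must not include. On real hardware the hash function is opaque, so the useful property to test is key stability (one distinct key per flow), not which node a given packet happens to select. The Junos statement for narrowing the key is the `enhanced-hash-key` documentation linked earlier in the thread; its exact syntax is not reproduced here.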