Outbound source IP address in multi-homed hosts

a_schafs
Occasional Visitor

Hi,

We're trying to cluster an application with minimal remote firewall changes. I wanted to know if there was any change in HP-UX's behaviour with respect to source IPs in multi-homed hosts (e.g. ServiceGuard), that is:

- Well-designed cluster applications will call bind() to specify the outbound source IP as the virtual IP.
- For TCP connections established from the remote host, the server replies with the same source IP that the connection was initiated to.
- For outbound connections where the source IP was not explicitly bound, the physical IP of the interface with the virtual IP is often used (since it usually is first in the routing table).

Is my understanding correct?

On Solaris, this is resolved by using "deprecated" on the physical interfaces - is there anything similar for HP-UX? Any other ways around this issue?

Thanks in advance.

Regards,
Andrew
MaSa_3
Advisor

Re: Outbound source IP address in multi-homed hosts

Hi,
as far as I know there is no simple solution dealing with that issue.
But here is a good paper that addresses that topic and gives suggestions on how to deal with "unbound applications" on HP-UX hosts:

http://mayoxide.com/presentations/Understanding_hpux_routing.pdf

Olivier Masse
Honored Contributor

Re: Outbound source IP address in multi-homed hosts

Yeah I was going to quote that paper as well but MaSa beat me to it. :)

First of all, applications that are bound to an interface don't pose any problems. This is the best way to go.

But when dealing with unbound applications, the easiest solution is usually to authorize in your firewall all possible source IPs that it can have.

Example: you have Host A at 192.168.0.10, Host B at 192.168.0.11, and your floating IP at 192.168.0.12. Your firewall will have to authorize 10, 11, and 12. This works well but can cause problems if you have ACLs in an uncontrolled remote application that will allow just ONE IP address as the source.

There are tricks using static routes that can get around this limitation; they're mentioned in the paper. I use them personally, and it has worked well for a while. But they're not officially supported by HP.

If you can, also avoid multi-homing on different routable networks or you'll run into problems unless using the strong ES model and this can become messy quickly.

Good luck
a_schafs
Occasional Visitor

Re: Outbound source IP address in multi-homed hosts

Ok, thanks for the responses. I had actually read that paper before (and agree it's a great doc for anyone not familiar with the issue). I would as a general rule also put both physicals and virtuals in my firewall config. It's just in this case, there's only one IP and it's a hub-and-spoke model with ~20 remote firewalls.

I guess I was just wondering if there were any recent developments in this.

We'll probably see how we go with making the changes using static routing or binding the application (if that's possible) until the firewall changes can be made.

Thanks,
Andrew
rick jones
Honored Contributor

Re: Outbound source IP address in multi-homed hosts

If one knows the application well enough, and can do a bit of programming, writing a library one can LD_PRELOAD into the application to intercept one or more system calls can be one way to take an application which does not make explicit bind() calls and turn it into one which does.
there is no rest for the wicked yet the virtuous have no pillows
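The interposer approach described in the post above, as an added example written for this page (it is not code from the thread, from HP, or from any project): it intercepts connect(), and if the application has not bound the socket itself, binds it to the address given in the SRCBIND_IP environment variable (a name assumed for this example) so that an unbound client originates from the virtual IP. The build line assumes a Linux toolchain.

```c
// Added example: LD_PRELOAD interposer that forces unbound TCP clients to
// originate from a chosen source IP. SRCBIND_IP is a hypothetical variable name.
// Build (Linux, assumed): cc -shared -fPIC -o libsrcbind.so srcbind.c -ldl
// Use: SRCBIND_IP=192.168.0.12 LD_PRELOAD=./libsrcbind.so ./unbound_app
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Bind fd to the IPv4 address in `ip`; port 0 lets the kernel pick an
 * ephemeral port. Returns 0 on success, -1 with errno set on failure. */
int bind_source_ip(int fd, const char *ip)
{
    struct sockaddr_in src;
    memset(&src, 0, sizeof src);
    src.sin_family = AF_INET;
    src.sin_port = 0;
    if (inet_pton(AF_INET, ip, &src.sin_addr) != 1) {
        errno = EINVAL; /* not a dotted-quad address */
        return -1;
    }
    return bind(fd, (struct sockaddr *)&src, sizeof src);
}

/* Nonzero if the socket already has a non-wildcard local address, i.e. the
 * application bound it explicitly and the interposer must leave it alone. */
int already_bound(int fd)
{
    struct sockaddr_in cur;
    socklen_t len = sizeof cur;
    if (getsockname(fd, (struct sockaddr *)&cur, &len) != 0)
        return 0;
    return cur.sin_family == AF_INET && cur.sin_addr.s_addr != htonl(INADDR_ANY);
}

/* Interposed connect(): bind the configured source IP, then call libc's connect. */
int connect(int fd, const struct sockaddr *addr, socklen_t addrlen)
{
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);
    if (!real_connect)
        real_connect = dlsym(RTLD_NEXT, "connect");
    const char *ip = getenv("SRCBIND_IP");
    if (ip && addr && addr->sa_family == AF_INET && !already_bound(fd))
        bind_source_ip(fd, ip); /* on failure, fall through and let the kernel choose */
    return real_connect(fd, addr, addrlen);
}
```

Because the bind happens only when the socket is still on the wildcard address, applications that already bind() correctly are unaffected, and a bind failure (for example an IP not configured on the host) leaves the original behaviour in place rather than breaking the connection.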