DTLS Load Balancing

Simon Bernard
October 19, 2017 05:44AM
Hi,

  There is a draft[1] at the IETF about connection ID for DTLS. This
is a way to identify a "DTLS connection" by an ID instead of the
classical IP address/port tuple. The objective is to reduce the need for
a full DTLS handshake when the client address/port changes.

   I would like to know if it makes sense to do load balancing based
on this connection ID.

   Here is the use case:
   You have a cluster of servers behind a unique IP address.
   You do load balancing using IP address.
   You use UDP/DTLS.
   Some clients are behind NAT and so their IP/port can change.
   DTLS connection states are stored in each server and so are not shared.


   So if clients use the same address/port, there is no issue as traffic
will always be redirected to the same server. The server already has a
connection for this peer, no need for a full handshake.
   If the address/port changes, 2 possibilities:
     - by chance, the load balancer sends traffic to the same server and
thanks to the CID the server can reuse its connection, no need for a full handshake
     - bad luck, traffic is redirected to a server which does not know this
peer so it will need to do a full handshake.

   It seems to me that doing load balancing on this connection ID could
solve the problem. [2]

   Does it make sense to you? Is it a way to create a kind of 3rd party
module for nginx?

Thx

Simon

[1]https://tools.ietf.org/html/draft-rescorla-tls-dtls-connection-id-00
[2]https://www.ietf.org/mail-archive/web/tls/current/msg24619.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
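
The routing decision asked about in the post above, as an added example (not part of the original post and not nginx code). Assumptions: the record layout later published as RFC 9146 rather than the -00 draft, a CID length fixed in the balancer's configuration, and a hypothetical convention in which the server that ran the handshake puts its own backend index in the first CID byte, since a plain hash of the CID would not necessarily land on the server holding the state. `route_dtls`, `ROUTE_DROP` and the sample record are names and data constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CT_TLS12_CID 25   /* record content type for CID records (RFC 9146) */
#define CID_OFFSET   11   /* type(1) + version(2) + epoch(2) + sequence(6) */
#define ROUTE_DROP   (-1)

/* Assumed CID convention (this example's own): byte 0 is the index of the
 * backend that ran the handshake, the remaining bytes are random. The CID
 * length is not carried in the record, so it is fixed in configuration. */
int route_dtls(const uint8_t *d, size_t len, size_t cid_len,
               uint32_t addr_hash, unsigned n_backends)
{
    if (n_backends == 0 || len < 1)
        return ROUTE_DROP;
    if (d[0] != CT_TLS12_CID || cid_len == 0)    /* handshake or non-CID record */
        return (int)(addr_hash % n_backends);    /* classic address-based choice */
    if (len < CID_OFFSET + cid_len + 2 || d[1] != 0xFE || d[2] != 0xFD)
        return ROUTE_DROP;                       /* truncated or not DTLS 1.2 */
    size_t body = ((size_t)d[CID_OFFSET + cid_len] << 8) | d[CID_OFFSET + cid_len + 1];
    if (CID_OFFSET + cid_len + 2 + body > len)
        return ROUTE_DROP;                       /* length field overruns datagram */
    unsigned backend = d[CID_OFFSET];            /* unauthenticated routing hint only */
    return backend < n_backends ? (int)backend : ROUTE_DROP;
}

/* Constructed sample: one CID record, 4-byte CID {02 AA BB CC}, 3-byte body. */
static const uint8_t sample_record[] = {
    25, 0xFE, 0xFD, 0x00, 0x01, 0, 0, 0, 0, 0, 0x07,
    0x02, 0xAA, 0xBB, 0xCC, 0x00, 0x03, 0xDE, 0xAD, 0xBE
};

int main(void)
{
    /* Same record arriving from two different source addresses (NAT rebinding). */
    int before = route_dtls(sample_record, sizeof sample_record, 4, 0x1111u, 4);
    int after  = route_dtls(sample_record, sizeof sample_record, 4, 0x2222u, 4);
    printf("before=%d after=%d\n", before, after);
    return before == after ? 0 : 1;
}
```

The CID is sent in the clear and the balancer cannot authenticate it, so it is only a routing hint: the backend still has to verify the record's MAC against its own connection state before accepting anything.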