1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
|
Network Working Group M. Tuexen
Request for Comments: 3237 Siemens AG
Category: Informational Q. Xie
Motorola
R. Stewart
M. Shore
Cisco
L. Ong
Ciena
J. Loughney
M. Stillman
Nokia
January 2002
Requirements for Reliable Server Pooling
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document defines a basic set of requirements for reliable server
pooling.
The goal of Reliable Server Pooling (RSerPool) is to develop an
architecture and protocols for the management and operation of server
pools supporting highly reliable applications, and for client access
mechanisms to a server pool.
1. Introduction
1.1. Overview
The Internet is always on. Many users expect services to be always
available; many businesses depend upon connectivity 24 hours a day, 7
days a week, 365 days a year. In order to fulfill this level of
performance, many proprietary solutions and operating system
dependent solutions have been developed to provide highly reliable
and highly available servers.
Tuexen, et al. Informational [Page 1]
^L
RFC 3237 Requirements for Reliable Server Pooling January 2002
This document defines requirements for an architecture and protocols
enabling pooling of servers to support high reliability and
availability for applications.
The range of applications that can benefit from reliable server
pooling includes both mobile and real-time applications. Reliable
server pooling mechanisms will be designed to support functionality
for flexible pooling such as registration and deregistration, and
load balancing of traffic across the server pool. Mechanisms will
need to balance the needs of scalability, overhead traffic and
response time to changes in pool status, as discussed below.
1.2. Terminology
This document uses the following terms:
Operation scope:
The part of the network visible to pool users by a specific
instance of the reliable server pooling protocols.
Pool (or server pool):
A collection of servers providing the same application
functionality.
Pool handle (or pool name):
A logical pointer to a pool. Each server pool will be
identifiable in the operation scope of the system by a unique
pool handle or "name".
Pool element:
A server entity having registered to a pool.
Pool user:
A server pool user.
Pool element handle (or endpoint handle):
A logical pointer to a particular pool element in a pool,
consisting of the name of the pool and one or more destination
transport addresses for the pool element.
Name space:
A cohesive structure of pool names and relations that may be
queried by an internal or external agent.
Name server:
Entity which is responsible for managing and maintaining the
name space within the RSerPool operation scope.
Tuexen, et al. Informational [Page 2]
^L
RFC 3237 Requirements for Reliable Server Pooling January 2002
RSerPool:
The architecture and protocols for reliable server pooling.
1.3. Abbreviations
PE: Pool element
PU: Pool user
SCTP: Stream Control Transmission Protocol
TCP: Transmission Control Protocol
2. Requirements
2.1. Robustness
The solution must allow itself to be implemented and deployed in such
a way that there is no single point of failure in the system.
2.2. Failover Support
The RSerPool architecture must be able to detect failure of pool
elements and name servers supporting the pool, and support failover
to available alternate resources.
2.3. Communication Model
The general architecture should support flexibility of the
communication model between pool users and pool elements, especially
allowing for a peer-to-peer relationship to support some
applications.
2.4. Processing Power
It should be possible to use the protocol stack in small devices,
like handheld wireless devices. The solution must scale to devices
with a differing range of processing power.
2.5. Transport Protocol
The protocols used for the pool handling should not cause network
congestion. This means that it should not generate heavy traffic,
even in case of failures, and has to use flow control and congestion
avoidance algorithms which are interoperable with currently deployed
techniques, especially the flow control of TCP [RFC793] and SCTP
[RFC2960] and must be compliant with [RFC2914].
Tuexen, et al. Informational [Page 3]
^L
RFC 3237 Requirements for Reliable Server Pooling January 2002
The architecture should not rely on multicast capabilities of the
underlying layer. Nevertheless, it can make use of it if multicast
capabilities are available.
Network failures have to be handled and concealed from the
application layer as much as possible by the transport protocol.
This means that the underlying transport protocol must provide a
strong network failure handling capability on top of an acknowledged
error-free non-duplicated data delivery service. The failure of a
network element must be handled by the transport protocol in such a
way that the timing requirements are still fulfilled.
2.6. Support of RSerPool Unaware Clients
The architecture should allow for ease of interaction between pools
and non-RSerPool-aware clients. However, it is assumed that only
RSerPool-aware participants will receive maximum timing and
notification benefits the architecture offers.
2.7. Registering and Deregistering
Another important requirement is that servers should be able to
register to (become PEs) and deregister from a server pool
transparently without an interruption in service. This means that
after a PE has deregistered, it will continue to serve PUs which
started their connection before the deregistration of the PE. New
connections will be directed towards an alternative PE.
Servers should be able to register in multiple server pools which may
belong to different namespaces.
2.8. Naming
Server pools are identified by pool handles. These pool handles are
only valid inside the operation scope. Interoperability between
different namespaces has to be provided by other mechanisms.
2.9. Name Resolution
The name resolution should not result in a pool element which is not
operational. This might be important for fulfilling the timing
requirements described below.
2.10. Server Selection
The RSerPool mechanisms must be able to support different server
selection mechanisms. These are called server pool policies.
Tuexen, et al. Informational [Page 4]
^L
RFC 3237 Requirements for Reliable Server Pooling January 2002
Examples of server pool policies are:
- Round Robin
- Least used
- Most used
The set of supported policies must be extensible in the sense that
new policies can be added as required. Non-stochastic and stochastic
policies can be supported.
There must be a way for the client to provide operational status
feedback to the name server about the pool elements.
The name server protocols must be extensible to allow more refined
server selection mechanisms to be implemented as they are developed
in the future.
For some applications it is important that a client repeatedly
connects to the same server in a pool if it is possible, i.e., if
that server is still alive. This feature should be supported through
the use of pool element handles.
2.11. Timing Requirements and Scaling
Handling of name resolution must be fast to support real-time
applications. Moreover, the name space should reflect pool
membership changes to the client application as rapidly as possible,
i.e., not waiting until the client application next reconnects.
The architecture should support control of timing parameters based on
specific needs, e.g., of an application or implementation.
In order to support more rapid and accurate response, the
requirements on scalability of the mechanism are limited to server
pools consisting of a suitably large but not Internet-wide number of
elements, as necessary to support bounded delay in handling real-time
name resolution.
Also, there is no requirement to support hierarchical organization of
name servers for scalability. Instead, it is envisioned that the set
of name servers supporting a particular pool is organized as a flat
space of equivalent servers. Accordingly, the impact of relatively
frequent updates to ensure accurate reflection of the status of pool
elements is limited to the set of name servers supporting a specific
pool.
Tuexen, et al. Informational [Page 5]
^L
RFC 3237 Requirements for Reliable Server Pooling January 2002
2.12. Scalability
The RSerPool architecture should not require a limitation on the
number of server pools or on the number of pool users, although the
size of an individual pool may be limited by timing requirements as
defined above.
2.13. Security Requirements
2.13.1. General
- The scaling characteristics of the security architecture should be
compatible with those given previously.
- The security architecture should support hosts having a wide range
of processing powers.
2.13.2. Name Space Services
- It must not be possible for an attacker to falsely register as a
pool element with the name server either by masquerading as
another pool element or by registering in violation of local
authorization policy.
- It must not be possible for an attacker to deregister a server
which has successfully registered with the name server.
- It must not be possible for an attacker to spoof the response to a
query to the name server
- It must be possible to protect the privacy of queries to the name
server and responses to those queries from the name server.
- Communication among name servers must be afforded the same
protections as communication between clients and name servers.
2.13.3. Security State
The security context of an application is a subset of the overall
context, and context or state sharing is explicitly out-of-scope for
RSerPool. Because RSerPool does introduce new security
vulnerabilities to existing applications application designers
employing RSerPool should be aware of problems inherent in failing
over secured connections. Security services necessarily retain some
state and this state may have to be moved or re-established.
Examples of this state include authentication or retained ciphertext
Tuexen, et al. Informational [Page 6]
^L
RFC 3237 Requirements for Reliable Server Pooling January 2002
for ciphers operating in cipher block chaining (CBC) or cipher
feedback (CFB) mode. These problems must be addressed by the
application or by future work on RSerPool.
3. Security Considerations
Security issues are discussed in section 2.13.
4. Acknowledgements
The authors would like to thank Bernard Aboba, Matt Holdrege, Eliot
Lear, Christopher Ross, Werner Vogels and many others for their
invaluable comments and suggestions.
5. References
[RFC793] Postel, J., "Transmission Control Protocol", STD 7, RFC
793, September 1981.
[RFC959] Postel, J. and J. Reynolds, "File Transfer Protocol (FTP)",
STD 9, RFC 959, October 1985.
[RFC2026] Bradner, S., "The Internet Standards Process -- Revision
3", BCP 9, RFC 2026, October 1996.
[RFC2608] Guttman, E., Perkins, C., Veizades, J. and M. Day, "Service
Location Protocol, Version 2", RFC 2608, June 1999.
[RFC2719] Ong, L., Rytina, I., Garcia, M., Schwarzbauer, H., Coene,
L., Lin, H., Juhasz, I., Holdrege, M. and C. Sharp,
"Framework Architecture for Signaling Transport", RFC 2719,
October 1999.
[RFC2914] Floyd, S., "Congestion Control Principles", BCP 41, RFC
2914, September 2000.
[RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C.,
Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M., Zhang,
L. and V. Paxson, "Stream Control Transmission Protocol",
RFC 2960, November 2000.
Tuexen, et al. Informational [Page 7]
^L
RFC 3237 Requirements for Reliable Server Pooling January 2002
6. Authors' Addresses
Michael Tuexen
Siemens AG
ICN WN CS SE 51
D-81359 Munich
Germany
Phone: +49 89 722 47210
EMail: Michael.Tuexen@icn.siemens.de
Qiaobing Xie
Motorola, Inc.
1501 W. Shure Drive, #2309
Arlington Heights, Il 60004
USA
Phone: +1 847 632 3028
EMail: qxie1@email.mot.com
Randall Stewart
Cisco Systems, Inc.
24 Burning Bush Trail
Crystal Lake, Il 60012
USA
Phone: +1 815 477 2127
EMail: rrs@cisco.com
Melinda Shore
Cisco Systems, Inc.
809 Hayts Rd
Ithaca, NY 14850
USA
Phone: +1 607 272 7512
EMail: mshore@cisco.com
Tuexen, et al. Informational [Page 8]
^L
RFC 3237 Requirements for Reliable Server Pooling January 2002
Lyndon Ong
Ciena
10480 Ridgeview Court
Cupertino, CA 95014
USA
Phone: +1 408 366 3358
EMail: lyong@ciena.com
John Loughney
Nokia Research Center
PO Box 407
FIN-00045 Nokia Group
Finland
Phone: +358 50 483 6242
EMail: john.loughney@nokia.com
Maureen Stillman
Nokia
127 W. State Street
Ithaca, NY 14850
USA
Phone: +1 607 273 0724 62
EMail: maureen.stillman@nokia.com
Tuexen, et al. Informational [Page 9]
^L
RFC 3237 Requirements for Reliable Server Pooling January 2002
7. Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Tuexen, et al. Informational [Page 10]
^L
|