Secure gslb – Brocade Virtual ADX Global Server Load Balancing Guide (Supporting ADX v03.1.00) User Manual


53-1003245-01

When the Brocade Virtual ADX compares FlashBack speeds, it compares the Layer 7
(application-level) FlashBack speeds first, where applicable. If the application has a Layer 7 health
check and the Layer 7 FlashBack speeds are not equal, the comparison ends there and the faster site
wins. If only the Layer 4 health check applies to the application, or if the Layer 7 speeds are equal
and a further tie-break is needed, the Brocade Virtual ADX then compares the Layer 4 FlashBack speeds.

To change the tolerances for the response times of TCP and application health checks, when used
as a metric for selecting a site, enter commands such as the following.

Virtual ADX(config)#gslb policy
Virtual ADX(config-gslb-policy)#flashback application tolerance 30
Virtual ADX(config-gslb-policy)#flashback tcp tolerance 50

Syntax: [no] flashback application | tcp tolerance num

The application | tcp parameter specifies whether you are modifying the tolerance for the Layer 4
TCP health check or for the Layer 7 application health checks. You can change one or both, and the
values do not need to be the same. For each, you can specify a value from 0 through 100; the default for
each is 10. The tolerance sets how far apart two sites' response times can be and still be treated as
equal when FlashBack is used as a selection metric, so a larger tolerance makes FlashBack decide
fewer comparisons and pushes more of them to the next tie-breaker.
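As an added illustration (not code from the Brocade guide or the ADX itself), the following Python models the comparison order described above: Layer 7 FlashBack first, Layer 4 only when no Layer 7 check exists or the Layer 7 speeds tie, with the configured tolerances deciding when two response times count as equal. How the ADX applies the tolerance numerically is not stated on this page; the example assumes two times are equal when they differ by no more than the tolerance value read as a percentage of the slower time. The Site class, the function names and the sample response times are the example's own.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Site:
    """One GSLB site with its FlashBack response times in milliseconds (constructed data)."""
    name: str
    l4_ms: float                   # Layer 4 (TCP health check) FlashBack speed
    l7_ms: Optional[float] = None  # Layer 7 (application check) FlashBack; None if no L7 check


def within_tolerance(a: float, b: float, tolerance: int) -> bool:
    """Assumed semantics (not stated on the page): two response times count as equal
    when they differ by no more than `tolerance` percent of the slower (larger) one.
    Tolerance 0 therefore means 'only exactly equal times tie'."""
    if not 0 <= tolerance <= 100:
        raise ValueError("tolerance must be in the range 0-100")
    return abs(a - b) <= tolerance / 100.0 * max(a, b)


def compare_flashback(a: Site, b: Site,
                      app_tolerance: int = 10, tcp_tolerance: int = 10) -> Optional[Site]:
    """Return the site the FlashBack metric prefers, or None on a tie.
    The defaults mirror the guide: tolerance 10 for both application and tcp."""
    # Layer 7 is compared first, but only when both sites have an application check.
    if a.l7_ms is not None and b.l7_ms is not None:
        if not within_tolerance(a.l7_ms, b.l7_ms, app_tolerance):
            return a if a.l7_ms < b.l7_ms else b   # L7 decides; L4 is not consulted
    # Only an L4 check applies, or L7 tied: fall back to the Layer 4 speeds.
    if not within_tolerance(a.l4_ms, b.l4_ms, tcp_tolerance):
        return a if a.l4_ms < b.l4_ms else b
    return None                                    # tie: the next GSLB policy metric decides


if __name__ == "__main__":
    east = Site("east", l4_ms=20, l7_ms=100)
    west = Site("west", l4_ms=10, l7_ms=150)
    # With the default tolerance of 10 the L7 gap (50 ms) decides in favour of east,
    # even though west has the faster TCP check.
    print(compare_flashback(east, west).name)
    # Raising the application tolerance to 50 makes the L7 times tie, and the
    # L4 comparison then picks west.
    print(compare_flashback(east, west, app_tolerance=50).name)
```

Note that with the guide's default of 10, two Layer 4 times of 100 ms and 105 ms tie and FlashBack yields no decision, whereas 100 ms against 120 ms does; this is the practical effect of the `flashback tcp tolerance` setting.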

Secure GSLB

Secure GSLB uses industry standard algorithms and mechanisms to authenticate and encrypt
Global Server Load Balancing (GSLB) protocol communication between the GSLB controller and
site ADX devices.

GSLB controllers and site ADX devices communicate and exchange information using the Brocade
proprietary GSLB protocol. This protocol comprises a set of messages for exchanging information,
and each message type has a unique format.

Secure GSLB communication provides the following benefits:

Peer authentication: Each device must be authenticated before it can join the GSLB network, which
ensures that any peer a GSLB device communicates with is the legitimate peer. Peer authentication
uses Rivest-Shamir-Adleman (RSA) public key technology with a key length of 1024 bits.

Data encryption: Converts plaintext into ciphertext so that only the designated receiver can decrypt
and retrieve the information, denying unauthorized parties access to the GSLB protocol data. All
GSLB protocol messages between the controller and the site ADX device are encrypted with Blowfish
in Cipher Block Chaining (CBC) mode, using a 256-bit key (standard 16 rounds).

Data integrity: Assures the recipient that the message was not altered after it was generated and
transmitted by a legitimate source. Data integrity is provided by a Hashed Message Authentication
Code (HMAC) with SHA1; the key length is 20 bytes and the digest length is 20 bytes. A MAC is
included with each GSLB protocol packet. The MAC is computed from the authentication key, the
packet sequence number, and the contents of the packet:

mac = MAC(key, sequence-number || unencrypted-packet)

Because the sequence number is covered by the MAC, a captured packet cannot be re-sent under a
different sequence number without the authentication key, and a receiver that tracks the last
accepted sequence number can reject replays. Because the MAC covers the unencrypted packet rather
than the ciphertext, the receiver must decrypt a packet before it can verify the MAC.

Note on the strength of these primitives: the algorithm choices predate current guidance. 1024-bit
RSA keys have been disallowed for new digital-signature use by NIST SP 800-131A since the end of
2013 (2048 bits is the minimum now recommended), and Blowfish's 64-bit block size means that CBC
mode begins to leak plaintext information once about 2^32 blocks (roughly 32 GB) have been
encrypted under one key, the basis of the Sweet32 attack. HMAC-SHA1 is not affected by the
collision attacks on SHA-1 and remains acceptable for message authentication. Secure GSLB is still a
substantial improvement over unauthenticated cleartext GSLB protocol traffic, but where these
primitives fall short of policy the controller-to-site links should additionally be confined to a
management network or carried over IPsec or an equivalent tunnel.
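The MAC construction above, as an added Python example that is not code from the guide or from the ADX: HMAC-SHA1 with a 20-byte key over sequence-number || unencrypted-packet, together with the receiver-side checks this construction makes possible (constant-time MAC comparison and rejection of replayed or reordered sequence numbers). The 32-bit big-endian sequence field and the seq || payload || mac packet layout are this example's assumptions, since the ADX wire format is not documented on this page, and the Blowfish-CBC encryption of the payload is left out because Python's standard library has no Blowfish; the MAC is computed over the plaintext either way, exactly as the formula states.

```python
import hashlib
import hmac
import struct

KEY_LEN = 20      # HMAC-SHA1 authentication key length stated in the guide
DIGEST_LEN = 20   # HMAC-SHA1 digest length stated in the guide
SEQ_LEN = 4       # assumed: 32-bit sequence number (field width not stated on the page)


class MacError(Exception):
    """MAC did not verify: the packet was altered or was not keyed by a peer."""


class ReplayError(Exception):
    """Sequence number already accepted, or older than the last accepted one."""


def compute_mac(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """mac = HMAC-SHA1(key, sequence-number || unencrypted-packet)."""
    if len(key) != KEY_LEN:
        raise ValueError("authentication key must be 20 bytes")
    return hmac.new(key, struct.pack(">I", seq) + plaintext, hashlib.sha1).digest()


def protect(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Sender side. Assumed wire layout: seq || payload || mac.
    The Blowfish-CBC encryption of the payload is omitted (see the lead-in)."""
    return struct.pack(">I", seq) + plaintext + compute_mac(key, seq, plaintext)


class Receiver:
    """Per-peer state: the shared key plus the highest sequence number accepted so far."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, packet: bytes) -> bytes:
        """Verify a packet and return its payload; raise on forgery or replay."""
        if len(packet) < SEQ_LEN + DIGEST_LEN:
            raise MacError("packet too short to carry a sequence number and MAC")
        seq = struct.unpack(">I", packet[:SEQ_LEN])[0]
        body, mac = packet[SEQ_LEN:-DIGEST_LEN], packet[-DIGEST_LEN:]
        # Verify the MAC before touching any state, so a forged packet cannot move
        # the replay window; compare_digest avoids a timing side channel.
        if not hmac.compare_digest(mac, compute_mac(self.key, seq, body)):
            raise MacError("MAC mismatch")
        # The sequence number is inside the MAC input, so an attacker cannot
        # renumber a captured packet; a strictly-increasing check defeats replay.
        if seq <= self.last_seq:
            raise ReplayError(f"sequence {seq} already used (last accepted {self.last_seq})")
        self.last_seq = seq
        return body


if __name__ == "__main__":
    key = b"\x2a" * KEY_LEN                      # constructed demo key
    rx = Receiver(key)
    pkt = protect(key, 1, b"gslb-site-report")   # constructed payload
    print(rx.accept(pkt))                        # accepted
    try:
        rx.accept(pkt)                           # same packet again
    except ReplayError as e:
        print("replay rejected:", e)
    forged = bytearray(pkt)
    forged[3] = 9                                # renumber seq 1 -> 9 without the key
    try:
        rx.accept(bytes(forged))
    except MacError as e:
        print("renumbered packet rejected:", e)
```

The ordering inside accept is the point worth copying: authenticate first, then check freshness, and only then update state, so that neither a forged packet nor a replayed one can advance the receiver's sequence window.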
