Watson Ladd <[email protected]> wrote:

> Another problem is with anycast. Ordinarily failover is completely
> transparent to users: the packets go somewhere else, and get responded to.
> I don't see how this works with TLS, unless you do fancy stateful failover
> tricks.

It is worth looking at what the anycast web providers do, e.g.
https://blog.cloudflare.com/tls-session-resumption-full-speed-and-secure/

There's no attempt to keep TCP connections working in the event of failover.

TLS session IDs are only distributed within a POP, so if anycast failover happens the client will have to do a full 2RTT handshake.

TLS session tickets are encrypted with globally-distributed keys, so these sessions can survive anycast failover.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Trafalgar: South or southwest 4 or 5, occasionally 6. Moderate or rough. Rain or showers. Moderate or good.

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
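As an added illustration of the two resumption mechanisms contrasted above (not code from the thread or from Cloudflare): a toy model of anycast POPs in which the session-ID cache is POP-local while the session-ticket key ring is shared, so only the ticket survives failover. The class, function names and the HMAC-keystream ticket encryption are assumptions for the demo, standing in for a real AES-GCM ticket construction.

```python
import hashlib
import hmac
import os

class Pop:  # one anycast point of presence (assumed model, not Cloudflare's code)
    def __init__(self, ticket_keys):
        self.session_cache = {}         # session ID -> secret; never leaves this POP
        self.ticket_keys = ticket_keys  # key name -> key; same ring on every POP
    def full_handshake(self):
        # Result of the full 2RTT handshake: a fresh secret under a new session ID.
        session_id, secret = os.urandom(16), os.urandom(32)
        self.session_cache[session_id] = secret
        return session_id, secret
    def resume_by_id(self, session_id):
        # Works only if this POP's own cache holds the ID; None means "full handshake".
        return self.session_cache.get(session_id)
    def issue_ticket(self, secret, key_name):
        # Ticket = key name || nonce || ciphertext || tag. Encrypt-then-MAC with an
        # HMAC keystream stands in for AES-GCM here (32-byte secret, 32-byte stream).
        key, nonce = self.ticket_keys[key_name], os.urandom(16)
        stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(key, key_name + nonce + ct, hashlib.sha256).digest()
        return key_name + nonce + ct + tag
    def resume_by_ticket(self, ticket):
        key_name, nonce, ct, tag = ticket[:4], ticket[4:20], ticket[20:52], ticket[52:]
        key = self.ticket_keys.get(key_name)
        if key is None:  # key rotated out or never distributed here: full handshake
            return None
        expect = hmac.new(key, key_name + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None  # tampered or foreign ticket: full handshake
        stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ct, stream))

def failover_demo():
    # Client handshakes at POP A, then anycast routes it to B (shared ring) and C (no k001).
    ring = {b"k001": os.urandom(32)}
    pop_a, pop_b, pop_c = Pop(ring), Pop(ring), Pop({b"k002": os.urandom(32)})
    sid, secret = pop_a.full_handshake()
    ticket = pop_a.issue_ticket(secret, b"k001")
    return {
        "id_same_pop": pop_a.resume_by_id(sid) == secret,
        "id_after_failover": pop_b.resume_by_id(sid) == secret,
        "ticket_after_failover": pop_b.resume_by_ticket(ticket) == secret,
        "ticket_key_not_distributed": pop_c.resume_by_ticket(ticket) is None,
    }
```

The last case is the operational caveat: a ticket only survives failover if the POP it lands on already holds the key it was encrypted under, so ticket-key distribution and rotation must stay ahead of anycast routing changes.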
