Rackspace public/private IP and encryption


Jens Braeuer

Apr 12, 2012, 3:19:40 PM
to berlin...@googlegroups.com
Hi everyone,

I wonder if any of you had some advice/tutorial/howto regarding public
vs. private IP and encryption on Rackspace.

To give you some background:
On Rackspace every server has 2 network interfaces: a public one (eth0) and
a private one (eth1). Network traffic over the private interface is free; you get
charged for the public one. The assumption is that I have a couple of
frontends (app-servers) and backends (MySQL) that talk to each other.
However, I have a complete list of the IPs involved.

Now my idea is to use a combination of iptables DNAT and IPSec/Racoon to
reduce cost and enhance privacy at the same time.

First of all one could use iptables DNAT to rewrite the public IP to the
internal one. So the application can still use a DNS name (which
resolves to the public IP). Under the hood, traffic would get
"rewritten" to use the internal (free of cost) IP.

In addition I'd use IPSec+Racoon to encrypt traffic on an IP level.
Cheapest solution here is to use a pre-shared key. No X.509
complications. Racoon looks appealing.

Anybody out there who has some experience in this area? Comments,
suggestions, everything is welcome.

Cheers,
Jens

Falko Zurell

Apr 12, 2012, 4:05:04 PM
to berlin...@googlegroups.com
Hi Jens,

I haven't fully understood your problem yet. Which traffic would you like to send over the private interfaces, and which do you want to encrypt?

Thanks and best regards

Falko
--
Falko Zurell
falko....@gmail.com
skype: zero_data

Jens Braeuer

Apr 12, 2012, 4:30:22 PM
to berlin...@googlegroups.com
Hi Falko,

so every server has a private and a public IP. DNS names resolve to public IPs. What I'd like to accomplish is to rewrite traffic to use the private IPs using iptables, so the application can continue to use the hostname. An example would be:

# OUTPUT chain, not PREROUTING: the connection is generated locally by the application on this host
iptables -t nat -A OUTPUT -d 8.8.8.8 -j DNAT --to-destination 10.0.0.1

This could be combined with IPSec, where I require all traffic to/from 10.0.0.1 to be encrypted. A setkey-example would be:

# outbound: src is this host, dst is the peer; inbound: addresses reversed
spdadd $myip 10.0.0.1 any -P out ipsec esp/transport//require;
spdadd 10.0.0.1 $myip any -P in ipsec esp/transport//require;

The question was whether any of you run this combination, have some advice, etc., or whether this works at all; right now this is only an idea. If it worked, it would enable the application to use straight DNS names. Under the hood (if it works), traffic would be routed via the private IP (= cost saving) and be encrypted.

Cheers,
Jens

Falko Zurell

Apr 12, 2012, 5:12:20 PM
to berlin...@googlegroups.com
Mmh, what about Puppet-managed /etc/hosts entries for the private IPs?

Seems much easier to achieve. Or run your own DNS with different views on the zone that would resolve to internal IPs when queried from inside.

best regards

Sent from my bicycle

Jens Braeuer

Apr 13, 2012, 2:30:28 AM
to berlin...@googlegroups.com
I want to avoid running my own DNS, as it's one more component to configure, monitor, etc. But entries in /etc/hosts are somewhat more straightforward. I'll give this a try.

Thanks!

Tim Kersten

Apr 13, 2012, 2:56:12 AM
to berlin...@googlegroups.com
DNSMasq might be of use (it will serve DNS requests which it reads from /etc/hosts, and if it doesn't find them there, it forwards to your upstream DNS provider), if you don't want to manage /etc/hosts on all your hosts.

Tim ^,^

till

Apr 13, 2012, 6:08:08 AM
to berlin...@googlegroups.com
Hey,

on EC2 you get a 'public' DNS name for each instance, but: from the outside this DNS name resolves to the public IP and from the inside to the private IP. So the best solution (unless you do what you do) is to use that DNS name, and it will automatically take the shortest route.

Is there no equivalent on Rackspace?

Till

Jens Braeuer

Apr 13, 2012, 11:39:00 AM
to berlin...@googlegroups.com
Hi Till,

no, sadly there is no such thing on Rackspace. You even "get" two
network interfaces, eth0 with a public IP and eth1 with a private one. :-/

Jens
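
As an added example (not code from this thread), a POSIX shell script that generates, from a constructed host inventory, the three configuration fragments discussed above: /etc/hosts entries mapping names to private IPs (Falko's suggestion), iptables OUTPUT-chain DNAT rules (Jens's original idea; OUTPUT rather than PREROUTING so that connections generated locally by the application are rewritten), and setkey SPD policies that require ESP in transport mode in both directions. The hostnames, IP addresses and MY_PRIVATE_IP are assumptions; the script only prints the fragments so they can be reviewed before being applied.

```shell
#!/bin/sh
# Constructed inventory: "hostname public_ip private_ip", one per line (made-up values).
INVENTORY='
db1.example.internal 203.0.113.10 10.180.0.10
app1.example.internal 203.0.113.20 10.180.0.20
'
# Assumed: the private IP of the host this configuration is generated for.
MY_PRIVATE_IP=10.180.0.20

# /etc/hosts lines: every name resolves to its private IP, so the application
# keeps using hostnames and the public (metered) interface is never used.
hosts_entries() {
    printf '%s\n' "$INVENTORY" | awk 'NF == 3 { print $3, $1 }'
}

# iptables DNAT alternative: rewrite a public destination to the private one.
# Locally originated packets traverse nat/OUTPUT, not nat/PREROUTING.
dnat_rules() {
    printf '%s\n' "$INVENTORY" | awk -v me="$MY_PRIVATE_IP" 'NF == 3 && $3 != me {
        printf "iptables -t nat -A OUTPUT -d %s -j DNAT --to-destination %s\n", $2, $3
    }'
}

# setkey SPD policies requiring ESP for every peer. Direction matters:
# for -P out the source is this host, for -P in the source is the peer.
spd_policies() {
    printf '%s\n' "$INVENTORY" | awk -v me="$MY_PRIVATE_IP" 'NF == 3 && $3 != me {
        printf "spdadd %s %s any -P out ipsec esp/transport//require;\n", me, $3
        printf "spdadd %s %s any -P in ipsec esp/transport//require;\n", $3, me
    }'
}

# Print all fragments when run directly.
if [ "${1:-}" = "show" ]; then
    echo "# /etc/hosts"; hosts_entries
    echo "# iptables"; dnat_rules
    echo "# setkey"; spd_policies
fi
```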
