Split Share Link

Link Splitting Load Sharing Performance Detriment

by

Link Splitting Load Sharing Performance Detriment

Slow performance at a client’s office is suspected as being caused by link-splitting / load-sharing across parallel active links. What possibly gives a speed boost in some instances may be causing all kinds of havoc in other cases. Considerations are below.

Understanding Fios ‘Link Splitting’ in Firewalls

“Link Splitting” refers to the practice of distributing packets from a single network connection over multiple internet paths (e.g., different ISPs or network interfaces) to optimize performance, enhance redundancy, and improve load balancing. Some advanced firewalls and WAN optimization devices employ this technique, but it can introduce unintended side effects.

How Link Splitting Works

  • A firewall or load balancer with multiple network uplinks (e.g., Verizon Fios, enterprise firewalls) can split outgoing packets across two or more internet connections.
  • The goal is to increase bandwidth utilization, prevent congestion, and maintain connection redundancy.
  • Each outbound request may exit through different network paths, meaning the destination server sees multiple IP addresses originating from the same client.

How NetSuite (Oracle) Handles Link Splitting

NetSuite, as a cloud-based ERP system under Oracle, heavily relies on session-based authentication and IP reputation tracking for security. This means:

  • Each user session is tracked based on a combination of cookies, authentication tokens, and IP addresses.
  • Oracle Cloud and NetSuite utilize WAFs (Web Application Firewalls), CDNs, and session stickiness to ensure users do not experience session drops.

However, when Link Splitting occurs:

  1. Session packets may arrive from different IPs (e.g., one packet from ISP1 and another from ISP2).
  2. NetSuite’s security layer interprets this as suspicious (potential session hijacking or bot activity).
  3. Multi-factor authentication (MFA) and CAPTCHAs trigger frequently because session continuity appears broken.
  4. Load balancing within Oracle’s infrastructure can fail because the system expects a stable client IP.
  5. Delays in processing arise due to extra security checks, re-authentications, and re-routing.

How Link Splitting Confuses Websites

Many modern websites use session-based authentication, which involves:

  • Cookies and tokens tied to a single IP address.
  • Rate-limiting mechanisms to prevent abuse.
  • Geolocation-based fraud detection.

When a user’s requests come from different IPs due to link splitting:

  • The website detects inconsistency and may force re-authentication.
  • Certain content delivery networks (CDNs) cache pages per IP, meaning users might receive errors when switching between IPs.
  • Shopping carts, login pages, and online banking sessions often break due to mismatched security checks.

For example:

  • If Google detects a login attempt from two IPs at the same time, it might trigger a security alert.
  • Financial institutions may block transactions if session continuity is lost.

Problems with Authentication and Security

Link splitting can cause authentication failures due to:

  1. Session hijacking prevention
    • Many websites enforce IP stickiness, meaning once logged in, a user must retain the same IP.
    • Link splitting breaks this rule, leading to repeated logouts.
  2. MFA Triggers & CAPTCHAs
    • Websites suspect bot activity when requests alternate between IP addresses.
    • Oracle NetSuite locks accounts or enforces re-authentication more often.
  3. Firewall Conflicts
    • Enterprise firewalls (Palo Alto, Fortinet, Cisco) might misclassify split traffic as a MITM (Man-in-the-Middle) attack.
    • Network intrusion detection systems (IDS/IPS) may block traffic due to inconsistency.

How Link Splitting Slows Down Services

Ironically, instead of speeding up network traffic, link splitting often degrades performance:

  1. Session Restarts and Retransmissions
    • If packets arrive out of order (from different ISPs), TCP can resend packets unnecessarily.
    • Websites may take longer to load due to session renegotiation.
  2. Increased Latency
    • DNS resolution, SSL handshakes, and session authentication happen more frequently, adding delays.
    • Oracle Cloud’s global infrastructure may direct users to different data centers, worsening response times.
  3. Cloud & API Rate-Limiting Issues
    • Many APIs enforce rate limits per IP.
    • If a single API call originates from multiple IPs, Oracle NetSuite or other SaaS platforms may interpret it as abuse and throttle access.

Solutions to Avoid Problems

  • Disable Link Splitting for session-based applications like Oracle NetSuite, banking, or authentication-heavy services.
  • Use Sticky IP Routing so that all packets from a single session use the same WAN link.
  • Whitelist Corporate IPs in NetSuite to prevent re-authentication loops.
  • Employ VPNs or SD-WAN solutions that maintain a single external IP address per session.

Final Thoughts

While Link Splitting theoretically improves network speeds, it often causes more harm than good in cloud-based (or traditional single end-point) environments. For services like Oracle NetSuite, banking portals, and other SaaS applications, it confuses authentication systems, increases latency, and degrades session stability—ultimately inverting its intended purpose of speed enhancement.

Link Splitting Load Sharing Performance Detriment

The article titled “Link Splitting Load Sharing Performance Detriment,” published on February 11, 2025, by Michael on wp.brenden.com, delves into the concept of “Link Splitting” in network firewalls and its unintended negative effects on performance and security.

Understanding Link Splitting:

Link Splitting involves distributing packets from a single network connection across multiple internet paths, such as different ISPs or network interfaces, to optimize performance, enhance redundancy, and improve load balancing. Advanced firewalls and WAN optimization devices often employ this technique.

Potential Issues with Link Splitting:

  1. Session-Based Authentication Conflicts:
  • Many modern websites and cloud services, like NetSuite (Oracle), rely on session-based authentication tied to a user’s IP address.
  • When Link Splitting causes packets to originate from multiple IP addresses, these services may interpret the activity as suspicious, leading to frequent multi-factor authentication (MFA) prompts, CAPTCHAs, or even session terminations.
  1. Website Functionality Disruptions:
  • Websites utilizing cookies and tokens for session management may force users to re-authenticate if requests come from varying IPs due to Link Splitting.
  • Content delivery networks (CDNs) that cache pages per IP might serve errors when IPs switch, affecting functionalities like shopping carts, login sessions, and online banking.
  1. Authentication and Security Challenges:
  • Link Splitting can trigger security mechanisms designed to prevent session hijacking, as many platforms enforce IP stickiness post-login.
  • Alternating IP addresses can lead to increased MFA triggers and CAPTCHAs, with services like Oracle NetSuite potentially locking accounts or requiring frequent re-authentication.
  • Enterprise firewalls and intrusion detection systems may misclassify split traffic as potential attacks, leading to blocked connections.
  1. Performance Degradation:
  • Instead of enhancing speed, Link Splitting can cause session restarts and packet retransmissions if packets arrive out of order from different ISPs.
  • Increased latency may result from repeated DNS resolutions, SSL handshakes, and session authentications.
  • APIs with rate-limiting mechanisms might misinterpret the traffic pattern, leading to throttling or access issues.

Recommendations:

To mitigate these issues, it’s advisable to:

  • Disable Link Splitting: Ensure that session-based applications maintain a consistent IP address throughout the session.
  • Implement Session Persistence: Configure network devices to maintain session persistence, directing all packets of a session through the same path.
  • Monitor Network Performance: Regularly assess network performance and security logs to identify and address issues arising from Link Splitting.

By understanding and addressing the challenges associated with Link Splitting, organizations can maintain optimal network performance and security.

Leave a Comment