ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Anycast


Hugh Dierker wrote:
I have read several articles regarding the job that anycast has been doing.
Could someone please provide some insight, as in pros and cons and who, regarding Anycast? (You know, kind of in layman's terms, with a socio/econo bent.)

Anycast is described in a wikipedia entry: http://en.wikipedia.org/wiki/Anycast

As for pros/cons:

Pros:
- Multiple instances of each root server provide for better response (load is shared, and people tend to use the instance that is closest to them, thus reducing packet travel time).


- Much better immunity to attack, because to hit more than the instance local to the attacker, the attacker must either spread his/her attack sources (which is already done with a bot army) or be very creative about source routing his/her packets.

- If one anycast instance goes off line, and if routing information about it then ceases to be announced, the routing system of the net will converge (after a time, in units of minutes or longer) so that, to its former clients, an alternative instance of the anycast server group will pop up and become reachable.

Cons:
- It is possible (the probability may often be rather low) that on a TCP-based DNS connection to an anycast instance, some of the packets will go to different servers in the anycast group, thus breaking the TCP connection (or preventing its formation in the first place).


- A bit harder to manage, because there are now several instances that need to be kept in sync. But each anycast server does have its own alternate unique IP address, so each one can be addressed directly (this also serves as a possible backdoor for attack).

- It's harder to notice and diagnose network and machine troubles because an outage or problem may be visible only from certain points in the topology of the net.

Anycast is created using the controlled propagation of routing information about each anycast server in the group. It's not a new idea - it's been around since at least the early 1990s. And the biological form is pheromones - kind of the wafting of localized attractors advertising fungible resources.

The anycast groups are not closed - if you control the local routing in your own network, you can create your own servers on the anycast addresses and cause DNS queries to go there. But your server would not be actively coordinated with the other instances of the anycast root - you'd have to keep it up to date yourself rather than letting the person controlling the anycast group do it. Nevertheless, I have heard that several providers do do this in order to give their customers the appearance of a local root server.

In the late 1990s, when I was at Cisco, I remember talking with folks about the possibility (and desirability) of anycasting DNS servers.

When I got to ICANN, one of my first two discussion points with the board was whether ICANN should explore anycast (the other point was whether ICANN should establish DNS monitoring stations - but nobody on the board cared about anything except trademarks and contract terms about DNS registration practices).

The fact that we have anycast and its benefits is the direct result of experiments and deployment by the root server operators, who acted independently of ICANN and, in fact, did not even tell ICANN, much less ask permission, before they went ahead.

		--karl--
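The mechanics Karl describes above (several servers announcing one address, each client landing on the nearest announcer, convergence onto another instance when an announcement is withdrawn, the per-instance unicast address that bypasses the anycast group, the TCP hazard when a route change moves a client mid-connection, and an operator announcing its own local instance) are modelled in the following toy simulator. This is an added example, not code from the original post or from any root server operator; the topology, router names, link metrics and addresses are all constructed for illustration (the addresses are from the RFC 5737 documentation ranges), and the path-metric selection stands in for real BGP route selection.

```python
"""Toy model of anycast: several instances announce one service address from
different points in a network and each client is routed to whichever
announcing instance has the lowest path metric. Constructed topology only."""
import heapq
from typing import Dict, Iterable, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]           # node -> {neighbour: link metric}
Links = List[Tuple[str, str, int]]          # (node_a, node_b, metric)

ANYCAST_ADDR = "192.0.2.53"                 # shared service address (hypothetical)
UNICAST = {                                 # each instance's own unique address (hypothetical)
    "srv-west": "198.51.100.1",
    "srv-east": "198.51.100.2",
    "srv-asia": "198.51.100.3",
}
# Constructed topology: three client sites, three routers, one instance per region.
LINKS: Links = [
    ("client-us", "r1", 1), ("client-eu", "r2", 1), ("client-jp", "r3", 1),
    ("r1", "srv-west", 1), ("r2", "srv-east", 2), ("r3", "srv-asia", 1),
    ("r1", "r2", 5), ("r2", "r3", 5), ("r1", "r3", 8),
]


def build_graph(links: Links) -> Graph:
    """Undirected adjacency map from the link list."""
    g: Graph = {}
    for a, b, metric in links:
        g.setdefault(a, {})[b] = metric
        g.setdefault(b, {})[a] = metric
    return g


def shortest_paths(graph: Graph, src: str) -> Dict[str, int]:
    """Dijkstra: lowest total metric from src to every reachable node."""
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue                        # stale heap entry
        for nbr, metric in graph.get(node, {}).items():
            nd = d + metric
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return dist


def select_instance(graph: Graph, client: str, announcing: Iterable[str]) -> Optional[str]:
    """Instance a client's packets to ANYCAST_ADDR reach: the announcing instance with the
    lowest metric; ties broken by name, standing in for routers' deterministic tie-breaks."""
    dist = shortest_paths(graph, client)
    candidates = [(dist[i], i) for i in announcing if i in dist]
    return min(candidates)[1] if candidates else None


def deliver(graph: Graph, client: str, dst_addr: str, announcing: Iterable[str]) -> Optional[str]:
    """Where a packet lands. The unicast address reaches one specific instance
    whether or not that instance currently announces the anycast prefix."""
    if dst_addr == ANYCAST_ADDR:
        return select_instance(graph, client, announcing)
    for name, addr in UNICAST.items():
        if addr == dst_addr and name in graph:
            return name
    return None


def withdraw(announcing: Iterable[str], instance: str) -> List[str]:
    """Instance stops announcing the prefix (e.g. taken offline); routing reconverges."""
    return [i for i in announcing if i != instance]


def with_link(links: Links, a: str, b: str, metric: int) -> Links:
    """New topology in which link (a, b) carries a different metric."""
    return [(x, y, metric) if {x, y} == {a, b} else (x, y, m) for x, y, m in links]


def tcp_flow_intact(before: Links, after: Links, client: str, announcing: Iterable[str]) -> bool:
    """A TCP connection survives a route change only if packets keep reaching the
    same instance; otherwise the new instance has no state for the connection."""
    return (select_instance(build_graph(before), client, announcing)
            == select_instance(build_graph(after), client, announcing))


def announce_locally(links: Links, router: str, name: str, metric: int = 1) -> Links:
    """An operator attaches its own instance to its router and announces the prefix there."""
    return links + [(router, name, metric)]


if __name__ == "__main__":
    g = build_graph(LINKS)
    for c in ("client-us", "client-eu", "client-jp"):
        print(c, "->", select_instance(g, c, UNICAST))
    print("srv-west withdrawn, client-us ->",
          select_instance(g, "client-us", withdraw(UNICAST, "srv-west")))
    print("client-eu TCP survives r2/srv-east metric change:",
          tcp_flow_intact(LINKS, with_link(LINKS, "r2", "srv-east", 20), "client-eu", UNICAST))
```

Run it stand-alone to see each client mapped to its regional instance, client-us move to srv-east once srv-west withdraws, and the client-eu flow break when the r2 to srv-east metric degrades while srv-east is still announcing. Querying an instance's unicast address is what lets an operator monitor or attack a single instance directly, and adding a local announcer on r2 shows how a provider gives its customers a "local root" without any coordination with the rest of the group.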


