Re: [ga] Anycast
- To: Karl Auerbach <karl@xxxxxxxxxxxx>
- Subject: Re: [ga] Anycast
- From: Hugh Dierker <hdierker2204@xxxxxxxxx>
- Date: Wed, 14 Mar 2007 11:09:37 -0700 (PDT)
- Cc: ga <ga@xxxxxxxxxxxxxx>
- In-reply-to: <45F836FF.5060504@cavebear.com>
- Sender: owner-ga@xxxxxxxxxxxxxx
Karl,
First of all, thank you.
Secondly - so was this "attack" probably a man-in-the-middle or a blackhole method?
Thirdly - Are there other instances of the root server folks doing something of such importance without the ICANN good housekeeping seal of approval?
It kind of gives me greater confidence in everything to do with the net that these folks act in our best interest and their own without waiting for the bureaucracy to inch forward.
And this may be a dumb question, but: is this being implemented along with IPv6, or is it getting bogged down?
Eric
Karl Auerbach <karl@xxxxxxxxxxxx> wrote:
Hugh Dierker wrote:
> I have read several articles regarding the job that anycast has been doing.
> Could someone please provide some insight, as in pros and cons and who
> regarding Anycast. (you know kind of in layman's term with a socio/econo
> bent)
Anycast is described in a wikipedia entry:
http://en.wikipedia.org/wiki/Anycast
As for pros/cons:
Pros:
- Multiple instances of each root server provide for both better
response (load is shared, and people tend to use the instance that is
closest to them, thus reducing packet travel time.)
- Much better immunity to attack, because to hit more than the instance
local to the attacker, the attacker must either spread his/her attack
sources (which is already done with a bot army) or be very creative
about source routing his/her packets.
- If one anycast instance goes off line and routing information
about it then ceases to be announced, the routing system of the net will
converge (after a time, in units of minutes or longer) so that, to its
former clients, an alternative instance of the anycast server group will
pop up and become reachable.
Cons:
- It is possible (the probability may often be rather low) that on a
TCP-based DNS connection to an anycast instance some of the
packets will go to different servers in the anycast group, thus breaking
the TCP connection from continuation (or preventing its formation in the
first place.)
- A bit harder to manage because there are now several instances that
need to be kept in sync. But each anycast server does have its own
alternate unique IP address, so each one can be addressed directly (this
also serves as a possible backdoor for attack.)
- It's harder to notice and diagnose network and machine troubles
because an outage or problem may be visible only from certain points in
the topology of the net.
Anycast is created using the controlled propagation of routing
information about each anycast server in the group. It's not a new idea
- it's been around since at least the early 1990s. And the biological
form is pheromones - kind of the wafting of localized attractors
advertising fungible resources.
The anycast groups are not closed - if you control the local routing in
your own network you can create your own servers on the anycast
addresses and cause DNS queries to go there. But your server would not
be actively coordinated with the other instances of the anycast root -
you'd have to keep it up to date yourself rather than letting the person
controlling the anycast group do it. Nevertheless, I have heard that
several providers do do this in order to give their customers the
appearance of a local root server.
In the late 1990s, when I was at Cisco, I remember talking with folks
about the possibility (and desirability) of anycasting DNS servers.
When I got to ICANN, one of my first two discussion points with the board
was whether ICANN should explore anycast (the other point was whether
ICANN should establish DNS monitoring stations - but nobody on the board
cared about anything except trademarks and contract terms about DNS
registration practices).
The fact that we have anycast and its benefits is the direct result of
experiments and deployment by the root server operators who acted
independently of ICANN and, in fact, did not even tell ICANN, much less
ask permission, before they went ahead.
--karl--
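The diagnosability problem Karl raises (an outage visible only from some vantage points) is usually handled by asking an anycast server which instance actually answered, and the conventional way to do that is a CHAOS-class TXT query for `hostname.bind` (described in RFC 4892). The following is an added example, not code from this thread or from any root server operator: it builds that query on the wire, parses the reply, and ships with a constructed sample reply so it runs offline. `build_sample_response` and the instance name `example-site-01` are hypothetical, and `query_instance` needs network access.

```python
import socket
import struct
TYPE_TXT, CLASS_CH = 16, 3  # RFC 1035 TXT type and CHAOS class

def encode_name(name):  # dotted name -> DNS label sequence
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def build_query(txid, name="hostname.bind"):  # one CH/TXT question, flags 0 (no RD)
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name)
            + struct.pack("!HH", TYPE_TXT, CLASS_CH))
def skip_name(msg, off):  # offset just past a name, honouring compression pointers
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def parse_instance_id(msg, txid):
    """TXT strings of the first answer RR, or None if the reply is unusable."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F or an == 0:
        return None  # wrong id, not a response, RCODE != 0, or no answer
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    off = skip_name(msg, off)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype != TYPE_TXT or rclass != CLASS_CH:
        return None
    rdata, strings, i = msg[off:off + rdlen], [], 0
    while i < len(rdata):  # RDATA is a sequence of <len><chars> strings
        n = rdata[i]
        strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return strings

def build_sample_response(txid, instance_id):
    """Constructed reply (not captured traffic) in the shape a server sends."""
    q = encode_name("hostname.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    rdata = bytes([len(instance_id)]) + instance_id.encode()
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0) + q + rr

def query_instance(server_ip, txid=0x1234, timeout=2.0):  # live check, needs network
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid), (server_ip, 53))
        return parse_instance_id(s.recv(512), txid)
```

Running `query_instance` against the same anycast address from several vantage points and comparing the returned names is how an operator tells which instance each client population is reaching.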