North American Network Operators Group


Re: Internet vulnerabilities

  • From: Marshall Eubanks
  • Date: Fri Jul 05 12:30:58 2002

Dear Rodney;

   Thanks for the info.

Rodney Joffe wrote:

> Marshall,
>
> First, I hope you don't mind that I cut all the additional cc's. I don't
> think any of the folks really needed extra copies ;-)
>
> Now...
>
> Marshall Eubanks wrote:
>
>> On Fri, 5 Jul 2002 13:36:49 +0100 (BST)
>> "Stephen J. Wilcox" <[email protected]> wrote:
>>
>>> Doesn't announcing the same routing prefix into BGP from multiple locations do
>>> the same thing without needing a new range or enhancement in IGMP etc?
>>>
>>> We do this in IGP currently..
>
> Well, this doesn't need anything to change with normal BGP. It really
> has very little to do with IGMP per se. The anycast routing prefix is
> announced into many different networks, and as the end user, you will
> see many paths, hopefully. If you only see one because of your IBGP,
> then that's the path you'll take. If you see many, you'll take the one
> that *your* ospf or isis setup prefers.
>
>> As I see it, the problems with doing this in BGP are
>>
>> - it's static - no failover. If AS 701 and AS 1239 are both
>> announcing a route to foo, and your preferred route is "through" AS701,
>> and the AS701 foo goes down, then you do not
>> automatically switch over to the AS1239 foo, even if you could reach it.
>
> No. It's not static. You may have misunderstood. Anycast is not just
> multiple routes. It is also multiple machines in different places. So

That's the point :)

> there is really no single "foo". There are many "foos". Each one may
> have more than one connection to the net. The announcements appear
> behind many ASs. When your system sees many paths to "foo", it does not
> know that in fact, each path goes to a different machine entirely, on a
> different network even, in a different physical location. There's
> another part that goes with anycast use, and dns; when any particular
> foo goes down, or fails in any way, not just by physically failing, it
> stops announcing itself (the router or routing software it uses
> withdraws the route) and it is no longer one of the paths your network
> will see. So if you were seeing it from 701, and 1239, and if anycast is

Let's go through this a little.

Let's say that you and I are running the foo service in anycast. You announce the foo IP address (say in a /24) behind your AS, I announce the same /24 behind my AS. Now, if my foo server goes down, how do my routers know to withdraw the announcements? If they don't, why wouldn't people "closer" to me still try and get the foo service from me, alas, without success. That's what I meant.

Or, are you saying that an anycast host has to be a router running BGP? So if it goes down, so would the service and the announcements? This works for DNS, but not for the things I would like to anycast.

> truly being used, you'll actually see the route being withdrawn from the
> network(s) that has the foo that went bad. Unless, of course, there are
> multiple foos in that network. In which case you will see no change and
> you will still get to foo via the original route you preferred, just not
> the foo you had used previously. And it makes no difference to you,
> because in almost all of the cases, the query is answered in a single
> packet, so persistence is irrelevant.
>
>> - there is no way to have multiple anycast addresses within an AS
>
> Huh? What in the world do you mean here?

Sorry, too early in the AM. Withdrawn.

>> - load balancing is tough
>
> Yes, which is why the load balancing services in the world are sold at a
> premium. And it is not all that tough. ;-) With anycast, it is not
> tough, at all, until you have to deal with the subject that brought this
> thread up, DDoS attacks. In which case it needs real engineering.
>
>> These may all be solved, though... it's hard to tell without a protocol
>> description.
>
> If you're talking about anycast and the way we're all using it in the
> dns, there is no protocol as such. It uses existing mechanisms. All the
> same protocols. You're currently making use of dns that uses anycast,
> but you didn't have to modify anything, or download any new software, or
> make any changes, did you?

Nope. Thanks for the info.

Marshall

>    > But the only IPv4 anycast
>    > that I know of does use MSDP :
> You seem to be confusing anycast with something complicated.  It's not a
> protocol, it's a method of assigning and routing addresses.
>
>                                -Bill
>
> You really do seem to be fixated on multicast still. anycast /=
> multicast.
>
> HTH


--
                                 Regards
                                 Marshall Eubanks

This e-mail may contain confidential and proprietary information of
Multicast Technologies, Inc, subject to Non-Disclosure Agreements


T.M. Eubanks
Multicast Technologies, Inc
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624       Fax     : 703-293-9609
e-mail : t[email protected]
http://www.multicasttech.com

Test your network for multicast :
http://www.multicasttech.com/mt/
 Status of Multicast on the Web  :
 http://www.multicasttech.com/status/index.html
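The failover question argued over in the thread above (whether a dead anycast instance keeps attracting traffic if its route is not withdrawn, and what a client sees when a second instance sits behind the same AS) can be walked through with a small model. This is an added example, not code from the NANOG thread or from any of its participants; AS 701 and AS 1239 are the numbers mentioned in the discussion, while the prefix, the instance names, the client's preference order and the health flags are constructed assumptions.

```python
"""Toy model of anycast path selection with and without health-coupled
route withdrawal.  Added example, not from the NANOG thread; all values
below are constructed for illustration."""
from dataclasses import dataclass

PREFIX = "192.0.2.0/24"  # constructed: the anycast "foo" prefix (documentation range)


@dataclass
class Instance:
    """One physical "foo" server: which AS announces it and whether the
    local service currently passes its health check."""
    name: str
    asn: int
    healthy: bool = True


@dataclass
class Announcement:
    """One BGP path for PREFIX as the client sees it: the origin AS and the
    instances that are actually reachable through that path."""
    asn: int
    instances: list


def announcements(instances, withdraw_on_failure=True):
    """Build the set of paths a client sees for PREFIX.

    withdraw_on_failure=True: a router only keeps announcing the prefix while
    its local instance is healthy (the behaviour Rodney describes, where the
    routing software withdraws the route when the service fails).
    withdraw_on_failure=False: the announcement is static and stays up even
    when the service behind it is dead (the failure mode Marshall worries about).
    """
    by_as = {}
    for inst in instances:
        if withdraw_on_failure and not inst.healthy:
            continue  # the route for this instance has been withdrawn
        by_as.setdefault(inst.asn, []).append(inst)
    return [Announcement(asn, insts) for asn, insts in by_as.items()]


def select_path(paths, preference):
    """Client-side selection: take the announcing AS the client's own policy
    prefers most (a stand-in for local-pref / IGP metric).  The client cannot
    tell that each path ends at a different machine."""
    candidates = [p for p in paths if p.asn in preference]
    if not candidates:
        return None
    return min(candidates, key=lambda p: preference.index(p.asn))


def serve(path):
    """Name of the instance that answers a single-packet query sent along
    `path`, or None if every instance behind that path is dead."""
    if path is None:
        return None
    live = [i for i in path.instances if i.healthy]
    # Within one AS the IGP picks among several instances; the first live
    # one stands in for that choice.
    return live[0].name if live else None


def query(instances, preference, withdraw_on_failure=True):
    """End to end: build announcements, pick a path, see who answers."""
    return serve(select_path(announcements(instances, withdraw_on_failure), preference))


def demo():
    """Walk through the cases discussed in the thread; returns a dict of
    case name -> answering instance (None means the query went unanswered)."""
    foo_701 = Instance("foo-701", 701)
    foo_1239 = Instance("foo-1239", 1239)
    pref = [701, 1239]  # constructed: this client's policy prefers AS 701
    results = {}
    results["all healthy"] = query([foo_701, foo_1239], pref)
    foo_701.healthy = False
    # Route withdrawn on failure: client falls over to AS 1239's foo.
    results["701 down, withdrawn"] = query([foo_701, foo_1239], pref)
    # Static announcement: client keeps preferring AS 701 and gets nothing.
    results["701 down, static"] = query([foo_701, foo_1239], pref, withdraw_on_failure=False)
    # Second foo behind AS 701: route stays, a different machine answers.
    foo_701b = Instance("foo-701b", 701)
    results["701 down, second foo in 701"] = query([foo_701, foo_701b, foo_1239], pref)
    return results


if __name__ == "__main__":
    for case, answer in demo().items():
        print(f"{case:32s} -> {answer}")
```

The only operational piece the model leaves abstract is the `withdraw_on_failure` branch: in a real deployment that is a health check running next to the BGP speaker on each instance, which stops the announcement as soon as the service (not just the host) fails, so the prefix is never advertised from a location that cannot answer.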