Internet vulnerabilities

Lars Erik Gullerud lerik at nolink.net
Fri Jul 5 13:49:36 UTC 2002


Uhm, it seems to me people are trying to make this whole AS112 thing sound more 
complex than it really is...

We use the BGP anycast method in our backbone, and have been doing so for a 
long time. Basically, we have multiple caching DNS servers scattered around 
our network, but all of them use the same IP address (well, actually two - 
since customers expect to configure a primary and a secondary DNS on their 
computers). The DNS resolvers all run zebra and identify themselves as a 
private AS, announcing two single host routes (the two DNS resolver IPs) to 
the border router they are connected to.

Our customers' DNS queries will be routed to the nearest available server, by 
the same mechanisms as any other hot-potato routing setup (i.e. MEDs). This 
works beautifully since we are only dealing with DNS UDP packets. (The 
servers do also have a unique IP address for management traffic etc., and these 
are normally routed in the IGP - but they do not respond to DNS traffic on 
this IP). That way, we have both "load-balancing" (customer queries are 
spread out to the servers that are closest to the customer) and redundancy - 
if one resolver fails, BGP will use the next available route to get to this 
prefix. The only difference with the AS112 setup is the fact that you are 
doing it across several ASes instead of just inside a single one, but the 
principle is the same - and just as simple.

This is an extremely simple anycast setup for DNS servers, and potentially 
other simple UDP-based services, we have been using it for a couple of years, 
and it works beautifully. No new protocols, no complex setups, just normal 
BGP operation. I even think someone wrote a very good paper on setting up DNS 
resolvers this way once, though I can't remember where I saw it.

--Lars Erik

On Friday 05 July 2002 15:05, Marshall Eubanks wrote:
> On Fri, 5 Jul 2002 13:36:49 +0100 (BST)
>
>  "Stephen J. Wilcox" <steve at opaltelecom.co.uk> wrote:
> > Doesn't announcing the same routing prefix into BGP from multiple
> > locations do the same thing without needing a new range or enhancement in
> > IGMP etc.?
> >
> > We do this in IGP currently..
> >
> > Steve
>
> As I see it, the problems with doing this in BGP are
>
> - it's static - no failover. If AS 701 and AS 1239 are both
> announcing a route to foo, and your preferred route is "through" AS701,
> and the AS701 foo goes down, then you do not
> automatically switch over to the AS1239 foo, even if you could reach it.
>
> - there is no way to have multiple anycast addresses within an AS
>
> - load balancing is tough
>
> These may all be solved, though... it's hard to tell without a protocol
> description.
>
> Regards
> Marshall Eubanks
>
> > On Fri, 5 Jul 2002, Barry Raveendran Greene wrote:
> > > FYI - for those scratching their heads on "anycast" .....
> > >
> > > I just pushed out a paper on anycast by Chris Metz. Good foundation
> > > material.
> > >
> > > http://www.cisco.com/public/cons/isp/essentials/ip-anycast-cmetz-03.pdf
> > >
> > > > -----Original Message-----
> > > > From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf
> > > > Of Bill Woodcock
> > > > Sent: Friday, July 05, 2002 4:56 AM
> > > > To: Marshall Eubanks
> > > > Cc: nanog at merit.edu
> > > > Subject: Re: Internet vulnerabilities
> > > >
> > > >     > But the only IPv4 anycast
> > > >     > that I know of does use MSDP :
> > > >
> > > > http://www.ietf.org/internet-drafts/draft-ietf-mboned-anycast-rp-08.txt
> > > >
> > > >     > Is there a different proposal ? What's the RFC / I-D name ?
> > > >
> > > > You seem to be confusing anycast with something complicated.  It's
> > > > not a protocol, it's a method of assigning and routing addresses.
> > > >
> > > >                                 -Bill
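The setup Lars Erik describes above, written out as an added example (not his configuration, not part of the thread): a resolver carries two anycast /32s on its loopback, runs zebra's bgpd in a private AS that announces exactly those two host routes to the border router, and runs named listening only on the anycast addresses so the unique management address never answers DNS. The part the post takes for granted is the failure case: BGP only notices when the session or the box goes away, not when named alone dies, so a watchdog has to tie the announcement to resolver health or a dead resolver keeps attracting its share of queries. The watchdog here stops and restarts bgpd rather than relying on the BGP daemon to notice a vanished route. Every address, AS number, path and command below (192.0.2.1/2, 10.0.0.x, AS 65001/64512, the bgpd start and stop commands, `dig`) is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example: anycast caching resolver with GNU Zebra bgpd and a health
# watchdog. All addresses, AS numbers and commands are assumed values.

ANYCAST_IPS="192.0.2.1 192.0.2.2"        # assumed: the two customer-facing resolver IPs
MGMT_IP="10.0.0.11"                      # assumed: unique management address, routed in the IGP
PRIVATE_AS=65001                         # assumed: private AS this resolver speaks BGP as
BORDER_IP="10.0.0.1"; BORDER_AS=64512    # assumed: directly connected border router and its AS
CONF_DIR="${CONF_DIR:-./anycast-conf}"   # where the generated fragments are written
BGPD_START="${BGPD_START:-/usr/sbin/bgpd -d}"   # assumed daemon start command
BGPD_STOP="${BGPD_STOP:-pkill -x bgpd}"         # assumed daemon stop command

# Write the three config fragments: the loopback holds the anycast /32s,
# bgpd announces exactly those host routes, and named listens only on them.
write_configs() {
    mkdir -p "$CONF_DIR"
    {
        echo "interface lo"
        for ip in $ANYCAST_IPS; do echo " ip address $ip/32"; done
    } > "$CONF_DIR/zebra.conf"
    {
        echo "router bgp $PRIVATE_AS"
        echo " bgp router-id $MGMT_IP"
        for ip in $ANYCAST_IPS; do echo " network $ip/32"; done
        echo " neighbor $BORDER_IP remote-as $BORDER_AS"
        echo " neighbor $BORDER_IP description border-router"
    } > "$CONF_DIR/bgpd.conf"
    {
        echo "options {"
        echo "  listen-on { $(echo $ANYCAST_IPS | sed 's/ /; /g'); };"
        echo "  recursion yes;"
        echo "};"
    } > "$CONF_DIR/named.conf"
}

# Health probe: every anycast address must answer a query for the root NS set.
# Returns 0 only if all of them do. "dig" is assumed to be installed.
dns_healthy() {
    for ip in $ANYCAST_IPS; do
        dig +short +time=2 +tries=1 "@$ip" . NS >/dev/null 2>&1 || return 1
    done
    return 0
}

# Pure decision step, kept separate so it can be tested without BGP or DNS:
# $1 = healthy (1/0), $2 = currently announced (1/0). Prints the action.
decide() {
    case "$1$2" in
        10) echo announce ;;   # healthy again but withdrawn: start announcing
        01) echo withdraw ;;   # announced but broken: pull the routes
        *)  echo noop ;;       # state already matches health
    esac
}

# Withdraw by stopping bgpd: the session drops and the border router removes
# both host routes, so customers fall through to the next-nearest resolver.
withdraw() { eval "$BGPD_STOP"; }
announce() { eval "$BGPD_START"; }

watchdog() {
    announced=1
    while :; do
        if dns_healthy; then healthy=1; else healthy=0; fi
        case "$(decide "$healthy" "$announced")" in
            withdraw) withdraw; announced=0 ;;
            announce) announce; announced=1 ;;
        esac
        sleep 5
    done
}

# Only start the loop when explicitly asked, so the file can be sourced for its
# functions (and so nothing runs as a side effect of loading it).
if [ "${1:-}" = "run" ]; then write_configs; watchdog; fi
```

Run it as `sh anycast.sh run` on the resolver (as root, since it starts and stops bgpd). The generated bgpd.conf only ever carries the two /32s, which is the property the border router should also enforce on its side with a prefix list, so a misconfigured resolver cannot leak anything else into the backbone.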