Internet vulnerabilities
Lars Erik Gullerud
lerik at nolink.net
Fri Jul 5 13:49:36 UTC 2002
Uhm it seems to me people are trying to make this whole AS112-thing sound more
complex than it really is...
We use the BGP anycast-method in our backbone, and have been doing so for a
long time. Basically, we have multiple caching DNS-servers scattered around
our network, but all of them use the same IP-adress (well, actually two -
since customers expect to configure a primary and a secondary DNS on their
computers). The DNS resolvers all run zebra and identify themselves as a
private AS, announcing two single host routes (the two DNS resolver-IP's) to
the border-router they are connected to.
Our customers' DNS queries will be routed to the nearest available server, by
the same mechanisms as any other hot-potato routing setup (i.e. MEDs). This
works beautifully since we are only dealing with DNS UDP packets. (The
servers do also have a unique IP adress for management traffic etc, and these
are normally routed in the IGP - but they do not respond to DNS traffic on
this IP). That way, we have both "load-balancing" (customer queries are
spread out to the servers who are closest to the customer) and redundancy -
if one resolver fails, BGP will use the next available route to get to this
prefix. The only difference with the AS112 setup is the fact that you are
doing it across several AS'es instead of just inside a single one, but the
principle is the same - and just as simple.
This is an extremely simple anycast setup for DNS servers, and potentially
other simple UDP-based services, we have been using it for a couple of years,
and it works beautifully. No new protocols, no complex setups, just normal
BGP operation. I even think someone wrote a very good paper on setting up DNS
resolvers this way once, though I can't remember where I saw it.
--Lars Erik
On Friday 05 July 2002 15:05, Marshall Eubanks wrote:
> On Fri, 5 Jul 2002 13:36:49 +0100 (BST)
>
> "Stephen J. Wilcox" <steve at opaltelecom.co.uk> wrote:
> > Doesnt announcing the same routing prefix into BGP from multiple
> > locations do the same thing without needing a new range or enhancement in
> > IGMP etc ?
> >
> > We do this in IGP currently..
> >
> > Steve
>
> As I see it, the problems with doing this in BGP are
>
> - it's static - no failover. If AS 701 and AS 1239 are both
> announcing a route to foo, and your preferred route is "through" AS701,
> and the AS701 foo goes down, then you do not
> automatically switch over to the AS1239 foo, even if you could reach it.
>
> - there is no way to have multiple anycast addresses within an AS
>
> - load balancing is tough
>
> These may all be solved, though... it's hard to tell without a protocol
> description.
>
> Regards
> Marshall Eubanks
>
> > On Fri, 5 Jul 2002, Barry Raveendran Greene wrote:
> > > FYI - for those scratching their heads on "anycast" .....
> > >
> > > I just pushed out a paper on anycast by Chris Metz. Good foundation
> > > material.
> > >
> > > http://www.cisco.com/public/cons/isp/essentials/ip-anycast-cmetz-03.pdf
> > >
> > > > -----Original Message-----
> > > > From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf
> > > > Of Bill Woodcock
> > > > Sent: Friday, July 05, 2002 4:56 AM
> > > > To: Marshall Eubanks
> > > > Cc: nanog at merit.edu
> > > > Subject: Re: Internet vulnerabilities
> > > >
> > > > > But the only IPv4 anycast
> > > > > that I know of does use MSDP :
> > > >
> > > > http://www.ietf.org/internet-drafts/draft-ietf-mboned-anycast-rp-08.t
> > > >xt
> > > >
> > > > > Is there a different proposal ? What's the RFC / I-D name ?
> > > >
> > > > You seem to be confusing anycast with something complicated. It's
> > > > not a protocol, it's a method of assigning and routing addresses.
> > > >
> > > > -Bill
More information about the NANOG
mailing list