Internet vulnerabilities

Rodney Joffe rjoffe at centergate.com
Fri Jul 5 15:21:10 UTC 2002


Marshall,

First, I hope you don't mind that I cut all the additional cc's. I don't
think any of the folks really needed extra copies ;-)

Now...

Marshall Eubanks wrote:
> 
> On Fri, 5 Jul 2002 13:36:49 +0100 (BST)
>  "Stephen J. Wilcox" <steve at opaltelecom.co.uk> wrote:
> >
> > Doesn't announcing the same routing prefix into BGP from multiple locations do
> > the same thing without needing a new range or enhancement in IGMP etc.?
> >
> > We do this in IGP currently..

Well, this doesn't need anything to change with normal BGP. It really
has very little to do with IGMP per se. The anycast routing prefix is
announced into many different networks, and as the end user, you will
see many paths, hopefully. If you only see one because of your IBGP,
then that's the path you'll take. If you see many, you'll take the one
that *your* ospf or isis setup prefers.

> As I see it, the problems with doing this in BGP are
> 
> - it's static - no failover. If AS 701 and AS 1239 are both
> announcing a route to foo, and your preferred route is "through" AS701,
> and the AS701 foo goes down, then you do not
> automatically switch over to the AS1239 foo, even if you could reach it.

No. It's not static. You may have misunderstood. Anycast is not just
multiple routes. It is also multiple machines in different places. So
there is really no single "foo". There are many "foos". Each one may
have more than one connection to the net. The announcements appear
behind many ASs. When your system sees many paths to "foo", it does not
know that in fact, each path goes to a different machine entirely, on a
different network even, in a different physical location. There's
another part that goes with anycast use, and dns; when any particular
foo goes down, or fails in any way, not just by physically failing, it
stops announcing itself (the router or routing software it uses
withdraws the route) and it is no longer one of the paths your network
will see. So if you were seeing it from 701, and 1239, and if anycast is
truly being used, you'll actually see the route being withdrawn from the
network(s) that has the foo that went bad. Unless, of course, there are
multiple foos in that network. In which case you will see no change and
you will still get to foo via the original route you preferred, just not
the foo you had used previously. And it makes no difference to you,
because in almost all of the cases, the query is answered in a single
packet, so persistence is irrelevant.

> 
> - there is no way to have multiple anycast addresses within an AS

Huh? What in the world do you mean here?

> 
> - load balancing is tough

Yes, which is why the load balancing services in the world are sold at a
premium. And it is not all that tough. ;-) With anycast, it is not
tough, at all, until you have to deal with the subject that brought this
thread up, ddos attacks. In which case it needs real engineering.

> 
> These may all be solved, though... it's hard to tell without a protocol
> description.

If you're talking about anycast and the way we're all using it in the
dns, there is no protocol as such. It uses existing mechanisms. All the
same protocols. You're currently making use of dns that uses anycast,
but you didn't have to modify anything, or download any new software, or
make any changes, did you?

> > > >
> > > >     > But the only IPv4 anycast
> > > >     > that I know of does use MSDP :
> > > > You seem to be confusing anycast with something complicated.  It's not a
> > > > protocol, it's a method of assigning and routing addresses.
> > > >
> > > >                                 -Bill

You really do seem to be fixated on multicast still. anycast /=
multicast.

HTH

-- 
Rodney Joffe
CenterGate Research Group, LLC.
http://www.centergate.com
"Technology so advanced, even we don't understand it!"(R)
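The failover argument made in this message (a failed "foo" withdraws its route, the client's path changes only when no healthy instance remains behind that AS) as an added toy model; this is not code from the original post. AS numbers and instance names are constructed, and BGP path selection is reduced to a plain preference list.

```python
# Added example (not from the original post): a toy model of anycast
# failover by route withdrawal. AS numbers and instance names are made up;
# real BGP path selection is reduced to a simple preference list.
from dataclasses import dataclass


@dataclass
class Instance:
    """One physical 'foo' answering on the shared anycast prefix."""
    name: str
    asn: int            # network behind which this instance is announced
    healthy: bool = True


def visible_paths(instances):
    """ASNs from which the prefix is currently announced.

    A failed instance withdraws its route, so an AS stays visible only
    while at least one healthy instance behind it keeps announcing."""
    return {i.asn for i in instances if i.healthy}


def select(instances, preference):
    """Pick the AS the client's policy prefers among the visible paths and
    the instance that actually answers behind it (first healthy one, standing
    in for the IGP's choice). Returns (asn, name) or None when no path exists."""
    paths = visible_paths(instances)
    for asn in preference:
        if asn in paths:
            answerer = next(i for i in instances if i.asn == asn and i.healthy)
            return asn, answerer.name
    return None


def failover_sequence():
    """Walk the scenario from the thread: two 'foos' behind AS 701, one behind
    AS 1239, client prefers 701. Returns the chosen route after each failure."""
    foos = [Instance("foo-1", 701), Instance("foo-2", 701), Instance("foo-3", 1239)]
    steps = [select(foos, [701, 1239])]        # all healthy: 701, foo-1
    foos[0].healthy = False                    # first 701 foo dies
    steps.append(select(foos, [701, 1239]))    # path unchanged, foo-2 answers
    foos[1].healthy = False                    # last 701 foo dies: route withdrawn
    steps.append(select(foos, [701, 1239]))    # client now reaches foo-3 via 1239
    foos[2].healthy = False
    steps.append(select(foos, [701, 1239]))    # nothing left announcing
    return steps


if __name__ == "__main__":
    for step in failover_sequence():
        print(step)
```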
