Internet vulnerabilities

Marshall Eubanks tme at multicasttech.com
Fri Jul 5 16:28:46 UTC 2002


Dear Rodney;

    Thanks for the info.

Rodney Joffe wrote:

> Marshall,
> 
> First, I hope you don't mind that I cut all the additional cc's. I don't
> think any of the folks really needed extra copies ;-)
> 
> Now...
> 
> Marshall Eubanks wrote:
> 
>>On Fri, 5 Jul 2002 13:36:49 +0100 (BST)
>> "Stephen J. Wilcox" <steve at opaltelecom.co.uk> wrote:
>>
>>>Doesn't announcing the same routing prefix into BGP from multiple locations do
>>>the same thing without needing a new range or enhancement in IGMP etc.?
>>>
>>>We do this in IGP currently..
>>>
> 
> Well, this doesn't need anything to change with normal BGP. It really
> has very little to do with IGMP per se. The anycast routing prefix is
> announced into many different networks, and as the end user, you will
> see many paths, hopefully. If you only see one because of your IBGP,
> then that's the path you'll take. If you see many, you'll take the one
> that *your* ospf or isis setup prefers.
> 
> 
>>As I see it, the problems with doing this in BGP are
>>
>>- it's static - no failover. If AS 701 and AS 1239 are both
>>announcing a route to foo, and your preferred route is "through" AS701,
>>and the AS701 foo goes down, then you do not
>>automatically switch over to the AS1239 foo, even if you could reach it.
>>
> 
> No. It's not static. You may have misunderstood. Anycast is not just
> multiple routes. It is also multiple machines in different places. So


That's the point :)


> there is really no single "foo". There are many "foos". Each one may
> have more than one connection to the net. The announcements appear
> behind many ASs. When your system sees many paths to "foo", it does not
> know that in fact, each path goes to a different machine entirely, on a
> different network even, in a different physical location. There's
> another part that goes with anycast use, and dns; when any particular
> foo goes down, or fails in any way, not just by physically failing, it
> stops announcing itself (the router or routing software it uses
> withdraws the route) and it is no longer one of the paths your network
> will see. So if you were seeing it from 701, and 1239, and if anycast is

Let's go through this a little.

Let's say that you and I are running the foo service in anycast. You 
announce the foo IP address (say in a /24) behind your AS, I announce 
the same /24 behind my AS. Now, if my foo server goes down, how do my 
routers know to withdraw the announcements? If they don't, why wouldn't 
people "closer" to me still try and get the foo service from me, alas, 
without success? That's what I meant.

Or, are you saying that an anycast host has to be a router running BGP? 
So if it goes down, so would the service and the announcements? This 
works for DNS, but not for the things I would like to anycast.


> truly being used, you'll actually see the route being withdrawn from the
> network(s) that has the foo that went bad. Unless, of course, there are
> multiple foos in that network. In which case you will see no change and
> you will still get to foo via the original route you preferred, just not
> the foo you had used previously. And it makes no difference to you,
> because in almost all of the cases, the query is answered in a single
> packet, so persistence is irrelevant.
> 
> 
>>- there is no way to have multiple anycast addresses within an AS
>>
> 
> Huh? What in the world do you mean here?
>


Sorry, too early in the AM. Withdrawn.

 
> 
>>- load balancing is tough
>>
> 
> Yes, which is why the load balancing services in the world are sold at a
> premium. And it is not all that tough. ;-) With anycast, it is not
> tough, at all, until you have to deal with the subject that brought this
> thread up, ddos attacks. In which case it needs real engineering.
> 
> 
>>These may all be solved, though... it's hard to tell without a protocol
>>description.
>>
> 
> If you're talking about anycast and the way we're all using it in the
> dns, there is no protocol as such. It uses existing mechanisms. All the
> same protocols. You're currently making use of dns that uses anycast,
> but you didn't have to modify anything, or download any new software, or
> make any changes, did you?
> 


Nope. Thanks for the info.

Marshall


> 
>>>>>    > But the only IPv4 anycast
>>>>>    > that I know of does use MSDP :
>>>>>You seem to be confusing anycast with something complicated.  It's not a
>>>>>protocol, it's a method of assigning and routing addresses.
>>>>>
>>>>>                                -Bill
>>>>>
> 
> You really do seem to be fixated on multicast still. anycast /=
> multicast.
> 
> HTH
> 
> 


-- 
                                  Regards
                                  Marshall Eubanks

This e-mail may contain confidential and proprietary information of
Multicast Technologies, Inc, subject to Non-Disclosure Agreements


T.M. Eubanks
Multicast Technologies, Inc
10301 Democracy Lane, Suite 410
Fairfax, Virginia 22030
Phone : 703-293-9624       Fax     : 703-293-9609
e-mail : tme at multicasttech.com
http://www.multicasttech.com

Test your network for multicast :
http://www.multicasttech.com/mt/
  Status of Multicast on the Web  :
  http://www.multicasttech.com/status/index.html
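The point the two of them circle around above (an anycast site has to withdraw its announcement when its local service dies, or clients "closer" to it keep sending queries into a black hole; and a site with several servers behind the same prefix shows no route change at all when only one of them fails) can be made concrete with a small simulation. The following Python is an added example written for this archive page, not code from either author or from any NANOG project. It assumes nothing about real BGP software: the "health check" is a function colocated with the service that keeps the prefix announced only while at least one server in that AS answers, and path selection is reduced to shortest AS path among announced routes. The prefix, AS numbers, server names and path lengths are constructed for illustration.

```python
"""Toy model of anycast failover driven by service health checks.

Added example, not from the thread. Several networks announce the same
prefix; each client picks the announcing network with the shortest AS
path; a network withdraws its announcement once it has no healthy server
left. Without that withdrawal, nearby clients keep hitting a dead service.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PREFIX = "192.0.2.0/24"  # constructed: RFC 5737 documentation prefix


@dataclass
class AnycastSite:
    """One network (AS) hosting one or more 'foo' servers behind PREFIX."""
    asn: int
    servers: Dict[str, bool]   # server name -> healthy?
    announced: bool = True     # is PREFIX currently announced from this AS?

    def healthy_servers(self) -> List[str]:
        return [name for name, ok in self.servers.items() if ok]

    def run_health_check(self) -> None:
        """Model of a check daemon next to the service: keep announcing
        only while at least one local server still answers."""
        self.announced = bool(self.healthy_servers())


@dataclass
class Client:
    name: str
    as_path_len: Dict[int, int]  # asn -> AS-path length this client sees


def best_site(client: Client, sites: List[AnycastSite]) -> Optional[AnycastSite]:
    """BGP-style selection: shortest AS path among *announced* routes only.
    The client cannot tell that each path ends at a different machine."""
    reachable = [s for s in sites if s.announced and s.asn in client.as_path_len]
    if not reachable:
        return None
    return min(reachable, key=lambda s: client.as_path_len[s.asn])


def query(client: Client, sites: List[AnycastSite]) -> Tuple[Optional[int], Optional[str]]:
    """One single-packet query. Returns (asn reached, server that answered).
    A None server means the query reached a network with no live service."""
    site = best_site(client, sites)
    if site is None:
        return (None, None)
    healthy = site.healthy_servers()
    # Inside the AS, the IGP or a load balancer hands the query to any
    # healthy server; if there is none the packet is simply lost.
    return (site.asn, healthy[0] if healthy else None)


def scenario(failed_servers: Set[str], withdraw_on_failure: bool
             ) -> Dict[str, Tuple[Optional[int], Optional[str]]]:
    """AS 701 runs two foo servers, AS 1239 runs one; both announce PREFIX.
    Mark the given servers dead, optionally run the health checks, then
    report which AS and server (if any) answers each client."""
    sites = [
        AnycastSite(asn=701, servers={"foo-701-a": True, "foo-701-b": True}),
        AnycastSite(asn=1239, servers={"foo-1239": True}),
    ]
    clients = [
        Client("near-701", {701: 1, 1239: 3}),   # prefers AS 701
        Client("near-1239", {701: 3, 1239: 1}),  # prefers AS 1239
    ]
    for site in sites:
        for name in list(site.servers):
            if name in failed_servers:
                site.servers[name] = False
        if withdraw_on_failure:
            site.run_health_check()
    return {c.name: query(c, sites) for c in clients}


if __name__ == "__main__":
    print("all up:            ", scenario(set(), True))
    print("one 701 box dead:  ", scenario({"foo-701-a"}, True))
    print("701 dead, no check:", scenario({"foo-701-a", "foo-701-b"}, False))
    print("701 dead, checked: ", scenario({"foo-701-a", "foo-701-b"}, True))
```

Running it shows the four cases: with one of the two AS 701 servers down, the "near-701" client sees no route change and is answered by the surviving box; with both down and no health check, the prefix stays announced and that client's queries go unanswered; with the check in place, the announcement is withdrawn and the same client falls over to AS 1239. In production the role of `run_health_check` is played by a daemon that speaks to the site's router and withdraws the prefix when the service probe fails, which is how the DNS operators in this thread get the behaviour Rodney describes without any new protocol.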



