[dnsop] Re: Root Anycast (fwd)
Dean Anderson
dean at av8.com
Tue May 3 21:56:01 UTC 2005
BTW, Iljitsch notes that "he is worried, but not as much as Dean seems to
be". As I told Iljitsch, I'm not saying the sky is falling, but I am
saying there is a problem, and instead of addressing the problem, people
are just making personal attacks.
---------- Forwarded message ----------
Date: Sun, 3 Oct 2004 23:01:42 +0200
From: Iljitsch van Beijnum <iljitsch at muada.com>
To: Stephane Bortzmeyer <bortzmeyer at nic.fr>
Cc: dnsop at lists.uoregon.edu
Subject: Re: [dnsop] Re: Root Anycast
On 2-okt-04, at 21:42, Stephane Bortzmeyer wrote:
> Troll Bot <dean at av8.com> keeps mentioning PPLB. Maybe some people
> more knowledgeable about BGP than I am will explain to me why PPLB is
> such a new issue for anycasting?
I have no idea how new this is, but I have to admit I'm slightly
worried. Not to the degree Dean seems to be, though.
It is true that if you turn on load balancing over multiple paths in
BGP and then per packet load balancing between several links, packets
belonging to one session can end up on different anycast instances.
(This would be harmful in the case of TCP, but TCP will probably
recover by retransmitting. It would be quite deadly in the case of
fragmented UDP packets.)
What can happen is this:

        A
       / \
     B1   B2
     |     |
     C     D
     |     |
     E1    E2

AS A connects to two different routers in AS B, and each of these
routers prefers a different external path towards different anycast
instances of AS E. In order for this to happen the paths from B to both
anycast instances E1 and E2 must be completely identical, except that
for one router in B one path is preferred and for another router the
other. This will only happen if these routers connect to ASes C and D
themselves, or if one sees a better IGP metric towards the router
connecting to C and another sees a better IGP metric towards the router
connecting to D.
Now the part that worries me is what's happening in .org. They only use
two addresses in the delegation from the root, and both are heavily
anycasted. This makes no sense at all as it effectively hides all but
two of the .org TLD servers while there are no reasons at all for not
making at least have a dozen others visible. End-user impacting issues
with this have been reported (but have predictably been almost
impossible to reproduce) but the situation persists.
Fortunately, the root operators have more sense (or inherited a better
situation). Still, I'm not entirely comfortable with the fact that each
of them seems to make anycasting decisions on their own. Anycast has
many things going for it as it allows root servers to be installed in
many more places than could be done otherwise, but it's also risky as
more and more root servers seem to be in the same place from any given
viewpoint, and especially from not so well connected viewpoints.
Problems such as congestion and BGP blackholes or (temporary) BGP
instability can then impact most or even all of the root servers.
(Only for some places connected to the net, though.) So I feel it's
very important to have a reasonable number of root servers that are NOT
anycast. Preferably, those should be in locations that are far apart.
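
Added example (not part of the original messages): a small Python simulation of the A / B1,B2 / E1,E2 topology described in the forwarded message, comparing per-packet and per-flow balancing at router A for one fragmented UDP datagram. The addresses, datagram size and function names are constructed for illustration.

```python
"""Constructed simulation: per-packet vs per-flow balancing toward an anycast prefix."""
import hashlib
from collections import defaultdict

# Topology from the message: AS A has two links into AS B. Router B1's best
# path leaves via C to anycast instance E1, router B2's via D to instance E2.
NEXT_HOP_TO_INSTANCE = {"B1": "E1", "B2": "E2"}
LINKS = ["B1", "B2"]

def fragment(datagram_id, payload_len, frag_payload=1480):
    """Split one datagram into IP fragments: (id, offset, length, more_fragments)."""
    frags, off = [], 0
    while off < payload_len:
        size = min(frag_payload, payload_len - off)
        frags.append((datagram_id, off, size, off + size < payload_len))
        off += size
    return frags

def per_packet(flow, seq):
    """Round-robin over the links, ignoring which flow a packet belongs to."""
    return LINKS[seq % len(LINKS)]

def per_flow(flow, seq):
    """Hash (src, dst, proto) so every packet of a flow takes the same link.
    Ports are left out because non-first fragments do not carry them."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return LINKS[digest[0] % len(LINKS)]

def deliver(frags, flow, balancer):
    """Return {instance: [fragments received]} for the chosen balancer."""
    seen = defaultdict(list)
    for seq, frag in enumerate(frags):
        seen[NEXT_HOP_TO_INSTANCE[balancer(flow, seq)]].append(frag)
    return dict(seen)

def reassembled(frags_at_instance, payload_len):
    """An instance can reassemble only if it holds every byte of the datagram."""
    return sum(f[2] for f in frags_at_instance) == payload_len

def run(balancer, payload_len=4000):
    """Return {instance: could_reassemble} for one fragmented datagram."""
    flow = ("192.0.2.10", "198.51.100.53", "udp")  # constructed addresses
    got = deliver(fragment(0x1234, payload_len), flow, balancer)
    return {inst: reassembled(fr, payload_len) for inst, fr in got.items()}

if __name__ == "__main__":
    print("per-packet:", run(per_packet))
    print("per-flow:  ", run(per_flow))
```

With per-packet balancing the three fragments are split between E1 and E2 and neither instance holds the whole datagram; with per-flow hashing a single instance receives all of them.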