IETF Logo Mail Archive

Re: [dns-privacy] [DNSOP] FW: New Version Notification for draft-pan-dnsop-edns-isp-location-00

Lanlan Pan <abbypan@gmail.com> Thu, 23 March 2017 07:32 UTC

Return-Path: <abbypan@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90CC912D574; Thu, 23 Mar 2017 00:32:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bXT5xDULQD6; Thu, 23 Mar 2017 00:32:11 -0700 (PDT)
Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1106312E6D7; Thu, 23 Mar 2017 00:32:10 -0700 (PDT)
Received: by mail-wm0-x231.google.com with SMTP id u132so53629393wmg.0; Thu, 23 Mar 2017 00:32:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EGqu4Q1ErFRt96OWJjN0bxcoUvpWqK/6nt2MfuTT5Pk=; b=eRqZq2E5l2N+lM52ae/K2rGPNzWkRGFkuFjq81UsG+LNYpoKOSQozd/5HHiOgOM6i8 0EiWIzQyyFlzdODDBoSBYCW0GRQkFh5QPh1iHNgfSk6p8YnCo5cuDYgNB6z1OnBEd+IP BqLXzjszCDDLcAMphQ7KPmOkxEiLlUUh4GzO7v7OBJebk9tdRXOLOb9EGXCukiPm4Iyg O0yyoqgdInZlVNEbm6K6AWfMdnt5H4Qgmh4svayMpICcXmMCIBeAj4YRIS8xizU/mH98 vsmwhjyMxMsRsu3yn0Qbp6Y6TGN7M+7FN9q846rrgJMrojCuTSGWcPcKceNDoDdycpZx H6Hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EGqu4Q1ErFRt96OWJjN0bxcoUvpWqK/6nt2MfuTT5Pk=; b=uONR3zXpmogut+zni6I+qBDRDv2SSqthKK9ITJG2WuYikoIr/2LvjwtZDO1+pLlHXB 7GotfOms/qYhdDdP75o69pHOdFfodQ0ve8Ensg9smumj/v5f3ApKXtNzuQey4UpU617J pCzAUiym3h7GhHYWeDgH3b27bmc7dypn9T1KwpM/K9vmY4cvQh9QzKJO7df3wlvJdUAI nOwjVIBFQgyZmrleK/DhroAN88Zm5WN0kSPyN7iADjjGZu7Lr8l1zeJ5yHt+/Ek9plAz DA2yhggTp5k8dRLUcJ/6piB3RpzVC5mMTQU076qjJ/bWPuZyM6Yx0P8Wsf+3qWRN4drk U/vw==
X-Gm-Message-State: AFeK/H2eU1444Q9+Y5zixC83zAvEgiyOHzQoI2chKsrZ5/t1wE44dNR9nr7VQn4N22O3PQLR7zy2SqGdTeCyNA==
X-Received: by 10.28.152.11 with SMTP id a11mr11648384wme.64.1490254328125; Thu, 23 Mar 2017 00:32:08 -0700 (PDT)
MIME-Version: 1.0
References: <000f01d29dfe$50b6b190$f22414b0$@cn> <CANLjSvXGO3rSpqb7hzwmV=vfm=UTHnQYqfBmt=uD9Mi8cL59Jg@mail.gmail.com> <16B293AD-27A2-4A6D-8A96-7CD847B59708@senki.org> <CANLjSvUJfU1cafGXHyg=DuCnhm09mBm5z4ve2_g6j2ONgt2tRQ@mail.gmail.com> <BBCEC002-D8D9-498E-8567-507181F9215E@develooper.com> <CANLjSvXA03qGN9TZ2oON7bJfygU7Uzor6H3ku83E_NhA3FBa7A@mail.gmail.com> <3C0E763C-4C7F-4A63-A178-58F2AD77D3AC@develooper.com> <CANLjSvWMYt1khfETApcW4Wt3aourPmhY-7Kz3Jrxjv4x89=3HA@mail.gmail.com> <58D22F02.60505@redbarn.org> <CANLjSvUfbOTXZCva-1zuiaxKoF_L02ZJ95c55cPdefeoroZwEg@mail.gmail.com> <58D257F4.8090506@redbarn.org>
In-Reply-To: <58D257F4.8090506@redbarn.org>
From: Lanlan Pan <abbypan@gmail.com>
Date: Thu, 23 Mar 2017 07:31:57 +0000
Message-ID: <CANLjSvX9gUH4Mv3Z6B7LTNJ--JcP4Z63QbDct=gKhnGhBaQbeA@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: Ask Bjørn Hansen <ask@develooper.com>, "fuyu@cnnic.cn" <fuyu@cnnic.cn>, dns-privacy@ietf.org, Barry Raveendran Greene <bgreene@senki.org>, dnsop <dnsop@ietf.org>, petr.spacek@nic.cz
Content-Type: multipart/alternative; boundary="001a114b9412da5ce3054b60df5d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/_lQzcg7U29rl5fRP-4hFpgCZH-o>
Subject: Re: [dns-privacy] [DNSOP] FW: New Version Notification for draft-pan-dnsop-edns-isp-location-00
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2017 07:32:16 -0000

Hi Paul,

Thanks for your comments and detail expatiation, :-)


*Why I think ECS is actually based on the map of " client subnet ->
geolocation (country, province, isp) " ? *

Of course, we all read RFC 7871, they said "Topologically Close" , not
"Geographically close".
Everyone know that geolocation is not precisely equal to realtime network
topology.

But, the duck test – "If it looks like a duck, swims like a duck, and
quacks like a duck, then it probably is a duck".
As last mail I replied to Ask, AUTH will not choose to detect network
topology connection speed with each subnet one by one, but summarized the
subnet into some critical information: AS Number, Country, Province, ISP
name. Most of time, AUTH will select some subnets for sample test, then,
configure by geolocation area.

I don't mean that AUTH decide response based on physical geolocation
distance. I mean that AUTH decide response base on *network topology
distance between the isp geolocation area.*
Imagine that,  www.xxxcdn.com  build two datacenter in (CHINA, SHANGHAI,
UNICOM), (CHINA, LIAONING, UNICOM)

   - physical distance: BEIJING - SHANGHAI  >  BEIJING - LIAONING
   - network topology distance: BEIJING - SHANGHAI <  BEIJING - LIAONING

the AUTH of www.xxxcdn.com  will return (CHINA, SHANGHAI, UNICOM) response
to the user from  (CHINA, BEIJING, UNICOM).

There are some examples:

1) Google Public DNS FAQ :
https://developers.google.com/speed/public-dns/faq#locations

In addition, Google Public DNS engineers have proposed a technical solution
called EDNS Client Subnet
<https://datatracker.ietf.org/doc/draft-ietf-dnsop-edns-client-subnet/>.
This proposal allows resolvers to pass in part of the client's IP address
(the first 24/64 bits or less for IPv4/IPv6 respectively) as the source IP
in the DNS message, so that name servers can return optimized results *based
on the user's location* rather than that of the resolver. To date, we have
deployed an implementation of the proposal for many large CDNs (including
Akamai) and Google properties. The majority of *geo-sensitive* domain names
are already covered.

2) Dyn’s ECS Implementation:
https://help.dyn.com/edns-client-subnet-faq-info/

When a DNS query is received by our nameservers, we analyze the query in
order to determine what response we provide. During this analysis, we will
notice if ECS information is provided and whether a Traffic Director
service will be involved in the response. If both is the case, we will *use
the ECS information for our geolocation lookup* instead of the source IP
address.
Once a geolocation is found and a response is selected, Traffic Director
will provide a DNS response back to the source IP address. As part of this
response we will include information via ECS regarding what subnet the
response should be cached for.

3) Amazon Route 53:
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html

To improve the accuracy of *geolocation routing*, Amazon Route 53 supports
the edns-client-subnet extension of EDNS0. (EDNS0 adds several optional
extensions to the DNS protocol.) Amazon Route 53 can use edns-client-subnet
only when DNS resolvers support it
When a browser or other viewer uses a DNS resolver that does support
edns-client-subnet, the DNS resolver sends Amazon Route 53 a truncated
version of the user's IP address. Amazon Route 53 *determines the location
of the user based on the truncated IP address* rather than the source IP
address of the DNS resolver; this typically provides a more accurate
estimate of the user's location. Amazon Route 53 then responds to
geolocation queries with the DNS record for the user's location.

4)  Gdnsd (an AUTH software) 's Geoip plugin, which support ECS:
https://github.com/gdnsd/gdnsd/wiki/GdnsdPluginGeoip
gdnsd-plugin-geoip uses MaxMind's GeoIP binary databases to map address and
CNAME results based on *geography* and monitored service availability. It
fully supports both IPv6 and the emerging edns-client-subnet standard.




*Is geolocation information good for CDN and DNS? *
In the mid-1990's, network resource is rare and uneven, network path is
inconsistent with geolocation. Therefore, in the mid-1990's, many network
operators usually ignored geography.
There was a popular sentence for Chinese network topology, decribed similar
condition: The distance between China Telecom and China Unicom, is much
longer than the distance between China Telecom and United State.

However, Internet grow up dramatically since 1990s. Nowadays, Internet is
critical information infrastructure, global network path connect every
where. Even into remote mountain village, information spread rapidly.
With internet network path connect every where, the aerial view network
topology distance improve like road path more and more.
CDN do best effort to make end user to visit the closest edge server,
consider about geolocation more and more. They call that geolocation
lookup, geolocation routing, geolocation delivery, and so on.

I AGREE WITH this sentence of your post :
*it has never been wise to assume that a DNS request's IP source address
gives any hint of an end-system Web browser's network location.*
This assumption is not correct in theopy, but the reality is that almost
all smart-auth-dns-resolution working based on this assumption.
So I support ECS's idea : give more precisely information to AUTH.

In the mid-1990's,  DNS is pure. Not work with CDN that contains 50+
datacenters to choose for dns response.
In the mid-1990's,  there is not public recursive resolver. Not increase
the distance between client ip and resolver ip.
Consider about these nowadays problem,  ECS is designed, partly change
traditional dns query, *give addtional subnet information for AUTH to make
a better decision*.
ECS can make DNS query & response more satisfied with nowadays content
delivery ( one domain -> multiple servers distributed in different location
datacenters ), if they don't deploy ip anycast.

Again, as I methioned above, AUTH actually use ECS subnet information
mapped into geolocation information, then make dns decision.



*Why I think EIL can make some revisions to ECS ? *
EIL : We tell Authorative servers that, "*I want to know what is most
satisfied ip address for clients from (CHINA, BEIJING, UNICOM) at network
topology distance*".  The (CHINA, BEIJING, UNICOM) is geolocation,  but
AUTH decide dns response by network topology distance between the
geolocation nodes.

   - *Privacy*:  The biggest privacy concern on ECS is that client subnet
   information is personally identifiable. EIL adjust the sensitive client
   subnet information to aerial view geolocation information for user privacy
   protection.


   - *Operation*:  In P-model (details in my *Paper
   <https://drive.google.com/open?id=0B5gNT4RRJ0xPaG9nZ045VXRrZzg>*), EIL
   move back the "guess geolocation of client’s IP" work from authoritative
   server to public recursive resolver, lighten the burden of authoritative
   server. Anyway, the origin of user latency problem is the public recursive
   service providers couldn't deploy servers in every country and every ISP's
   network.
   - *Cache Size*:  The cache size of ECS grows up with the number of
   client subnets. under future IPv6 environment, huge number of subnet,  the
   cache size of EIL will be smaller than ECS.


Paul Vixie <paul@redbarn.org>于2017年3月22日周三 下午6:54写道:

> Lanlan Pan wrote:
> > ... Because ECS is also based on the map of
> > "*client subnet -> geolocation*" information.
>
> Paul Vixie <paul@redbarn.org>于2017年3月22日周
> > wait, what?
>
> Lanlan Pan wrote:
> > Hi Paul,
>
> hi.
>
> > https://www.cdnplanet.com/blog/which-cdns-support-edns-client-subnet/
>
> this web page is factually incorrect in that it presupposes that geo-ip
> is used. i have added a comment there to this effect.
>
> the original ECS web site
> (http://www.afasterinternet.com/howitworks.htm) is somewhat
> marketing-oriented, but says only that "With this more intelligent
> routing, customers will have a better Internet experience with lower
> latency and faster speeds." in other words, it expects that a CDN will
> apply its server-selection logic on an address basis, but using the
> truncated client subnet rather than to the DNS request source address.
> it does not dictate what the CDN's server-selection logic has to be or do.
>
> in RFC 7871 (http://www.afasterinternet.com/ietfrfc.htm) we see this
> definition:
>
> > Topologically Close:  Refers to two hosts being close in terms of the
> >       number of hops or the time it takes for a packet to travel from
> >       one host to the other.  The concept of topological distance is
> >       only loosely related to the concept of geographical distance: two
> >       geographically close hosts can still be very distant from a
> >       topological perspective, and two geographically distant hosts can
> >       be quite close on the network.
>
> there is an error on page 22 which is directly on-point:
>
> >    o  Recursive Resolvers implementing ECS should only enable it in
> >       deployments where it is expected to bring clear advantages to the
> >       end users, such as when expecting clients from a variety of
> >       networks or from a wide geographical area.  Due to the high cache
> >       pressure introduced by ECS, the feature SHOULD be disabled in all
> >       default configurations.
>
> from context, it's clear that they meant "topological area".
>
> actual CDN technology, from as far back as Cisco Distributed Director in
> the mid-1990's, has usually ignored geography, for the reasons i gave
> up-thread: overlapping and incoherent topology within a geo-ip region
> means that geo-location is a very poor predictor of per-path performance.
>
> let me state (again) for the record that i was and remain opposed to ECS
> because it's an obviously bad idea and the apparent need for it merely
> proves that Stupid DNS Tricks
> (http://queue.acm.org/detail.cfm?id=1647302) did not and could not solve
> their chosen problem in the first place. it's architectural
> cost-shifting, which is a form of both intellectual conversion and
> economic compulsion. sad!
>
> however, if you're going to propose a replacement for ECS, you should
> correctly describe how it works. <<Because ECS is also based on the map
> of "*client subnet -> geolocation*">> is not a correct description. if
> EIL is geo-based, then it is completely different from ECS.
>
> --
> P Vixie
>
> --
致礼  Best Regards

潘蓝兰  Pan Lanlan

v2.23.0 | Report a Bug | By Email