IETF Logo Mail Archive

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

Leo Bicknell <bicknell@isc.org> Thu, 29 September 2011 19:06 UTC

Return-Path: <bicknell@isc.org>
X-Original-To: grow@ietfa.amsl.com
Delivered-To: grow@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1475521F8F42 for <grow@ietfa.amsl.com>; Thu, 29 Sep 2011 12:06:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.616
X-Spam-Level:
X-Spam-Status: No, score=-5.616 tagged_above=-999 required=5 tests=[AWL=4.383, BAYES_00=-2.599, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bpb-dLTgbwJP for <grow@ietfa.amsl.com>; Thu, 29 Sep 2011 12:05:47 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) by ietfa.amsl.com (Postfix) with ESMTP id EED1521F8F31 for <grow@ietf.org>; Thu, 29 Sep 2011 12:05:47 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id 834BFC9428; Thu, 29 Sep 2011 19:07:06 +0000 (UTC) (envelope-from bicknell@isc.org)
Received: by bikeshed.isc.org (Postfix, from userid 10294) id 6DCD9216C56; Thu, 29 Sep 2011 19:07:06 +0000 (UTC)
Date: Thu, 29 Sep 2011 19:07:06 +0000
From: Leo Bicknell <bicknell@isc.org>
To: Danny McPherson <danny@tcb.net>
Message-ID: <20110929190706.GA84607@bikeshed.isc.org>
References: <20110928193323.GA57548@bikeshed.isc.org> <CC4CB415-C615-4379-842F-2177B333D380@tcb.net> <20110928235156.GA65454@bikeshed.isc.org> <352BFFD6-B2C3-4ACD-96C1-46F28B5E5719@tcb.net> <20110929130632.GA76531@bikeshed.isc.org> <E6D92094-5836-4BB8-8E3A-5F620AA67696@tcb.net> <20110929133512.GA77671@bikeshed.isc.org> <10DB5C60-A228-4877-9EF0-F14F20DB06F5@tcb.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <10DB5C60-A228-4877-9EF0-F14F20DB06F5@tcb.net>
Organization: Internet Systems Consortium, Inc
Cc: "grow@ietf.org grow@ietf.org" <grow@ietf.org>
Subject: Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as
X-BeenThere: grow@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Grow Working Group Mailing List <grow.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/grow>, <mailto:grow-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/grow>
List-Post: <mailto:grow@ietf.org>
List-Help: <mailto:grow-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/grow>, <mailto:grow-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2011 19:06:04 -0000

In a message written on Thu, Sep 29, 2011 at 11:22:45AM -0400, Danny McPherson wrote:
> With normal unicast there's a single tree for the prefix in the routing 
> system, while anycasting inherently introduces a polytree for the prefix.  
> However, anycasting with a common origin AS creates a 'pseudo AS' at the 
> root of the graph (i.e., the illusion of a single tree).  By doing what 
> you describe, you force anyone doing routing system analysis to know 'a 
> priori' which prefixes employ a pseudo AS at the root of the tree - only 
> so that they can step deeper into the tree, to the actual polytree roots, 
> and then evaluate the adjacent nodes of those roots.  This is particularly 
> problematic when new nodes are introduced to the system.

I'm sure you have studied this in great detail, and so I will simply
assume you're correct that the method described is easier when
writing a program to find hijacked routes.

However, that is a small part of operating an Anycast system.  Far
more frequently than I help folks find hijacked routes (which are
fortunately rare) I help troubleshoot ordinary performance problems.
It's far easier for me to say "send me show ip bgp regex _3557$"
and get all the info I need than send a list of routes (3 in our
case) or local ASN's (about 55 in our case).  The same goes for
when I'm looking at various looking glasses to see what is going
on.

I also think, and this is totally subjective, that it is easier to
explain to folks on the phone, particularly folks with no Anycast
experience.  They can just pretend in their mind that 3557 is one
big global network that peers in a lot of places and their mental
image is complete.

So even if I spot you that it makes it easier for a third party to
programmatically detect hijacks I don't think that's enough alone
to rise to calling this method the "best current practice", which
is the path this draft is on.  It has impacts on day to day operations
(including things like the inconsistent asn reports) that also need
to be weighed.

But, I think we've both overmade our points.  I also realize I was late
to this game, you can't watch everything in every group all the time.
I think the question is if anyone else on the list cares one way or
another, because if no other opinions have been changed we might as well
stop.

-- 
Leo Bicknell; E-mail: bicknell@isc.org, Phone: +1 650 423 1358
INOC*DBA *3357*592; Internet Systems Consortium, Inc.  www.isc.org

v2.23.0 | Report a Bug | By Email