Re: IPv6 Anycast has been killed by LINUX patch in 2016 - who cares?

Töma Gavrichenkov <ximaera@gmail.com> Mon, 09 August 2021 10:48 UTC

From: Töma Gavrichenkov <ximaera@gmail.com>
Date: Mon, 09 Aug 2021 13:47:53 +0300
Message-ID: <CALZ3u+aBdE3Bw3_ry+CuV4tS016c4mWewJFpr0aCbBnwj70Vzg@mail.gmail.com>
Subject: Re: IPv6 Anycast has been killed by LINUX patch in 2016 - who cares?
To: Theodore Ts'o <tytso@mit.edu>
Cc: Tom Herbert <tom@herbertland.com>, 6man WG <ipv6@ietf.org>, IETF discussion list <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/llQY2JuoBOOnRB_03zp6T8vyDmI>

Peace,

On Mon, Aug 9, 2021, 1:40 AM Theodore Ts'o <tytso@mit.edu> wrote:

> Which of the top 5, 10, 100 sites on the Internet use anycast?
>

You should understand that this is the wrong question to ask, because there's
just no way of reliably figuring that out.

Anycast isn't just something which is written all over your BGP
announcement.  By the nature of it, anycast is the announcement of the same
IP prefix, through BGP, from multiple physical locations.  And, the concept
of a "physical location" is not incorporated within BGP or any globally
available network layer protocol.

You can, probably, carry out research, of course, to a certain level of
reliability only, using something like hundreds of RIPE Atlas probes with a
good geographic AND source network distribution (not the same thing), and
measure which IP flows land within which ranges of expected intervals of
time.  Based on the value of the speed of light, it will then show you
(with some level of reliability) which sites of the group certainly use
anycast, and there's no real way of telling if any of them don't, because
the locations could be just too close to each other.

That is a massive piece of work, and I hope you didn't just suggest that
I'd do it, right?
Anyhow, this doesn't mean a lot, because:

> If Facebook, Amazon, Google, Wikipedia, etc., are using standard IPv4
> and IPv6 endpoints and are *not* using anycast, and they have
> successfully fielded defenses against DDOS's without using anycast,
> wouldn't that tend to blow a gigantic, gaping hole in your assertion?
>

A gigantic, gaping hole in my assertion and experience would be blown by
anyone who's ready to come up with an autonomous system architecture, able
to reliably process and mitigate stateful layer 7-enabled (including
combined vectors) DDoS attacks towards a layer 7 network service with no
(or insignificant) impact to the legitimate users of the service, with no
particular scrubbing centers likely to overload during the attack, without
anycast.

So far, no one was able to even draft this after a week of chatting,
grumbling, and architecture astronautics.

--
Töma
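The speed-of-light test sketched in the message above, written out as an added example (not code from the author or from the list): for one unicast target T and any two probes A and B, the triangle inequality gives d(A,B) <= d(A,T) + d(T,B), and each leg is bounded by half the measured RTT times the speed of light. A probe pair that violates this bound proves the target answers from at least two locations; the absence of violations proves nothing, exactly as the message says. Probe coordinates and RTTs below are constructed, not real Atlas data.

```python
import math

# Speed of light in vacuum, km/s. Using the vacuum value (not fibre speed)
# makes the bound as generous as possible, so a violation cannot be blamed
# on unusually fast links.
C_KM_PER_S = 299_792.458
EARTH_RADIUS_KM = 6371.0


def great_circle_km(lat1, lon1, lat2, lon2):
    """Haversine great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def max_reach_km(rtt_ms):
    """Farthest a single server could be from a probe given the RTT."""
    return (rtt_ms / 1000.0 / 2.0) * C_KM_PER_S


def anycast_evidence(probes):
    """Return probe-id pairs whose RTTs cannot come from one physical site.

    probes: list of dicts with keys id, lat, lon, rtt_ms, all measuring the
    same target. An empty result means "not proven anycast", nothing more.
    """
    violations = []
    for i in range(len(probes)):
        for j in range(i + 1, len(probes)):
            a, b = probes[i], probes[j]
            d_ab = great_circle_km(a["lat"], a["lon"], b["lat"], b["lon"])
            # One site T must satisfy d(A,B) <= reach(A) + reach(B).
            if d_ab > max_reach_km(a["rtt_ms"]) + max_reach_km(b["rtt_ms"]):
                violations.append((a["id"], b["id"]))
    return violations


def is_certainly_anycast(probes):
    return len(anycast_evidence(probes)) > 0


# Constructed sample: 5 ms from both Amsterdam and Sydney is impossible for
# a single site (~16,650 km apart), while 80 ms from Tokyo is consistent.
SAMPLE = [
    {"id": "ams", "lat": 52.37, "lon": 4.90, "rtt_ms": 5.0},
    {"id": "syd", "lat": -33.87, "lon": 151.21, "rtt_ms": 5.0},
    {"id": "tok", "lat": 35.68, "lon": 139.69, "rtt_ms": 80.0},
]
```

Geolocation error of the probes themselves is the main practical caveat: a mislocated probe can manufacture a violation, which is why real studies also require a good spread of source networks.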
