Re: IPv6 Anycast has been killed by LINUX patch in 2016 - who cares?
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 09 August 2021 18:46 UTC
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 09 Aug 2021 14:46:22 -0400
Message-ID: <CAMm+LwiXxRzqX6wF0+LNLWfSCGox0UP45hdowQ6jUJMQh_0mFA@mail.gmail.com>
Subject: Re: IPv6 Anycast has been killed by LINUX patch in 2016 - who cares?
To: Warren Kumari <warren@kumari.net>
Cc: Töma Gavrichenkov <ximaera@gmail.com>, Theodore Ts'o <tytso@mit.edu>, 6man WG <ipv6@ietf.org>, IETF discussion list <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/oySyO73PNmhkMt1tn8uhdyNxGy4>

On Mon, Aug 9, 2021 at 2:08 PM Warren Kumari <warren@kumari.net> wrote:

> On Mon, Aug 9, 2021 at 1:08 PM Töma Gavrichenkov <ximaera@gmail.com>
> wrote:
>
>> Peace,
>>
>> On Mon, Aug 9, 2021, 7:47 PM Phillip Hallam-Baker <phill@hallambaker.com>
>> wrote:
>>
>>> We have people vigorously asserting that Linux broke IPv6 TCP over
>>> Anycast five years ago and this is serious.
>>>
>>> And we have people vigorously asserting that TCP over Anycast works
>>> absolutely perfectly and there are no issues.
>>>
>>> And they are the same people.
>>
>> a) they're not really the same people,
>>
>> b) no one said that TCP works _perfectly_ over anycast per se, because
>> it's understood that perfectionism just doesn't belong in the area or
>> engineering.
>> What's been actually said is that it works just fine in a number of
>> applications, including almost every popular application, and these
>> applications use it this way on purpose,
>
> ... including a number of content providers.
> As examples (many aren't really documented), Fastly (
> https://docs.fastly.com/en/guides/using-fastly-with-apex-domains) and
> CloudFlare (
> https://www.cloudflare.com/learning/cdn/glossary/anycast-network/,
> https://blog.cloudflare.com/cloudflares-architecture-eliminating-single-p/)
> have offered this.
> Fastly and CloudFlare both have some really smart people working for them,
> and they collect and analyze lots of transport level stats. I suspect that
> they'd be surprised to hear that what they've built doesn't work reliably...
>
> I'm often surprised just how often we end up in discussions in the IETF
> where people make an assertion like "Foo will never work. Can't be done, no
> way, no how.", and then someone else points at a bunch of existing
> implementations. This feels like another instance of this.

The starting point for this is the assertion that Linux broke this five years ago. Either it works or it does not.

While I agree with what you are saying about Fastly, Cloudflare, etc., I am very much aware of what they are doing. But you are overlooking one very important qualifier: they didn't just deploy and forget, they are actively monitoring and adapting their approach to reflect changing circumstances. If someone is going to sell any mitigation measure for any form of attack, they are going to have to continuously monitor performance or they will be quickly overwhelmed.

What I am saying is that there is a difference between an undocumented feature being found to work and a perpetual commitment to making it work. If you are basing your business model on such a feature, fine, just be prepared to adapt if circumstances change.

Our job here is not to nag people into operating their infrastructure in a particular way. Our job here is to design an infrastructure that is robust in the face of incompetence, stupidity, greed, lust and technical failures.

One lesson that most of us in the security area have learned but some obstinately refuse to learn is that it is the fault of implementers if the user can't use a system securely and it is the fault of designers and architects if zero effort security is not possible.