Re: IPv6 Anycast has been killed by LINUX patch in 2016 - who cares?

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 09 August 2021 18:46 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 09 Aug 2021 14:46:22 -0400
Message-ID: <CAMm+LwiXxRzqX6wF0+LNLWfSCGox0UP45hdowQ6jUJMQh_0mFA@mail.gmail.com>
Subject: Re: IPv6 Anycast has been killed by LINUX patch in 2016 - who cares?
To: Warren Kumari <warren@kumari.net>
Cc: Töma Gavrichenkov <ximaera@gmail.com>, Theodore Ts'o <tytso@mit.edu>, 6man WG <ipv6@ietf.org>, IETF discussion list <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/oySyO73PNmhkMt1tn8uhdyNxGy4>

On Mon, Aug 9, 2021 at 2:08 PM Warren Kumari <warren@kumari.net> wrote:

>
>
> On Mon, Aug 9, 2021 at 1:08 PM Töma Gavrichenkov <ximaera@gmail.com>
> wrote:
>
>> Peace,
>>
>> On Mon, Aug 9, 2021, 7:47 PM Phillip Hallam-Baker <phill@hallambaker.com>
>> wrote:
>>
>>> We have people vigorously asserting that Linux broke IPv6 TCP over
>>> Anycast five years ago and this is serious.
>>>
>>> And We have people vigorously asserting that TCP over Anycast works
>>> absolutely perfectly and there are no issues.
>>>
>>> And they are the same people.
>>>
>>
>> a) they're not really the same people,
>>
>> b) no one said that TCP works _perfectly_ over anycast per se, because
>> it's understood that perfectionism just doesn't belong in the area of
>> engineering.
>> What's been actually said is that it works just fine in a number of
>> applications, including almost every popular application, and these
>> applications use it this way on purpose,
>>
>
> ... including a number of content providers.
> As examples (many aren't really documented), Fastly (
> https://docs.fastly.com/en/guides/using-fastly-with-apex-domains) and
> CloudFlare (
> https://www.cloudflare.com/learning/cdn/glossary/anycast-network/,
> https://blog.cloudflare.com/cloudflares-architecture-eliminating-single-p/)
> have offered this.
> Fastly and CloudFlare both have some really smart people working for them,
> and they collect and analyze lots of transport level stats. I suspect that
> they'd be surprised to hear that what they've built doesn't work reliably...
>
> I'm often surprised just how often we end up in discussions in the IETF
> where people make an assertion like "Foo will never work. Can't be done, no
> way, no how.", and then someone else points at a bunch of existing
> implementations. This feels like another instance of this.
>

The starting point for this is the assertion that Linux broke this five
years ago. Either it works or it does not.

While I agree with what you are saying about Fastly, Cloudflare etc., I am
very much aware of what they are doing. But you are overlooking one very
important qualifier: they didn't just deploy and forget, they are
actively monitoring and adapting their approach to reflect changing
circumstances.

If someone is going to sell any mitigation measure for any form of attack,
they are going to have to continuously monitor performance or they will be
quickly overwhelmed.

What I am saying is that there is a difference between an undocumented
feature being found to work and a perpetual commitment to making it work.
If you are basing your business model on such a feature, fine; just be
prepared to adapt if circumstances change.

Our job here is not to nag people into operating their infrastructure in a
particular way. Our job here is to design an infrastructure that is robust
in the face of incompetence, stupidity, greed, lust and technical failures.

One lesson that most of us in the security area have learned but some
obstinately refuse to learn is that it is the fault of implementers if the
user can't use a system securely and it is the fault of designers and
architects if zero effort security is not possible.