Re: IPv6 Anycast has been killed by LINUX patch in 2016 - who cares?

Nick Hilliard <nick@foobar.org> Sun, 08 August 2021 23:08 UTC

Subject: Re: IPv6 Anycast has been killed by LINUX patch in 2016 - who cares?
To: Theodore Ts'o <tytso@mit.edu>
Cc: Töma Gavrichenkov <ximaera@gmail.com>, 6man WG <ipv6@ietf.org>, IETF discussion list <ietf@ietf.org>
From: Nick Hilliard <nick@foobar.org>
Message-ID: <9129410f-bdef-9341-9f42-0ee585f01a69@foobar.org>
Date: Mon, 09 Aug 2021 00:08:42 +0100
In-Reply-To: <YRBdZrKV+MrrhUCG@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/r46ePvN9Rk9anlhWHl8Qjq8LT4c>

Theodore Ts'o wrote on 08/08/2021 23:40:
> Which of the top5, 10,  100 sites on the Internet use anycast?

For starters, all the DNS root servers. For content delivery, some of
Cloudflare's content is delivered to end users using anycast on the
front side. Are the DNS root servers top-5, top-10 or top-100 sites
(asking for a friend)?

> If Facebook, Amazon, Google, Wikipedia, etc., are using standard IPv4
> and IPv6 endpoints and are *not* using anycast, and they have
> successfully fielded defenses against DDOS's without using anycast,
> wouldn't that tend to blow a gigantic, gaping hole in your assertion?

It's the norm to build ddos defenses without anycast, but it has its
place as a technology.

Otherwise: anycast is one of many tools in the box; rewriting the ipv6
flow label hurts ipv6 anycast when DDOS traffic sinkers use ECMP for
load balancing; tcp anycast is a hack which works quite nicely for
short-lived tcp sessions and barely at all for long-lived sessions (this
is well-understood in network engineering circles).

@Tom your suggestions for tuning down the flow label rewriting
aggression level sound reasonable.

Nick
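Added illustration, not part of the message above or of any of the posters' code: a small model of the failure mode Nick describes, where a DDoS sink behind ECMP next hops hashes on the IPv6 3-tuple (source, destination, flow label), so a flow label rewritten mid-connection can steer later packets of a TCP session to a sink holding no state for it. The sink names, addresses and the truncated-SHA-256 hash are constructed assumptions; real routers use CRC/XOR style hashes, but the effect does not depend on the hash chosen.

```python
"""Model: flow-label rewriting vs. anycast sinks reached over ECMP."""
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flow_label: int  # 20-bit IPv6 flow label, 0..0xFFFFF
    sport: int
    dport: int


# Constructed anycast sink instances acting as ECMP next hops (not real hosts).
SINKS = ["sink-a", "sink-b", "sink-c", "sink-d"]


def ecmp_next_hop(pkt: Pkt, use_flow_label: bool = True) -> str:
    """Model of a router's ECMP choice. Hashing the 3-tuple with the flow label
    is common on IPv6 because ports may sit behind extension headers; the
    5-tuple variant is shown for comparison. Truncated SHA-256 is an assumption."""
    key = (f"{pkt.src}|{pkt.dst}|{pkt.flow_label:05x}" if use_flow_label
           else f"{pkt.src}|{pkt.dst}|{pkt.sport}|{pkt.dport}")
    h = int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")
    return SINKS[h % len(SINKS)]


def with_label(pkt: Pkt, label: int) -> Pkt:
    """Same session, but the sender's kernel has rewritten the flow label."""
    return replace(pkt, flow_label=label & 0xFFFFF)


def session_survives(packets, use_flow_label: bool = True) -> bool:
    """True only if every packet of one TCP session reaches the same sink."""
    return len({ecmp_next_hop(p, use_flow_label) for p in packets}) == 1


def divert_probability(first: Pkt, samples: int = 2048) -> float:
    """Fraction of alternative labels that move the session to another sink;
    with N equal next hops and a uniform hash this approaches 1 - 1/N."""
    origin = ecmp_next_hop(first)
    moved = sum(ecmp_next_hop(with_label(first, first.flow_label + i)) != origin
                for i in range(1, samples + 1))
    return moved / samples


# Constructed sample session: client SYN towards an anycast HTTPS service.
SYN = Pkt("2001:db8:1::10", "2001:db8:ffff::443", 0x1A2B3, 51234, 443)

if __name__ == "__main__":
    print("steady label survives:", session_survives([SYN, SYN, SYN]))
    print("P(rewrite moves session) ~", round(divert_probability(SYN), 2))
```

With four sinks the rewrite lands the session elsewhere about three times in four; hashing the 5-tuple instead ignores the label entirely, which is why the sink operator's ECMP hash policy matters as much as the sender's rewrite aggression.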