IETF Logo Mail Archive

Re: Generic anycast addresses...

Fred Baker <fredbaker.ietf@gmail.com> Thu, 30 May 2019 17:50 UTC

Return-Path: <fredbaker.ietf@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3CC6120115 for <ipv6@ietfa.amsl.com>; Thu, 30 May 2019 10:50:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tOgMhWI_ZCZO for <ipv6@ietfa.amsl.com>; Thu, 30 May 2019 10:50:06 -0700 (PDT)
Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 423581201EE for <6man@ietf.org>; Thu, 30 May 2019 10:50:06 -0700 (PDT)
Received: by mail-pf1-x42b.google.com with SMTP id d126so4437638pfd.2 for <6man@ietf.org>; Thu, 30 May 2019 10:50:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=B34eBkiZ8/eXzprePzl+T41TAFyQAyyW/BWao0ECMw0=; b=GvduWg485xER1wfimDj4UzVoeKi1I2VDsuhj1Zctem57vq2aSvR3S/LOtW/FYtHJ+s wL+dlAqd6C+oA9iSldBZLuVvm3znpyc9puCwA+kugb8HD7P9eHeCCdtL1+Ln6And+VuE MW7vgb17c+S4oxp3QL7gq8wa71xxZMnKyQjVXMGNmzb2gd5XDmPeplF0r/jdiNGytybi cfnygvppqlAfBS1SmBNf18Ir1tBjO/0nZ0HNyxwk56k/QgqM8W1Lk/5ffqna98n1UlpU 98MvweFzal+w4OOfJI9Oygl0pDBuH9D7xxsGkGVeochgO1m/KR1LcifCDz8W9zO0n4Fc SSQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=B34eBkiZ8/eXzprePzl+T41TAFyQAyyW/BWao0ECMw0=; b=YxVas89qptJWpkoHrXelFSMsbYcsK2RkNx68FQUbmLP7R0EDwTsDaw1qDX/MsuBM2x OUqR04ZM5YBIzq9RQ2BLqJXczS8zGcckg+A8srD8I1VwNmg18QAvLCuWp+KvZwlmfRvA g8Rz1CBgNQydkuar+jOntdEpa0SgS7Nbr/h3THXUUE4DdbxY7ye6a0zhFc43skyzOcgI QIso0SxiBgXBnPG11PbLO15arO7zoKED6vBsWA+eVHV/Cdyzzki70/baQ4MNUwt6JUii V/QG8PVajd+laBMwOogbQXPI1xjuEmSAP1qgn9dqDaeahCTYQXTxhhR9nK06BAr2Lt5E C7NQ==
X-Gm-Message-State: APjAAAXUozS4qdACcTdgMaw2wZZujvHFmzsNHJYvo86+io7zpTWK+DrO ZgU9ZxjAhFEUF+xVktR25dg=
X-Google-Smtp-Source: APXvYqxh4Acy+5kxUSzEz39AxOsvj0k4bPHunlu5DvWObHOdJXkvxuvyM++veaeM7oLMa+9e6Hywsg==
X-Received: by 2002:a63:6f06:: with SMTP id k6mr4699995pgc.170.1559238605757; Thu, 30 May 2019 10:50:05 -0700 (PDT)
Received: from ?IPv6:2600:8802:5903:df16::1025? ([2600:8802:5903:df16::1025]) by smtp.gmail.com with ESMTPSA id r9sm2616059pgv.24.2019.05.30.10.50.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 30 May 2019 10:50:04 -0700 (PDT)
From: Fred Baker <fredbaker.ietf@gmail.com>
Message-Id: <AA201EA5-5FE1-418A-A574-3A73ED305F47@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_A333885D-20D8-4DEF-BA6E-4FB019C6CB73"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Subject: Re: Generic anycast addresses...
Date: Thu, 30 May 2019 10:50:01 -0700
In-Reply-To: <20190530002833.wfvjfbj2lv2ig664@faui48f.informatik.uni-erlangen.de>
Cc: Ted Lemon <mellon@fugue.com>, "6man@ietf.org" <6man@ietf.org>, Dave Thaler <dthaler@microsoft.com>
To: Toerless Eckert <tte@cs.fau.de>
References: <D22E680C-3EE3-4AD7-90C0-9339DA2E5A29@fugue.com> <BN6PR21MB04978DB375C05CB3CE4C914EA31F0@BN6PR21MB0497.namprd21.prod.outlook.com> <4EF97F31-1F39-4150-B044-955C46E96FB4@fugue.com> <20190530002833.wfvjfbj2lv2ig664@faui48f.informatik.uni-erlangen.de>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/t9mc8hW7xi8p2JAhAaWb05vGcfs>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2019 17:50:10 -0000


> On May 29, 2019, at 5:28 PM, Toerless Eckert <tte@cs.fau.de> wrote:
> 
> AFAIK, all the successful deployments of anycast even across the Internet
> are based on using addresses belonging to one organization, and
> that organization is able to control where the member instances
> are in the Internet and what apps they are used for and therefore
> one org can ensure the deployment model works. Example:
> anycast in DNS/CDN.
> 
> Whenever a solution attempts to go beyond this, it becomes difficult,
> and thorough understanding of rfc7094 i probably useful. Alas, there
> seems to be no good "great working anycast deployment recipes" RFC,
> which would probably be more helpful.

I second the observation. I'll add a bit: in anycast deployments for DNS, scope is handled using BGP, and is measured in policy hops, not router interfaces. My context here is that I am associated with ISC, which operates one of the DNS root services and is an anycast operation.

The issue I see is that not all servers are equal even within an anycast service. Without naming names (although there are many that could be named), imagine this scenario: there is an instance (call it "A") that is generally reachable through some domain, perhaps Central Asia, and there is some other instance (call it "B") that happens to be located in that domain but by policy only serves a smaller area, such as the systems located in a data center. Within the locality, the anycast instance near B announces its route with the community "No-export", meaning that it may be distributed freely in IBGP but is not to be exported in EBGP to a routing neighbor.

In that scenario, now place two users of the anycast service (which I will call "a" and "b" respectively) on either side of the dividing line between A and B. In routing, a will access the service at A, and b will access the service at B, even though they are each at most one routing hop from B and perhaps many EBGP hops from A.

From my perspective, this proposal would appear to work well in the Internet as it existed in 1983, but by acting in ignorance of the routing policy in force, fails dramatically at any time after the development of BGP.

I might suggest soliciting the comments of current operators of anycast services.
--------------------------------------------------------------------------------
Victorious warriors win first and then go to war,
Defeated warriors go to war first and then seek to win.
     Sun Tzu

v2.23.0 | Report a Bug | By Email