| draft-ietf-grow-anycast-00.txt | draft-ietf-grow-anycast-01.txt | |||
|---|---|---|---|---|
| Network Working Group J. Abley | Network Working Group J. Abley | |||
| Internet-Draft ISC | Internet-Draft ISC | |||
| Expires: August 19, 2005 K. Lindqvist | Expires: January 19, 2006 K. Lindqvist | |||
| Netnod Internet Exchange | Netnod Internet Exchange | |||
| February 15, 2005 | July 18, 2005 | |||
| Operation of Anycast Services | Operation of Anycast Services | |||
| draft-ietf-grow-anycast-00.txt | draft-ietf-grow-anycast-01 | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is subject to all provisions | By submitting this Internet-Draft, each author represents that any | |||
| of Section 3 of RFC 3667. By submitting this Internet-Draft, each | applicable patent or other IPR claims of which he or she is aware | |||
| author represents that any applicable patent or other IPR claims of | have been or will be disclosed, and any of which he or she becomes | |||
| which he or she is aware have been or will be disclosed, and any of | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| which he or she become aware will be disclosed, in accordance with | ||||
| RFC 3668. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as | other groups may also distribute working documents as Internet- | |||
| Internet-Drafts. | Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on August 19, 2005. | This Internet-Draft will expire on January 19, 2006. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2005). | |||
| Abstract | Abstract | |||
| As the Internet has grown, and as systems and networked services | As the Internet has grown, and as systems and networked services | |||
| within enterprises have been more pervasive, many services with high | within enterprises have become more pervasive, many services with | |||
| availability requirements have emerged. These requirements have | high availability requirements have emerged. These requirements have | |||
| increased the demands on the reliability of the infrastructure on | increased the demands on the reliability of the infrastructure on | |||
| which those services rely. | which those services rely. | |||
| Various techniques have been employed to increase the availability of | Various techniques have been employed to increase the availability of | |||
| services deployed on the Internet. This document presents a series | services deployed on the Internet. This document presents commentary | |||
| of recommendations for distribution of services using anycast. | and recommendations for distribution of services using anycast. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Anycast Service Distribution . . . . . . . . . . . . . . . . . 5 | 3. Anycast Service Distribution . . . . . . . . . . . . . . . . . 5 | |||
| 3.1 General Description . . . . . . . . . . . . . . . . . . . 5 | 3.1 General Description . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.2 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 3.2 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | ||||
| 4. Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 4.1 Protocol Suitability . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.1 Protocol Suitability . . . . . . . . . . . . . . . . . . . 6 | ||||
| 4.2 Node Placement . . . . . . . . . . . . . . . . . . . . . . 7 | 4.2 Node Placement . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.3 Routing Systems . . . . . . . . . . . . . . . . . . . . . 8 | 4.3 Routing Systems . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 4.3.1 Anycast within an IGP . . . . . . . . . . . . . . . . 8 | 4.3.1 Anycast within an IGP . . . . . . . . . . . . . . . . 8 | |||
| 4.3.2 Anycast within the Global Internet . . . . . . . . . . 9 | 4.3.2 Anycast within the Global Internet . . . . . . . . . . 9 | |||
| 4.4 Routing Considerations . . . . . . . . . . . . . . . . . . 9 | 4.4 Routing Considerations . . . . . . . . . . . . . . . . . . 9 | |||
| 4.4.1 Signalling Service Availability . . . . . . . . . . . 9 | 4.4.1 Signalling Service Availability . . . . . . . . . . . 9 | |||
| 4.4.2 Covering Prefix . . . . . . . . . . . . . . . . . . . 9 | 4.4.2 Covering Prefix . . . . . . . . . . . . . . . . . . . 10 | |||
| 4.4.3 Equal-Cost Paths . . . . . . . . . . . . . . . . . . . 10 | 4.4.3 Equal-Cost Paths . . . . . . . . . . . . . . . . . . . 10 | |||
| 4.4.4 Route Dampening . . . . . . . . . . . . . . . . . . . 11 | 4.4.4 Route Dampening . . . . . . . . . . . . . . . . . . . 11 | |||
| 4.4.5 Reverse Path Forwarding Checks . . . . . . . . . . . . 11 | 4.4.5 Reverse Path Forwarding Checks . . . . . . . . . . . . 12 | |||
| 4.4.6 Propagation Scope . . . . . . . . . . . . . . . . . . 12 | 4.4.6 Propagation Scope . . . . . . . . . . . . . . . . . . 12 | |||
| 4.4.7 Other Peoples' Networks . . . . . . . . . . . . . . . 13 | 4.4.7 Other Peoples' Networks . . . . . . . . . . . . . . . 13 | |||
| 4.4.8 Aggregation Risks . . . . . . . . . . . . . . . . . . 13 | 4.4.8 Aggregation Risks . . . . . . . . . . . . . . . . . . 14 | |||
| 4.5 Addressing Considerations . . . . . . . . . . . . . . . . 14 | 4.5 Addressing Considerations . . . . . . . . . . . . . . . . 14 | |||
| 4.6 Data Synchronisation . . . . . . . . . . . . . . . . . . . 14 | 4.6 Data Synchronisation . . . . . . . . . . . . . . . . . . . 15 | |||
| 4.7 Node Autonomy . . . . . . . . . . . . . . . . . . . . . . 15 | 4.7 Node Autonomy . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 4.8 Multi-Service Nodes . . . . . . . . . . . . . . . . . . . 15 | 4.8 Multi-Service Nodes . . . . . . . . . . . . . . . . . . . 16 | |||
| 4.8.1 Multiple Covering Prefixes . . . . . . . . . . . . . . 16 | 4.8.1 Multiple Covering Prefixes . . . . . . . . . . . . . . 16 | |||
| 4.8.2 Pessimistic Withdrawal . . . . . . . . . . . . . . . . 16 | 4.8.2 Pessimistic Withdrawal . . . . . . . . . . . . . . . . 16 | |||
| 4.8.3 Intra-Node Interior Connectivity . . . . . . . . . . . 16 | 4.8.3 Intra-Node Interior Connectivity . . . . . . . . . . . 17 | |||
| 5. Service Management . . . . . . . . . . . . . . . . . . . . . . 18 | ||||
| 5. Service Management . . . . . . . . . . . . . . . . . . . . . . 17 | 5.1 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 5.1 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . 17 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | |||
| 6.1 Denial-of-Service Attack Mitigation . . . . . . . . . . . 19 | ||||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | 6.2 Service Compromise . . . . . . . . . . . . . . . . . . . . 19 | |||
| 6.1 Denial-of-Service Attack Mitigation . . . . . . . . . . . 17 | 6.3 Service Hijacking . . . . . . . . . . . . . . . . . . . . 19 | |||
| 6.2 Increased Risk of Service Compromise . . . . . . . . . . . 17 | 7. Protocol Considerations . . . . . . . . . . . . . . . . . . . 20 | |||
| 6.3 Service Hijacking . . . . . . . . . . . . . . . . . . . . 18 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 | |||
| 9. Acknowlegements . . . . . . . . . . . . . . . . . . . . . . . 22 | ||||
| 7. Protocol Considerations . . . . . . . . . . . . . . . . . . . 18 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 10.1 Normative References . . . . . . . . . . . . . . . . . . . 23 | ||||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | 10.2 Informative References . . . . . . . . . . . . . . . . . . 23 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25 | |||
| A. Change History . . . . . . . . . . . . . . . . . . . . . . . . 26 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 19 | Intellectual Property and Copyright Statements . . . . . . . . 27 | |||
| Intellectual Property and Copyright Statements . . . . . . . . 21 | ||||
| 1. Introduction | 1. Introduction | |||
| To distribute a service using anycast, the service is first | To distribute a service using anycast, the service is first | |||
| associated with a stable set of IP addresses, and reachability to | associated with a stable set of IP addresses, and reachability to | |||
| those addresses is advertised in a routing system from multiple, | those addresses is advertised in a routing system from multiple, | |||
| independent service nodes. Various techniques for anycast deployment | independent service nodes. Various techniques for anycast deployment | |||
| of services are discussed in RFC 1546 [4], ISC-TN-2003-1 [14] and | of services are discussed in [RFC1546], [ISC-TN-2003-1] and [ISC-TN- | |||
| ISC-TN-2004-1 [15]. | 2004-1]. | |||
| Anycast has in recent years become increasingly popular for adding | Anycast has in recent years become increasingly popular for adding | |||
| redundancy to DNS servers to complement the redundancy which the DNS | redundancy to DNS servers to complement the redundancy which the DNS | |||
| architecture itself already provides. Several root DNS server | architecture itself already provides. Several root DNS server | |||
| operators have distributed their servers widely around the Internet, | operators have distributed their servers widely around the Internet, | |||
| and both resolver and authority servers are commonly distributed | and both resolver and authority servers are commonly distributed | |||
| within the networks of service providers. Anycast distribution has | within the networks of service providers. Anycast distribution has | |||
| been used by commercial DNS authority server operators for several | been used by commercial DNS authority server operators for several | |||
| years. The use of anycast is not limited to the DNS, although the | years. The use of anycast is not limited to the DNS, although the | |||
| use of anycast imposes some additional limitations on the nature of | use of anycast imposes some additional limitations on the nature of | |||
| the service being distributed, including transaction longevity, | the service being distributed, including transaction longevity, | |||
| transaction state held on servers and data synchronisation | transaction state held on servers and data synchronisation | |||
| capabilities. | capabilities. | |||
| Although anycast is conceptually simple, its implementation | Although anycast is conceptually simple, its implementation | |||
| introduces some pitfalls for operation of the service. For example, | introduces some pitfalls for operation of services. For example, | |||
| monitoring the availability of the service becomes more difficult; | monitoring the availability of the service becomes more difficult; | |||
| the observed availability changes according to the location of the | the observed availability changes according to the location of the | |||
| client within the network, and the client catchment of individual | client within the network, and the client catchment of individual | |||
| anycast nodes is not static, nor especially deterministic. | anycast nodes is neither static, nor reliably deterministic. | |||
| This document will describe the use of anycast for both local scope | This document will describe the use of anycast for both local scope | |||
| distribution of services using an Interior Gateway Protocol (IGP) and | distribution of services using an Interior Gateway Protocol (IGP) and | |||
| global distribution using BGP [5]. Many of the issues for monitoring | global distribution using BGP [RFC1771]. Many of the issues for | |||
| and data synchronisation are common to both, but deployment issues | monitoring and data synchronisation are common to both, but | |||
| differ substantially. | deployment issues differ substantially. | |||
| 2. Terminology | 2. Terminology | |||
| Service Address: an IP address associated with a particular service | Service Address: an IP address associated with a particular service | |||
| (e.g. the address of a nameserver). | (e.g. the destination address used by DNS resolvers to reach a | |||
| particular authority server). | ||||
| Anycast: the practice of making a particular Service Address | Anycast: the practice of making a particular Service Address | |||
| available in multiple, discrete, autonomous locations, such that | available in multiple, discrete, autonomous locations, such that | |||
| datagrams sent are routed to one of several available locations. | datagrams sent are routed to one of several available locations. | |||
| Anycast Node: an internally-connected collection of hosts and routers | Anycast Node: an internally-connected collection of hosts and routers | |||
| which together provide service for an anycast Service Address. | which together provide service for an anycast Service Address. An | |||
| The entire anycast system for the service consists of two or more | Anycast Node might be as simple as a single host participating in | |||
| separate Anycast Nodes. | a routing protocol with adjacent routers, or it might include a | |||
| number of hosts connected in some more elaborate fashion; in | ||||
| either case, to the routing system across which the service is | ||||
| being anycast, each Anycast Node presents a unique path to the | ||||
| Service Address. The entire anycast system for the service | ||||
| consists of two or more separate Anycast Nodes. | ||||
| Local-Scope Anycast: reachability information for the anycast Service | Local-Scope Anycast: reachability information for the anycast Service | |||
| Address is propagated through a routing system in such a way that | Address is propagated through a routing system in such a way that | |||
| a particular anycast node is only visible to a subset of the whole | a particular anycast node is only visible to a subset of the whole | |||
| routing system. | routing system. | |||
| Local Node: an Anycast Node providing service using a Local-Scope | Local Node: an Anycast Node providing service using a Local-Scope | |||
| Anycast address. | Anycast address. | |||
| Global-Scope Anycast: reachability information for the anycast | Global-Scope Anycast: reachability information for the anycast | |||
| Service Address is propagated through a routing system in such a | Service Address is propagated through a routing system in such a | |||
| way that a particular anycast node is potentially visible to the | way that a particular anycast node is potentially visible to the | |||
| whole routing system. | whole routing system. | |||
| Global Node: an Anycast Node providing service using a Global-Scope | Global Node: an Anycast Node providing service using a Global-Scope | |||
| Anycast address. | Anycast address. | |||
| 3. Anycast Service Distribution | 3. Anycast Service Distribution | |||
| 3.1 General Description | 3.1 General Description | |||
| Anycast is the name given to the practice of making a Service Address | Anycast is the name given to the practice of making a Service Address | |||
| available to a routing system at Anycast Nodes in two or more | available to a routing system at Anycast Nodes in two or more | |||
| discrete locations. The service provided by each node is necessarily | discrete locations. The service provided by each node is consistent | |||
| consistent regardless of the particular node chosen by the routing | regardless of the particular node chosen by the routing system to | |||
| system to handle a particular request. | handle a particular request. | |||
| For services distributed using anycast, there is no inherent | For services distributed using anycast, there is no inherent | |||
| requirement for referrals to other servers or name-based service | requirement for referrals to other servers or name-based service | |||
| distribution ("round-robin DNS"), although those techniques could be | distribution ("round-robin DNS"), although those techniques could be | |||
| combined with anycast service distribution if an application required | combined with anycast service distribution if an application required | |||
| it. The routing system decides which node is used for each request, | it. The routing system decides which node is used for each request, | |||
| based on the topological design of the routing system and the point | based on the topological design of the routing system and the point | |||
| in the network at which the request originates. | in the network at which the request originates. | |||
| The Anycast Node chosen to service a particular query can be | The Anycast Node chosen to service a particular query can be | |||
| skipping to change at page 5, line 51 | skipping to change at page 5, line 38 | |||
| Load-balancing between Anycast Nodes is typically difficult to | Load-balancing between Anycast Nodes is typically difficult to | |||
| achieve (load distribution between nodes is generally unbalanced in | achieve (load distribution between nodes is generally unbalanced in | |||
| terms of request and traffic load). Distribution of load between | terms of request and traffic load). Distribution of load between | |||
| nodes for the purposes of reliability, and coarse-grained | nodes for the purposes of reliability, and coarse-grained | |||
| distribution of load for the purposes of making popular services | distribution of load for the purposes of making popular services | |||
| scalable can often be achieved, however. | scalable can often be achieved, however. | |||
| The scale of the routing system through which a service is anycast | The scale of the routing system through which a service is anycast | |||
| can vary from a small Interior Gateway Protocol (IGP) connecting a | can vary from a small Interior Gateway Protocol (IGP) connecting a | |||
| small handful of components, to the Border Gateway Protocol (BGP) [5] | small handful of components, to the Border Gateway Protocol (BGP) | |||
| connecting the global Internet, depending on the nature of the | [RFC1771] connecting the global Internet, depending on the nature of | |||
| service distribution that is required. | the service distribution that is required. | |||
| 3.2 Goals | 3.2 Goals | |||
| A service may be anycast for a variety of reasons. A number of | A service may be anycast for a variety of reasons. A number of | |||
| common objectives are: | common objectives are: | |||
| 1. Coarse ("unbalanced") distribution of load across nodes, to allow | 1. Coarse ("unbalanced") distribution of load across nodes, to allow | |||
| infrastructure to scale to increased numbers of queries and to | infrastructure to scale to increased numbers of queries and to | |||
| accommodate transient query peaks; | accommodate transient query peaks; | |||
| 2. Mitigation of non-distributed denial of service attacks by | 2. Mitigation of non-distributed denial of service attacks by | |||
| localising damage to single anycast nodes; | localising damage to single anycast nodes; | |||
| 3. Constraint of distributed denial of service attacks or flash | 3. Constraint of distributed denial of service attacks or flash | |||
| crowds to local regions around anycast nodes (perhaps restricting | crowds to local regions around anycast nodes (perhaps restricting | |||
| query traffic to local peering links, rather than paid transit | query traffic to local peering links, rather than paid transit | |||
| circuits); | circuits); | |||
| 4. To provide additional information to help locate location of | 4. To provide additional information to help locate location of | |||
| traffic sources in the case of attack (or query) traffic which | traffic sources in the case of attack (or query) traffic which | |||
| incorporates spoofed source addresses. This information is | incorporates spoofed source addresses. This information is | |||
| derived from the property of anycast service distribution that | derived from the property of anycast service distribution that | |||
| the the selection of the Anycast Node used to service a | the the selection of the Anycast Node used to service a | |||
| particular query may be related to the topological source of the | particular query may be related to the topological source of the | |||
| request. | request. | |||
| 5. Improvement of query response time, by reducing the network | 5. Improvement of query response time, by reducing the network | |||
| distance between client and server with the provision of a local | distance between client and server with the provision of a local | |||
| Anycast Node. The extent to which query response time is | Anycast Node. The extent to which query response time is | |||
| improved depends on the way that nodes are selected for the | improved depends on the way that nodes are selected for the | |||
| clients by the routing system. Topological nearness within the | clients by the routing system. Topological nearness within the | |||
| routing system does not, in general, correlate to round-trip | routing system does not, in general, correlate to round-trip | |||
| performance across a network; in some cases response times may | performance across a network; in some cases response times may | |||
| see no reduction, and may increase. | see no reduction, and may increase. | |||
| 6. To reduce a list of servers to a single, distributed address. | 6. To reduce a list of servers to a single, distributed address. | |||
| For example, a large number of authoritative nameservers for a | For example, a large number of authoritative nameservers for a | |||
| zone may be deployed using a small set of anycast Service | zone may be deployed using a small set of anycast Service | |||
| Addresses; this approach can increase the accessibility of zone | Addresses; this approach can increase the accessibility of zone | |||
| data in the DNS without increasing the size of a referral | data in the DNS without increasing the size of a referral | |||
| response from a nameserver authoritative for the parent zone. | response from a nameserver authoritative for the parent zone. | |||
| 4. Design | 4. Design | |||
| 4.1 Protocol Suitability | 4.1 Protocol Suitability | |||
| skipping to change at page 6, line 47 | skipping to change at page 7, line 10 | |||
| zone may be deployed using a small set of anycast Service | zone may be deployed using a small set of anycast Service | |||
| Addresses; this approach can increase the accessibility of zone | Addresses; this approach can increase the accessibility of zone | |||
| data in the DNS without increasing the size of a referral | data in the DNS without increasing the size of a referral | |||
| response from a nameserver authoritative for the parent zone. | response from a nameserver authoritative for the parent zone. | |||
| 4. Design | 4. Design | |||
| 4.1 Protocol Suitability | 4.1 Protocol Suitability | |||
| When a service is anycast between two or more nodes, the routing | When a service is anycast between two or more nodes, the routing | |||
| system effectively makes the node selection decision on behalf of a | system makes the node selection decision on behalf of a client. | |||
| client. Since it is usually a requirement that a single | Since it is usually a requirement that a single client-server | |||
| client-server interaction is carried out between a client and the | interaction is carried out between a client and the same server node | |||
| same server node for the duration of the transaction, it follows that | for the duration of the transaction, it follows that the routing | |||
| the routing system's node selection decision ought to be stable for | system's node selection decision ought to be stable for substantially | |||
| an order of magnitude longer than the expected transaction time, if | longer than the expected transaction time, if the service is to be | |||
| the service is to be provided reliably. | provided reliably. | |||
| Some services have very short transaction times, and may even be | Some services have very short transaction times, and may even be | |||
| carried out using a single packet request and a single packet reply | carried out using a single packet request and a single packet reply | |||
| in some cases (e.g. DNS transactions over UDP transport). Other | in some cases (e.g. DNS transactions over UDP transport). Other | |||
| services involve far longer-lived transactions (e.g. bulk file | services involve far longer-lived transactions (e.g. bulk file | |||
| downloads and audio-visual media streaming). | downloads and audio-visual media streaming). | |||
| Some anycast deployments have very predictable routing systems, which | Some anycast deployments have very predictable routing systems, which | |||
| can remain stable for long periods of time (e.g. anycast within an | can remain stable for long periods of time (e.g. anycast within an | |||
| well-managed and topologically-simple IGP, where node selection | well-managed and topologically-simple IGP, where node selection | |||
| skipping to change at page 7, line 38 | skipping to change at page 7, line 49 | |||
| This document deliberately avoids prescribing rules as to which | This document deliberately avoids prescribing rules as to which | |||
| protocols or services are suitable for distribution by anycast; to | protocols or services are suitable for distribution by anycast; to | |||
| attempt to do so would be presumptuous. | attempt to do so would be presumptuous. | |||
| 4.2 Node Placement | 4.2 Node Placement | |||
| Decisions as to where Anycast Nodes should be placed will depend to a | Decisions as to where Anycast Nodes should be placed will depend to a | |||
| large extent on the goals of the service distribution. For example: | large extent on the goals of the service distribution. For example: | |||
| o A DNS recursive resolver service might be distributed within an | o A DNS recursive resolver service might be distributed within an | |||
| ISP's network, one Anycast Node per PoP. | ISP's network, one Anycast Node per site. | |||
| o A root DNS server service might be distributed throughout the | o A root DNS server service might be distributed throughout the | |||
| Internet with nodes located in regions with poor external | Internet with nodes located in regions with poor external | |||
| connectivity, to ensure that the DNS functions adequately within | connectivity, to ensure that the DNS functions adequately within | |||
| the region during times of external network failure. | the region during times of external network failure. | |||
| o An FTP mirror service might include local nodes located at | o An FTP mirror service might include local nodes located at | |||
| exchange points, so that ISPs connected to that exchange point | exchange points, so that ISPs connected to that exchange point | |||
| could download bulk data more cheaply than if they had to use | could download bulk data more cheaply than if they had to use | |||
| expensive transit circuits. | expensive transit circuits. | |||
| In general node placement decisions should be made with consideration | In general node placement decisions should be made with consideration | |||
| of likely traffic requirements, the potential for flash crowds or | of likely traffic requirements, the potential for flash crowds or | |||
| denial-of-service traffic, the stability of the local routing system | denial-of-service traffic, the stability of the local routing system | |||
| and the failure modes with respect to node failure, or local routing | and the failure modes with respect to node failure, or local routing | |||
| system failure. | system failure. | |||
| skipping to change at page 8, line 31 | skipping to change at page 8, line 45 | |||
| provisioned can be made by network engineers without requiring such | provisioned can be made by network engineers without requiring such | |||
| operational complexities as regional variances in the configuration | operational complexities as regional variances in the configuration | |||
| of client computers, or deliberate DNS incoherence (causing DNS | of client computers, or deliberate DNS incoherence (causing DNS | |||
| queries to yield different answers depending on where the queries | queries to yield different answers depending on where the queries | |||
| originate). | originate). | |||
| When a service is anycast within an IGP the routing system is | When a service is anycast within an IGP the routing system is | |||
| typically under the control of the same organisation that is | typically under the control of the same organisation that is | |||
| providing the service, and hence the relationship between service | providing the service, and hence the relationship between service | |||
| transaction characteristics and network stability are likely to be | transaction characteristics and network stability are likely to be | |||
| relatively well-understood. This technique is consequently | well-understood. This technique is consequently applicable to a | |||
| applicable to a larger number of applications than Internet-wide | larger number of applications than Internet-wide anycast service | |||
| anycast service distribution (see Section 4.1). | distribution (see Section 4.1). | |||
| An IGP will generally have no inherent restriction on the length of | An IGP will generally have no inherent restriction on the length of | |||
| prefix that can be introduced to it. There may well therefore be no | prefix that can be introduced to it. There may well therefore be no | |||
| need to construct a covering prefix for particular Service Addresses; | need to construct a covering prefix for particular Service Addresses; | |||
| host routes corresponding to the Service Address can instead be | host routes corresponding to the Service Address can instead be | |||
| introduced to the routing system. See Section 4.4.2 for more | introduced to the routing system. See Section 4.4.2 for more | |||
| discussion of the requirement for a covering prefix. | discussion of the requirement for a covering prefix. | |||
| IGPs often feature little or no aggregation of routes, partly due to | IGPs often feature little or no aggregation of routes, partly due to | |||
| algorithmic complexities in supporting aggregation. There is little | algorithmic complexities in supporting aggregation. There is little | |||
| motiviation for aggregation in many networks' IGPs in any case, since | motivation for aggregation in many networks' IGPs in any case, since | |||
| the amount of routing information carried in the IGP is small enough | the amount of routing information carried in the IGP is small enough | |||
| that scaling concerns in routers do not arise. For discussion of | that scaling concerns in routers do not arise. For discussion of | |||
| aggregation risks in other routing systems, see Section 4.4.8. | aggregation risks in other routing systems, see Section 4.4.8. | |||
| By reducing the scope of the IGP to just the hosts providing service | By reducing the scope of the IGP to just the hosts providing service | |||
| (together with one or more gateway routers) this technique can be | (together with one or more gateway routers) this technique can be | |||
| applied to the construction of server clusters. This application is | applied to the construction of server clusters. This application is | |||
| discussed in some detail in [15]. | discussed in some detail in [ISC-TN-2004-1]. | |||
| 4.3.2 Anycast within the Global Internet | 4.3.2 Anycast within the Global Internet | |||
| Service Addresses may be anycast within the global Internet routing | Service Addresses may be anycast within the global Internet routing | |||
| system in order to distribute services across the entire network. | system in order to distribute services across the entire network. | |||
| The principal differences between this application and the IGP-scope | The principal differences between this application and the IGP-scope | |||
| distribution discussed in Section 4.3.1 are that: | distribution discussed in Section 4.3.1 are that: | |||
| 1. the routing system is, in general, controlled by other people; | 1. the routing system is, in general, controlled by other people; | |||
| and | ||||
| 2. the routing protocol concerned (BGP), and commonly-accepted | 2. the routing protocol concerned (BGP), and commonly-accepted | |||
| practices in its deployment, impose some additional constraints | practices in its deployment, impose some additional constraints | |||
| (see Section 4.4). | (see Section 4.4). | |||
| 4.4 Routing Considerations | 4.4 Routing Considerations | |||
| 4.4.1 Signalling Service Availability | 4.4.1 Signalling Service Availability | |||
| When a routing system is provided with reachability information for a | When a routing system is provided with reachability information for a | |||
| Service Address from an individual node, packets addressed to that | Service Address from an individual node, packets addressed to that | |||
| skipping to change at page 9, line 39 | skipping to change at page 10, line 6 | |||
| Where a routing advertisement from a node corresponds to a single | Where a routing advertisement from a node corresponds to a single | |||
| Service Address, this coupling might be such that availability of the | Service Address, this coupling might be such that availability of the | |||
| service triggers the route advertisement, and non-availability of the | service triggers the route advertisement, and non-availability of the | |||
| service triggers a route withdrawal. This can be achieved using | service triggers a route withdrawal. This can be achieved using | |||
| routing protocol implementations on the same server which provide the | routing protocol implementations on the same server which provide the | |||
| service being distributed, which are configured to advertise and | service being distributed, which are configured to advertise and | |||
| withdraw the route advertisement in conjunction with the availability | withdraw the route advertisement in conjunction with the availability | |||
| (and health) of the software on the host which processes service | (and health) of the software on the host which processes service | |||
| requests. An example of such an arrangement for a DNS service is | requests. An example of such an arrangement for a DNS service is | |||
| included in [15]. | included in [ISC-TN-2004-1]. | |||
| Where a routing advertisement from a node corresponds to two or more | Where a routing advertisement from a node corresponds to two or more | |||
| Service Addresses, it may not be appropriate to trigger a route | Service Addresses, it may not be appropriate to trigger a route | |||
| withdrawal due to the non-availability of a single service. Another | withdrawal due to the non-availability of a single service. Another | |||
| approach is to route requests for the service which is down at one | approach is to route requests for the service which is down at one | |||
| Anycast Node to a different Anycast Node at which the service is up. | Anycast Node to a different Anycast Node at which the service is up. | |||
| This approach is discussed in Section 4.8. | This approach is discussed in Section 4.8. | |||
| Rapid advertisement/withdrawal oscillations can cause operational | ||||
| problems, and nodes should be configured such that rapid oscillations | ||||
| are avoided (e.g. by implementing a minimum delay following a | ||||
| withdrawal before the service can be re-advertised). See | ||||
| Section 4.4.4 for a discussion of route oscillations in BGP. | ||||
| 4.4.2 Covering Prefix | 4.4.2 Covering Prefix | |||
| In some routing systems (e.g. the BGP-based routing system of the | In some routing systems (e.g. the BGP-based routing system of the | |||
| global Internet) it is not possible, in general, to propagate a host | global Internet) it is not possible, in general, to propagate a host | |||
| route with confidence that availability of the route will be | route with confidence that the route will propagate throughout the | |||
| signalled throughout the network. This is a consequence of | network. This is a consequence of operational policy, and not a | |||
| operational policy, and not a protocol restriction. | protocol restriction. | |||
| In such cases it is necessary to propagate a route which covers the | In such cases it is necessary to propagate a route which covers the | |||
| Service Address, and which has a sufficiently short prefix that it | Service Address, and which has a sufficiently short prefix that it | |||
| will not be discarded by commonly-deployed import policies. For IPv4 | will not be discarded by commonly-deployed import policies. For IPv4 | |||
| Service Addresses, this is often a 24-bit prefix, but there are other | Service Addresses, this is often a 24-bit prefix, but there are other | |||
| well-documented examples of IPv4 import polices which filter on | well-documented examples of IPv4 import polices which filter on | |||
| Regional Internet Registry (RIR) allocation boundaries, and hence | Regional Internet Registry (RIR) allocation boundaries, and hence | |||
| some experimentation may be prudent. Corresponding import policies | some experimentation may be prudent. Corresponding import policies | |||
| for IPv6 prefixes also exist. See Section 4.5 for more discussion of | for IPv6 prefixes also exist. See Section 4.5 for more discussion of | |||
| IPv6 Service Addresses and corresponding anycast routes. | IPv6 Service Addresses and corresponding anycast routes. | |||
| skipping to change at page 10, line 33 | skipping to change at page 11, line 6 | |||
| of that route and the individual services associated with the covered | of that route and the individual services associated with the covered | |||
| host routes. The resulting impact on signaling availability of | host routes. The resulting impact on signaling availability of | |||
| individual services is discussed in Section 4.4.1 and Section 4.8. | individual services is discussed in Section 4.4.1 and Section 4.8. | |||
| 4.4.3 Equal-Cost Paths | 4.4.3 Equal-Cost Paths | |||
| Some routing systems support equal-cost paths to the same | Some routing systems support equal-cost paths to the same | |||
| destination. Where multiple, equal-cost paths exist and lead to | destination. Where multiple, equal-cost paths exist and lead to | |||
| different anycast nodes, there is a risk that different request | different anycast nodes, there is a risk that different request | |||
| packets associated with a single transaction might be delivered to | packets associated with a single transaction might be delivered to | |||
| more than one node. Services provided over TCP necessarily involve | more than one node. Services provided over TCP [RFC0793] necessarily | |||
| transactions with multiple request packets, due to the TCP setup | involve transactions with multiple request packets, due to the TCP | |||
| handshake. | setup handshake. | |||
| Equal cost paths are commonly supported in IGPs. Multi-node | Equal cost paths are commonly supported in IGPs. Multi-node | |||
| selection for a single transaction can be avoided in most cases by | selection for a single transaction can be avoided in most cases by | |||
| careful consideration of IGP link metrics, or by applying equal-cost | careful consideration of IGP link metrics, or by applying equal-cost | |||
| multi-path (ECMP) selection algorithms which cause a single node to | multi-path (ECMP) selection algorithms which cause a single node to | |||
| be selected for a single multi-packet transaction. For a description | be selected for a single multi-packet transaction. For an example of | |||
| of hash-based ECMP selection, see [15]. | the use of hash-based ECMP selection in anycast service distribution, | |||
| see [ISC-TN-2004-1]. | ||||
| For services which are distributed across the global Internet using | For services which are distributed across the global Internet using | |||
| BGP, equal-cost paths are normally not a consideration: BGP's exit | BGP, equal-cost paths are normally not a consideration: BGP's exit | |||
| selection algorithm usually selects a single, consistent exit for a | selection algorithm usually selects a single, consistent exit for a | |||
| single destination regardless of whether multiple candidate paths | single destination regardless of whether multiple candidate paths | |||
| exist. Implementations of BGP exist that support multi-path exit | exist. Implementations of BGP exist that support multi-path exit | |||
| selection, however, and corner cases where dual selected exits route | selection, however, and corner cases where dual selected exits route | |||
| to different nodes are possible. Analysis of the likely incidence of | to different nodes are possible. Analysis of the likely incidence of | |||
| such corner cases for particular distributions of Anycast Nodes are | such corner cases for particular distributions of Anycast Nodes are | |||
| recommended for services which involve multi-packet transactions. | recommended for services which involve multi-packet transactions. | |||
| 4.4.4 Route Dampening | 4.4.4 Route Dampening | |||
| Frequent advertisements and withdrawals of individual prefixes in BGP | Frequent advertisements and withdrawals of individual prefixes in BGP | |||
| are known as flaps. Rapid flapping can lead to CPU exhaustion on | are known as flaps. Rapid flapping can lead to CPU exhaustion on | |||
| routers quite remote from the source of the instability, and for this | routers quite remote from the source of the instability, and for this | |||
| reason rapid route oscillations are frequently "damped", as described | reason rapid route oscillations are frequently "dampened", as | |||
| in [10]. | described in [RFC2439]. | |||
| A dampened path will be suppressed by routers for an interval which | A dampened path will be suppressed by routers for an interval which | |||
| increases according to the frequency of the observed oscillation; a | increases according to the frequency of the observed oscillation; a | |||
| suppressed path will not propagate. Hence a single router can | suppressed path will not propagate. Hence a single router can | |||
| prevent the propagation of a flapping prefix to the rest of an | prevent the propagation of a flapping prefix to the rest of an | |||
| autonomous system, affording other routers in the network protection | autonomous system, affording other routers in the network protection | |||
| from the instability. | from the instability. | |||
| Some implementations of flap dampening penalises oscillating | Some implementations of flap dampening penalise oscillating | |||
| advertisements based on the observed AS_PATH, and not on the NLRI. | advertisements based on the observed AS_PATH, and not on the NLRI. | |||
| For this reason, network instability which leads to route flapping | For this reason, network instability which leads to route flapping | |||
| from a single anycast node ought not to cause advertisements from | from a single anycast node ought not to cause advertisements from | |||
| other nodes (which have different AS_PATH attributes) to be dampened. | other nodes (which have different AS_PATH attributes) to be dampened. | |||
| As dampening works on advertisements with the same AS_PATH attribute, | To limit the opportunity of such implementations to penalise | |||
| care should be taken so that the AS_PATH is as diverse as possible | advertisements originating from different Anycast Nodes in response | |||
| for the anycasted nodes. The Anycasted nodes should have the same | to oscillations from just a single node, care should be taken to | |||
| origin AS for their advertisements, but they should have different | arrange that the AS_PATH attributes on routes from different nodes | |||
| upstream ASs for each node. If the upstream AS is the same at all | are as diverse as possible. For example, Anycast Nodes should use | |||
| locations, there is a risk that the upstream AS will peer with the | the same origin AS for their advertisements, but might have different | |||
| ASs at multiple locations and could therefore propagate the same | upstream ASs. | |||
| AS_PATH, but for different Anycast nodes. This could render the | ||||
| service for multiple Anycast nodes unavailable due to dampening | ||||
| caused by only one of them. | ||||
| Where different implementations of flap dampening are prevalent, | Where different implementations of flap dampening are prevalent, | |||
| individual nodes' instability may result in stable nodes becoming | individual nodes' instability may result in stable nodes becoming | |||
| unavailable. Judicious deployment of Local Nodes in combination with | unavailable. In mitigation, the following measures may be useful: | |||
| 1. Judicious deployment of Local Nodes in combination with | ||||
| especially stable Global Nodes (with high inter-AS path splay, | especially stable Global Nodes (with high inter-AS path splay, | |||
| redundant hardware, power, etc) may help mitigate such problems. | redundant hardware, power, etc) may help limit oscillation | |||
| problems to the Local Nodes' limited regions of influence; | ||||
| 2. Aggressive flap-dampening of the service prefix close to the | ||||
| origin (e.g. within an Anycast Node, or in adjcacent ASes of each | ||||
| Anycast Node) may also help reduce the opportunity of remote ASes | ||||
| to see oscillations at all. | ||||
| 4.4.5 Reverse Path Forwarding Checks | 4.4.5 Reverse Path Forwarding Checks | |||
| Reverse Path Forwarding (RPF) checks, first described in RFC 2267 | Reverse Path Forwarding (RPF) checks, first described in [RFC2267], | |||
| [8], are commonly deployed as part of ingress interface packet | are commonly deployed as part of ingress interface packet filters on | |||
| filters on routers in the global Internet in order to deny packets | routers in the Internet in order to deny packets whose source | |||
| whose source addresses are spoofed (see also RFC 2827 [11]). | addresses are spoofed (see also RFC 2827 [RFC2827]). Deployed | |||
| Deployed implementations of RPF make several modes of operation | implementations of RPF make several modes of operation available | |||
| available (e.g. "loose" and "strict"). | (e.g. "loose" and "strict"). | |||
| Some modes of RPF can cause non-spoofed packets to be denied when | Some modes of RPF can cause non-spoofed packets to be denied when | |||
| they originate from multi-homed site, since selected paths might | they originate from multi-homed site, since selected paths might | |||
| legitimately not correspond with the ingress interface of non-spoofed | legitimately not correspond with the ingress interface of non-spoofed | |||
| packets from the multi-homed site. This issue is discussed in RFC | packets from the multi-homed site. This issue is discussed in | |||
| 3704 [12]. | [RFC3704]. | |||
| A collection of anycast nodes deployed across the Internet is largely | A collection of anycast nodes deployed across the Internet is largely | |||
| indistinguishable from a distributed, multi-homed site to the routing | indistinguishable from a distributed, multi-homed site to the routing | |||
| system, and hence this risk also exists for anycast nodes, even if | system, and hence this risk also exists for anycast nodes, even if | |||
| individual nodes are not multi-homed. Care should be taken to ensure | individual nodes are not multi-homed. Care should be taken to ensure | |||
| that each anycast node is treated as a multi-homed network, and that | that each anycast node is treated as a multi-homed network, and that | |||
| the corresponding recommendations in RFC 3704 [12] with respect to | the corresponding recommendations in [RFC3704] with respect to RPF | |||
| RPF checks are heeded. | checks are heeded. | |||
| 4.4.6 Propagation Scope | 4.4.6 Propagation Scope | |||
| In the context of Anycast service distribution across the global | In the context of Anycast service distribution across the global | |||
| Internet, Global Nodes are those which are capable of providing | Internet, Global Nodes are those which are capable of providing | |||
| service to clients anywhere in the network; reachability information | service to clients anywhere in the network; reachability information | |||
| for the service is propagated globally, without restriction, by | for the service is propagated globally, without restriction, by | |||
| advertising the routes covering the Service Addresses for global | advertising the routes covering the Service Addresses for global | |||
| transit to one or more providers. | transit to one or more providers. | |||
| skipping to change at page 12, line 42 | skipping to change at page 13, line 22 | |||
| which only provides services to a local catchment of autonomous | which only provides services to a local catchment of autonomous | |||
| systems, and which is deliberately not available to the entire | systems, and which is deliberately not available to the entire | |||
| Internet; such nodes are referred to in this document as Local Nodes. | Internet; such nodes are referred to in this document as Local Nodes. | |||
| An example of circumstances in which a Local Node may be appropriate | An example of circumstances in which a Local Node may be appropriate | |||
| are nodes designed to serve a region with rich internal connectivity | are nodes designed to serve a region with rich internal connectivity | |||
| but unreliable, congested or expensive access to the rest of the | but unreliable, congested or expensive access to the rest of the | |||
| Internet. | Internet. | |||
| Local Nodes advertise covering routes for Service Addresses in such a | Local Nodes advertise covering routes for Service Addresses in such a | |||
| way that their propagation is restricted. This might be done using | way that their propagation is restricted. This might be done using | |||
| well-known community string attributes such as NO_EXPORT [7] or | well-known community string attributes such as NO_EXPORT [RFC1997] or | |||
| NOPEER [13], or by arranging with peers to apply a conventional | NOPEER [RFC3765], or by arranging with peers to apply a conventional | |||
| "peering" import policy instead of a "transit" import policy, or some | "peering" import policy instead of a "transit" import policy, or some | |||
| suitable combination of measures. | suitable combination of measures. | |||
| Advertising reachability to Service Addresses from Local Nodes should | Advertising reachability to Service Addresses from Local Nodes should | |||
| ideally be made using a routing policy that require presence of | ideally be made using a routing policy that require presence of | |||
| explicit attributes for propagation, rather than reling on implicit | explicit attributes for propagation, rather than reling on implicit | |||
| (default) policy. Inadvertant propagation of a route beyond its | (default) policy. Inadvertant propagation of a route beyond its | |||
| intended horizon can result in capacity problems for Local Nodes | intended horizon can result in capacity problems for Local Nodes | |||
| which might degrade service performance. | which might degrade service performance network-wide. | |||
| 4.4.7 Other Peoples' Networks | 4.4.7 Other Peoples' Networks | |||
| When Anycast services are deployed across networks operated by | When Anycast services are deployed across networks operated by | |||
| others, their reachability is dependent on routing policies and | others, their reachability is dependent on routing policies and | |||
| topology changes (planned and unplanned) which are unpredictable and | topology changes (planned and unplanned) which are unpredictable and | |||
| sometimes difficult to identify. Since the routing system may | sometimes difficult to identify. Since the routing system may | |||
| include networks operated by multiple, unrelated organisations, the | include networks operated by multiple, unrelated organisations, the | |||
| possibility of unforeseen interactions resulting from the | possibility of unforeseen interactions resulting from the | |||
| combinations of unrelated changes also exists. | combinations of unrelated changes also exists. | |||
| The stability and predictability of such a routing system should be | The stability and predictability of such a routing system should be | |||
| taken into consideration when assessing the suitability of anycast as | taken into consideration when assessing the suitability of anycast as | |||
| a distribution strategy for particular services and protocols (see | a distribution strategy for particular services and protocols (see | |||
| also Section 4.1). | also Section 4.1). | |||
| By way of mitigation, routing policies used by Anycast Nodes across | By way of mitigation, routing policies used by Anycast Nodes across | |||
| such routing systems should be conservative, individual nodes' | such routing systems should be conservative, individual nodes' | |||
| internal and external/connecting infrastructure should be scaled to | internal and external/connecting infrastructure should be scaled to | |||
| support loads far in excess of the average, and the service should be | support loads far in excess of the average, and the service should be | |||
| monitored proactively (Section 5.1) from many points in order to | monitored proactively from many points in order to avoid unpleasant | |||
| avoid unpleasant surprises. | surprises (see Section 5.1). | |||
| 4.4.8 Aggregation Risks | 4.4.8 Aggregation Risks | |||
| The propagation of a single route for each anycast service does not | The propagation of a single route for each anycast service does not | |||
| scale well for routing systems in which the load of routing | scale well for routing systems in which the load of routing | |||
| information which must be carried is a concern, and where there are | information which must be carried is a concern, and where there are | |||
| potentially many services to distribute. For example, an autonomous | potentially many services to distribute. For example, an autonomous | |||
| system which provides services to the Internet with N Service | system which provides services to the Internet with N Service | |||
| Addresses covered by a single exported route, for example, would need | Addresses covered by a single exported route, would need to advertise | |||
| to advertise (N+1) routes if each of those services were to be | (N+1) routes if each of those services were to be distributed using | |||
| distributed using anycast. | anycast. | |||
| The common practice of applying minimm prefix-length filters in | The common practice of applying minimum prefix-length filters in | |||
| import policies on the Internet (see Section 4.4.2) means that for a | import policies on the Internet (see Section 4.4.2) means that for a | |||
| route covering a Service Address to be usefully propagated the prefix | route covering a Service Address to be usefully propagated the prefix | |||
| length must be substantially less than that required to advertise | length must be substantially less than that required to advertise | |||
| just the host route. Widespread advertisement of short prefixes for | just the host route. Widespread advertisement of short prefixes for | |||
| individual services hence also has a negative impact on address | individual services hence also has a negative impact on address | |||
| conservation. | conservation. | |||
| Both of these issues can be mitigated to some extent by the use of a | Both of these issues can be mitigated to some extent by the use of a | |||
| single covering prefix to accommodate multiple Service Addresses, as | single covering prefix to accommodate multiple Service Addresses, as | |||
| described in Section 4.8). This implies a decoupling of the route | described in Section 4.8. This implies a decoupling of the route | |||
| advertisement from individual service availability (see | advertisement from individual service availability (see | |||
| Section 4.4.1), however, and can also impact the stability of the | Section 4.4.1), however, with attendant risks to the stability of the | |||
| service as a whole (see Section 4.7). | service as a whole (see Section 4.7). | |||
| In general, the scaling problems described here prevent anycast from | In general, the scaling problems described here prevent anycast from | |||
| being a useful, general approach for service distribution on the | being a useful, general approach for service distribution on the | |||
| global Internet. It remains, however, a useful technique for | global Internet. It remains, however, a useful technique for | |||
| distributing a limited number of Internet-critical services. | distributing a limited number of Internet-critical services, as well | |||
| as in smaller networks where the aggregation concerns discussed here | ||||
| do not apply. | ||||
| 4.5 Addressing Considerations | 4.5 Addressing Considerations | |||
| Service Addresses should be unique within the routing system that | Service Addresses should be unique within the routing system that | |||
| connects all Anycast Nodes to all possible clients of the service. | connects all Anycast Nodes to all possible clients of the service. | |||
| Service Addresses must also be chosen so that corresponding routes | Service Addresses must also be chosen so that corresponding routes | |||
| will be allowed to propagate within that routing system. | will be allowed to propagate within that routing system. | |||
| For an IPv4-numbered service deployed across the Internet, for | For an IPv4-numbered service deployed across the Internet, for | |||
| example, an address might be chosen from a block where the minimum | example, an address might be chosen from a block where the minimum | |||
| RIR allocation size is 24 bits, and reachability to that address | RIR allocation size is 24 bits, and reachability to that address | |||
| might be provided by originating the covering 24-bit prefix. | might be provided by originating the covering 24-bit prefix. | |||
| For an IPv4-numbered service deployed within a private network, a | For an IPv4-numbered service deployed within a private network, a | |||
| locally-unused RFC1918 [6] address might be chosen, and rechability | locally-unused [RFC1918] address might be chosen, and rechability to | |||
| to that address might be signalled using a (32-bit) host route. | that address might be signalled using a (32-bit) host route. | |||
| For IPv6-numbered services, Anycast Addresses are not scoped | For IPv6-numbered services, Anycast Addresses are not scoped | |||
| differently from unicast addresses (see RFC2713 [9]). As such the | differently from unicast addresses [RFC3513]. As such the guidelines | |||
| guidelines presented for IPv4 with respect to address suitability | presented for IPv4 with respect to address suitability follow for | |||
| follow for IPv6. | IPv6. | |||
| RFC2713 [9] also imposes two restrictions on the use of anycast which | ||||
| inhibit deployment of host-based services: | ||||
| o An [IPv6] anycast address must not be used as the source address | ||||
| of an IPv6 packet. | ||||
| o An anycast address must not be assigned to an IPv6 host, that is, | ||||
| it may be assigned to an IPv6 router only. | ||||
| Despite these restrictions (and in violation of them), production | ||||
| deployment of IPv6 anycast services across the Internet has taken | ||||
| place. | ||||
| 4.6 Data Synchronisation | 4.6 Data Synchronisation | |||
| Although some services have been deployed in localised form (such | Although some services have been deployed in localised form (such | |||
| that clients from particular regions are presented with | that clients from particular regions are presented with regionally- | |||
| regionally-relevant content) many services have the property that | relevant content) many services have the property that responses to | |||
| responses to client requests should be consistent, regardless of | client requests should be consistent, regardless of where the request | |||
| where the request originates. For a service distributed using | originates. For a service distributed using anycast, that implies | |||
| anycast, that implies that different Anycast Nodes must operate in a | that different Anycast Nodes must operate in a consistent manner and, | |||
| consistent manner and, where that consistent behaviour is based on a | where that consistent behaviour is based on a data set, that the data | |||
| data set, that the data concerned be synchronised between nodes. | concerned be synchronised between nodes. | |||
| The mechanism by which data is synchronised depends on the nature of | The mechanism by which data is synchronised depends on the nature of | |||
| the service; examples are zone transfers for authoritative DNS | the service; examples are zone transfers for authoritative DNS | |||
| servers and rsync for FTP archives. In general, the synchronisation | servers and rsync for FTP archives. In general, the synchronisation | |||
| of data between Anycast Nodes will involve transactions between | of data between Anycast Nodes will involve transactions between non- | |||
| non-anycast addresses. | anycast addresses. | |||
| Data synchronisation across public networks should be carried out | Data synchronisation across public networks should be carried out | |||
| with appropriate authentication and encryption. | with appropriate authentication and encryption. | |||
| 4.7 Node Autonomy | 4.7 Node Autonomy | |||
| For an Anycast deployment whose goals include improved reliability | For an Anycast deployment whose goals include improved reliability | |||
| through redundancy, it is important to minimise the opportunity for a | through redundancy, it is important to minimise the opportunity for a | |||
| single defect to compromise many (or all) nodes, or for the failure | single defect to compromise many (or all) nodes, or for the failure | |||
| of one node to provide a cascading failure bringing down additional | of one node to provide a cascading failure bringing down additional | |||
| skipping to change at page 15, line 38 | skipping to change at page 16, line 9 | |||
| The possibility of cascading failure due to load can also be reduced | The possibility of cascading failure due to load can also be reduced | |||
| by the deployment of both Global and Local Nodes for a single | by the deployment of both Global and Local Nodes for a single | |||
| service, since the effective fail-over path of traffic is, in | service, since the effective fail-over path of traffic is, in | |||
| general, from Local Node to Global Node; traffic that might sink one | general, from Local Node to Global Node; traffic that might sink one | |||
| Local Node is unlikely to sink all Local Nodes, except in the most | Local Node is unlikely to sink all Local Nodes, except in the most | |||
| degenerate cases. | degenerate cases. | |||
| The chance of cascading failure due to a software defect in an | The chance of cascading failure due to a software defect in an | |||
| operating system or server can be reduced in many cases by deploying | operating system or server can be reduced in many cases by deploying | |||
| nodes running different software implementations. | nodes running different implementations of operating system, server | |||
| software, routing protocol software, etc, such that a defect which | ||||
| appears in a single component does not affect the whole system. | ||||
| 4.8 Multi-Service Nodes | 4.8 Multi-Service Nodes | |||
| For a service distributed across a routing system where covering | For a service distributed across a routing system where covering | |||
| prefixes are required to announce reachability to a single Service | prefixes are required to announce reachability to a single Service | |||
| Address (see Section 4.4.2), special consideration is required in the | Address (see Section 4.4.2), special consideration is required in the | |||
| case where multiple services need to be distributed across a single | case where multiple services need to be distributed across a single | |||
| set of nodes. This results from the requirement to signal | set of nodes. This results from the requirement to signal | |||
| availability of individual services to the routing system so that | availability of individual services to the routing system so that | |||
| requests for service are not received by nodes which are not able to | requests for service are not received by nodes which are not able to | |||
| skipping to change at page 16, line 15 | skipping to change at page 16, line 36 | |||
| 4.8.1 Multiple Covering Prefixes | 4.8.1 Multiple Covering Prefixes | |||
| Each Service Address is chosen such that only one Service Address is | Each Service Address is chosen such that only one Service Address is | |||
| covered by each advertised prefix. Advertisement and withdrawal of a | covered by each advertised prefix. Advertisement and withdrawal of a | |||
| single covering prefix can be tightly coupled to the availability of | single covering prefix can be tightly coupled to the availability of | |||
| the single associated service. | the single associated service. | |||
| This is the most straightforward approach. However, since it makes | This is the most straightforward approach. However, since it makes | |||
| very poor utilisation of globally-unique addresses, it is only | very poor utilisation of globally-unique addresses, it is only | |||
| suitable for use for a small number of critical, infrastructural | suitable for use for a small number of critical, infrastructural | |||
| services such as root DNS servers. General deployment of services | services such as root DNS servers. General Internet-wide deployment | |||
| using this approach will not scale. | of services using this approach will not scale. | |||
| 4.8.2 Pessimistic Withdrawal | 4.8.2 Pessimistic Withdrawal | |||
| Multiple Service Addresses are chosen such that they are covered by a | Multiple Service Addresses are chosen such that they are covered by a | |||
| single prefix. Advertisement and withdrawl of the single covering | single prefix. Advertisement and withdrawl of the single covering | |||
| prefix is coupled to the availability of all associated services; if | prefix is coupled to the availability of all associated services; if | |||
| any individual service becomes unavailable, the covering prefix is | any individual service becomes unavailable, the covering prefix is | |||
| withdrawn. | withdrawn. | |||
| The coupling between service availability and advertisement of the | The coupling between service availability and advertisement of the | |||
| skipping to change at page 17, line 25 | skipping to change at page 18, line 20 | |||
| monitoring a non-distributed service, since the observed accuracy and | monitoring a non-distributed service, since the observed accuracy and | |||
| availability of the service is, in general, different when viewed | availability of the service is, in general, different when viewed | |||
| from clients attached to different parts of the network. When a | from clients attached to different parts of the network. When a | |||
| problem is identified, it is also not always obvious which node | problem is identified, it is also not always obvious which node | |||
| served the request, and hence which node is malfunctioning. | served the request, and hence which node is malfunctioning. | |||
| It is recommended that distributed services are monitored from probes | It is recommended that distributed services are monitored from probes | |||
| distributed representatively across the routing system, and, where | distributed representatively across the routing system, and, where | |||
| possible, the identity of the node answering individual requests is | possible, the identity of the node answering individual requests is | |||
| recorded along with performance and availability statistics. The | recorded along with performance and availability statistics. The | |||
| RIPE NCC DNSMON service [16] is an example of such monitoring for the | RIPE NCC DNSMON service [1] is an example of such monitoring for the | |||
| DNS. | DNS. | |||
| Monitoring the routing system (from a variety of places, in the case | Monitoring the routing system (from a variety of places, in the case | |||
| of routing systems where perspective counts) can also provide useful | of routing systems where perspective is relevant) can also provide | |||
| diagnostics for troubleshooting service availability. This can be | useful diagnostics for troubleshooting service availability. This | |||
| achieved using dedicated probes, or public route measurement | can be achieved using dedicated probes, or public route measurement | |||
| facilities on the Internet such as the RIPE NCC Routing Information | facilities on the Internet such as the RIPE NCC Routing Information | |||
| Service [17] and the University of Oregon Route Views Project [18]. | Service [2] and the University of Oregon Route Views Project [3]. | |||
| Monitoring the health of the component devices in an Anycast | ||||
| deployment of a service (hosts, routers, etc) is straightforward, and | ||||
| can be achieved using the same tools and techniques commonly used to | ||||
| manage other network-connected infrastructure, without the additional | ||||
| complexity involved in monitoring Anycast service addresses. | ||||
| 6. Security Considerations | 6. Security Considerations | |||
| 6.1 Denial-of-Service Attack Mitigation | 6.1 Denial-of-Service Attack Mitigation | |||
| This document describes mechanisms for deploying services on the | This document describes mechanisms for deploying services on the | |||
| Internet which can be used to mitigate vulnerability to attack. | Internet which can be used to mitigate vulnerability to attack: | |||
| 6.2 Increased Risk of Service Compromise | 1. An Anycast Node can act as a sink for attack traffic originated | |||
| within its sphere of influence, preventing nodes elsewhere from | ||||
| having to deal with that traffic; | ||||
| 2. The task of dealing with attack traffic whose sources are widely | ||||
| distributed is itself distributed across all the nodes which | ||||
| contribute to the service. Since the problem of sorting between | ||||
| legitimate and attack traffic is distributed, this may lead to | ||||
| better scaling properties than a service which is not | ||||
| distributed. | ||||
| 6.2 Service Compromise | ||||
| The distribution of a service across several (or many) autonomous | The distribution of a service across several (or many) autonomous | |||
| nodes imposes increased monitoring as well as an increased systems | nodes imposes increased monitoring as well as an increased systems | |||
| administration burden on the operator of the service which might | administration burden on the operator of the service which might | |||
| reduce the effectiveness of host and router security. | reduce the effectiveness of host and router security. | |||
| The potential benefit of being able to take compromised servers | The potential benefit of being able to take compromised servers off- | |||
| off-line without compromising the service can only be realised if | line without compromising the service can only be realised if there | |||
| there are working procedures to do so quickly and reliably. | are working procedures to do so quickly and reliably. | |||
| 6.3 Service Hijacking | 6.3 Service Hijacking | |||
| It is possible that an unauthorised party might advertise routes | It is possible that an unauthorised party might advertise routes | |||
| corresponding to anycast Service Addresses across a network, and by | corresponding to anycast Service Addresses across a network, and by | |||
| doing so capture legitimate request traffic or process requests in a | doing so capture legitimate request traffic or process requests in a | |||
| manner which compromises the service (or both). A rogue Anycast Node | manner which compromises the service (or both). A rogue Anycast Node | |||
| might be difficult to detect by clients or by the operator of the | might be difficult to detect by clients or by the operator of the | |||
| service. | service. | |||
| skipping to change at page 18, line 27 | skipping to change at page 22, line 5 | |||
| routing system may make it more difficult to detect rogue nodes. | routing system may make it more difficult to detect rogue nodes. | |||
| 7. Protocol Considerations | 7. Protocol Considerations | |||
| This document does not impose any protocol considerations. | This document does not impose any protocol considerations. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| This document requests no action from IANA. | This document requests no action from IANA. | |||
| 9. References | 9. Acknowlegements | |||
| [1] Oran, D., "OSI IS-IS Intra-domain Routing Protocol", RFC 1142, | ||||
| February 1990. | ||||
| [2] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April | The authors gratefully acknowledge the contributions from various | |||
| 1992. | participants of the grow working group, and in particular Geoff | |||
| Huston, Pekka Savola, Danny McPherson and Ben Black. | ||||
| [3] Moy, J., "OSPF Version 2", RFC 1247, July 1991. | This work was supported by the US National Science Foundation | |||
| (research grant SCI-0427144) and DNS-OARC. | ||||
| [4] Partridge, C., Mendez, T. and W. Milliken, "Host Anycasting | 10. References | |||
| Service", RFC 1546, November 1993. | ||||
| [5] Rekhter, Y. and T. Li, "A Border Gateway Protocol 4 (BGP-4)", | 10.1 Normative References | |||
| RFC 1771, March 1995. | ||||
| [6] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G. and E. | [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, | |||
| Lear, "Address Allocation for Private Internets", BCP 5, | RFC 793, September 1981. | |||
| RFC 1918, February 1996. | ||||
| [7] Chandrasekeran, R., Traina, P. and T. Li, "BGP Communities | [RFC1771] Rekhter, Y. and T. Li, "A Border Gateway Protocol 4 | |||
| Attribute", RFC 1997, August 1996. | (BGP-4)", RFC 1771, March 1995. | |||
| [8] Ferguson, P. and D. Senie, "Network Ingress Filtering: | [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and | |||
| Defeating Denial of Service Attacks which employ IP Source | E. Lear, "Address Allocation for Private Internets", | |||
| Address Spoofing", RFC 2267, January 1998. | BCP 5, RFC 1918, February 1996. | |||
| [9] Hinden, R. and S. Deering, "IP Version 6 Addressing | [RFC1997] Chandrasekeran, R., Traina, P., and T. Li, "BGP | |||
| Architecture", RFC 2373, July 1998. | Communities Attribute", RFC 1997, August 1996. | |||
| [10] Villamizar, C., Chandra, R. and R. Govindan, "BGP Route Flap | [RFC2439] Villamizar, C., Chandra, R., and R. Govindan, "BGP Route | |||
| Damping", RFC 2439, November 1998. | Flap Damping", RFC 2439, November 1998. | |||
| [11] Ferguson, P. and D. Senie, "Network Ingress Filtering: | [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: | |||
| Defeating Denial of Service Attacks which employ IP Source | Defeating Denial of Service Attacks which employ IP Source | |||
| Address Spoofing", BCP 38, RFC 2827, May 2000. | Address Spoofing", BCP 38, RFC 2827, May 2000. | |||
| [12] Baker, F. and P. Savola, "Ingress Filtering for Multihomed | [RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6 | |||
| (IPv6) Addressing Architecture", RFC 3513, April 2003. | ||||
| [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed | ||||
| Networks", BCP 84, RFC 3704, March 2004. | Networks", BCP 84, RFC 3704, March 2004. | |||
| [13] Huston, G., "NOPEER Community for Border Gateway Protocol (BGP) | 10.2 Informative References | |||
| Route Scope Control", RFC 3765, April 2004. | ||||
| [14] Abley, J., "Hierarchical Anycast for Global Service | [ISC-TN-2003-1] | |||
| Abley, J., "Hierarchical Anycast for Global Service | ||||
| Distribution", March 2003, | Distribution", March 2003, | |||
| <http://www.isc.org/pubs/tn/isc-tn-2003-1.html>. | <http://www.isc.org/pubs/tn/isc-tn-2003-1.html>. | |||
| [15] Abley, J., "A Software Approach to Distributing Requests for | [ISC-TN-2004-1] | |||
| DNS Service using GNU Zebra, ISC BIND 9 and FreeBSD", March | Abley, J., "A Software Approach to Distributing Requests | |||
| 2004, <http://www.isc.org/pubs/tn/isc-tn-2004-1.html>. | for DNS Service using GNU Zebra, ISC BIND 9 and FreeBSD", | |||
| March 2004, | ||||
| <http://www.isc.org/pubs/tn/isc-tn-2004-1.html>. | ||||
| [16] <http://dnsmon.ripe.net/> | [RFC1546] Partridge, C., Mendez, T., and W. Milliken, "Host | |||
| Anycasting Service", RFC 1546, November 1993. | ||||
| [17] <http://ris.ripe.net> | [RFC2267] Ferguson, P. and D. Senie, "Network Ingress Filtering: | |||
| Defeating Denial of Service Attacks which employ IP Source | ||||
| Address Spoofing", RFC 2267, January 1998. | ||||
| [18] <http://www.route-views.org> | [RFC3765] Huston, G., "NOPEER Community for Border Gateway Protocol | |||
| (BGP) Route Scope Control", RFC 3765, April 2004. | ||||
| URIs | ||||
| [1] <http://dnsmon.ripe.net/> | ||||
| [2] <http://ris.ripe.net> | ||||
| [3] <http://www.route-views.org> | ||||
| Authors' Addresses | Authors' Addresses | |||
| Joe Abley | Joe Abley | |||
| Internet Systems Consortium, Inc. | Internet Systems Consortium, Inc. | |||
| 950 Charter Street | 950 Charter Street | |||
| Redwood City, CA 94063 | Redwood City, CA 94063 | |||
| USA | USA | |||
| Phone: +1 650 423 1317 | Phone: +1 650 423 1317 | |||
| skipping to change at page 20, line 4 | skipping to change at page 25, line 24 | |||
| Joe Abley | Joe Abley | |||
| Internet Systems Consortium, Inc. | Internet Systems Consortium, Inc. | |||
| 950 Charter Street | 950 Charter Street | |||
| Redwood City, CA 94063 | Redwood City, CA 94063 | |||
| USA | USA | |||
| Phone: +1 650 423 1317 | Phone: +1 650 423 1317 | |||
| Email: jabley@isc.org | Email: jabley@isc.org | |||
| URI: http://www.isc.org/ | URI: http://www.isc.org/ | |||
| Kurt Erik Lindqvist | Kurt Erik Lindqvist | |||
| Netnod Internet Exchange | Netnod Internet Exchange | |||
| Bellmansgatan 30 | Bellmansgatan 30 | |||
| 118 47 Stockholm | 118 47 Stockholm | |||
| Sweden | Sweden | |||
| Email: kurtis@kurtis.pp.se | Email: kurtis@kurtis.pp.se | |||
| URI: http://www.netnod.se/ | URI: http://www.netnod.se/ | |||
| Appendix A. Change History | ||||
| This section should be removed before publication. | ||||
| draft-kurtis-anycast-bcp-00: Initial draft. Discussed at IETF 61 in | ||||
| the grow meeting and adopted as a working group document shortly | ||||
| afterwards. | ||||
| draft-ietf-grow-anycast-00: Missing and empty sections completed; | ||||
| some structural reorganisation; general wordsmithing. Document | ||||
| discussed at IETF 62. | ||||
| draft-ietd-grow-anycast-01: This appendix added; acknowledgements | ||||
| section added; commentary on [RFC3513] prohibition of anycast on | ||||
| hosts removed; minor sentence re-casting and related jiggery- | ||||
| pokery. This revision published for discussion at IETF 63. | ||||
| Intellectual Property Statement | Intellectual Property Statement | |||
| The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||
| Intellectual Property Rights or other rights that might be claimed to | Intellectual Property Rights or other rights that might be claimed to | |||
| pertain to the implementation or use of the technology described in | pertain to the implementation or use of the technology described in | |||
| this document or the extent to which any license under such rights | this document or the extent to which any license under such rights | |||
| might or might not be available; nor does it represent that it has | might or might not be available; nor does it represent that it has | |||
| made any independent effort to identify any such rights. Information | made any independent effort to identify any such rights. Information | |||
| on the procedures with respect to rights in RFC documents can be | on the procedures with respect to rights in RFC documents can be | |||
| found in BCP 78 and BCP 79. | found in BCP 78 and BCP 79. | |||
| End of changes. | ||||
This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ | ||||