BTW, Iljitsch notes that "he is worried, but not as much as Dean seems to be". As I told Iljitsch, I'm not saying the sky is falling, but I am saying there is a problem, and instead of addressing the problem, people are just making personal attacks.

---------- Forwarded message ----------
Date: Sun, 3 Oct 2004 23:01:42 +0200
From: Iljitsch van Beijnum <iljitsch@muada.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: dnsop@lists.uoregon.edu
Subject: Re: [dnsop] Re: Root Anycast

On 2-okt-04, at 21:42, Stephane Bortzmeyer wrote:

> Troll Bot <dean@av8.com> keeps mentioning PPLB. Maybe some people more knowledgeable about BGP than I am will explain to me why PPLB is such a new issue for anycasting?

I have no idea how new this is, but I have to admit I'm slightly worried. Not to the degree Dean seems to be, though.

It is true that if you turn on load balancing over multiple paths in BGP and then per packet load balancing between several links, packets belonging to one session can end up on different anycast instances. (This would be harmful in the case of TCP, but TCP will probably recover by retransmitting. It would be quite deadly in the case of fragmented UDP packets.)

What can happen is this:

        A
       / \
     B1   B2
     |    |
     C    D
     |    |
     E1   E2

AS A connects to two different routers in AS B, and each of these routers prefers a different external path towards different anycast instances of AS E. In order for this to happen the paths from B to both anycast instances E1 and E2 must be completely identical, except that for one router in B one path is preferred and for another router the other. This will only happen if these routers connect to ASes C and D themselves, or if one sees a better IGP metric towards the router connecting to C and another sees a better IGP metric towards the router connecting to D.

Now the part that worries me is what's happening in .org. They only use two addresses in the delegation from the root, and both are heavily anycasted. This makes no sense at all as it effectively hides all but two of the .org TLD servers while there are no reasons at all for not making at least half a dozen others visible. End-user impacting issues with this have been reported (but have predictably been almost impossible to reproduce) but the situation persists.

Fortunately, the root operators have more sense (or inherited a better situation). Still, I'm not entirely comfortable with the fact that each of them seems to make anycasting decisions on their own.

Anycast has many things going for it as it allows root servers to be installed in many more places than could be done otherwise, but it's also risky as more and more root servers seem to be in the same place from any given viewpoint, and especially from not so well connected viewpoints. Problems such as congestion and BGP blackholes or (temporary) BGP instability can then impact most or even all of the root servers. (Only for some places connected to the net, though.)

So I feel it's very important to have a reasonable number of root servers that are NOT anycast. Preferably, those should be in locations that are far apart.
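
The A / B1,B2 / E1,E2 topology described in the forwarded message, modelled as a small simulation. This is an added example, not part of the original thread; the addresses, IP ID and function names are constructed for illustration, and the per-flow policy shown (hashing on source and destination address) is an assumed alternative for comparison.

```python
import zlib
from itertools import cycle

# Topology from the message: AS A has two equal-cost next hops in AS B.
# B1 prefers the path via C to instance E1, B2 the path via D to E2.
INSTANCE_BEHIND = {"B1": "E1", "B2": "E2"}
NEXT_HOPS = ["B1", "B2"]

def per_packet(packets):
    """Per-packet load balancing: round-robin every packet over the next hops."""
    hops = cycle(NEXT_HOPS)
    return [(p, INSTANCE_BEHIND[next(hops)]) for p in packets]

def per_flow(packets):
    """Per-flow balancing: hash src/dst address only, because non-first
    IP fragments carry no UDP header and so have no ports to hash."""
    out = []
    for p in packets:
        key = f"{p['src']}|{p['dst']}".encode()
        hop = NEXT_HOPS[zlib.crc32(key) % len(NEXT_HOPS)]
        out.append((p, INSTANCE_BEHIND[hop]))
    return out

def complete_datagrams(deliveries):
    """Return (instance, ip_id) pairs where one instance holds all fragments."""
    got, totals = {}, {}
    for p, inst in deliveries:
        got.setdefault((inst, p["ip_id"]), set()).add(p["frag"])
        totals[p["ip_id"]] = p["of"]
    return sorted(k for k, frags in got.items() if len(frags) == totals[k[1]])

def instances_hit(deliveries):
    """Set of anycast instances that saw at least one packet."""
    return {inst for _, inst in deliveries}

# Constructed sample: one UDP datagram split into three IP fragments,
# sent to an anycast address (documentation prefixes, not real servers).
FRAGS = [{"src": "192.0.2.10", "dst": "198.51.100.53",
          "ip_id": 0x1A2B, "frag": i, "of": 3} for i in range(3)]

if __name__ == "__main__":
    for name, policy in (("per-packet", per_packet), ("per-flow", per_flow)):
        d = policy(FRAGS)
        print(name, sorted(instances_hit(d)), complete_datagrams(d))
```

With per-packet balancing the fragments are split between E1 and E2 and neither instance can reassemble the datagram; with address-based per-flow hashing all fragments reach one instance.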