Peter,

Check out Digital Island. They run a private ATM network which is connected to most Tier 1 ISPs worldwide; you buy a pipe to them and they handle the redundancy issues. I used them for a project and it was VERY successful, especially to the Pacific Rim, where the public net tends to have somewhat indifferent performance.

Scott

"Peter A. van Oene" wrote:
This is great feedback / moderate flaming. However, consider the following.
I have only moderate experience with the F5 3DNS & similar products; however, I am familiar with BGP routing. My client base is high-traffic e-commerce style (for lack of a better overused marketing term) web sites. They sit on /28s and smaller in some cases. I'm certainly not going to be successful in acquiring ASNs for these people to do proper load balancing between multiple ISPs, and most major ISPs see little benefit in modifying route tables to include our small netblock. It's these cases I'm concerned with. In my mind, irrespective of the comments on the functionality of DNS for this purpose, I see little other choice.
As a direct FYI, the 3DNS can make fairly intelligent decisions about where to direct traffic beyond simply gauging TCP/53 handshake times. There is quite a detailed, informative interaction that can take place between the 3DNS and F5's local load distributor, the BIG-IP.
That being said, if anyone has better ideas on how to provide for high availability to millions of web sites worldwide, please let me know.
Pete
*********** REPLY SEPARATOR ***********
On 3/12/00 at 1:32 PM Chris Brenton wrote:
"Peter A. van Oene" wrote:
Essentially, the 3DNS box assumes the DNS entry for the site for which the customer requires multihoming and it intelligently balances traffic amongst any geographically disparate sites. This allows for high availability.
If I'm not mistaken, it accomplishes this in a somewhat obtrusive manner. The box attempts an xfer back to TCP/53 on the querying DNS server. Based on response time, a proper route is chosen. I've seen a lot of posts to Intrusion & GIAC from people who assumed someone was trying enumeration in preparation for an attack, only to find out it was one of these boxes.
I also seem to remember a post on GIAC showing Snort traces of one of these boxes actually performing a full xfer if the box was not locked down. Do you use one of these boxes? If so, any idea what happens to the xfer data?
Ignoring the argument as to whether it's appropriate to attempt xfers on unsuspecting networks, I also see this as being pretty inefficient. A good quantity of sites are now running split DNS, so the querying server is not even reachable. This means a fair percentage of the time the load balance attempt will outright fail.
Don't see this replacing BGP anytime soon. ;)
Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-------
Peter Van Oene
Senior Systems Engineer
UNIS LUMIN Inc.
www.unislumin.com
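The thread describes a 3DNS measuring a resolver by connecting back to it on TCP/53 shortly after that resolver queried the 3DNS, and notes that with split DNS the connect-back simply fails at the perimeter. The script below is an added example, not code from the thread, from F5, or from any of the posters: it correlates a resolver's outbound DNS queries with inbound TCP/53 attempts in a constructed firewall log, so an analyst can tell a probe-back triggered by their own lookup from an unsolicited TCP/53 connection that deserves a closer look. The log format, the 192.0.2.0/24 addressing, the resolver address and the 30-second correlation window are all assumptions for the example.

```python
"""
Correlate outbound DNS lookups from our resolver with inbound TCP/53 attempts.
A TCP/53 connection arriving from a nameserver we queried moments ago matches
the GSLB probe-back pattern discussed in the thread; one with no preceding
query from us is unsolicited and worth investigating.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")   # assumed: our address space (documentation range)
RESOLVER = ip_address("192.0.2.53")      # assumed: our caching resolver
WINDOW = timedelta(seconds=30)           # assumed: how soon a probe-back must follow our query

# Constructed firewall log: timestamp action proto src sport dst dport
LOG = """\
2000-03-12T13:30:00 ALLOW UDP 192.0.2.53 40001 198.51.100.10 53
2000-03-12T13:30:02 DENY TCP 198.51.100.10 3129 192.0.2.53 53
2000-03-12T13:31:10 DENY TCP 203.0.113.7 4400 192.0.2.53 53
2000-03-12T13:32:00 ALLOW UDP 192.0.2.53 40002 203.0.113.9 53
2000-03-12T13:32:01 ALLOW TCP 203.0.113.9 2000 192.0.2.53 53
"""

PROBE_BACK = "probe-back after our query (likely GSLB measurement)"
UNSOLICITED = "unsolicited TCP/53 (investigate)"


def parse(line):
    """Split one constructed log line into typed fields."""
    ts, action, proto, src, sport, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport)}


def classify(log_text):
    """Return (source, firewall action, verdict) for every inbound TCP/53 attempt."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    last_query = {}   # nameserver address -> time our resolver last queried it
    verdicts = []
    for e in events:
        # Outbound lookup from our resolver: remember which nameserver we spoke to.
        if e["src"] == RESOLVER and e["proto"] == "UDP" and e["dport"] == 53:
            last_query[e["dst"]] = e["ts"]
        # Inbound TCP/53 toward the resolver from outside our network.
        elif (e["dst"] == RESOLVER and e["proto"] == "TCP" and e["dport"] == 53
              and e["src"] not in INTERNAL):
            queried_at = last_query.get(e["src"])
            if queried_at is not None and e["ts"] - queried_at <= WINDOW:
                verdict = PROBE_BACK
            else:
                verdict = UNSOLICITED
            verdicts.append((str(e["src"]), e["action"], verdict))
    return verdicts


if __name__ == "__main__":
    for src, action, verdict in classify(LOG):
        print(f"{src:15} {action:5} {verdict}")
```

The firewall action is carried through in the output on purpose: a DENY on a probe-back is exactly the split-DNS case Chris raises, where the GSLB's measurement fails and the resolver's clients get whatever fallback the box chooses, while an ALLOW shows the resolver is reachable from outside on TCP/53 and is worth checking for zone-transfer restrictions.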