karl,

we raised the question of anycast risk with SECSAC in response to your concerns and the conclusion was that the risks had not materialized in the operation of anycast in roots that had already deployed it.

There are lots of ways in which routing can be wedged - until we get some form of authentication, that risk will be with us. Moreover, even with authentication it is possible to misconfigure routing. Any table-driven system that does not have an obvious syntactic or semantic way of detecting a bad configuration is subject to these risks.

vint

At 06:29 PM 11/30/2003 -0800, Karl Auerbach wrote:

>The switch to anycast for root servers is a good thing. But it was hardly
>without risks. For example, do we really fully comprehend the dynamics of
>anycast should there be a large scale disturbance to routing on the order
>of 9/11? Could the machinery that damps rapid swings of routes turn out
>to create blacked out areas of the net in which some portion of the root
>servers become invisible for several hours? Could one introduce bogus
>routing information into the net and drag some portion of resolvers to
>bogus root servers?

Vint Cerf
SVP Technology Strategy
MCI
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax
vinton.g.cerf@xxxxxxx
www.mci.com/cerfsup