On Sun, Aug 8, 2021, 4:10 PM Nick Hilliard <nick@xxxxxxxxxx> wrote:
Theodore Ts'o wrote on 08/08/2021 23:40:
> Which of the top5, 10, 100 sites on the Internet use anycast?
for starters, all the dns root servers. For content delivery, some of
Cloudflare's content is delivered to end users using anycast on the
front side. Are the DNS root servers top-5, top-10 or top-100 sites
(asking for a friend)?
Route changes wouldn't impact stateless UDP use of anycast.
> If Facebook, Amazon, Google, Wikipedia, etc., are using standard IPv4
> and IPv6 endpoints and are *not* using anycast, and they have
> successly fielded defenses against DDOS's without using anycast,
> wouldn't that tend to blow a gigantic, gaping hole in your assertion?
It's the norm to build ddos defenses without anycast, but it has its
place as a technology.
Otherwise: anycast is one of many tools in the box; rewriting the ipv6
flow label hurts ipv6 anycast when DDOS traffic sinkers use ECMP for
load balancing; tcp anycast is a hack which works quite nicely for
short-lived tcp sessions and barely at all for long-lived sessions (this
is well-understood in network engineering circles).
Perhaps, but I would hope users are aware of the susceptibility of anycast to arbitrary routing changes in the path (flow label modulation being just one example). It's also a question of how much we should accommodate protocols like this that aren't aligned with the core architecture of the Internet. At some point such accomodations impede evolution of protocols and the Internet
@Tom your suggestions for tuning down the flow label rewriting
aggression level sound reasonable.
Nick
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@xxxxxxxx
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
