Re: IPv6 Anycast has been killed by LINUX patch in 2016 - who cares?

Peace,

On Mon, Aug 9, 2021, 1:40 AM Theodore Ts'o <tytso@xxxxxxx> wrote:
> Which of the top 5, 10, 100 sites on the Internet use anycast?

You should understand that this is a wrong question to ask, because there's just no way of reliably figuring that out.

Anycast isn't just something which is written all over your BGP announcement.  By the nature of it, anycast is the announcement of the same IP prefix, through BGP, from multiple physical locations.  And, the concept of a "physical location" is not incorporated within BGP or any globally available network layer protocol.

You can, probably, carry out research, of course, to a certain level of reliability only, using something like hundreds of RIPE Atlas probes with a good geographic AND source network distribution (not the same thing), and measure which IP flows land within which ranges of expected intervals of time.  Based on the value of the speed of light, it will then show you (with some level of reliability) which sites of the group certainly use anycast, and there's no real way of telling if any of them don't, because the locations could be just too close to each other.

That is a massive piece of work, and I hope you didn't just suggest that I'd do it, right?
Anyhow, this doesn't mean a lot, because:


> If Facebook, Amazon, Google, Wikipedia, etc., are using standard IPv4
> and IPv6 endpoints and are *not* using anycast, and they have
> successfully fielded defenses against DDOS's without using anycast,
> wouldn't that tend to blow a gigantic, gaping hole in your assertion?

A gigantic, gaping hole in my assertion and experience would be blown by anyone who's ready to come up with an autonomous system architecture, able to reliably process and mitigate stateful layer 7-enabled (including combined vectors) DDoS attacks towards a layer 7 network service with no (or, insignificant) impact to the legitimate users of the service, with no particular scrubbing centers likely to overload during the attack, without anycast.

So far, no one was able to even draft this after a week of chatting, grumbling, and architecture astronautics.

--
Töma
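
The speed-of-light check described in the message above, as an added example that is not part of the original post: each probe's RTT bounds how far away the responder can be, and two probes whose bounds cannot overlap prove the address answers from more than one place. The probe coordinates, RTT values and the 200 km/ms fibre speed are constructed assumptions, not RIPE Atlas data.

```python
import math
from itertools import combinations

# Assumption: signals in fibre travel at about 2/3 c, roughly 200 km per ms.
FIBRE_KM_PER_MS = 200.0
EARTH_RADIUS_KM = 6371.0

def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def max_radius_km(rtt_ms):
    """Upper bound on probe-to-responder distance: half the RTT at fibre speed."""
    return (rtt_ms / 2.0) * FIBRE_KM_PER_MS

def anycast_evidence(measurements):
    """Return (probe, probe, gap_km) for pairs whose RTT disks cannot share a point.
    measurements: list of (probe_name, (lat, lon), min_rtt_ms)."""
    violations = []
    for (n1, p1, r1), (n2, p2, r2) in combinations(measurements, 2):
        gap = great_circle_km(p1, p2) - (max_radius_km(r1) + max_radius_km(r2))
        if gap > 0:  # no single location satisfies both probes
            violations.append((n1, n2, round(gap)))
    return violations

def classify(measurements):
    """'anycast' is a proof; 'inconclusive' covers unicast AND nearby anycast sites."""
    return "anycast" if anycast_evidence(measurements) else "inconclusive"

# Constructed samples (probe name, location, minimum RTT in ms).
AMS, NYC, TYO, BRU = (52.37, 4.90), (40.71, -74.01), (35.68, 139.69), (50.85, 4.35)
ANYCAST_SAMPLE = [("ams", AMS, 4.0), ("nyc", NYC, 6.0), ("tyo", TYO, 5.0)]
UNICAST_SAMPLE = [("ams", AMS, 10.0), ("nyc", NYC, 85.0), ("tyo", TYO, 240.0)]
CLOSE_SITES = [("ams", AMS, 2.0), ("bru", BRU, 2.0)]  # sites too close to separate

if __name__ == "__main__":
    for name, sample in [("anycast", ANYCAST_SAMPLE), ("unicast", UNICAST_SAMPLE),
                         ("close", CLOSE_SITES)]:
        print(name, classify(sample), anycast_evidence(sample))
```

The `CLOSE_SITES` case is the limitation the message points out: an empty result never shows that a site does not use anycast.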
