ANYCAST - PowerPoint PPT Presentation

APTLD Meeting/Dubai.


Transcript and Presenter's Notes


1
ANYCAST
  • Alireza Saleh .ir ccTLD
  • Saleh_at_nic.ir

2
What is (isn't) anycast?
  • The term ANYCAST.
  • Unicast: 1 ---> One mapping
  • Multicast: 1 ---> Some mapping
  • Broadcast: 1 ---> All mapping
  • Anycast: 1 ---> Nearest mapping
  • It is not a protocol, it is not related to
    IDN.IDN )
  • There is no need for any extra capabilities in
    the normal infrastructure of the DNS.
  • It can be used in conjunction with existing
    infrastructure.
  • It is just a method of configuration for
    large-scale implementation mostly for DNS.

3
How Does Anycast work?
  • Multiple instances of a service sharing one IP
    address.
  • The GLOBAL or LOCAL routing decision directs the
    packet to the nearest instance of a service

[Figure: two DNS clients reaching the service over different AS paths. Path 1: AS1, AS2, ASx, AS3, ASx. Path 2: AS10, ASx, AS12, AS5, ASx.]
4
Implementation of ANYCAST
  • Local Cluster
  • Virtual interface attached to the loop-back
    device
  • Virtual host handles the requests toward the
    backend servers using Destination NAT
  • Virtual host handles the requests to the backend
    server using tunneling ( GRE )
  • IGP routing protocols do the load-sharing ( if
    the servers are in different networks )

5
Implementations of ANYCAST
  • Global Cluster
  • Using BGP protocol to advertise Anycasted subnet.
  • The Anycasted subnet shares the same AS number.
  • Consider a good distribution of the servers.
  • Continuous monitoring and adjustment of the cost
    metrics to achieve the best performance.

6
.ir Experience and stats
  • Case 1: Prepending the anycasted ASN 2 times for
    the local instance
  • Number of queries received by the instance
    outside the country: 22100/hour
  • Number of queries received by the instance in
    Iran: 446/hour.
  • Case 2: Prepending the anycasted ASN 1 time for
    the local instance
  • Instance outside the country: 18034/hour
  • Instance inside the country: 4120/hour
  • The number of queries depends on many factors, but
    regular monitoring will guide you toward the best
    performance

7
RFC Considerations
  • The host should respond to the queries only on
    the shared-unicast(Anycast) interface.
  • Limit responses on that interface to zones for
    which the host is authoritative.
  • To minimize the risk of man-in-the-middle attacks,
    zone files should be delivered to the administrative
    interface.
  • Secured file transfer methods and strong
    authentication should be used for all transfers.
  • Use synchronized clocks for the hosts
    participating in the mesh.

8
Why Anycast
  • Sinking DoS attacks.
  • Reducing the latency of responding to DNS
    queries.
  • Saving the costs of Internet usage for each host.

9
Problems
  • Content synchronization
  • AXFR, SSH file transfer, ...
  • Perform content synchronization checks.
  • Host or Cluster Failure
  • Withdraw the route?
  • Do nothing? (RFC recommends)
  • The DNS failover method will take care of the
    reachability of the data for the client.
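
Added example, not part of the original slides: one way to perform the content synchronization check, by comparing the SOA serial reported by each instance. It assumes each instance is queried on its administrative (unicast) address, since a query to the shared anycast address only ever reaches the nearest instance; the instance names, addresses and SOA lines are constructed sample data.

```python
# Added example: flag anycast instances whose zone copy lags the newest one.
# Input is the SOA rdata returned by each instance ("dig +short SOA" format).
MOD = 2 ** 32    # SOA serials are 32-bit and wrap around
HALF = 2 ** 31

def parse_serial(soa_rdata):
    """Serial field of 'mname rname serial refresh retry expire minimum'."""
    fields = soa_rdata.split()
    if len(fields) != 7 or not fields[2].isdigit() or int(fields[2]) >= MOD:
        raise ValueError(f"not an SOA rdata line: {soa_rdata!r}")
    return int(fields[2])

def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True if serial a is newer than serial b."""
    return a != b and (a - b) % MOD < HALF

def check_sync(answers):
    """answers: {instance: SOA rdata, or None if the instance gave no answer}.
    Returns (newest_serial, {instance: problem}) for out-of-sync instances."""
    serials, problems = {}, {}
    for instance, rdata in answers.items():
        try:
            if rdata is None:
                raise ValueError("no answer")
            serials[instance] = parse_serial(rdata)
        except ValueError as exc:
            problems[instance] = str(exc)
    newest = None
    for serial in serials.values():
        if newest is None or serial_gt(serial, newest):
            newest = serial
    for instance, serial in serials.items():
        if serial != newest:
            problems[instance] = f"behind by {(newest - serial) % MOD}"
    return newest, problems

# Constructed sample: admin addresses come from documentation ranges.
SOA = "ns.example.org. hostmaster.example.org. {} 7200 900 1209600 3600"
SAMPLE = {
    "inside-country (192.0.2.10)": SOA.format(2009030102),
    "outside-country (198.51.100.10)": SOA.format(2009030101),
    "spare (203.0.113.10)": None,
}

if __name__ == "__main__":
    newest, problems = check_sync(SAMPLE)
    print("newest serial:", newest)
    for instance, problem in sorted(problems.items()):
        print(f"{instance}: {problem}")
```
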

10
Split-Destination
  • May occur due to per-packet or round-robin load
    sharing but
  • DNS mostly uses UDP
  • DNS server diversity will ensure servers have
    significantly different metrics.
  • There are many possible and more popular load
    sharing mechanisms.
  • In case of TCP, all servers for a specific zone
    shouldn't be part of an Anycast mesh. AND ALSO ...

11
Split-Destination
  • To guard against multiple meshes affected by
    per-packet load sharing, organizations should
    provide at least one authoritative server that
    is not a participant in any shared unicast
    (Anycast) mesh!
  • This, combined with the round-robin algorithm of
    DNS, will significantly reduce the effectiveness of
    Anycast.

12
Suggestion
  • 1- Having weighted NS records in the zone to
    redirect more traffic to the Anycasted hosts.
  • 2- Announcement of a subnet by IANA for Anycast
    implementation for DNS.
  • This subnet should not be included for
    round-robin or per-packet load sharing.
  • 3- ?