
ANYCAST

Alireza Saleh, .ir ccTLD, Saleh@nic.ir


Presentation Transcript


  1. ANYCAST
     Alireza Saleh, .ir ccTLD, Saleh@nic.ir
     APTLD Meeting/Dubai

  2. What is (isn't) anycast?
     The term ANYCAST:
     - Unicast: 1 ---> One mapping
     - Multicast: 1 ---> Some mapping
     - Broadcast: 1 ---> All mapping
     - Anycast: 1 ---> Nearest mapping
     It is not a protocol, and it is not related to IDN.IDN :)
     There is no need for any extra capabilities in the normal infrastructure of the DNS.
     It can be used in conjunction with existing infrastructure.
     It is just a method of configuration for large-scale implementation, mostly for DNS.

  3. How does Anycast work?
     Multiple instances of a service share one IP address.
     The GLOBAL or LOCAL routing decision directs the packet to the nearest instance of the service.
     [Diagram: two DNS clients reaching the service over different AS paths. Path1: AS1 AS2 ASx AS3 ASx. Path2: AS10 ASx AS12 AS5 ASx.]

  4. Implementation of ANYCAST
     Local cluster:
     - Virtual interface attached to the loopback device.
     - Virtual host handles the requests toward the backend servers using Destination NAT.
     - Virtual host handles the requests to the backend server using tunneling (GRE).
     - IGP routing protocols do the load sharing (if the servers are in different networks).

  5. Implementations of ANYCAST
     Global cluster:
     - Use the BGP protocol to advertise the Anycasted subnet.
     - The Anycasted subnet shares the same AS number.
     - Consider a good distribution of the servers.
     - Continuously monitor and change the cost metrics to achieve the best performance.

  6. .ir experience and stats
     Case 1: Prepending the Anycasted ASN 2 times for the local instance:
     - Number of queries received by the instance outside the country = 22100/hour
     - Number of queries received by the instance in Iran = 446/hour
     Case 2: Prepending the Anycasted ASN 1 time for the local instance:
     - Instance outside the country = 18034/hour
     - Instance inside the country = 4120/hour
     The number of queries depends on many factors, but regular monitoring will guide tuning toward the best performance.

  7. RFC considerations
     - The host should respond to queries only on the shared-unicast (Anycast) interface.
     - Limit responses on that interface to zones for which the host is authoritative.
     - To minimize the risk of man-in-the-middle attacks, zone files should be delivered to the administrative interface.
     - Secured file transfer methods and strong authentication should be used for all transfers.
     - Use synchronized clocks for the hosts participating in the mesh.

  8. Why Anycast
     - Sinking DoS attacks.
     - Reducing the latency of responses to DNS queries.
     - Saving the costs of Internet usage for each host.

  9. Problems
     - Content synchronization: AXFR, SSH file transfer, . . .
       Perform content synchronization checks.
     - Host or cluster failure: Withdraw the route? Do nothing? (RFC recommends)
       The DNS failover method will take care of the reachability of the data for the client.

  10. Split-Destination
     May occur due to per-packet or round-robin load sharing, but:
     - DNS mostly uses UDP.
     - DNS server diversity will ensure servers have significantly different metrics.
     - There are many possible and more popular load sharing mechanisms.
     - In the case of TCP, all servers for a specific zone shouldn't be part of an Anycast mesh.
     AND ALSO . . .

  11. Split-Destination
     To guard against multiple meshes being affected by per-packet load sharing, organizations should provide at least one authoritative server which is not a participant in any shared-unicast (Anycast) mesh!
     This, combined with the round-robin algorithm of DNS, will significantly reduce the effectiveness of Anycast.

  12. Suggestion
     1- Having weighted NS records in the zone to redirect more traffic to the Anycasted hosts.
     2- Announcement of a subnet by IANA for Anycast implementation of DNS. This subnet should not be included in round-robin or per-packet load sharing.
     3- ?
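
Slide 9 asks for content synchronization checks, and slide 7 separates the shared Anycast address from each host's administrative interface. The following is an added example, not part of the original presentation: it parses the SOA serial from wire-format responses, as they would be collected from each instance's administrative address, and reports instances that lag behind the newest serial. The instance names, the zone `example` and the response bytes are constructed for illustration.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # 2-byte compression pointer or 1-byte root label

def soa_serial(msg):
    """Extract the SOA serial from the first answer of a wire-format DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    if ancount == 0:
        raise ValueError("no answer records")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    off = skip_name(msg, off)  # owner name of the answer record
    rtype, _cls, _ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    if rtype != 6:
        raise ValueError("first answer is not an SOA record")
    off = skip_name(msg, skip_name(msg, off + 10))  # skip MNAME, then RNAME
    return struct.unpack("!I", msg[off:off + 4])[0]

def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if a is newer than b, allowing wraparound."""
    return a != b and (a - b) % 2**32 < 2**31

def stale_instances(responses):
    """Return {instance: serial} for every instance behind the newest serial seen."""
    serials = {name: soa_serial(msg) for name, msg in responses.items()}
    newest = None
    for s in serials.values():
        if newest is None or serial_newer(s, newest):
            newest = s
    return {name: s for name, s in serials.items() if s != newest}

def make_response(serial):
    """Constructed sample: minimal authoritative SOA response for the zone 'example'."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    question = b"\x07example\x00" + struct.pack("!HH", 6, 1)
    rdata = b"\x02ns\xc0\x0c\x05admin\xc0\x0c" + struct.pack("!5I", serial, 3600, 600, 86400, 300)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(rdata)) + rdata
    return header + question + answer

# Constructed responses; hypothetical instance names. One serial predates a wraparound.
SAMPLE = {"local": make_response(2), "remote-1": make_response(4294967290), "remote-2": make_response(2)}
```

A plain numeric comparison would treat `remote-1` as the newest copy; serial arithmetic correctly marks it as the stale one.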
