Anycast
Anycast is a network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers all identified by the same destination address.
Addressing methodologies
The Internet Protocol and other network addressing systems recognize three main addressing methodologies:
- Unicast addressing uses a one-to-one association between destination address and network endpoint: each destination address uniquely identifies a single receiver endpoint.
- Broadcast or multicast addressing uses a one-to-many association; datagrams are routed from a single sender to multiple endpoints simultaneously in a single transmission. The network automatically replicates datagrams as needed for all network segments (links) that contain an eligible receiver.
- Anycast addressing routes datagrams to a single member of a group of potential receivers that are all identified by the same destination address. This is a one-to-one-of-many association.
Details
On the Internet, anycast is usually implemented by using BGP to simultaneously announce the same destination IP address range from many different places on the Internet. This results in packets addressed to destination addresses in this range being routed to the "nearest" point on the net announcing the given destination IP address. In the past, anycast was suited to connectionless protocols (generally built on UDP), rather than connection-oriented protocols such as TCP that keep their own state. However, there are many cases where TCP anycast is now used. With TCP anycast, there are cases where the receiver selected for any given source may change from time to time as optimal routes change, silently breaking any conversations that may be in progress at the time. These conditions are typically referred to as a "pop switch". To correct for this issue, there have been proprietary advancements within custom IP stacks which allow for healing of stateful protocols where it is required. For this reason, anycast is generally used as a way to provide high availability and load balancing for stateless services such as access to replicated data; for example, DNS service is a distributed service over multiple geographically dispersed servers.
Applications
With the growth of the Internet, network services increasingly have high-availability requirements. As a result, operation of anycast services (RFC 4786) has grown in popularity among network operators.
Domain Name System
Some Internet root nameservers are implemented as clusters of hosts using anycast addressing. The A, C, F, I, J, K, L and M servers exist in multiple locations on different continents, using anycast address announcements to provide a decentralized service. This has accelerated the deployment of physical (rather than logical) root servers outside the United States. RFC 3258 documents the use of anycast addressing to provide authoritative DNS services. Many commercial DNS providers have switched to an IP anycast environment to increase query performance and redundancy, and to implement load balancing. Hardened Linux-based appliances from Dell/TCPWave go a step further by adding intelligence to the routing protocol: they control the anycast advertisement via BGP/OSPF, and the route is injected depending upon the health of DNS responses. Two flavors of DNS (BIND and non-BIND) back up each other on the Dell/TCPWave appliances, thereby reducing the DNS exploits on recursive cache servers. Hooks are built into SNMP, which provides end-to-end insight into the global anycast deployment.
IPv6 transition
In IPv4 to IPv6 transitioning, anycast addressing may be deployed to provide IPv6 compatibility to IPv4 hosts. This method, 6to4, uses a default gateway with the IP address 192.88.99.1, cf. RFC 3068. This allows multiple providers to implement 6to4 gateways without hosts having to know each individual provider's gateway addresses.
Content delivery networks
Content delivery networks may use anycast for actual HTTP connections to their distribution centers, or for DNS. Because most HTTP connections to such networks request static content such as images and style sheets, they are short-lived and stateless. The general stability of routes and statelessness of connections makes anycast suitable for this application, even though it uses TCP.
Security
Anycast allows any operator whose routing information is accepted by an intermediate router to hijack any packets intended for the anycast address. While this at first sight appears insecure, it is no different from the routing of ordinary IP packets, and no more or less secure. As with conventional IP routing, careful filtering of who is and is not allowed to propagate route announcements is crucial to prevent man-in-the-middle or blackhole attacks.
Reliability
Anycast is normally highly reliable, as it can provide automatic failover. Anycast applications typically feature external "heartbeat" monitoring of the server's function, and withdraw the route announcement if the server fails. In some cases this is done by the actual servers announcing the anycast prefix to the router over OSPF or another IGP. If the servers die, the router will automatically withdraw the announcement.
"Heartbeat" functionality is important because, if the announcement continues for a failed server, the server will act as a "black hole" for nearby clients; this failure mode is the most serious mode of failure for an anycast system. Even in this event, this kind of failure will only cause a total failure for clients that are closer to this server than any other, and will not cause a global failure.
Mitigating denial-of-service attacks
In denial-of-service attacks, a rogue network host may advertise itself as an anycast server for a vital network service, to provide false information or simply block service.
Anycast methodologies on the Internet may be exploited to distribute DDoS attacks and reduce their effectiveness: as traffic is routed to the closest node, a process over which the attacker has no control, the DDoS traffic flow will be distributed amongst the closest nodes. Thus, not all nodes might be affected. This may be a reason to deploy anycast addressing.
The effectiveness of this technique to divert attacks is questionable, however, because unicast addresses (used for maintenance) can be easy to obtain, at least on IPv6. RFC 2373 defines that "An anycast address must not be used as the source address of an IPv6 packet." Therefore, pinging an anycast address will return the unicast address of the closest node, since the reply must come from a unicast address. An attacker can then attack individual nodes from any location, bypassing anycast addressing methods. This same method works on some, but not all, IPv4 anycast addresses. RFC 2373 also restricted anycast IPv6 addresses to routers only. However, both of these restrictions were lifted in RFC 4291.
Authentication of anycast transmissions may solve this problem.
Local and global nodes
Some anycast deployments on the Internet distinguish between local and global nodes to provide benefit for the direct local community, by addressing local nodes preferentially. An example is the Domain Name System. Local nodes are often announced with the no-export BGP community to prevent hosts from announcing them to their peers, i.e. the announcement is kept in the local area. Where both local and global nodes are deployed, the announcements from global nodes are often AS-prepended (i.e. the AS is added a few more times) to make the path longer, so that a local node announcement is preferred over a global node announcement.
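To make the reliability and local/global node mechanics above concrete, here is a small simulation of simplified BGP best-path selection (shortest AS path) over a constructed transit graph: the local node is announced with no-export, the global nodes are AS-prepended, and a failed heartbeat withdraws the route. This is an added illustration, not code from the article; the prefix, AS numbers, site names and topology are all constructed.

```python
"""Simplified anycast route selection: AS-path prepending, the no-export
community and heartbeat withdrawal. Added illustration, not the article's
code; prefix, AS numbers and topology are constructed."""
from collections import deque
from dataclasses import dataclass

ANYCAST_PREFIX = "192.0.2.0/24"  # constructed; RFC 5737 documentation range

@dataclass
class Announcement:
    node: str                # anycast site originating the prefix
    origin_as: int           # the anycast operator's AS
    upstreams: tuple         # transit ASes this site announces to
    prepend: int = 0         # extra copies of origin_as (global nodes)
    no_export: bool = False  # local nodes: upstream must not re-advertise
    healthy: bool = True     # result of the external heartbeat check

    def as_path(self):
        return [self.origin_as] * (1 + self.prepend)

def propagate(announcements, peerings, heartbeat=True):
    """Path-vector flood over the transit graph -> {asn: {node: as_path}}.
    heartbeat=True withdraws a failed site's route; heartbeat=False keeps
    announcing it, which is the black-hole failure mode."""
    routes = {asn: {} for asn in peerings}
    queue = deque()
    for ann in announcements:
        if heartbeat and not ann.healthy:
            continue  # withdrawn: nobody learns a path to the dead site
        for up in ann.upstreams:
            routes[up][ann.node] = ann.as_path()
            if not ann.no_export:  # no-export: the upstream keeps it local
                queue.append((up, ann.node, [up] + ann.as_path()))
    while queue:
        sender, node, path = queue.popleft()
        for nbr in peerings[sender]:
            if nbr in path:  # BGP loop prevention
                continue
            old = routes[nbr].get(node)
            if old is None or len(path) < len(old):
                routes[nbr][node] = path
                queue.append((nbr, node, [nbr] + path))
    return routes

def best_node(routes_at_as):
    """Shortest AS path wins (simplified best-path); ties by node name."""
    if not routes_at_as:
        return None
    return min(routes_at_as, key=lambda n: (len(routes_at_as[n]), n))

def reachability(announcements, peerings, heartbeat=True):
    """{asn: (node clients of that AS are sent to, True if it is alive)}."""
    alive = {a.node: a.healthy for a in announcements}
    result = {}
    for asn, r in propagate(announcements, peerings, heartbeat).items():
        node = best_node(r)
        result[asn] = (node, alive.get(node, False))
    return result

PEERINGS = {  # constructed transit graph: AS -> directly connected ASes
    64501: [64502, 64504],  # London ISP
    64502: [64501, 64503],  # Frankfurt ISP
    64503: [64502, 64504],  # Tokyo ISP
    64504: [64501, 64503],  # a London access network
}
SITES = [  # one local node (no-export) and two prepended global nodes
    Announcement("lon-local", 64500, (64501,), no_export=True),
    Announcement("fra-global", 64500, (64502,), prepend=2),
    Announcement("tyo-global", 64500, (64503,), prepend=2),
]
```

Calling `reachability(SITES, PEERINGS)` sends only AS 64501 to the local node (no-export keeps it out of the other ASes), while marking a global site unhealthy and re-running with `heartbeat=False` reproduces the black hole for that site's nearest clients only.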
External links
- Best Practices in IPv4 Anycast Routing Tutorial on anycast routing configuration.
- DNS Service Architectures Packet Clearing House paper on the use of anycast addressing in the construction of DNS service architectures.
- Anycast Performance Analysis of the performance and geographic specificity of anycast DNS servers.
- Anycast Addressing on the Internet
- Distributing Authoritative Name Servers via Shared Unicast Addresses, IETF RFC describing the distribution of authoritative DNS servers using anycast.
- Operation of Anycast Services, IETF RFC offering advice on how to deploy services using anycast.
- Hierarchical Anycast for Global Service Distribution, ISC document on anycast
- Effect of anycast on K-root, presentation by Lorenzo Colitti (RIPE NCC) at DNS-OARC in July 2005
- The Impact of anycast on Root DNS Servers: The Case of K-root, presentation by Lorenzo Colitti (RIPE NCC) at RIPE 52 in April 2006
- ICANN DNS Attack Fact Sheet, report by ICANN on how the anycast technology contributed to the resistance against the DDoS attack on the DNS root servers on 6 February 2007
- Architectural Considerations of IP Anycast, IETF working document
- A Whitepaper on DNS Anycast, Dell/TCPWave DNS Appliances