Deploying IP Anycast

Kevin Miller
Carnegie Mellon Network Group
[email protected]
NANOG 29 October 2003

Overview
Why anycast?

Server load balancing

Service reliability
Client transparency
Locality / latency improvements
Distributed response to DoS

Assume experience with unicast

routing
http://www.net.cmu.edu/pres/anycast
2

Agenda
What is Anycast?
Deploying IPv4 anycast services
Anycast usage case studies
Advanced Topics

Not Unicast
Unicast: Single host receives all traffic

Not Multicast
Multicast: Many hosts receive (all) traffic
to multicast group

Anycast
Multiple nodes configured to accept
traffic on single IP address
Usually, one node receives each
packet
Packet could be dropped like any other
Preferably only one node receives
packet, but no absolute guarantee

The node that receives a specific

packet is determined by routing.
6

Anycast
Three nodes configured with
anycast address (10.5.0.1)

Anycast
Potentially equal-cost multi-path

Anycast
Sequential packets may be
delivered to different anycast
nodes

Anycast
Traffic from different nodes may
follow separate paths

10

Anycast
Server receiving a packet is
determined by unicast routing
Sequential packets from a client to
an anycast address may be
delivered to different servers
Best used for single
request/response type protocols

11

Anycast
Clients, servers, and routers
require no special
software/firmware
Does not negatively interfere with
existing networks
Just leveraging existing
infrastructure

12

Anycast Documented
Concept discussed in RFC1546
(11/93)
Current practices have evolved from
operational experience
CIDR eliminated a hurdle from 1546

Evolution is briefly documented in

RFC2101 (2/97)
Anycast DNS noted in RFC2181 (7/97)
Reply source address must match
request dest address
13

Anycast Documented
IPv6 anycast different, will discuss later

Architecture (RFC1884, now RFC3513)

Reserved anycast addresses (RFC2526)
Anycast v4 prefix for 6to4 routers (RFC3068)
Source address selection (RFC3484)
DHCP (RFC3315)

Anycast authoritative name service

(RFC3258)
Anycast for multicast RP (RFC3446)
ISC Technote (ISC-TN-2003-1)
Term anycast used in 51 RFCs total
14

Agenda
Deploying IPv4 anycast
services

15

Address selection
Host configuration
Service configuration
Network configuration
Monitoring and using anycasted
service

Address Selection
Current practice is to assign anycast
addresses from unicast IP space
Designate small subnet(s) for anycast
use
Consider best practices of inter-domain
routing announcements
/24 is a popular selection
Subnet may not be attached to any
interface
16

Host Configuration
Hosts need to be configured to
accept traffic to anycast address
Want to maintain a unique
management address on each host
Typically, anycast addresses are
configured as additional loopbacks
Make sure ingress filters are
updated!
17

Configuring Addresses
Linux
# ifconfig lo:1 10.5.0.1 netmask 255.255.255.255 up
# ifconfig lo:1
lo:1
Link encap:Local Loopback
inet addr:10.5.0.1 Mask:255.255.255.255
UP LOOPBACK RUNNING MTU:16436 Metric:1

OpenBSD
# ifconfig lo0 alias 10.5.0.1 netmask 255.255.255.255
# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
inet 127.0.0.1 netmask 0xff000000
inet 10.5.0.1 netmask 0xffffffff

18

Configuring Addresses
Solaris
# ifconfig lo0 addif 10.5.0.1/32 up
Created new logical interface lo0:1
# ifconfig lo0:1
lo0:1: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4>
inet 10.5.0.1 netmask ffffffff

19

Network Configuration
Correctly configuring the network
may be the trickiest aspect of
anycast
Intra-domain vs. inter-domain
configuration

20

Intra-Domain
Configuration
If the anycasted service is entirely
within your routing domain, only
intra-domain consideration is
needed
All anycast nodes are within domain
Or multiple intra-domain locations

Need to configure routing to deliver

anycast traffic to servers
21

Static IGP Routes

Simple: configure static routes on firsthop routers (host routes)
Ensure routes are propagated through
domain

22

Static IGP Routes

Simple to configure
Doesnt respond quickly to server
failure
Provides the ability to relocate
servers without service outage,
though

23

Dynamic IGP Routes

Run a host-based routing daemon
on anycast servers
GateD
Zebra/Quagga

Host itself is route originator

When host is down, route is
withdrawn
Leverages routing infrastructure
24

Dynamic IGP Routes

Each host announces route to IGP cloud

25

Dynamic IGP Routes

Configuration obviously specific to
IGP
Connected route redistribution, if
anycast addresses are host loopbacks

Host up doesnt imply service is up

Want a mechanism for withdrawing
routes automatically when service is
unusable
26

Inter-Domain
Configuration
Follow traditional BGP operating
rules
Announce from a consistent origin AS
Advertise the service/anycast
supernet
Limit route flapping
Provider-independent IP space

27

Inter-Domain
Configuration
Intra-domain routing must be
correct
Servers can be iBGP peered; network
style announcement on the host
Can use IGP with redistribution

Withdraw routes when service is

unavailable at a particular location

28

Inter-Domain
Configuration
Some deployments distinguish global
nodes from local nodes
Global nodes are announced without limitation;
upstream provides transit
Local nodes add no-export community to
limit the clients that will use the node

Why?
Money (global/local imply different
relationships)
Node stability, capabilities (due to service
area)
29

Inter-Domain
Configuration
AS6551
AS6551
55
End
End
Site
Site

Global 1
10.5.0.1/24
AS65500
AS65510
AS65510
Transit
Transit
Peer
Peer

AS65530
AS65530
NoExport
NoExport
Peer
Peer

30

AS6553
AS6553
55
End
End
Site
Site

AS6550
AS6550
55
End
End
Site
Site

AS6550
AS6550
11
Transit
Transit

AS6552
AS6552
00
NoExpor
NoExpor
Local
tt 1
10.5.0.1/24
AS65500

AS6552
AS6552
55
End
End
Site
Site

Service Configuration
Obviously depends on implementation
Configure service to listen on anycast IP
Most require no special configuration
Verify that service responds from anycast
address when queried
May want to limit service to listen only on
anycast IP address

Assume: identical service by each

server
31

Anycast Address Use

Clients told to use anycast
addresses
Anycast service configured by
name
Authoritative DNS, Syslog, Kerberos
Can use round-robin DNS for
;; ANSWER SECTION:
additional redundancy
ns1.example.com.
86400 IN
A
10.5.0.1
32

Anycast Address Use

Caching DNS Service
Assign server addresses by DHCP, PPP,
word of mouth
Note the poor behavior of OS stub
resolvers
The first configured DNS Server is tried on
every query
Results in multi-second delays for many
queries
Perfect opportunity for anycast
33

Monitoring
Monitoring is more complicated
Could monitor the unique (nonanycast) IPs, but doesnt verify the
actual service
Monitoring the anycast (service) IP
cant be done centrally
Distributed monitoring needed for
distributed service
Also want to monitor routes
34

Agenda
What is Anycast?
Deploying IPv4 anycast services
Anycast usage case studies
Advanced Topics

35

Anycast in Action
Authoritative DNS
AS 112
Root Servers: F, I, K, others
.ORG Top Level Domain

Caching DNS
Anycast for Multicast RP
Anycast Sink Holes
6to4 routers (RFC3068)
36

AS112 Project
Problem: Many clients try queries and
updates for/to RFC1918/link local
reverse zones
Goal: Reduce unnecessary root server
load from these queries/updates
Solution: Delegate reverse zones to
anycasted black-hole servers.
www.as112.net
37

AS112 Project
Black-hole servers use IPs in
192.175.48.0/24

Announced from 16 locations

worldwide
Common origin AS112

38

Configuring BGP
One Vendor..
router bgp 112
bgp router-id 192.175.48.254
network 192.175.48.0
neighbor PEER_IP remote-as PEER_AS
neighbor PEER_IP ebgp-multihop
neighbor PEER_IP next-hop-self

[http://www.chagreslabs.net/jmbrown/research/as
112/]

Another Vendor..
policy-statement advertise-aggregate {
term first-term {
from protocol aggregate;
then accept;
}
term second-term {
from route-filter 192.175.48.0/24 longer;
then reject;
}
}
[continued]
39

Configuring BGP
Another Vendor..
# set routing-options aggregate route 192.175.48.0/24
[edit
# set
# set
# set
# set

40

protocols bgp group 112]

export advertise-aggregate
type external
peer-as PEER_AS
neighbor PEER_IP

AS112 Project
BIND Configuration
zone 10.in-addr.arpa { type master; file db.RFC-1918; };
zone 254.169.in-addr.arpa { type master; file db.RFC-1918; };
...

Zone File: db.RFC-1918

$TTL 300
@ IN SOA prisoner.iana.org. hostmaster.root-servers.org. (
2002040800 30m 15m 1w 1w )
NS blackhole-1.iana.org.
NS blackhole-2.iana.org.
[http://www.chagreslabs.net/jmbrown/research/as
112/]

41

Root Servers
Problems:
Low concentration of root servers outside
the US (high latency, higher cost links)
DoS attacks hurt the root servers and
infrastructure in between
Cant just add more NS records to root zone

Goal: Add root servers to

underrepresented areas of the world
Solution: Use inter-domain anycast to
serve existing root server IP addresses
42

Root Servers
F root server (ISC) anycasted
First cloned node announced Nov.
2002
Now have 12 locations
Common origin AS3557
Second hop AS for local nodes also
assigned to the ISC

Global Node AS Path Local Node AS Path (Ex)

... 3557 3557 3557

43

... 23709 3557

.ORG Top Level Domain

Recent NANOG discussion analyzing
anycast use for .ORG
Suggestion of an outage at one
location
the monitors that test each of the
anycast nodes reported no outages

DNS provided by 2 anycast servers

(204.74.112.1, 204.74.113.1)
Two /24s; different transit providers
Eleven total second-hop ASs
44

.ORG Top Level Domain

Highlights anycast lessons
Operators will encounter anycast
Different locations, different experiences

Service availability and routing

announcements are coupled
Consider reliability mechanisms built
into service they can help or hurt

45

Caching DNS
Problems:
Hosts respond poorly when caching
nameserver is unreachable
Caching NS is hard to re-IP (static
configs)

Goal: Always have caching DNS

service on first client-configured IP
Solution: Use anycasted servers;
configure anycast IPs on clients
46

Caching DNS
We designated 128.2.1.0/26 for intradomain anycast use (from our IP
space)
Two caching server IPs: 128.2.1.10,
128.2.1.11

Using BIND9
Configured on 4 servers; 6 interfaces
Addresses assigned by DHCP, PPP
47

Caching DNS
Each server runs host-based
routing daemon (Quagga) to join
OSPF cloud
Using OSPF NSSA areas to hosts
Minimizes the number of routes on the
servers
Enables multiple interfaces on servers
in separate NSSA areas but no
forwarding through server
48

Caching DNS Config

BIND 9 Changes
options {
listen-on { 128.2.1.10; 128.2.1.11; };
query-source address 128.2.4.21;
};

Upstream Router Changes

router ospf 1
area 0.0.0.0 authentication message-digest
area 128.2.4.0 authentication message-digest
area 128.2.4.0 nssa default-information-originate no-summary
network 128.2.4.0 0.0.0.63 area 128.2.4.0
network 128.2.0.0 0.0.255.255 area 0.0.0.0

49

Caching DNS Config

BIND 9 Changes
options {
listen-on { 128.2.1.10; 128.2.1.11; };
query-source address 128.2.4.21;
};

Note generic lesson:

sureChanges
servers arent
UpstreamMake
Router
router ospf 1sourcing non-response
area 0.0.0.0 authentication
message-digest
traffic from anycast
area 128.2.4.0 authentication
addresses. message-digest

area 128.2.4.0 nssa default-information-originate no-summary

network 128.2.4.0 0.0.0.63 area 128.2.4.0
network 128.2.0.0 0.0.255.255 area 0.0.0.0

50

Caching DNS Config

Upstream Router, Said Another Way
[edit protocols ospf]
area 4 {
nssa {
area-range 128.2.4.0/26;
default-lsa {
default-metric metric;
type-7;
}
no-summaries;
}
authentication-type md5;
interface interface;
}

51

Host-Based Router
Config

quagga.conf

ospfd.conf

interface eth0
ip address 128.2.4.21/26
!
interface lo:1
ip address 128.2.1.10/32
!
interface lo:2
ip address 128.2.1.11/32

interface eth0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 [key]
!
router ospf
ospf router-id 128.2.4.21
ospf abr-type cisco
compatible rfc1583
area 128.2.4.0 authentication message
area 128.2.4.0 nssa
network 128.2.4.21/26 area 128.2.4.0
redistribute connected
distribute-list 50 out connected
!
access-list 50 permit host 128.2.1.10
access-list 50 permit host 128.2.1.11

52

Multicast RP
Problem:
PIM-SM specifies one active RP per multicast
group at a time
A routing domain may be too large for this to be
feasible (RP on the other coast)
Slow failover if RP fails
Not directly possible for shared-tree load
balancing

Goal: Multiple RPs for same group within a

routing domain
Solution: Use anycast addresses for RP
(RFC3446)
53

Multicast RP
Designate more than one RP
Assign anycast address as loopback
on each RP
Configure all other routers to use
anycast address as RP for all groups
Setup MSDP mesh among all RPs
(using unique addresses)
RP address cannot be used in SA
messages
54

Multicast RP
RP Routers
interface Loopback0
description Router Management
ip address 10.2.4.249 255.255.255.255
ip pim sparse-mode
interface Loopback1
description Anycast RP Interface
ip address 10.2.1.130 255.255.255.255
ip pim sparse-mode
!
ip msdp peer 10.2.4.248 connect-source Loopback0
ip msdp peer 10.2.4.250 connect-source Loopback0
ip msdp mesh-group CMU-MSDP 10.2.4.248
ip msdp mesh-group CMU-MSDP 10.2.4.250
ip msdp cache-sa-state
ip msdp originator-id Loopback0

Non-RP Routers
ip pim rp-address 10.2.1.130 override
ip pim accept-rp 10.2.1.130

55

Multicast RP

56

RP Routers

Non-RP Routers

[edit interfaces lo0 unit 0 family inet]

# set address 10.2.4.249/32
# set address 10.2.1.130/32
[edit protocols pim]
rp {
local {
address 10.2.1.130;
}
}
interface all {
mode sparse;
version 2;
}
[edit protocols msdp]
group CMU-MSDP {
local-address 10.2.4.249;
mode mesh-group;
peer 10.2.4.248;
peer 10.2.4.250;
}

[edit protocols pim]

rp {
static {
address 10.2.1.130 {
version 2;
}
}
}

Multicast RP
Non-Anycast RP
Single RP for
Group(s)

Source
RP

RP might be
inconvenient
for shared
tree

Receiver
57

eBGP,
MBGP
Speaking
Routers

Multicast RP
Anycast RP
MSDP
Mesh,
Unique
Addresses

RP

Receiver
58

RP

Multiple RPs
for same
group(s)

Can optimize
RP placement
for locality

Source

RP
eBGP,
MBGP
Speaking
Routers

Anycast Sinkholes
Problem: Homeless network traffic (e.g.
turbo worms, backscatter, etc) can cause
problems for core routers to sink;
sinkholes help but also dont want to
send traffic across large network to sink
Goal: Want to be able to forward traffic to
multiple sinkhole points for analysis
Solution: Use anycast to enable
distributed sinkholes throughout a large
network
59

Anycast Sinkholes
Traffic can be directed to sinkhole via:
default route
pieces of unused IP space
BGP next-hop triggering, ex: for DoS victims

Multiple sinkholes can be deployed using

anycast as sinkhole destination address
Very good slides by Greene, McPherson
(see resources page for links)

60

6to4 Routers
Problem: Connecting islands of v6
across existing v4 infrastructure
involves 6to4 relay routers
Goal: Provide an easy way for end
sites to locate relays into the native
v6 world
Solution: Use a well-known IPv4
anycast prefix for 6to4 relay routers
61

6to4 Routers
Native IPv6 Site
Using 6to4
Prefix
6to4
R

IPv4 Backbone

Advertise
0::/0
internally
6to4
RR

Advertise
anycast v4 6to4
prefix
192.88.99.0/24
IPv6 Backbone
62

6to4
RR

Advertise
2002::/16
to
v6
backbone

TCP-Based Services
Unwise to use anycast for long-term
TCP services, due to route changes
Experience shows that routes are
generally stable, though
Especially inter-domain, due to routing
protocols
Equal cost load balancing would cause
problems
But, routers often do flow path caching

63

TCP-Based Services
Very few knobs to direct traffic in
response to server load, as well
as long as you don't make silly assumptions about client
locality based on "which anycasted server heard it", such that
you give back incoherent answers in hopes that they will be
somehow client-optimal, bgp-anycast isn't even
controversial at this point in time.
- Paul Vixie, 4/03

64

Other (Potential) Uses

NTP/Time
Syslog
RADIUS
Kerberos
Single packet request-response
UDP protocols are easy

65

Agenda
What is Anycast?
Deploying IPv4 anycast services
Anycast usage case studies
Advanced Topics
Multi-homed hosts
IPv6

66

Multi-Homed Hosts
Multi-homing at the host physical
interface
Can be used with anycast addressing
Special case: single multi-homed host
configured with anycast address

67

More appropriately a service address

Server redundancy, no service separation
Much of the same configuration
Additional complications with default
route

IPv6 Anycast
IPv6 Anycast, per RFC3513, is different
from shared-unicast addressing (what
were calling anycast)
3513: Eliminate constraints on routing
infrastructure, upper-layer protocols
Decouple Anycast from any thought about
TCP/UDP (and still make it work)
Shared Unicast IPv6 would generally map
from v4 experiences

Hagino, Ettikan draft addresses the

differences and limitations
68

3513 vs Shared Unicast

Issue

69

RFC3513
Anycast

Shared Unicast

Identifying
anycast
dest.

Same address format

as unicast

Same address format

as unicast

Deterministi
c
packet
delivery

None seq. packets

may reach diff. hosts

None seq. packets

may reach diff. hosts

Anycast
host
addresses

Disallowed; routers
only

No restriction

Anycast as
Disallowed
source addr.
IPsec

Required for current

operational use

Difficult instability of Difficult instability of

3513 vs Shared Unicast

Issue
Identifying
anycast
dest.

70

RFC3513
Anycast

Shared Unicast

Why?
Questions
hostsformat
Same address
format about
Samehow
address
into domain.
as unicast announce routes
as unicast
Shared-unicast solutions apply.

Deterministi
c
packet
delivery

None seq. packets

may reach diff. hosts

None seq. packets

may reach diff. hosts

Anycast
host
addresses

Disallowed; routers
only

No restriction

Anycast as
Disallowed
source addr.
IPsec

Required for current

operational use

Difficult instability of Difficult instability of

3513 vs Shared Unicast

Issue
Identifying
anycast
dest.
Deterministi
c
packet
delivery

Anycast
host
addresses

71

RFC3513
Anycast

Same address format Same address format

as unicast
as
unicast
Why?
Anycast addresses dont uniquely
None seq. packets
identify source
None
node.
seq.
Trying
packets
to
may reach define
diff. hosts
may reach
diff. hosts
most generic
solution
at IP
layer.
Disallowed; routers
only

Anycast as
Disallowed
source addr.
IPsec

Shared Unicast

No restriction

Required for current

operational use

Difficult instability of Difficult instability of

IPv6 Anycast
Improvements
Allow hosts to have 3513 Anycast addresses
Just need to define mechanism(s) for announcing
routes into domain

Provide deterministic endpoint with anycast

Could use routing header specifying non-anycast
address as intermediate hop

Anycast address as source address?

Source address is unique machine address
Home address option of Anycast address
Would break semantic equality of source
address/home address
72

IPv6 Anycast Protocol

Issues
3513 and UDP
DNS, etc. require matching source
address as queried destination
Use better security and drop the checks

3513 and TCP

Connections identified by address/port
pair of source/destination
Provide a means for changing address of
connection/initiating new connection?
73

IPv6 Anycast General

Issues
With emphasis on route
aggregation, questions arise about
global inter-domain shared-unicast
3513 Anycast specifically: host
routes must be carried within
aggregation domain encompassing
all interfaces of specific Anycast IP

74

IPv6 Anycast Addresses

Reserved addresses/ranges (3513)
Subnet-Router Anycast Address
n bits

128-n bits

subnet prefix

0000000000000

Reserved Anycast Addresses

NonEUI-64
EUI-64
Local
75

n bits
subnet prefix
64 bits
subnet prefix

121-n bits

7 bits

11111111111

anycast ID

57 bits

7 bits

111111011..11 anycast ID

Summary
Anycast is relatively simple to
deploy in existing networks
Operators are finding new uses for
it in different areas
Look for some changes as v6
comes around

76

Questions?
Presentation resources:
http://www.net.cmu.edu/pres/anyca
st
Kevin Miller: [email protected]

77

Identifying Specific
Node
F Root Server
dig hostname.bind @f.root-servers.net chaos txt

K Root Server
dig id.server @k.root-servers.net chaos txt

.ORG TLD Servers

dig whoareyou.ultradns.net @tld1.ultradns.net
dig whoareyou.ultradns.net @tld2.ultradns.net

83