To: Randy Bush <randy@psg.com>
Cc: dnsop@cafax.se
From: Patrik Fältström <paf@cisco.com>
Date: Mon, 4 Nov 2002 16:45:35 +0100
In-Reply-To: <E188j8y-000Bdu-00@rip.psg.com>
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast
On Monday, Nov 4, 2002, at 16:28 Europe/Stockholm, Randy Bush wrote:

>>>> When _people_ see problems with data from one IP address, they call
>>>> whatever party is responsible for that IP address.
>>> no, they call their isp. the vast majority of them wouldn't know
>>> an ip address if it bit them on the butt.
>> Who do people at the ISP call?
>
> when it is a dns problem, their dns folk.

No, not if the DNS problem has to do with problems at a DNS server they don't have inside their network.

> do remember that this
> happens today and has been happening for many years. isps have
> been using anycast dns for many years.

Yes, but not for what we are now discussing, if I understand things correctly. See my question below.

Also, when you say "isps", you are using a very very very broad brush, and that argument doesn't help in this discussion.

>> Say I buy IP from ISP A, which in turn buys transit from B which
>> buys transit from C. If C internally has an anycast copy of IP
>> address 1.2.3.4, and I send a packet to that address, will the
>> packet go to the copy of the 1.2.3.4 address at ISP C, or to ISP
>> D where the "original" is, the one which is mentioned in whois?
>
> first, this is the same problem as any transitive service.
>
> second, as many of us have repeatedly said, routing of anycast
> addresses has to be appropriately scoped, as it has to be today.
> it would be useful to have a discussion of 'appropriately' if we
> could stop ratholing on other issues.

I thought I had a very specific question?

Default route for ISP A is to B, for B is to C. If C _internally_ has a copy of the IP address 1.2.3.4 for its own use, will traffic from B to C reach that server, or the real 1.2.3.4 which is at D, which B asks C to transit traffic to?

    Customer -> A -> B -> C ----> D
                          |       |
                          v       v
                       1.2.3.4  1.2.3.4

I.e. it is one thing if ISP C has multiple copies of server 2.3.4.5 which it owns, and all copies are within the AS of ISP C. My scenario is something different.
I talk about ISP C hijacking traffic which B thinks should go to D, and it goes to C instead.

My view is that this _is_ ok, if both copies of 1.2.3.4 are handled by the same organization, so when A or B calls the organization, they can check both servers and see they are in sync.

    paf
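The following is an added example, not part of the thread above: a small model of the scenario in the message, worked through under the standard BGP decision process (highest LOCAL_PREF wins, then the shortest AS_PATH). It assumes ISP C originates its internal anycast copy of the 1.2.3.0/24 prefix itself and tags it NO_EXPORT so the announcement stays inside C's AS; the AS numbers and prefix are constructed placeholders. It shows two things a transit provider would want to check separately: what C announces to B (the scoping question), and where C actually delivers a packet that B hands it for 1.2.3.4.

```python
"""Added example (not from the dnsop thread): toy BGP best-path model for
the "copy of 1.2.3.4 inside ISP C" scenario.

Assumptions (mine, not the page's): C applies the standard decision
steps LOCAL_PREF -> AS_PATH length; the ASN and prefix are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

NO_EXPORT = "no-export"   # well-known community: do not announce outside this AS
AS_D = 65004              # constructed placeholder ASN for ISP D


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str            # "D" = hand to ISP D; "local" = server inside C
    as_path: tuple           # () means C originated the route itself
    local_pref: int = 100
    communities: frozenset = field(default_factory=frozenset)


# Route C learns from D (the "original" 1.2.3.4 that whois points at).
ROUTE_VIA_D = Route("1.2.3.0/24", next_hop="D", as_path=(AS_D,))

# C's own anycast copy, scoped with NO_EXPORT so B never hears about it.
LOCAL_ANYCAST = Route("1.2.3.0/24", next_hop="local", as_path=(),
                      communities=frozenset({NO_EXPORT}))


def best_path(routes):
    """BGP best path: highest LOCAL_PREF, then shortest AS_PATH."""
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path)))


def lookup(rib, dst):
    """Longest-prefix match first, then best path among the survivors."""
    dst = ip_address(dst)
    matching = [r for r in rib if dst in ip_network(r.prefix)]
    if not matching:
        return None
    longest = max(ip_network(r.prefix).prefixlen for r in matching)
    return best_path([r for r in matching
                      if ip_network(r.prefix).prefixlen == longest])


def c_rib(local_copy):
    """C's routing table with or without its internal anycast instance."""
    return [ROUTE_VIA_D] + ([LOCAL_ANYCAST] if local_copy else [])


def announced_to_b(local_copy):
    """What C exports to its customer B: NO_EXPORT routes are withheld."""
    return [r for r in c_rib(local_copy) if NO_EXPORT not in r.communities]


def forward_from_c(local_copy):
    """Where C delivers a packet for 1.2.3.4 that B handed it in transit."""
    return lookup(c_rib(local_copy), "1.2.3.4").next_hop


if __name__ == "__main__":
    for local_copy in (False, True):
        print(f"local copy at C: {local_copy}")
        print("  announced to B:", [r.next_hop for r in announced_to_b(local_copy)])
        print("  packet from B for 1.2.3.4 goes to:", forward_from_c(local_copy))
```

With the local copy present, B still sees only the path via D, so the announcement is "appropriately scoped" in the sense of not leaking; but because B's default route points at C, and C's own origination has an empty AS_PATH, a transit packet for 1.2.3.4 terminates on C's instance. That is why the message's condition matters: an operator troubleshooting from A or B can only reason about both instances if one organization runs both and can confirm they serve the same data.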