To: dnsop@cafax.se
cc: dns@ip.tele.dk
From: Måns Nilsson <mansaxel@sunet.se>
Date: Mon, 04 Nov 2002 20:44:35 +0100
Content-Disposition: inline
In-Reply-To: <7588BEEC-F00C-11D6-868E-0003934B2128@cisco.com>
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --On Monday, November 04, 2002 16:45:35 +0100 Patrik Fältström <paf@cisco.com> wrote:

> My view is that this _is_ ok, if both copies of 1.2.3.4 are handled by the
> same organization, so when A, or B calls the organization, they can check
> both servers and see they are in sync.

I think this is a wise precaution. Anycast holds a lot of promise, but as always with the latest and greatest, there is risk. Mitigating this risk by keeping the controls quite tight is good.

Having said this, I notice that most of the Internet around me seems to be served by a "rogue" AS112 machine[0], not listed on the as112.net home page, and not set up to the usual AS112 standards, so this control is probably impossible to enforce.

I however still think that we ought to try to get as many anycast servers for the crucial zones (esp. root) as possible to comply with some kind of cooperative control scheme. Seek them out and have them join the flock.

- -- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE

We're sysadmins. To us, data is a protocol-overhead.

[0]
$ traceroute blackhole-1.iana.org.
traceroute to blackhole-1.iana.org (192.175.48.6), 64 hops max, 40 byte packets
 1 KTHNOC-1-GE6-0.sunet.se (192.36.125.1) 8.780 ms 2.465 ms 2.438 ms
 2 stockholm1-SRP4.sunet.se (130.242.94.8) 2.688 ms 2.644 ms 2.598 ms
 3 s-gw.nordu.net (193.10.252.181) 2.749 ms 3.989 ms 2.883 ms
 4 dk-gw2.nordu.net (193.10.68.38) 11.100 ms 10.912 ms 15.517 ms
 5 sl-gw10-cop-9-0.sprintlink.net (80.77.65.25) 24.712 ms 24.357 ms 16.482 ms
 6 sle-teledanm-1-0.sprintlink.net (80.77.65.30) 13.202 ms 11.21 ms 11.579 ms
 7 so-1-2-3.622M.albnxu1.ip.tele.dk (195.249.7.66) 13.539 ms 28.26 ms 11.936 ms
 8 so-0-0-0.2488M.arcnxu1.ip.tele.dk (195.249.7.237) 15.998 ms 17.719 ms 21.30 ms
 9 pos8-0.2488M.arcnxg1.ip.tele.dk (195.249.7.117) 14.765 ms 14.304 ms 14.780 ms
10 blackhole-1.iana.org (192.175.48.6) 19.989 ms 28.793 ms 23.670 ms
$

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9xs4t02/pMZDM1cURAjXzAJwP7s+GIxYBey4gGXeWb3gzFCxWVgCfflN/
bitXv6ZEmObEX/1tx3X4B9U=
=V5RA
-----END PGP SIGNATURE-----
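
Added example, not part of the original message: one way to turn the traceroute check in footnote [0] into a repeatable test of which network hosts the anycast instance answering from a given vantage point. The function names and the `listed_suffixes` allow-list are assumptions for illustration (the as112.net operator list is not reproduced on this page), and the sample input is constructed from the last hops of the trace above.

```python
import re

# Constructed sample: the final hops of the traceroute quoted in the message.
SAMPLE = """\
 7 so-1-2-3.622M.albnxu1.ip.tele.dk (195.249.7.66) 13.539 ms 28.26 ms 11.936 ms
 8 so-0-0-0.2488M.arcnxu1.ip.tele.dk (195.249.7.237) 15.998 ms 17.719 ms 21.30 ms
 9 pos8-0.2488M.arcnxg1.ip.tele.dk (195.249.7.117) 14.765 ms 14.304 ms 14.780 ms
10 blackhole-1.iana.org (192.175.48.6) 19.989 ms 28.793 ms 23.670 ms
"""

# "<ttl> <hostname> (<ipv4>) ..." as printed when reverse lookups are enabled.
HOP = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_hops(text):
    """Return [(ttl, hostname, ip)] for hops that answered; '* * *' lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2).rstrip(".").lower(), m.group(3)))
    return hops

def upstream_of(hops, anycast_ip):
    """Router exactly one TTL before the anycast address, or None if not visible."""
    for i, (ttl, _, ip) in enumerate(hops):
        if ip == anycast_ip:
            # A TTL gap means the real upstream did not answer: do not guess.
            if i > 0 and hops[i - 1][0] == ttl - 1:
                return hops[i - 1]
            return None
    return None  # trace never reached the anycast address

def check_instance(text, anycast_ip, listed_suffixes):
    """Classify the instance seen from this vantage point by its upstream router name."""
    hop = upstream_of(parse_hops(text), anycast_ip)
    if hop is None:
        return ("unknown", None)
    host = hop[1]
    # listed_suffixes: hypothetical allow-list of DNS suffixes of known operators.
    listed = any(host == s or host.endswith("." + s) for s in listed_suffixes)
    return ("listed" if listed else "unlisted", host)
```

The reverse-DNS name of the upstream router is only a hint about who hosts the instance; an "unlisted" result is a prompt to contact that network, not proof of misbehaviour.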