

To: Brad Knowles <brad.knowles@skynet.be>
CC: Bruce Campbell <bruce.campbell@ripe.net>, dnsop@cafax.se
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Wed, 6 Nov 2002 08:08:08 +0859 ()
In-Reply-To: <a05200d03b9ecc39c852f@[10.0.1.3]> from Brad Knowles at "Nov 4,2002 06:40:08 pm"
Sender: owner-dnsop@cafax.se
Subject: Re: DoS and anycast

Brad;

> >  *sigh*.  'Anycast' just means that a given route is advertised by multiple
> >  points (could be the same entity, could be different entities).  Your
> >  normal BGP path-selection algorithms choose the 'nearest' server based on
> >  the shortest path that your router sees.
> 
> 	Right, but if the route changes in the middle of the session, 
> you'll get a TCP connection reset by the different server, and you'll 
> have to start that conversation all over again.  UDP survives anycast 
> since it's a single packet.  TCP won't do so reliably, and therefore 
> it is not practical to try to use TCP anycast.

For queries, which are short, TCP is fine.

For zone transfer, it is insecure to rely on anycast addresses.

If you are supplied forged data, you can't later identify which
identity supplied it.

Use the unicast address of the anycast server; the details are
described in my ID.

							Masataka Ohta
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
