Anycast

Visualization of anycast routing.

Anycast is a network addressing and routing methodology in which a single IP address is shared by devices (generally servers) in multiple locations. Routers direct packets addressed to this destination to the location nearest the sender, using their normal decision-making algorithms, typically the lowest number of BGP network hops. Anycast routing is widely used by content delivery networks such as web and name servers, to bring their content closer to end users.

History

The first documented use of anycast routing for topological load-balancing of Internet-connected services was in 1989; [1] [2] the technique was first formally documented in the IETF four years later. [3] It was first applied to critical infrastructure in 2001 with the anycasting of the I-root nameserver. [2]

Early objections

Early objections to the deployment of anycast routing centered on the perceived conflict between long-lived TCP connections and the volatility of the Internet's routed topology. In concept, a long-lived connection, such as an FTP file transfer (which can take hours to complete for large files) might be re-routed to a different anycast instance in mid-connection due to changes in network topology or routing, with the result that the server changes mid-connection, and the new server is not aware of the connection and does not possess the TCP connection state of the previous anycast instance.

In practice, such problems were not observed, and these objections dissipated by the early 2000s. Many initial anycast deployments consisted of DNS servers, using principally UDP transport. [4] [2] Measurements of long-term anycast flows revealed very few failures due to mid-connection instance switches, far fewer (less than 0.017% [5] or "less than one flow per ten thousand per hour of duration" [1] according to various sources) than were attributed to other causes of failure. Numerous mechanisms were developed to efficiently share state between anycast instances. [6] Some TCP-based protocols, notably HTTP, incorporated "redirect" mechanisms, whereby anycast service addresses could be used to locate the nearest instance of a service, whereupon a user would be redirected to that specific instance prior to the initiation of any long-lived stateful transaction. [1] [7]

Internet Protocol version 4

Anycast can be implemented via Border Gateway Protocol (BGP). Multiple hosts (usually in different geographic areas) are given the same unicast IP address and different routes to the address are announced through BGP. Routers consider these to be alternative routes to the same destination, even though they are actually routes to different destinations with the same address. As usual, routers select a route by whatever distance metric is in use (the least cost, least congested, shortest). Selecting a route in this setup amounts to selecting a destination.

Internet Protocol version 6

Anycast is supported explicitly in the IPv6 addressing architecture. [8] The lowest address within an IPv6 subnet (interface identifier 0) is reserved as the "Subnet Router" anycast address. In addition, the highest 128 interface identifiers within a subnet are also reserved as anycast addresses. [9]
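The two reserved anycast forms described above can be derived mechanically from a /64 prefix. The following Python is an added example, not code from the article or from any referenced RFC: it builds the Subnet-Router anycast address (all-zero interface identifier, RFC 4291) and the reserved subnet anycast addresses (the highest 128 interface identifiers, RFC 2526, which lays them out as 57 one-bits followed by a 7-bit anycast ID, with the universal/local bit cleared in the EUI-64 form), and classifies an address within a subnet accordingly. The subnet `2001:db8:1::/64` is a constructed documentation prefix.

```python
import ipaddress

IID_MASK = (1 << 64) - 1
ANYCAST_ID_MASK = 0x7F
# RFC 2526 layout of a reserved subnet anycast interface identifier (IID):
#   57 bits                                                 | 7 bits
#   1111110111...1 (EUI-64 form, universal/local bit cleared) | anycast ID
#   1111111111...1 (all other IID forms)                      | anycast ID
EUI64_ANYCAST_BASE = 0xFDFFFFFFFFFFFF80
OTHER_ANYCAST_BASE = 0xFFFFFFFFFFFFFF80


def _subnet64(subnet):
    """Both reserved forms assume a 64-bit subnet prefix; reject anything else."""
    net = ipaddress.IPv6Network(subnet, strict=True)
    if net.prefixlen != 64:
        raise ValueError("reserved anycast IIDs assume a 64-bit subnet prefix")
    return net


def subnet_router_anycast(subnet):
    """Subnet-Router anycast address (RFC 4291): the prefix with an all-zero IID."""
    return _subnet64(subnet).network_address


def reserved_anycast(subnet, anycast_id, eui64=True):
    """Reserved subnet anycast address for a 7-bit anycast ID (RFC 2526)."""
    if not 0 <= anycast_id <= ANYCAST_ID_MASK:
        raise ValueError("anycast ID must fit in 7 bits")
    net = _subnet64(subnet)
    base = EUI64_ANYCAST_BASE if eui64 else OTHER_ANYCAST_BASE
    return ipaddress.IPv6Address(int(net.network_address) | base | anycast_id)


def classify(addr, subnet):
    """Return (kind, anycast_id) for an address relative to a /64 subnet."""
    net = _subnet64(subnet)
    a = ipaddress.IPv6Address(addr)
    if a not in net:
        return ("outside-subnet", None)
    iid = int(a) & IID_MASK
    if iid == 0:
        return ("subnet-router-anycast", None)
    high = iid & (IID_MASK ^ ANYCAST_ID_MASK)   # IID with the 7-bit ID cleared
    if high == EUI64_ANYCAST_BASE:
        return ("reserved-anycast-eui64", iid & ANYCAST_ID_MASK)
    if high == OTHER_ANYCAST_BASE:
        return ("reserved-anycast-other", iid & ANYCAST_ID_MASK)
    return ("unicast", None)


if __name__ == "__main__":
    # Constructed documentation prefix; ID 126 is the Mobile IPv6 home-agents
    # anycast ID assigned in RFC 2526.
    subnet = "2001:db8:1::/64"
    print("subnet-router:", subnet_router_anycast(subnet))
    print("home agents  :", reserved_anycast(subnet, 126))
    print(classify("2001:db8:1::1", subnet))
```

A practical use of `classify` is validating host configuration: a node that assigns itself an address in the reserved range (or the all-zero interface identifier) is claiming an anycast role, which an audit script can flag.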

Most IPv6 routers on the path of an anycast packet through the network will not distinguish it from a unicast packet, but special handling is required from the routers near the destination (that is, within the scope of the anycast address) as they are required to route an anycast packet to the "nearest" interface within that scope which has the proper anycast address, according to whatever measure of distance (hops, cost, etc.) is being used.

The method used in IPv4 of advertising multiple routes in BGP to multiply-assigned unicast addresses also still works in IPv6, and can be used to route packets to the nearest of several geographically dispersed hosts with the same address. This approach, which does not depend on anycast-aware routers, has the same use cases together with the same problems and limitations as in IPv4.

Applications

With the growth of the Internet, network services increasingly have high-availability requirements. As a result, operation of anycast services has grown in popularity among network operators. [10]

Domain Name System

All Internet root nameservers are implemented as clusters of hosts using anycast addressing. [11] All 13 root servers A–M exist in multiple locations, with 11 on multiple continents. (Root servers B and H exist in two U.S. locations.) [12] [13] [14] The servers use anycast address announcements to provide a decentralized service. This has accelerated the deployment of physical (rather than logical) root servers outside the United States. Many commercial DNS providers have switched to an IP anycast environment to increase query performance and redundancy, and to implement load balancing. [2]

IPv6 transition

In IPv4 to IPv6 transitioning, anycast addressing may be deployed to provide IPv6 compatibility to IPv4 hosts. This method, 6to4, uses a default gateway with the IP address 192.88.99.1. [15] This allows multiple providers to implement 6to4 gateways without hosts having to know each individual provider's gateway addresses. 6to4 has been deprecated [16] in response to native IPv6 becoming more prevalent.

Content delivery networks

Content delivery networks may use anycast for actual HTTP connections to their distribution centers, or for DNS. Because most HTTP connections to such networks request static content such as images and style sheets, they are generally short-lived and stateless across subsequent TCP sessions. The general stability of routes and statelessness of connections makes anycast suitable for this application, even though it uses TCP. [5] [1]

Connectivity between anycast and multicast networks

An anycast rendezvous point (Anycast RP) can be used with the Multicast Source Discovery Protocol (MSDP). Anycast RP is an intra-domain feature that provides redundancy and load sharing: when multiple rendezvous points share one anycast address, IP routing automatically selects the topologically closest rendezvous point for each source and receiver, which gives the multicast network the required fault tolerance. [17]

Security

Anycast allows any operator whose routing information is accepted by an intermediate router to hijack any packets intended for the anycast address. While this at first sight appears insecure, it is no different from the routing of ordinary IP packets, and no more or less secure. As with conventional IP routing, careful filtering of who is and is not allowed to propagate route announcements is crucial to prevent man-in-the-middle or blackhole attacks. The former can also be prevented by encrypting and authenticating messages, such as using Transport Layer Security, while the latter can be frustrated by onion routing.

Reliability

Anycast is normally highly reliable, as it can provide automatic failover without adding complexity or new potential points of failure. Anycast applications typically feature external "heartbeat" monitoring of the server's function, and withdraw the route announcement if the server fails. In some cases this is done by the actual servers announcing the anycast prefix to the router over OSPF or another IGP. If the servers die, the router will automatically withdraw the announcement. "Heartbeat" functionality is important because, if the announcement continues for a failed server, the server will act as a "black hole" for nearby clients; this is the most serious mode of failure for an anycast system. Even in this event, this kind of failure will only cause a total failure for clients that are closer to this server than any other, and will not cause a global failure. However, even the automation necessary to implement "heartbeat" routing withdrawal can itself add a potential point of failure, as seen in the 2021 Facebook outage.
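The failure modes described above (a dead instance that keeps announcing and so black-holes its nearest clients, heartbeat-driven withdrawal, and the withdrawal automation itself failing) can be made concrete in a small simulation. The following Python is an added example, not code from the article or from any anycast operator: the instances, clients and hop costs are constructed, and the health-check rule (withdraw only after three consecutive failed probes, so that a single lost probe does not flap the route) is an assumed policy rather than anything the article prescribes.

```python
# Constructed topology: three anycast instances and each client's distance
# (in hops) to every instance; a router picks the announced instance with the
# lowest metric.
INSTANCES = ("ams", "nyc", "sin")
CLIENTS = {
    "paris":  {"ams": 2,  "nyc": 7, "sin": 10},
    "boston": {"ams": 7,  "nyc": 1, "sin": 12},
    "tokyo":  {"ams": 11, "nyc": 9, "sin": 3},
}


def instance_healthy(probes, fail_threshold=3):
    """Heartbeat decision: an instance is considered down only after
    fail_threshold consecutive failed probes (assumed anti-flap policy)."""
    streak = 0
    for ok in probes:
        streak = 0 if ok else streak + 1
    return streak < fail_threshold


def announcements(healthy, heartbeat):
    """Which instances currently announce the anycast prefix. With heartbeat
    monitoring, failed instances have their route withdrawn; without it,
    every instance keeps announcing regardless of its state."""
    if heartbeat:
        return [i for i in INSTANCES if healthy.get(i, False)]
    return list(INSTANCES)


def route(client_costs, announced):
    """Nearest announced instance for one client, or None if nothing is announced."""
    live = [i for i in announced if i in client_costs]
    return min(live, key=lambda i: (client_costs[i], i)) if live else None


def serve(client, healthy, heartbeat):
    """Outcome for one client: the instance that serves it, 'blackholed@X' when
    the nearest announced instance is dead, or 'no route' when all are withdrawn."""
    target = route(CLIENTS[client], announcements(healthy, heartbeat))
    if target is None:
        return "no route"
    return target if healthy.get(target, False) else f"blackholed@{target}"


def simulate(healthy, heartbeat):
    """Outcome for every client under the given instance health map."""
    return {c: serve(c, healthy, heartbeat) for c in CLIENTS}


if __name__ == "__main__":
    nyc_down = {"ams": True, "nyc": False, "sin": True}
    print("static announcements :", simulate(nyc_down, heartbeat=False))
    print("heartbeat withdrawal :", simulate(nyc_down, heartbeat=True))
    # The automation as a failure point: a monitor that wrongly reports every
    # instance as failed withdraws every route and causes a global outage.
    print("monitor fault        :", simulate({i: False for i in INSTANCES}, heartbeat=True))
```

With static announcements only the clients nearest the dead instance lose service (a local, not global, failure, as the text says); with heartbeat withdrawal they fail over to the next-nearest instance; and a faulty monitor that withdraws everything is worse than either, which is why the withdrawal logic itself needs to be treated as a point of failure.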

Mitigation of denial-of-service attacks

In denial-of-service attacks, a rogue network host may advertise itself as an anycast server for a vital network service, to provide false information or simply block service.

Anycast deployments on the Internet can also be used to spread out distributed denial-of-service (DDoS) attacks and reduce their effectiveness: because traffic is routed to the closest node, a process over which the attacker has no control, the attack traffic is divided among the nodes closest to its sources, so not all nodes might be affected. This may be a reason to deploy anycast addressing. [18] The effectiveness of this technique depends upon maintaining the secrecy of any unicast addresses associated with anycast service nodes, however, since an attacker in possession of the unicast addresses of individual nodes can attack them from any location, bypassing anycast addressing methods. [19]

Local and global nodes

Some anycast deployments on the Internet distinguish between local and global nodes to benefit the local community, by addressing local nodes preferentially. An example is the Domain Name System. Local nodes are often announced with the no-export BGP community to prevent the receiving networks from announcing them to their peers, i.e. the announcement is kept in the local area. Where both local and global nodes are deployed, the announcements from global nodes are often AS-prepended (i.e. the announcing AS number is repeated several times in the AS path) to make the path longer, so that a local node announcement is preferred over a global node announcement. [20]
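The route-selection behaviour described in the IPv4 section ("selecting a route amounts to selecting a destination"), the route filtering called for in the Security section, and the no-export and AS-prepending policy for local and global nodes described just above can all be shown in one small model of BGP. The following Python is an added example, not code from the article or from any router vendor: the prefix `192.0.2.0/24`, the AS numbers and the authorized-origin table are constructed, and the model simplifies BGP by ranking candidate routes on AS-path length alone (real BGP also applies local preference and other tie-breakers first).

```python
from dataclasses import dataclass

ANYCAST_PREFIX = "192.0.2.0/24"   # constructed documentation prefix
NO_EXPORT = "no-export"            # well-known BGP community
OPERATOR_AS = 64500                # constructed private ASNs
LOCAL_ISP_AS = 64501
CUSTOMER_AS = 64502
ROGUE_AS = 64666
# Constructed route-origin policy: only the operator may originate the prefix.
AUTHORIZED_ORIGINS = {ANYCAST_PREFIX: {OPERATOR_AS}}


@dataclass(frozen=True)
class Route:
    prefix: str
    node: str            # the anycast instance this route actually leads to
    as_path: tuple       # as received; as_path[-1] is the origin AS
    communities: frozenset = frozenset()


def originate(node, origin_as, prepend=0, communities=()):
    """Announce the prefix from one instance; prepending repeats the origin
    AS in the path to make the route look longer."""
    return Route(ANYCAST_PREFIX, node, (origin_as,) * (1 + prepend),
                 frozenset(communities))


def export_route(route, exporting_as):
    """What an AS passes on to its eBGP neighbors: no-export routes are kept
    inside the AS; everything else gets the exporting AS prepended."""
    if NO_EXPORT in route.communities:
        return None
    return Route(route.prefix, route.node,
                 (exporting_as,) + route.as_path, route.communities)


def import_filter(routes):
    """Drop any announcement whose origin AS is not authorized for the prefix;
    this is the filtering that blocks hijacks and black-holing."""
    return [r for r in routes
            if r.as_path[-1] in AUTHORIZED_ORIGINS.get(r.prefix, set())]


def best_path(routes):
    """Shortest AS path wins (deterministic tie-break on node name). The
    chosen route decides which physical instance serves this AS."""
    if not routes:
        return None
    return min(routes, key=lambda r: (len(r.as_path), r.node)).node


def scenario(filtered=True):
    """Which instance each AS ends up using, with or without origin filtering."""
    local = originate("dns-local", OPERATOR_AS, communities=[NO_EXPORT])
    glob = originate("dns-global", OPERATOR_AS, prepend=2)
    rogue = originate("rogue", ROGUE_AS)

    # The local ISP peers directly with the operator and hears both instances.
    isp_rib = [local, glob]
    # Its customer only hears what the ISP exports, plus a rogue announcement
    # arriving from some other neighbor.
    customer_rib = [r for r in (export_route(x, LOCAL_ISP_AS) for x in isp_rib)
                    if r is not None]
    customer_rib.append(rogue)

    if filtered:
        isp_rib, customer_rib = import_filter(isp_rib), import_filter(customer_rib)
    return {LOCAL_ISP_AS: best_path(isp_rib), CUSTOMER_AS: best_path(customer_rib)}


if __name__ == "__main__":
    print("with origin filtering   :", scenario())
    print("without origin filtering:", scenario(filtered=False))
```

The local ISP picks the local node (path length 1 against 3 for the prepended global node); its customer never sees the local node because of no-export and so picks the global node; and without origin filtering the customer would instead select the rogue announcement, since its one-hop path is the shortest of all, which is exactly the hijack the Security section warns about.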


References

  1. Woodcock, Bill (June 1996). "Best Practices in Anycast Routing" (PDF). Packet Clearing House.
  2. Hernandez, Gael (October 10, 2017). "Building and Operating a Global Anycast Network" (PDF). Eurasia Network Operators Group.
  3. C. Partridge; T. Mendez; W. Milliken (November 1993). Host Anycasting Service. Network Working Group. doi:10.17487/RFC1546. RFC 1546. Informational.
  4. Woodcock, Bill (November 14, 2019). "TCP and Anycast". NANOG mailing list archive. North American Network Operators Group.
  5. Levine, Matt; Lyon, Barrett; Underwood, Todd (June 2006). "TCP Anycast: Don't Believe the FUD - Operational experience with TCP and Anycast" (PDF). North American Network Operators Group.
  6. Herrin, William. "Anycast TCP Architecture". Retrieved October 11, 2021.
  7. Katz-Bassett, Ethan; Gao, Ryan (July 2019). "Impact of TCP Loss on Regional Application Performance" (PDF). Microsoft. Azure Frontdoor uses anycast redirection to direct users to a nearby edge.
  8. R. Hinden; S. Deering (February 2006). IP Version 6 Addressing Architecture. Network Working Group. doi:10.17487/RFC4291. RFC 4291. Draft Standard. Obsoletes RFC 3513. Updated by RFC 5952, 6052, 7136, 7346, 7371 and 8064.
  9. D. Johnson; S. Deering (March 1999). Reserved IPv6 Subnet Anycast Addresses. Network Working Group. doi:10.17487/RFC2526. RFC 2526. Proposed Standard.
  10. J. Abley; K. Lindqvist (December 2006). Operation of Anycast Services. Network Working Group. doi:10.17487/RFC4786. BCP 126. RFC 4786. Best Common Practice.
  11. T. Hardie (April 2002). Distributing Authoritative Name Servers via Shared Unicast Addresses. Network Working Group. doi:10.17487/RFC3258. RFC 3258. Informational.
  12. Home page of the B-root DNS server, visited 8 Feb. 2015.
  13. "Report on Root Nameserver Locations". Packet Clearing House. Retrieved February 21, 2011.
  14. "Root Server Technical Operations Assn". root-servers.org. Retrieved February 16, 2013.
  15. C. Huitema (June 2001). An Anycast Prefix for 6to4 Relay Routers. Network Working Group. doi:10.17487/RFC3068. RFC 3068. Informational. Obsoleted by RFC 7526.
  16. O. Troan (May 2015). B. Carpenter (ed.). Deprecating the Anycast Prefix for 6to4 Relay Routers. Internet Engineering Task Force. doi:10.17487/RFC7526. BCP 196. RFC 7526. Best Current Practice. Obsoletes RFC 3068 and 6732.
  17. "Anycast Rendezvous Point". Cisco Systems. June 1, 2001.
  18. "ICANN Factsheet on root server attack on 6 February 2007" (PDF). Factsheet. The Internet Corporation for Assigned Names and Numbers (ICANN). March 1, 2007. Retrieved February 21, 2011.
  19. Metz, C. (2002). "IP Anycast: Point-to-(Any) Point Communication (sign-in required)". IEEE Internet Computing. 6 (2). IEEE: 94–98. doi:10.1109/4236.991450.
  20. Oki, Eiji; Rojas-Cessa, Roberto; Tatipamula, Mallikarjun; Vogt, Christian (April 24, 2012). Advanced Internet Protocols, Services, and Applications. John Wiley & Sons. pp. 102 & 103. ISBN 978-0-470-49903-0. Archived from the original on January 5, 2020.