From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc7094.txt | 1235 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1235 insertions(+) create mode 100644 doc/rfc/rfc7094.txt (limited to 'doc/rfc/rfc7094.txt') diff --git a/doc/rfc/rfc7094.txt b/doc/rfc/rfc7094.txt new file mode 100644 index 0000000..617dc17 --- /dev/null +++ b/doc/rfc/rfc7094.txt @@ -0,0 +1,1235 @@ + + + + + + +Internet Architecture Board (IAB) D. McPherson +Request for Comments: 7094 Verisign, Inc. +Category: Informational D. Oran +ISSN: 2070-1721 Cisco Systems + D. Thaler + Microsoft Corporation + E. Osterweil + Verisign, Inc. + January 2014 + + + Architectural Considerations of IP Anycast + +Abstract + + This memo discusses architectural implications of IP anycast and + provides some historical analysis of anycast use by various IETF + protocols. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Architecture Board (IAB) + and represents information that the IAB has deemed valuable to + provide for permanent record. It represents the consensus of the + Internet Architecture Board (IAB). Documents approved for + publication by the IAB are not a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7094. + +Copyright Notice + + Copyright (c) 2014 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. + + + + + +McPherson, et al. Informational [Page 1] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + +Table of Contents + + 1. Overview ........................................................2 + 2. Background ......................................................3 + 2.1. Anycast History ............................................3 + 2.2. Anycast in IPv6 ............................................6 + 2.3. DNS Anycast ................................................6 + 2.4. BCP 126 on Operation of Anycast Services ...................8 + 3. Principles ......................................................8 + 3.1. Layering and Resiliency ....................................8 + 3.2. Anycast Addresses as Destinations ..........................9 + 3.3. Anycast Addresses as Sources ..............................10 + 3.4. Service Discovery .........................................10 + 4. Analysis .......................................................11 + 4.1. Regarding Widespread Anycast Use ..........................11 + 4.2. Transport Implications ....................................11 + 4.3. Stateful Firewalls, Middleboxes, and Anycast ..............12 + 4.4. Security Considerations ...................................12 + 4.5. Deployment Considerations .................................15 + 5. Conclusions ....................................................16 + 6. Acknowledgements ...............................................16 + 7. Informative References .........................................16 + Appendix A. IAB Members at the Time of Approval ...................21 + +1. Overview + + IP anycast is a technique with a long legacy and interesting + engineering challenges. However, at its core, it is a relatively + simple concept. As described in BCP 126 [RFC4786], the general form + of IP anycast is the practice of making a particular Service Address + available in multiple, discrete, autonomous locations, such that + datagrams sent are routed to one of several available locations. + + IP anycast is used for at least one critical Internet service: that + of the Domain Name System [RFC1035] root servers. By late 2007, at + least 10 of the 13 root name servers were already using IP anycast + [RSSAC29]. Use of IP anycast is growing for other applications as + well. It has been deployed for over a decade for DNS resolution + services and is currently used by several DNS Top Level Domain (TLD) + operators. IP anycast is also used for other services in operational + environments, including Network Time Protocol (NTP) [RFC5905] + services. + + Anycast addresses are syntactically indistinguishable from unicast + addresses. Anycast addressing is equivalent to that of unicast in + multiple locations. Destination-based routing does best-effort + delivery of a packet to one interface among the set of interfaces + asserting reachability for the address. The expectation of delivery + + + +McPherson, et al. Informational [Page 2] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + is to the "closest" instance as determined by unicast routing + topology metric(s), and there is also a possibility that various + load-balancing techniques (e.g., per-packet, per-microflow) may be + used among multiple equal-cost routes to distribute load for an + anycasted prefix. + + Unlike IP unicast, it is not considered an error to assert the same + anycast address on multiple interfaces within the same or multiple + systems. + + When IP anycast is employed, many pitfalls and subtleties exist with + applications and transports as well as for routing configuration and + operation. In this document, we aim to capture many of the + architectural implications of IP anycast. + + BCP 126 [RFC4786] discusses several different deployment models with + IP anycast. Two additional distinctions beyond that document involve + "off-link anycast" and "on-link anycast". "Off-link anycast" takes + advantage of routing protocol preferences and the IP hop-by-hop + destination-based forwarding paradigm in order to direct packets to + the "closest" destination. This is the traditional method of anycast + largely considered in BCP 126 [RFC4786] and can be used for IPv4 and + IPv6. "On-link anycast" is the formal support of anycast in the + address resolution (duplicate address detection) protocol and is only + standardized for IPv6, with the introduction of designated anycast + addresses on the anycasted hosts, and the Override flag in Neighbor + Discovery (ND) Neighbor Advertisements (NAs) [RFC4861]. There is no + standardized mechanism for this in IPv4. + +2. Background + + As of this writing, the term "anycast" appears in 176 RFCs and 144 + active Internet-Drafts. The following sections capture some of the + key appearances and discussion of anycasting within the IETF over the + years. + +2.1. Anycast History + + The first formal specification of anycast was provided in "Host + Anycasting Service" [RFC1546]. The authors of this document did a + good job of capturing most of the issues that exist with IP anycast + today. + + One of the first documented uses of anycast was in 1994 for a "Video + Registry" experiment [IMR9401]. In the experiment, a UDP query was + transmitted to an anycasted address to locate the topologically + closest "supposedly equivalent network resource": + + + + +McPherson, et al. Informational [Page 3] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + A video resource (for example, a catalog server that lists + available video clips) sends an anycast UDP datagram to locate the + nearest video registry. At most one registry responds with a + unicast UDP datagram containing the registry's IP address. Said + resource then opens a TCP connection to that [the received + registry address] address and sends a request to register itself. + Every 5 minutes or so, each registry multicasts to all other + registries all of the resources it knows from local registration + requests. It also immediately announces newly registered + resources. Remotely registered resources not heard about for 20 + minutes are dropped. + + There is also discussion that ISPs began using anycast for DNS + resolution services around the same time, although no public + references to support this are available. + + In 1997, the IAB clarified that IPv4 anycast addresses were pure + "locators" and could never serve as "identifiers" of hosts or + interfaces [RFC2101]. + + In 1998, the IAB conducted a routing workshop [RFC2902]. Of the + conclusions and output action items from the report, an Anycast + section is contained in Section 2.10.3. Specifically called out is + the need to describe the advantages and disadvantages of anycast and + the belief that local-scoped well-known anycast addresses will be + useful to some applications. In the subsequent section, an action + item was outlined that suggested a BOF should be held to plan work on + anycast, and if a working group forms, a paper on the advantages and + the disadvantages of anycast should be included as part of the + charter. + + As a result of the recommendation in [RFC2902], an Anycast BOF + [ANYCASTBOF] was held at IETF 46 in November of 1999. A number of + uses for anycast were discussed. No firm conclusion was reached + regarding use of TCP with anycasted services. However, it was + observed that anycasting was useful for DNS, although it did + introduce some new complexities. The use of global anycast was not + expected to scale (see Section 4.1 below for more discussion) and, + hence, was expected to be limited to a small number of key uses. + + In 2001, the Multicast and Anycast Group Membership [MAGMA] WG was + chartered to address host-to-router signaling, including initial + authentication and access control issues for multicast and anycast + group membership, but other aspects of anycast, including + architecture and routing, were outside the group's scope. + + + + + + +McPherson, et al. Informational [Page 4] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + Simple Network Time Protocol (SNTP) Version 4 [RFC2030] defined how + to use SNTP anycast for server discovery. This was extended in + [RFC4330] as an NTP-specific "manycast" service, in which anycast was + used for the discovery part. + + IPv6 defined some reserved subnet anycast addresses [RFC2526] and + assigned one to "Mobile IPv6 Home-Agents" [RFC3775] (obsoleted by + [RFC6275]). + + The original IPv6 transition mechanism [RFC2893] made use of IPv4 + anycast addresses as tunnel endpoints for IPv6 encapsulated in IPv4, + but this was later removed [RFC4213]. The 6to4 tunneling protocol + [RFC3056] was augmented by a 6to4 relay anycast prefix [RFC3068] in a + move aimed at simplifying the configuration of 6to4 routers. + Incidentally, 6to4 deployment has shown a fair number of operational + and security issues [RFC3964] that result from using anycast as a + discovery mechanism. Specifically, one inference is that operational + consideration is needed to ensure that anycast addresses get + advertised and/or filtered in a way that produces the intended scope + (e.g., only advertise a route for your 6to4 relay to Autonomous + Systems (ASes) that conform to your own acceptable usage policy), an + attribute that can easily become quite operationally expensive. + + In 2002, DNS' use of anycast was first specified in "Distributing + Authoritative Name Servers via Shared Unicast Addresses" [RFC3258]. + It is notable that it used the term "shared unicast address" rather + than "anycast address" for the service. This distinction was made + due to the IPv6 differentiation in the on-link model. "Shared + unicast" addresses are unicast (not multicast) in the IPv6 model and, + therefore, support the off-link anycast model (described earlier) but + not the on-link anycast model. At the same time, site-local-scoped + well-known addresses began being used for recursive resolvers + [DNS-DISC], but this use was never standardized (see below in + Section 3.4 for more discussion). + + Anycast was used for routing to rendezvous points (RPs) for PIM + [RFC4610]. + + "Operation of Anycast Services" BCP 126 [RFC4786] deals with how the + routing system interacts with anycast services and the operation of + anycast services. + + "Requirements for a Mechanism Identifying a Name Server Instance" + [RFC4892] cites the use of anycast with DNS as a motivation to + identify individual name server instances, and the Name Server ID + (NSID) option was defined for this purpose [RFC5001]. One could view + + + + + +McPherson, et al. Informational [Page 5] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + the addition of NSID as an incarnation of locator and identifier + separation (where the anycast address is a locator and the NSID is an + identifier). + + The IAB's "Reflections on Internet Transparency" [RFC4924] briefly + mentions how violating transparency can also damage global services + that use anycast. + +2.2. Anycast in IPv6 + + Originally, the IPv6 addressing architecture [RFC1884] [RFC2373] + [RFC3513] severely restricted the use of anycast addresses. In + particular, the architecture provided that anycast addresses must not + be used as source addresses and must not be assigned to IPv6 hosts + (i.e., only routers). These restrictions were later lifted in 2006 + [RFC4291]. + + In fact, the more recent "IPv6 Transition/Co-existence Security + Considerations" [RFC4942] overview now recommends: + + To avoid exposing knowledge about the internal structure of the + network, it is recommended that anycast servers now take advantage + of the ability to return responses with the anycast address as the + source address if possible. + + As discussed in the Overview, "on-link anycast" is employed expressly + in IPv6 via ND NAs; see Section 7.2.7 of [RFC4861] for additional + information. + +2.3. DNS Anycast + + "Distributed Authoritative Name Servers via Shared Unicast Addresses" + [RFC3258] described how to reach authoritative name servers using + multiple unicast addresses, each one configured on a different set of + servers. It stated in Section 2.3: + + This document presumes that the usual DNS failover methods are the + only ones used to ensure reachability of the data for clients. It + does not advise that the routes be withdrawn in the case of + failure; it advises instead that the DNS process shutdown so that + servers on other addresses are queried. This recommendation + reflects a choice between performance and operational complexity. + While it would be possible to have some process withdraw the route + for a specific server instance when it is not available, there is + considerable operational complexity involved in ensuring that this + occurs reliably. Given the existing DNS failover methods, the + marginal improvement in performance will not be sufficient to + justify the additional complexity for most uses. + + + +McPherson, et al. Informational [Page 6] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + In anycast more generally, most anycast benefits cannot be realized + without route withdrawals, since traffic will continue to be directed + to the link with the failed server. When multiple unicast addresses + are used with different sets of servers, a client can still fail over + to using a different server address and, hence, a different set of + servers. There can still be reliability problems, however, when each + set contains a failed server. If all servers in the same set are on + the same subnet, such problems could be minimized where address + resolution within the subnet will cause traffic to go to an available + server. + + Other assertions included: + + o It asserted (as an advantage) that no routing changes were needed. + + o It recommended stopping DNS processes rather than withdrawing + routes to deal with failures, data synchronization issues, and + failover, as provided in the quoted text above. The spirit of + this advice was that DNS resolvers may (indeed) reach out and + query unavailable DNS name servers, but as their queries time out, + they will elect to pin themselves to other server addresses and, + hence, different servers. + + o It argued that failure modes involving state were not serious, + because: + + * the vast majority of DNS queries are UDP + + * large routing metric disparity among authoritative server + instances would localize queries to a single instance for most + clients + + * when the resolver tries TCP and it breaks, the resolver will + try to move to a different server address. In order to ensure + that this is possible, it is important that the DNS zone be + configured with multiple server addresses for different sets of + name servers. The advice given in Section 3.3 of [DNS-DISC] + describes, in more detail, why using multiple addresses is + important. + + "Unique Per-Node Origin ASNs for Globally Anycasted Services" + [RFC6382] makes recommendations regarding the use of per-node unique + origin Autonomous System Numbers (ASNs) for globally anycasted + critical infrastructure services in order to provide routing system + discriminators for a given anycasted prefix. The object was to allow + network management and monitoring techniques, or other operational + + + + + +McPherson, et al. Informational [Page 7] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + mechanisms to employ this new origin AS as a discriminator in + whatever manner fits their operating environment, either for + detection or policy associated with a given anycasted node. + +2.4. BCP 126 on Operation of Anycast Services + + "Operation of Anycast Services" BCP 126 [RFC4786] was a product of + the IETF's GROW working group. The primary design constraint + considered was that routing "be stable" for significantly longer than + a "transaction time", where "transaction time" is loosely defined as + "a single interaction between a single client and a single server". + It takes no position on what applications are suitable candidates for + anycast usage. + + Furthermore, it views anycast service disruptions as an operational + problem: "Operators should be aware that, especially for long running + flows, there are potential failure modes using anycast that are more + complex than a simple 'destination unreachable' failure using + unicast". + + The document primarily deals with global Internet-wide services + provided by anycast. Where internal topology issues are discussed, + they're mostly regarding routing implications rather than application + design implications. BCP 126 also views networks employing + per-packet load balancing on equal cost paths as "pathological". + This was also discussed in [RFC2991]. + +3. Principles + +3.1. Layering and Resiliency + + Preserving the integrity of a modular layered design for IP protocols + on the Internet is critical to its continued success and flexibility. + One such consideration is that of whether an application should have + to adapt to changes in the routing system. + + Applications should make minimal assumptions about routing stability, + just as they should make minimal assumptions about congestion and + packet loss. When designing applications, it would perhaps be safe + to assume that the routing system may deliver each anycast packet to + a different service instance, in any pattern, with temporal + reordering being a not-so-rare phenomenon. + + Most stateful transport protocols (e.g., TCP), without modification, + do not understand the properties of anycast; hence, they will fail + probabilistically, but possibly catastrophically, when using anycast + addresses in the presence of "normal" routing dynamics. + Specifically, if datagrams associated with a given active transaction + + + +McPherson, et al. Informational [Page 8] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + are routed to a new anycasted end system and that end system lacks + state data associated with the active transaction, the session will + be reset; hence, it will need to be reinitiated. As another example, + different networks have different routing properties and therefore + will experience problems under different conditions. This can lead + to a protocol working fine in, say, a test lab but not in the global + Internet. + +3.2. Anycast Addresses as Destinations + + When an anycast address is used as a destination address, different + packets with the same destination IP address may reach different + destination hosts, even if the packets are generated by the same + source host. Anycast addresses are thus "safe" to use as destination + addresses for an application if the following design points are all + met: + + o A request message or "one shot" message is self-contained in a + single transport packet. + + o A stateless transport (e.g., UDP) is used for the above. + + o Replies are always sent to a unicast address; these can be + multipacket since the unicast destination is presumed to be + associated with a single "stable" end system and not an anycasted + source address. Note that this constrains the use of anycast as + source addresses in request messages, since reply messages sent + back to that address may reach a device that was not the source + that initially triggered it. + + o The server side of the application keeps no hard state across + requests. + + o Retries are idempotent; in addition to not assuming server state, + they do not encode any assumptions about loss of requests versus + loss of replies. + + It is noteworthy, though, that even under the above circumstances + ICMP messages against packets with anycast source addresses may be + routed to servers other than those expected. In addition, Path + Maximum Transmission Unit Discovery (PMTUD) can encounter + complications when employed against anycast addresses, since + iterations in the PMTU discovery process may have packets routed to + different anycast service instances. + + + + + + + +McPherson, et al. Informational [Page 9] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + +3.3. Anycast Addresses as Sources + + When an anycast address is used as a source address, the source + address does not uniquely identify the source host; hence, replies + might be sent to a different host. As noted earlier, this concept is + sometimes referred to (e.g., in [RFC3258]) as a "shared unicast + address". Anycast addresses are "safe" to use as source addresses + for an application if all of the following design points are met: + + o No response message is generated by the receiver with the anycast + source used as a destination unless the application has some + private state synchronization that allows for the response message + arriving at a different instance. + + o The source anycast address is reachable via the interface address + if unicast reverse path forwarding (RPF) [RFC4778] checking is on, + or the service address is explicitly provisioned to bypass RPF + checks. In addition to the application defined in [RFC4778], + Section 4.4.5 of BCP 126 [RFC4786] gives explicit consideration to + RPF checks in anycasting operations. + +3.4. Service Discovery + + Applications able to tolerate an extra round-trip time (RTT) to learn + a unicast destination address for multipacket exchanges might safely + use anycast destination addresses for service instance discovery. + For example, "instance discovery" messages are sent to an anycast + destination address, and a reply is subsequently sent from the unique + unicast source address of the interface that received the discovery + message, or a reply is sent from the anycast source address of the + interface that received the message, containing the unicast address + to be used to invoke the service. Only the latter of these will + avoid potential NAT binding and stateful firewall issues. + + [DNS-DISC] discussed several options to address the need to configure + DNS servers, including the use of a "Well-known Anycast Address" for + recursive DNS service configuration in clients to ease configuration + and allow those systems to ship with these well-known addresses + configured "from the beginning, as, say, factory default". The + proposal was later dropped, but the analysis was used in publishing + [RFC4339]. + + After the final round of revisions to [DNS-DISC] was made, [RFC4339] + was published with a very similar focus and overlapping content. The + difference was that the writing in [RFC4339] focused on analysis, + while [DNS-DISC] covered both the analysis and a specific proposal. + The proposal details were removed in what became [RFC4339] although + Section 3.3 of that RFC still discusses the approach of using a + + + +McPherson, et al. Informational [Page 10] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + well-known anycast address in this scenario. During publication, the + IESG requested that the following "IESG Note" be contained in the + document: + + This document describes three different approaches for the + configuration of DNS name resolution server information in IPv6 + hosts. + + There is not an IETF consensus on which approach is preferred. + The analysis in this document was developed by the proponents for + each approach and does not represent an IETF consensus. + + The 'RA option' and 'Well-known anycast' approaches described in + this document are not standardized. Consequently the analysis for + these approaches might not be completely applicable to any + specific proposal that might be proposed in the future. + +4. Analysis + +4.1. Regarding Widespread Anycast Use + + Widespread use of anycast for global Internet-wide services or + inter-domain services has some scaling challenges. Similar in ways + to multicast, each service generates at least one unique route in the + global BGP routing system. As a result, additional anycast instances + result in additional paths for a given prefix, which scales + super-linearly as a function of denseness of inter-domain + interconnection within the routing system (i.e., more paths result in + more resources, more network interconnections result in more paths). + + This is why the Anycast BOF concluded that "the use of global anycast + addresses was not expected to scale and hence was expected to be + limited to a small number of key uses". + + However, one interesting note is that multiple anycast services can + share a route if they are all located in a single announced prefix + and if all the servers of all the services are always collocated. If + the announced prefix is aggregated differently in different locations + though, longest-match routing might result in some anycast locations + being unreachable. Hence, extra precaution must be taken when + aggregating prefixes used by anycast services. + +4.2. Transport Implications + + UDP is the "lingua franca" for anycast today. Stateful transports + could be enhanced to be more anycast friendly. This was anticipated + in Host Anycasting Services [RFC1546], specifically: + + + + +McPherson, et al. Informational [Page 11] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + The solution to this problem is to only permit anycast addresses + as the remote address of a TCP SYN segment (without the ACK bit + set). A TCP can then initiate a connection to an anycast address. + When the SYN-ACK is sent back by the host that received the + anycast segment, the initiating TCP should replace the anycast + address of its peer, with the address of the host returning the + SYN-ACK. (The initiating TCP can recognize the connection for + which the SYN-ACK is destined by treating the anycast address as a + wildcard address, which matches any incoming SYN-ACK segment with + the correct destination port and address and source port, provided + the SYN-ACK's full address, including source address, does not + match another connection and the sequence numbers in the SYN-ACK + are correct.) This approach ensures that a TCP, after receiving + the SYN-ACK is always communicating with only one host. + + The reason for such considerations can be illustrated through an + example: one operationally observed shortcoming of using the + Transmission Control Protocol (TCP) [RFC0793] and anycast nodes in + DNS is that even during the TCP connection establishment, IP control + packets from a DNS client may initially be routed to one anycast + instance, but subsequent IP packets may be delivered to a different + anycast instance if (for example) a route has changed. In such a + case, the TCP connection will likely elicit a connection reset but + will certainly result in the disruption of the connection. + + Multi-address transports (e.g., SCTP) might be more amenable to such + extensions than TCP. + + The features needed for address discovery when doing multihoming in + the transport layer are similar to those needed to support anycast. + +4.3. Stateful Firewalls, Middleboxes, and Anycast + + Middleboxes (e.g., NATs) and stateful firewalls cause problems when + used in conjunction with some ways to use anycast. In particular, a + server-side transition from an anycast source IP address to a unique + unicast address may require new or additional session state, and this + may not exist in the middlebox, as discussed previously in + Section 3.4. + +4.4. Security Considerations + + Anycast is often deployed to mitigate or at least localize the + effects of distributed denial-of-service (DDoS) attacks. For + example, with the Netgear NTP fiasco [RFC4085] anycast was used in a + distributed sinkhole model [RFC3882] to mitigate the effects of + embedded globally routed Internet addresses in network elements. + + + + +McPherson, et al. Informational [Page 12] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + "Internet Denial-of-Service Considerations" [RFC4732] notes that: "A + number of the root nameservers have since been replicated using + anycast to further improve their resistance to DoS". + + "Operation of Anycast Services" BCP 126 [RFC4786] cites DoS + mitigation, constraining DoS to localized regions, and identifying + attack sources using spoofed addresses as some motivations to deploy + services using anycast. Multiple anycast service instances such as + those used by the root name servers also add resiliency when network + partitioning occurs (e.g., as the result of transoceanic fiber cuts + or natural disasters). + + When using anycast, care must be taken not to simply withdraw an + anycast route in the presence of a sustained DoS attack, since the + result would simply move the attack to another service instance, + potentially causing a cascaded failure. Anycast adds resiliency when + such an attack is instead constrained to a single service instance. + + It should be noted that there is a significant man-in-the-middle + (MITM) exposure in either variant of anycast discovery (see + Section 3.4) that, in many applications, may necessitate the need for + end-to-end security models (e.g., using IPsec [RFC6071] or even + DNSSEC [RFC4033]) that enable end systems to authenticate one + another, or the data itself. + + However, when considering the above suggestion of enabling end + systems to authenticate each other, a potential complication can + arise. If the service nodes of an anycast deployment are + administered by separate authorities, any server-side authentication + credentials that are used must (necessarily) be shared across the + administrative boundaries in the anycast deployment. This would + likely also be the case with Secure Neighbor Discovery, described in + [RFC5909]. + + Furthermore, as discussed earlier in this document, operational + consideration needs to be given to ensure that anycast addresses get + advertised and/or filtered in a way that produces intended scope (for + example, only advertise a route to your 6to4 relay to ASes that + conform to your own Acceptable Use Policy (AUP)). This seems to be + operationally expensive, and is often vulnerable to errors outside of + the local routing domain, in particular when anycasted services are + deployed with the intent to scope associated announcements within + some local or regional boundary. + + As previously discussed, [RFC6382] makes recommendations regarding + the use of per-node unique origin ASNs for globally anycasted + critical infrastructure services in order to provide routing system + discriminators for a given anycasted prefix. Network management and + + + +McPherson, et al. Informational [Page 13] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + monitoring techniques, or other operational mechanisms, may then + employ this new discriminator in whatever manner fits their operating + environment, for either detection or policy associated with a given + anycasted node. + + Moreover, the use of per-node unique origin ASNs has the additional + benefit of overcoming complications that might arise with the + potential deployment of the Resource Public Key Infrastructure (RPKI) + [RFC6480]. Without per-node unique origin ASNs, the cryptographic + certificates needed to attest to the Route Origin Authorizations + (ROAs) of a multi-administrative deployment of anycast would need to + be shared. However, if each service instance has a separate ASN, + then those ASNs can be managed separately in the RPKI. + + Unlike multicast (but like unicast), anycast allows traffic stealing. + That is, with multicast, joining a multicast group doesn't prevent + anyone else who was receiving the traffic from continuing to receive + the traffic. With anycast, adding an anycasted node to the routing + system can prevent a previous recipient from continuing to receive + traffic because it may now be delivered to the new node instead. As + such, if an unauthorized anycast node can inject a route into the + network, or be resolved using ARP/Neighbor Discovery on a link with + an authorized anycast node, traffic can be diverted thereby + triggering DoS or other attacks. Section 6.3 of BCP 126 [RFC4786] + provides expanded discussion on "Service Hijacking" and "traffic + stealing", and [FanInfocom13] discusses measured instances of anycast + nodes and "benign masquerading or hostile hijacking of anycast + services", by unauthorized nodes. + + Unlike unicast (but like multicast), the desire is to allow + applications to cause route injection. In multicast, one often + allows arbitrary applications on hosts to join multicast groups, + resulting in multicast routing state. Trying to apply that same + model to anycast would present new security concerns, which is why + [MAGMA] only got so far. The security concerns include: + + 1. Allowing route injection can cause DOS to a legitimate address + owner. + + 2. Allowing route injection consumes routing resources and can hence + cause DOS to the routing system and impact legitimate + communications as a result. + + These are two of the core issues that were part of the discussion + during [RFC1884], the [ANYCASTBOF], and the MAGMA [MAGMA] chartering. + + Additional security considerations are scattered throughout the list + of references provided herein. + + + +McPherson, et al. Informational [Page 14] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + +4.5. Deployment Considerations + + BCP 126 [RFC4786] provides some very solid guidance related to + operations of anycasted services and, in particular, the operations + of DNS. + + This document covers issues associated with the architectural + implications of anycast. This document does not address, in any + depth, the fact that there are deployed services with TCP transport + using anycast today. Evidence exists to suggest that such practice + is not "safe" in the traditional and architectural sense (as + described in Section 4.2). These sorts of issues are indeed + relative, and we recognize sometimes unpredictability in the routing + system beyond the local administrative domain can be manageable. + That is, despite the inherent architectural problems in the use of + anycast with stateful transport and connection-oriented protocols, + there is expanding deployment (e.g., for content distribution + networks) and situations exist where it may make sense (e.g., such as + with service discovery, short-lived transactions, or in cases where + dynamically directing traffic to topologically optimal service + instances is required). In general, operators should consider the + content and references provided herein and evaluate the benefits and + implications of anycast in their specific environments and + applications. + + In addition, (as noted in Section 2.3) the issue of whether to + withdraw anycast routes when there is a service failure is only + briefly broached in [RFC3258]. The advice given is that routes + should not be withdrawn, in order to reduce operational complexity. + However, the issue of route advertisements and service outages + deserves greater attention. + + There is an inherent trade-off that exists between the operational + complexity of matching service outages with anycast route + withdrawals, and allowing anycast routes to persist for services that + are no longer available. [RFC3258] maintains that DNS' inherent + failure recovery mechanism is sufficient to overcome failed nodes, + but even this advice enshrines the notion that these decisions are + both application-specific and subject to the operational needs of + each deployment. For example, the routing system plays a larger role + in DNS when services are anycast. Therefore, operational + consideration must be given to the fact that relying on anycast for + DNS deployment optimizations means that there are operational trade- + offs related to keeping route advertisements (and withdrawals) + symmetric with service availability. For example, in order to ensure + that the DNS resolvers in a failed anycast instance's catchment + [RFC4786] are able to fail over and reach a non-failed catchment, a + route withdrawal is almost certainly required. On the other hand, + + + +McPherson, et al. Informational [Page 15] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + instability of a DNS process that triggers frequent route + advertisement and withdrawal might result in suppression of + legitimate paths to available nodes, e.g., as a result of route flap + damping [RFC2439]. + + Rather than prescribing advice that attempts to befit all situations, + it should simply be recognized that when using anycast with network + services that provide redundancy or resilience capabilities at other + layers of the protocol stack, operators should carefully consider the + optimal layer(s) at which to provide said functions. + + As noted in Section 2.3, use of anycast within a subnet does not + necessarily suffer from the potential issues with route withdrawals. + As such, use of anycast to reach servers that reside in the same + subnet can be made more reliable than use of anycast to reach + topologically disparate server instances. Within a subnet, however, + care must be taken as stated in Section 5.4 of [RFC4862], "Duplicate + Address Detection MUST NOT be performed on anycast addresses"; hence, + the servers must be configured appropriately. + +5. Conclusions + + In summary, operators and application vendors alike should consider + the benefits and implications of anycast in their specific + environments and applications and also give forward consideration to + how new network protocols and application functions may take + advantage of anycast or how they may be negatively impacted if + anycasting is employed. + +6. Acknowledgements + + Many thanks to Kurtis Lindqvist for his early review and feedback on + this document. Thanks to Brian Carpenter, Alfred Hoenes, and Joe + Abley for their usual careful review and feedback, as well as Mark + Smith, Lixia Zhang, Stephane Bortzmeyer, Masataka Ohta, and S. + Moonesamy for their detailed reviews. Helpful feedback was also + received from others including Edward Lewis, Jean-Michel Combes, + Wolfgang Nagele, Mark Townsley, and Abdussalam Baryun. + +7. Informative References + + [ANYCASTBOF] + Deering, S., "IAB Anycast BOF Announcement", October 1999, + . + + + + + + +McPherson, et al. Informational [Page 16] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + [DNS-DISC] Durand, A., Hagino, J., and D. Thaler, "Well known site + local unicast addresses for DNS resolver", Work in + Progress, September 2002. + + [FanInfocom13] + Fan, X., Heidemann, J., and R. Govindan, "Evaluating + Anycast in the Domain Name System", Proceedings of the + IEEE Infocom 2013, April 2013. + + [IMR9401] RFC Editor, "INTERNET MONTHLY REPORT", January 1994, + . + + [MAGMA] MAGMA (concluded), "Multicast and Anycast Group Membership + (MAGMA)", April 2006, + . + + [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC + 793, September 1981. + + [RFC1035] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [RFC1546] Partridge, C., Mendez, T., and W. Milliken, "Host + Anycasting Service", RFC 1546, November 1993. + + [RFC1884] Hinden, R. and S. Deering, "IP Version 6 Addressing + Architecture", RFC 1884, December 1995. + + [RFC2030] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 + for IPv4, IPv6 and OSI", RFC 2030, October 1996. + + [RFC2101] Carpenter, B., Crowcroft, J., and Y. Rekhter, "IPv4 + Address Behaviour Today", RFC 2101, February 1997. + + [RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing + Architecture", RFC 2373, July 1998. + + [RFC2439] Villamizar, C., Chandra, R., and R. Govindan, "BGP Route + Flap Damping", RFC 2439, November 1998. + + [RFC2526] Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast + Addresses", RFC 2526, March 1999. + + [RFC2893] Gilligan, R. and E. Nordmark, "Transition Mechanisms for + IPv6 Hosts and Routers", RFC 2893, August 2000. + + + + + +McPherson, et al. Informational [Page 17] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + [RFC2902] Deering, S., Hares, S., Perkins, C., and R. Perlman, + "Overview of the 1998 IAB Routing Workshop", RFC 2902, + August 2000. + + [RFC2991] Thaler, D. and C. Hopps, "Multipath Issues in Unicast and + Multicast Next-Hop Selection", RFC 2991, November 2000. + + [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains + via IPv4 Clouds", RFC 3056, February 2001. + + [RFC3068] Huitema, C., "An Anycast Prefix for 6to4 Relay Routers", + RFC 3068, June 2001. + + [RFC3258] Hardie, T., "Distributing Authoritative Name Servers via + Shared Unicast Addresses", RFC 3258, April 2002. + + [RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6 + (IPv6) Addressing Architecture", RFC 3513, April 2003. + + [RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support + in IPv6", RFC 3775, June 2004. + + [RFC3882] Turk, D., "Configuring BGP to Block Denial-of-Service + Attacks", RFC 3882, September 2004. + + [RFC3964] Savola, P. and C. Patel, "Security Considerations for + 6to4", RFC 3964, December 2004. + + [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "DNS Security Introduction and Requirements", RFC + 4033, March 2005. + + [RFC4085] Plonka, D., "Embedding Globally-Routable Internet + Addresses Considered Harmful", BCP 105, RFC 4085, June + 2005. + + [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms + for IPv6 Hosts and Routers", RFC 4213, October 2005. + + [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing + Architecture", RFC 4291, February 2006. + + [RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 + for IPv4, IPv6 and OSI", RFC 4330, January 2006. + + [RFC4339] Jeong, J., "IPv6 Host Configuration of DNS Server + Information Approaches", RFC 4339, February 2006. + + + + +McPherson, et al. Informational [Page 18] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + [RFC4610] Farinacci, D. and Y. Cai, "Anycast-RP Using Protocol + Independent Multicast (PIM)", RFC 4610, August 2006. + + [RFC4732] Handley, M., Rescorla, E., and IAB, "Internet Denial-of- + Service Considerations", RFC 4732, December 2006. + + [RFC4778] Kaeo, M., "Operational Security Current Practices in + Internet Service Provider Environments", RFC 4778, January + 2007. + + [RFC4786] Abley, J. and K. Lindqvist, "Operation of Anycast + Services", BCP 126, RFC 4786, December 2006. + + [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, + "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, + September 2007. + + [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless + Address Autoconfiguration", RFC 4862, September 2007. + + [RFC4892] Woolf, S. and D. Conrad, "Requirements for a Mechanism + Identifying a Name Server Instance", RFC 4892, June 2007. + + [RFC4924] Aboba, B. and E. Davies, "Reflections on Internet + Transparency", RFC 4924, July 2007. + + [RFC4942] Davies, E., Krishnan, S., and P. Savola, "IPv6 Transition/ + Co-existence Security Considerations", RFC 4942, September + 2007. + + [RFC5001] Austein, R., "DNS Name Server Identifier (NSID) Option", + RFC 5001, August 2007. + + [RFC5905] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network + Time Protocol Version 4: Protocol and Algorithms + Specification", RFC 5905, June 2010. + + [RFC5909] Combes, J-M., Krishnan, S., and G. Daley, "Securing + Neighbor Discovery Proxy: Problem Statement", RFC 5909, + July 2010. + + [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and + Internet Key Exchange (IKE) Document Roadmap", RFC 6071, + February 2011. + + [RFC6275] Perkins, C., Johnson, D., and J. Arkko, "Mobility Support + in IPv6", RFC 6275, July 2011. + + + + +McPherson, et al. Informational [Page 19] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + + [RFC6382] McPherson, D., Donnelly, R., and F. Scalzo, "Unique Origin + Autonomous System Numbers (ASNs) per Node for Globally + Anycasted Services", BCP 169, RFC 6382, October 2011. + + [RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support + Secure Internet Routing", RFC 6480, February 2012. + + [RSSAC29] "RSSAC 29 Meeting Minutes", December 2007, + . + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +McPherson, et al. Informational [Page 20] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + +Appendix A. IAB Members at the Time of Approval + + Bernard Aboba + Jari Arkko + Marc Blanchet + Ross Callon + Alissa Cooper + Joel Halpern + Russ Housley + Eliot Lear + Xing Li + Erik Nordmark + Andrew Sullivan + Dave Thaler + Hannes Tschofenig + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +McPherson, et al. Informational [Page 21] + +RFC 7094 Arch Considerations of IP Anycast January 2014 + + +Authors' Addresses + + Danny McPherson + Verisign, Inc. + 12061 Bluemont Way + Reston, VA + USA + + EMail: dmcpherson@verisign.com + + + Dave Oran + Cisco Systems + USA + + EMail: oran@cisco.com + + + Dave Thaler + Microsoft Corporation + One Microsoft Way + Redmond, WA + USA + + EMail: dthaler@microsoft.com + + + Eric Osterweil + Verisign, Inc. + 12061 Bluemont Way + Reston, VA + USA + + EMail: eosterweil@verisign.com + + + + + + + + + + + + + + + + + +McPherson, et al. Informational [Page 22] + -- cgit v1.2.3