ISC-TN-2003-1 J. Abley
ISC
March 2003
Hierarchical Anycast for Global Service Distribution
Copyright Notice
Copyright (C) ISC, Inc. (2003). All Rights Reserved.
Abstract
This document describes an approach which allows a particular service
on the Internet to be distributed, such that the service can be
implemented by geographically and topologically dispersed components.
By distributing components in this manner a stable service may be
provided to a wide audience even in the event of serious problems
which cause individual components of the distributed service
infrastructure to fail or otherwise become unavailable. In addition:
o The average network latency between client and server across the
entire Internet is reduced. For services whose transaction
latencies are closely aligned to network latencies between client
and server this may represent a useful optimisation.
o Denial-of-service (DoS) or other malicious traffic is distributed
with client query traffic. This can lead to the effects of an
attack on a service being isolated to particular parts of the
Internet, rather than causing impact network-wide. The pattern of
attack traffic seen at different service nodes can also aid in the
location of attack sources.
Service for the F root nameserver (f.root-servers.net) is currently
provided using this technique.
Abley [Page 1]
�
Hierarchical Anycast March 2003
Table of Contents
1. General Approach . . . . . . . . . . . . . . . . . . . . . . . 3
2. Node Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1 Node Selection . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Node Capabilities . . . . . . . . . . . . . . . . . . . . . . 4
3. Addressing Issues . . . . . . . . . . . . . . . . . . . . . . 4
4. Routing Policy . . . . . . . . . . . . . . . . . . . . . . . . 4
4.1 All Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.2 Global Nodes . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.3 Local Nodes . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Failure Modes . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1 Global Node Failure . . . . . . . . . . . . . . . . . . . . . 5
5.2 Local Node Failure . . . . . . . . . . . . . . . . . . . . . . 6
5.3 Internal Node Failures . . . . . . . . . . . . . . . . . . . . 6
5.4 Routing Policy Failures . . . . . . . . . . . . . . . . . . . 6
6. Measurement and Management . . . . . . . . . . . . . . . . . . 7
6.1 Service Measurement . . . . . . . . . . . . . . . . . . . . . 7
6.2 Routing System Monitoring . . . . . . . . . . . . . . . . . . 7
6.3 Traffic Monitoring . . . . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations . . . . . . . . . . . . . . . . . . . 8
7.1 Distribution of Attack Traffic . . . . . . . . . . . . . . . . 8
7.2 Risk of Rogue Nodes . . . . . . . . . . . . . . . . . . . . . 8
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 9
Abley [Page 2]
�
Hierarchical Anycast March 2003
1. General Approach
Sets of host and network components which are capable of autonomously
providing the service to be distributed are deployed in physically
and topologically diverse points of the Internet. Each set of
components is referred to as a "node" in this document.
The services being distributed are associated with particular IP
addresses. Supernet routes which cover those IP addresses ("service
supernets" in this document) are injected into the global routing
system by each node. Request datagrams from clients of the
distributed services are routed to exactly one node, where they are
processed. This general approach is in common use, and is generally
known as "anycast".
This document refines the general anycast technique described above
by imposing additional structure on the routing policy associated
with different nodes. This allows very widespread service
distribution (very many nodes) and to allow nodes to be deployed
within regions with marginal network infrastructure without
sacrificing global stability of the service.
2. Node Hierarchy
Two classes of node are described in this document:
Global Nodes advertise their service supernets such that they are
propagated globally through the routing system (i.e. they
advertise them for transit), and hence potentially provide service
for the entire Internet.
Local Nodes advertise their service supernets such that the radius of
propagation in the routing system is limited, and hence provide
service for a contained local catchment area.
Global Nodes provide a baseline degree of proximity to the entire
Internet. Multiple global nodes are deployed to ensure that the
general availability of the service does not rely on the availability
or reachability of a single global node.
Local Nodes provide contained regions of optimisation. Clients within
the catchment area of a local node may have their queries serviced by
a Local Node, rather than one of the Global Nodes.
2.1 Node Selection
The desired algorithm for node selection by remote networks is for a
path to a Local Node to be chosen in preference to a path to a Global
Abley [Page 3]
�
Hierarchical Anycast March 2003
Node. A low-latency, uncongested path is preferred to a high-latency,
congested path.
The natural routing policy employed by network operators (in
combination with the route export policy from Local Nodes and Global
Nodes) approximates this behaviour.
2.2 Node Capabilities
Each deployed Global Node should be designed to handle a full, global
load of client requests. The catchment area of each Global Node is
large, and the stability of Global Nodes is correspondingly
important. Global Nodes should be well-connected and internally
resistent to failure.
Each deployed Local Node should be designed and scaled to handle a
full load of client requests from its local catchment area. The
performance, internal robustness and connectivity requirements of
Local Nodes are less than those of Global Nodes; however, it is
important for clients within the catchment of a Local Node that the
availability of the service that node is stable (i.e. it does not
oscillate, causing undue instability in the local routing system).
3. Addressing Issues
Availability of a service is signalled to the routing system by a
node using BGP; a supernet which covers the service address is
advertised to other ASes. Care should be taken to ensure that:
o addresses within the advertised supernet which do not correspond
to anycast services are unused, and
o the advertised supernet is chosen such that its propagation is not
blocked by common BGP filters used by ISPs.
4. Routing Policy
4.1 All Nodes
Each node advertises a consistent set of service supernets, each with
a consistent origin AS. The length of the AS_PATH attribute of
advertisements made to external networks by all nodes should be the
same.
4.2 Global Nodes
Global Nodes should be provisioned with a rich set of transit
Abley [Page 4]
�
Hierarchical Anycast March 2003
providers and local peers, in order to make them highly reachable to
the entire Internet.
4.3 Local Nodes
The desired routing policy for a Local Node is one which allows the
service supernets to propagate within a local catchment area, but
which does not allow them to propagate globally. This policy is
important since Local Nodes will typically not have the network
connectivity or server capability required for a global load of
queries.
Local Nodes advertise service supernets to external networks as
peers, and not for transit. An AS which receives a route from a peer
should advertise it to their customers, but not to any other peer or
transit provider. If all adjacent ASes to the Local Node accept the
service supernet advertisements as they would a route from a peer,
the desired route policy of the Local Node is achieved.
This approach distributes the enforcement of the desired propagation
policy amongst a set of peer networks, and an operational problem in
any one of those networks might lead to the service supernets being
leaked beyond their intended propagation radius. The probability of
such failures increases with the number of peers of a Local Node.
This is not a desirable scaling characteristic.
To reduce the possibility of the service subnet being leaked, Local
Nodes advertise service supernets to peers with the well-known
"no-export" BGP community attribute. The default behaviour of the
peer's routers should be to suppress advertisements of the prefixes
to any other AS; this should reduce the chance that service supernets
are accidentally leaked, since the "no-export" community is handled
automatically by most vendors.
In some cases, the default policy imposed by the "no-export"
community attribute may limit the catchment area of a Local Node to
an extent which is draconian and undesirable. Peers may choose to
strip the "no-export" community and apply other appropriate local
policy; however, it is highly desirable that this activity is
coordinated with the node operator, so that the expected propagation
of service supernets is well-known.
5. Failure Modes
5.1 Global Node Failure
In the event of a failure of a Global Node, traffic which had been
handled by that Global Node will shift to another Global Node, if one
Abley [Page 5]
�
Hierarchical Anycast March 2003
is available. Clients whose requests are serviced by other nodes will
see zero impact. Clients of the failed Global Node may experience
short-term service disruption as the routing system converges.
5.2 Local Node Failure
In the event of a failure of a Local Node, traffic which had been
handled by that local node will shift to a Global Node, if one is
available. Clients whose requests are serviced by other nodes will
see zero impact. Clients of the failed Local Node may experience
short-term service disruption as the routing system reconverges.
It is possible that the catchment areas of two or more Local Nodes
may overlap. Requests from a client located in the intersection of
these catchment areas will be serviced by exactly one Local Node; in
the event of a failure of that node, the client's request traffic may
well shift to one of the other Local Nodes available to the client.
For clients that are not within overlapping catchment areas, request
traffic will always shift to a Global Node in the event that the
Local Node fails, and never to another Local Node.
5.3 Internal Node Failures
Since a node will typically be constructed from a variety of
different host and network components, there is a possibility that a
partial node failure will occur; for example, hosts may fail due to
some software problem, while routers and switches remain operational.
The internal failure modes of the node should be considered carefully
in order that advertisement of service supernets ceases as soon as a
node is no longer able to respond to queries. A node which continues
to advertise service supernets without the internal capability to
service queries will deny service to clients within its catchment
area.
5.4 Routing Policy Failures
If a peer of a Local Node leaks the service supernet to peers and
transit providers, the catchment area of the Local Node may be
extended beyond the desired radius. This has the potential to deny
service to clients within the enlarged radius, as connectivity
between that new service region and the Local Node may not be
sufficient to handle the increased traffic load. Such leaks are not
uncommon in the Internet, due mainly to operator error but also in
some cases due to software faults in routers.
Certain precautions are taken to make it less likely that such leaks
will occur (see Section 4.3).
Abley [Page 6]
�
Hierarchical Anycast March 2003
The potential damage caused by such a leak can also be naturally
mitigated by a rich deployment of Global Nodes and other Local Nodes;
if clients within the enlarged propagation radius of the leaked
service supernet are better served by another node, the Local Node
leak will have no residual effect on the service as seen by those
clients.
A leak of a service supernet originating from a particular Local Node
may be eliminated by withdrawing the announcement of the service
supernet from that node. It may be appropriate to institute manual or
automated procedures to perform such an exercise in the event that a
leak is detected (see Section 6.2).
6. Measurement and Management
6.1 Service Measurement
Although each node is intended to be reached by a particular
community of clients, there is also a requirement to be able to reach
individual nodes in a predictable fashion for the purposes of systems
administration, and so that service performance can be monitored. For
this reason each node has a set of unique, unicast management
addresses associated with it.
Where interior connectivity connects all nodes (e.g. through a
private frame-relay management network) that internal network can be
used to provide management access to each node. Where interior
connectivity does not exist, each node may obtain transit from local
ISPs such that appropriate reachability to management addresses is
provided to each node through the Internet.
6.2 Routing System Monitoring
To detect routing policy failures due to leaked service supernets
(see Section 5.4) the global routing system should be measured in
appropriate places. It is recommended that the route propagation
policy for the service supernet is chosen such that origin node for a
particular advertisement are identifiable using attributes found in
the route such as AS_PATH or community strings in order to facilitate
the construction of a robust anomoly detection algorithm.
6.3 Traffic Monitoring
There may be additional benefits in monitoring traffic at each node
for a distributed service, in addition to the benefits of monitoring
traffic directed at a non-distributed service (see Section 7.1).
Abley [Page 7]
�
Hierarchical Anycast March 2003
7. Security Considerations
7.1 Distribution of Attack Traffic
Many Internet services attract malicious traffic. The distribution of
denial-of-service attack traffic along with non-malicious traffic
provides the following opportunities:
1. A denial-of-service attack launched from a single point on the
Internet will be routed to a single node. The potential impact on
the service due to a single-source attack is hence reduced, since
other nodes will be unaffected.
2. Distributed denial-of-service traffic may be routed to multiple
nodes. Depending on the extent of distribution of attack traffic
sources, and the degree to which attack traffic volume is limited
near its source, it is possible that the attack traffic received
by each node might be lower than that experienced by a
non-distributed service. In this case strain on the service
infrastructure is reduced, and the threshold of attack intensity
at which service damage occurs is raised.
3. For attacks which are performed using spoofed source addresses,
the pattern of incidence of attack traffic across multiple nodes
may give useful data to help triangulate the real source of the
attack traffic.
7.2 Risk of Rogue Nodes
The possibility that foreign Internet routers might advertise a
service supernet, constructing a rogue service node with which to
divert client queries, exists for all services, distributed and
non-distributed.
Distribution of services using anycast will tend to decrease the
possible catchment of such a rogue node, since the rogue node must
compete in the routing system with more paths to the service address
than would be the case for a non-distributed service. Careful
monitoring of the routing system will aid detection of rogue nodes
(see Section 6.2).
There is an increased risk, however, that a rogue node will be more
difficult to identify for a third party operator when a service is
distributed. Legitimate nodes may be added and removed by the service
operator quite regularly, and distinguishing between legitimate and
illegitimate changes is more difficult than simply noticing a new
path, or a new advertised prefix length.
Abley [Page 8]
�
Hierarchical Anycast March 2003
It is recommended that the community of operators interested in the
availability of particular services be kept informed of legitimate
routing policy changes, in order that rogue nodes can be more easily
identified.
8. Acknowledgements
Much of the material in this technical note is based on work done by
Stephen Stuart and Paul Vixie in providing anycast service for the F
root server.
Author's Address
Joe Abley
ISC
950 Charter Street
Redwood City, CA 94063
US
Phone: +1 519 641-4368
EMail: jabley@isc.org
Abley [Page 9]
�