1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
|
<pre>Internet Architecture Board (IAB) D. McPherson
Request for Comments: 7094 Verisign, Inc.
Category: Informational D. Oran
ISSN: 2070-1721 Cisco Systems
D. Thaler
Microsoft Corporation
E. Osterweil
Verisign, Inc.
January 2014
<span class="h1">Architectural Considerations of IP Anycast</span>
Abstract
This memo discusses architectural implications of IP anycast and
provides some historical analysis of anycast use by various IETF
protocols.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Architecture Board (IAB)
and represents information that the IAB has deemed valuable to
provide for permanent record. It represents the consensus of the
Internet Architecture Board (IAB). Documents approved for
publication by the IAB are not a candidate for any level of Internet
Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc7094">http://www.rfc-editor.org/info/rfc7094</a>.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
<span class="grey">McPherson, et al. Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
Table of Contents
<a href="#section-1">1</a>. Overview ........................................................<a href="#page-2">2</a>
<a href="#section-2">2</a>. Background ......................................................<a href="#page-3">3</a>
<a href="#section-2.1">2.1</a>. Anycast History ............................................<a href="#page-3">3</a>
<a href="#section-2.2">2.2</a>. Anycast in IPv6 ............................................<a href="#page-6">6</a>
<a href="#section-2.3">2.3</a>. DNS Anycast ................................................<a href="#page-6">6</a>
<a href="#section-2.4">2.4</a>. <a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a> on Operation of Anycast Services ...................<a href="#page-8">8</a>
<a href="#section-3">3</a>. Principles ......................................................<a href="#page-8">8</a>
<a href="#section-3.1">3.1</a>. Layering and Resiliency ....................................<a href="#page-8">8</a>
<a href="#section-3.2">3.2</a>. Anycast Addresses as Destinations ..........................<a href="#page-9">9</a>
<a href="#section-3.3">3.3</a>. Anycast Addresses as Sources ..............................<a href="#page-10">10</a>
<a href="#section-3.4">3.4</a>. Service Discovery .........................................<a href="#page-10">10</a>
<a href="#section-4">4</a>. Analysis .......................................................<a href="#page-11">11</a>
<a href="#section-4.1">4.1</a>. Regarding Widespread Anycast Use ..........................<a href="#page-11">11</a>
<a href="#section-4.2">4.2</a>. Transport Implications ....................................<a href="#page-11">11</a>
<a href="#section-4.3">4.3</a>. Stateful Firewalls, Middleboxes, and Anycast ..............<a href="#page-12">12</a>
<a href="#section-4.4">4.4</a>. Security Considerations ...................................<a href="#page-12">12</a>
<a href="#section-4.5">4.5</a>. Deployment Considerations .................................<a href="#page-15">15</a>
<a href="#section-5">5</a>. Conclusions ....................................................<a href="#page-16">16</a>
<a href="#section-6">6</a>. Acknowledgements ...............................................<a href="#page-16">16</a>
<a href="#section-7">7</a>. Informative References .........................................<a href="#page-16">16</a>
<a href="#appendix-A">Appendix A</a>. IAB Members at the Time of Approval ...................<a href="#page-21">21</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Overview</span>
IP anycast is a technique with a long legacy and interesting
engineering challenges. However, at its core, it is a relatively
simple concept. As described in <a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a> [<a href="./rfc4786" title=""Operation of Anycast Services"">RFC4786</a>], the general form
of IP anycast is the practice of making a particular Service Address
available in multiple, discrete, autonomous locations, such that
datagrams sent are routed to one of several available locations.
IP anycast is used for at least one critical Internet service: that
of the Domain Name System [<a href="./rfc1035" title=""Domain names - implementation and specification"">RFC1035</a>] root servers. By late 2007, at
least 10 of the 13 root name servers were already using IP anycast
[<a href="#ref-RSSAC29" title=""RSSAC 29 Meeting Minutes"">RSSAC29</a>]. Use of IP anycast is growing for other applications as
well. It has been deployed for over a decade for DNS resolution
services and is currently used by several DNS Top Level Domain (TLD)
operators. IP anycast is also used for other services in operational
environments, including Network Time Protocol (NTP) [<a href="./rfc5905" title=""Network Time Protocol Version 4: Protocol and Algorithms Specification"">RFC5905</a>]
services.
Anycast addresses are syntactically indistinguishable from unicast
addresses. Anycast addressing is equivalent to that of unicast in
multiple locations. Destination-based routing does best-effort
delivery of a packet to one interface among the set of interfaces
asserting reachability for the address. The expectation of delivery
<span class="grey">McPherson, et al. Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
is to the "closest" instance as determined by unicast routing
topology metric(s), and there is also a possibility that various
load-balancing techniques (e.g., per-packet, per-microflow) may be
used among multiple equal-cost routes to distribute load for an
anycasted prefix.
Unlike IP unicast, it is not considered an error to assert the same
anycast address on multiple interfaces within the same or multiple
systems.
When IP anycast is employed, many pitfalls and subtleties exist with
applications and transports as well as for routing configuration and
operation. In this document, we aim to capture many of the
architectural implications of IP anycast.
<a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a> [<a href="./rfc4786" title=""Operation of Anycast Services"">RFC4786</a>] discusses several different deployment models with
IP anycast. Two additional distinctions beyond that document involve
"off-link anycast" and "on-link anycast". "Off-link anycast" takes
advantage of routing protocol preferences and the IP hop-by-hop
destination-based forwarding paradigm in order to direct packets to
the "closest" destination. This is the traditional method of anycast
largely considered in <a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a> [<a href="./rfc4786" title=""Operation of Anycast Services"">RFC4786</a>] and can be used for IPv4 and
IPv6. "On-link anycast" is the formal support of anycast in the
address resolution (duplicate address detection) protocol and is only
standardized for IPv6, with the introduction of designated anycast
addresses on the anycasted hosts, and the Override flag in Neighbor
Discovery (ND) Neighbor Advertisements (NAs) [<a href="./rfc4861" title=""Neighbor Discovery for IP version 6 (IPv6)"">RFC4861</a>]. There is no
standardized mechanism for this in IPv4.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Background</span>
As of this writing, the term "anycast" appears in 176 RFCs and 144
active Internet-Drafts. The following sections capture some of the
key appearances and discussion of anycasting within the IETF over the
years.
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Anycast History</span>
The first formal specification of anycast was provided in "Host
Anycasting Service" [<a href="./rfc1546" title=""Host Anycasting Service"">RFC1546</a>]. The authors of this document did a
good job of capturing most of the issues that exist with IP anycast
today.
One of the first documented uses of anycast was in 1994 for a "Video
Registry" experiment [<a href="#ref-IMR9401" title=""INTERNET MONTHLY REPORT"">IMR9401</a>]. In the experiment, a UDP query was
transmitted to an anycasted address to locate the topologically
closest "supposedly equivalent network resource":
<span class="grey">McPherson, et al. Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
A video resource (for example, a catalog server that lists
available video clips) sends an anycast UDP datagram to locate the
nearest video registry. At most one registry responds with a
unicast UDP datagram containing the registry's IP address. Said
resource then opens a TCP connection to that [the received
registry address] address and sends a request to register itself.
Every 5 minutes or so, each registry multicasts to all other
registries all of the resources it knows from local registration
requests. It also immediately announces newly registered
resources. Remotely registered resources not heard about for 20
minutes are dropped.
There is also discussion that ISPs began using anycast for DNS
resolution services around the same time, although no public
references to support this are available.
In 1997, the IAB clarified that IPv4 anycast addresses were pure
"locators" and could never serve as "identifiers" of hosts or
interfaces [<a href="./rfc2101" title=""IPv4 Address Behaviour Today"">RFC2101</a>].
In 1998, the IAB conducted a routing workshop [<a href="./rfc2902" title=""Overview of the 1998 IAB Routing Workshop"">RFC2902</a>]. Of the
conclusions and output action items from the report, an Anycast
section is contained in <a href="#section-2.10.3">Section 2.10.3</a>. Specifically called out is
the need to describe the advantages and disadvantages of anycast and
the belief that local-scoped well-known anycast addresses will be
useful to some applications. In the subsequent section, an action
item was outlined that suggested a BOF should be held to plan work on
anycast, and if a working group forms, a paper on the advantages and
the disadvantages of anycast should be included as part of the
charter.
As a result of the recommendation in [<a href="./rfc2902" title=""Overview of the 1998 IAB Routing Workshop"">RFC2902</a>], an Anycast BOF
[<a href="#ref-ANYCASTBOF">ANYCASTBOF</a>] was held at IETF 46 in November of 1999. A number of
uses for anycast were discussed. No firm conclusion was reached
regarding use of TCP with anycasted services. However, it was
observed that anycasting was useful for DNS, although it did
introduce some new complexities. The use of global anycast was not
expected to scale (see <a href="#section-4.1">Section 4.1</a> below for more discussion) and,
hence, was expected to be limited to a small number of key uses.
In 2001, the Multicast and Anycast Group Membership [<a href="#ref-MAGMA" title=""Multicast and Anycast Group Membership (MAGMA)"">MAGMA</a>] WG was
chartered to address host-to-router signaling, including initial
authentication and access control issues for multicast and anycast
group membership, but other aspects of anycast, including
architecture and routing, were outside the group's scope.
<span class="grey">McPherson, et al. Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
Simple Network Time Protocol (SNTP) Version 4 [<a href="./rfc2030" title=""Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI"">RFC2030</a>] defined how
to use SNTP anycast for server discovery. This was extended in
[<a href="./rfc4330" title=""Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI"">RFC4330</a>] as an NTP-specific "manycast" service, in which anycast was
used for the discovery part.
IPv6 defined some reserved subnet anycast addresses [<a href="./rfc2526" title=""Reserved IPv6 Subnet Anycast Addresses"">RFC2526</a>] and
assigned one to "Mobile IPv6 Home-Agents" [<a href="./rfc3775" title=""Mobility Support in IPv6"">RFC3775</a>] (obsoleted by
[<a href="./rfc6275" title=""Mobility Support in IPv6"">RFC6275</a>]).
The original IPv6 transition mechanism [<a href="./rfc2893" title=""Transition Mechanisms for IPv6 Hosts and Routers"">RFC2893</a>] made use of IPv4
anycast addresses as tunnel endpoints for IPv6 encapsulated in IPv4,
but this was later removed [<a href="./rfc4213" title=""Basic Transition Mechanisms for IPv6 Hosts and Routers"">RFC4213</a>]. The 6to4 tunneling protocol
[<a href="./rfc3056" title=""Connection of IPv6 Domains via IPv4 Clouds"">RFC3056</a>] was augmented by a 6to4 relay anycast prefix [<a href="./rfc3068" title=""An Anycast Prefix for 6to4 Relay Routers"">RFC3068</a>] in a
move aimed at simplifying the configuration of 6to4 routers.
Incidentally, 6to4 deployment has shown a fair number of operational
and security issues [<a href="./rfc3964" title=""Security Considerations for 6to4"">RFC3964</a>] that result from using anycast as a
discovery mechanism. Specifically, one inference is that operational
consideration is needed to ensure that anycast addresses get
advertised and/or filtered in a way that produces the intended scope
(e.g., only advertise a route for your 6to4 relay to Autonomous
Systems (ASes) that conform to your own acceptable usage policy), an
attribute that can easily become quite operationally expensive.
In 2002, DNS' use of anycast was first specified in "Distributing
Authoritative Name Servers via Shared Unicast Addresses" [<a href="./rfc3258" title=""Distributing Authoritative Name Servers via Shared Unicast Addresses"">RFC3258</a>].
It is notable that it used the term "shared unicast address" rather
than "anycast address" for the service. This distinction was made
due to the IPv6 differentiation in the on-link model. "Shared
unicast" addresses are unicast (not multicast) in the IPv6 model and,
therefore, support the off-link anycast model (described earlier) but
not the on-link anycast model. At the same time, site-local-scoped
well-known addresses began being used for recursive resolvers
[<a href="#ref-DNS-DISC" title=""Well known site local unicast addresses for DNS resolver"">DNS-DISC</a>], but this use was never standardized (see below in
<a href="#section-3.4">Section 3.4</a> for more discussion).
Anycast was used for routing to rendezvous points (RPs) for PIM
[<a href="./rfc4610" title=""Anycast-RP Using Protocol Independent Multicast (PIM)"">RFC4610</a>].
"Operation of Anycast Services" <a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a> [<a href="./rfc4786" title=""Operation of Anycast Services"">RFC4786</a>] deals with how the
routing system interacts with anycast services and the operation of
anycast services.
"Requirements for a Mechanism Identifying a Name Server Instance"
[<a href="./rfc4892" title=""Requirements for a Mechanism Identifying a Name Server Instance"">RFC4892</a>] cites the use of anycast with DNS as a motivation to
identify individual name server instances, and the Name Server ID
(NSID) option was defined for this purpose [<a href="./rfc5001" title=""DNS Name Server Identifier (NSID) Option"">RFC5001</a>]. One could view
<span class="grey">McPherson, et al. Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
the addition of NSID as an incarnation of locator and identifier
separation (where the anycast address is a locator and the NSID is an
identifier).
The IAB's "Reflections on Internet Transparency" [<a href="./rfc4924" title=""Reflections on Internet Transparency"">RFC4924</a>] briefly
mentions how violating transparency can also damage global services
that use anycast.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Anycast in IPv6</span>
Originally, the IPv6 addressing architecture [<a href="./rfc1884" title=""IP Version 6 Addressing Architecture"">RFC1884</a>] [<a href="./rfc2373" title=""IP Version 6 Addressing Architecture"">RFC2373</a>]
[<a href="./rfc3513" title=""Internet Protocol Version 6 (IPv6) Addressing Architecture"">RFC3513</a>] severely restricted the use of anycast addresses. In
particular, the architecture provided that anycast addresses must not
be used as source addresses and must not be assigned to IPv6 hosts
(i.e., only routers). These restrictions were later lifted in 2006
[<a href="./rfc4291" title=""IP Version 6 Addressing Architecture"">RFC4291</a>].
In fact, the more recent "IPv6 Transition/Co-existence Security
Considerations" [<a href="./rfc4942" title=""IPv6 Transition/ Co-existence Security Considerations"">RFC4942</a>] overview now recommends:
To avoid exposing knowledge about the internal structure of the
network, it is recommended that anycast servers now take advantage
of the ability to return responses with the anycast address as the
source address if possible.
As discussed in the Overview, "on-link anycast" is employed expressly
in IPv6 via ND NAs; see <a href="./rfc4861#section-7.2.7">Section 7.2.7 of [RFC4861]</a> for additional
information.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. DNS Anycast</span>
"Distributed Authoritative Name Servers via Shared Unicast Addresses"
[<a href="./rfc3258" title=""Distributing Authoritative Name Servers via Shared Unicast Addresses"">RFC3258</a>] described how to reach authoritative name servers using
multiple unicast addresses, each one configured on a different set of
servers. It stated in <a href="#section-2.3">Section 2.3</a>:
This document presumes that the usual DNS failover methods are the
only ones used to ensure reachability of the data for clients. It
does not advise that the routes be withdrawn in the case of
failure; it advises instead that the DNS process shutdown so that
servers on other addresses are queried. This recommendation
reflects a choice between performance and operational complexity.
While it would be possible to have some process withdraw the route
for a specific server instance when it is not available, there is
considerable operational complexity involved in ensuring that this
occurs reliably. Given the existing DNS failover methods, the
marginal improvement in performance will not be sufficient to
justify the additional complexity for most uses.
<span class="grey">McPherson, et al. Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
In anycast more generally, most anycast benefits cannot be realized
without route withdrawals, since traffic will continue to be directed
to the link with the failed server. When multiple unicast addresses
are used with different sets of servers, a client can still fail over
to using a different server address and, hence, a different set of
servers. There can still be reliability problems, however, when each
set contains a failed server. If all servers in the same set are on
the same subnet, such problems could be minimized where address
resolution within the subnet will cause traffic to go to an available
server.
Other assertions included:
o It asserted (as an advantage) that no routing changes were needed.
o It recommended stopping DNS processes rather than withdrawing
routes to deal with failures, data synchronization issues, and
failover, as provided in the quoted text above. The spirit of
this advice was that DNS resolvers may (indeed) reach out and
query unavailable DNS name servers, but as their queries time out,
they will elect to pin themselves to other server addresses and,
hence, different servers.
o It argued that failure modes involving state were not serious,
because:
* the vast majority of DNS queries are UDP
* large routing metric disparity among authoritative server
instances would localize queries to a single instance for most
clients
* when the resolver tries TCP and it breaks, the resolver will
try to move to a different server address. In order to ensure
that this is possible, it is important that the DNS zone be
configured with multiple server addresses for different sets of
name servers. The advice given in Section 3.3 of [<a href="#ref-DNS-DISC" title=""Well known site local unicast addresses for DNS resolver"">DNS-DISC</a>]
describes, in more detail, why using multiple addresses is
important.
"Unique Per-Node Origin ASNs for Globally Anycasted Services"
[<a href="./rfc6382" title=""Unique Origin Autonomous System Numbers (ASNs) per Node for Globally Anycasted Services"">RFC6382</a>] makes recommendations regarding the use of per-node unique
origin Autonomous System Numbers (ASNs) for globally anycasted
critical infrastructure services in order to provide routing system
discriminators for a given anycasted prefix. The object was to allow
network management and monitoring techniques, or other operational
<span class="grey">McPherson, et al. Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
mechanisms to employ this new origin AS as a discriminator in
whatever manner fits their operating environment, either for
detection or policy associated with a given anycasted node.
<span class="h3"><a class="selflink" id="section-2.4" href="#section-2.4">2.4</a>. <a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a> on Operation of Anycast Services</span>
"Operation of Anycast Services" <a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a> [<a href="./rfc4786" title=""Operation of Anycast Services"">RFC4786</a>] was a product of
the IETF's GROW working group. The primary design constraint
considered was that routing "be stable" for significantly longer than
a "transaction time", where "transaction time" is loosely defined as
"a single interaction between a single client and a single server".
It takes no position on what applications are suitable candidates for
anycast usage.
Furthermore, it views anycast service disruptions as an operational
problem: "Operators should be aware that, especially for long running
flows, there are potential failure modes using anycast that are more
complex than a simple 'destination unreachable' failure using
unicast".
The document primarily deals with global Internet-wide services
provided by anycast. Where internal topology issues are discussed,
they're mostly regarding routing implications rather than application
design implications. <a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a> also views networks employing
per-packet load balancing on equal cost paths as "pathological".
This was also discussed in [<a href="./rfc2991" title=""Multipath Issues in Unicast and Multicast Next-Hop Selection"">RFC2991</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Principles</span>
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Layering and Resiliency</span>
Preserving the integrity of a modular layered design for IP protocols
on the Internet is critical to its continued success and flexibility.
One such consideration is that of whether an application should have
to adapt to changes in the routing system.
Applications should make minimal assumptions about routing stability,
just as they should make minimal assumptions about congestion and
packet loss. When designing applications, it would perhaps be safe
to assume that the routing system may deliver each anycast packet to
a different service instance, in any pattern, with temporal
reordering being a not-so-rare phenomenon.
Most stateful transport protocols (e.g., TCP), without modification,
do not understand the properties of anycast; hence, they will fail
probabilistically, but possibly catastrophically, when using anycast
addresses in the presence of "normal" routing dynamics.
Specifically, if datagrams associated with a given active transaction
<span class="grey">McPherson, et al. Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
are routed to a new anycasted end system and that end system lacks
state data associated with the active transaction, the session will
be reset; hence, it will need to be reinitiated. As another example,
different networks have different routing properties and therefore
will experience problems under different conditions. This can lead
to a protocol working fine in, say, a test lab but not in the global
Internet.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Anycast Addresses as Destinations</span>
When an anycast address is used as a destination address, different
packets with the same destination IP address may reach different
destination hosts, even if the packets are generated by the same
source host. Anycast addresses are thus "safe" to use as destination
addresses for an application if the following design points are all
met:
o A request message or "one shot" message is self-contained in a
single transport packet.
o A stateless transport (e.g., UDP) is used for the above.
o Replies are always sent to a unicast address; these can be
multipacket since the unicast destination is presumed to be
associated with a single "stable" end system and not an anycasted
source address. Note that this constrains the use of anycast as
source addresses in request messages, since reply messages sent
back to that address may reach a device that was not the source
that initially triggered it.
o The server side of the application keeps no hard state across
requests.
o Retries are idempotent; in addition to not assuming server state,
they do not encode any assumptions about loss of requests versus
loss of replies.
It is noteworthy, though, that even under the above circumstances
ICMP messages against packets with anycast source addresses may be
routed to servers other than those expected. In addition, Path
Maximum Transmission Unit Discovery (PMTUD) can encounter
complications when employed against anycast addresses, since
iterations in the PMTU discovery process may have packets routed to
different anycast service instances.
<span class="grey">McPherson, et al. Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Anycast Addresses as Sources</span>
When an anycast address is used as a source address, the source
address does not uniquely identify the source host; hence, replies
might be sent to a different host. As noted earlier, this concept is
sometimes referred to (e.g., in [<a href="./rfc3258" title=""Distributing Authoritative Name Servers via Shared Unicast Addresses"">RFC3258</a>]) as a "shared unicast
address". Anycast addresses are "safe" to use as source addresses
for an application if all of the following design points are met:
o No response message is generated by the receiver with the anycast
source used as a destination unless the application has some
private state synchronization that allows for the response message
arriving at a different instance.
o The source anycast address is reachable via the interface address
if unicast reverse path forwarding (RPF) [<a href="./rfc4778" title=""Operational Security Current Practices in Internet Service Provider Environments"">RFC4778</a>] checking is on,
or the service address is explicitly provisioned to bypass RPF
checks. In addition to the application defined in <a href="./rfc4778#section-4.4.5">[RFC4778],
Section 4.4.5</a> of <a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a> [<a href="./rfc4786" title=""Operation of Anycast Services"">RFC4786</a>] gives explicit consideration to
RPF checks in anycasting operations.
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. Service Discovery</span>
Applications able to tolerate an extra round-trip time (RTT) to learn
a unicast destination address for multipacket exchanges might safely
use anycast destination addresses for service instance discovery.
For example, "instance discovery" messages are sent to an anycast
destination address, and a reply is subsequently sent from the unique
unicast source address of the interface that received the discovery
message, or a reply is sent from the anycast source address of the
interface that received the message, containing the unicast address
to be used to invoke the service. Only the latter of these will
avoid potential NAT binding and stateful firewall issues.
[<a id="ref-DNS-DISC">DNS-DISC</a>] discussed several options to address the need to configure
DNS servers, including the use of a "Well-known Anycast Address" for
recursive DNS service configuration in clients to ease configuration
and allow those systems to ship with these well-known addresses
configured "from the beginning, as, say, factory default". The
proposal was later dropped, but the analysis was used in publishing
[<a href="./rfc4339" title=""IPv6 Host Configuration of DNS Server Information Approaches"">RFC4339</a>].
After the final round of revisions to [<a href="#ref-DNS-DISC" title=""Well known site local unicast addresses for DNS resolver"">DNS-DISC</a>] was made, [<a href="./rfc4339" title=""IPv6 Host Configuration of DNS Server Information Approaches"">RFC4339</a>]
was published with a very similar focus and overlapping content. The
difference was that the writing in [<a href="./rfc4339" title=""IPv6 Host Configuration of DNS Server Information Approaches"">RFC4339</a>] focused on analysis,
while [<a href="#ref-DNS-DISC" title=""Well known site local unicast addresses for DNS resolver"">DNS-DISC</a>] covered both the analysis and a specific proposal.
The proposal details were removed in what became [<a href="./rfc4339" title=""IPv6 Host Configuration of DNS Server Information Approaches"">RFC4339</a>] although
<a href="#section-3.3">Section 3.3</a> of that RFC still discusses the approach of using a
<span class="grey">McPherson, et al. Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
well-known anycast address in this scenario. During publication, the
IESG requested that the following "IESG Note" be contained in the
document:
This document describes three different approaches for the
configuration of DNS name resolution server information in IPv6
hosts.
There is not an IETF consensus on which approach is preferred.
The analysis in this document was developed by the proponents for
each approach and does not represent an IETF consensus.
The 'RA option' and 'Well-known anycast' approaches described in
this document are not standardized. Consequently the analysis for
these approaches might not be completely applicable to any
specific proposal that might be proposed in the future.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Analysis</span>
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Regarding Widespread Anycast Use</span>
Widespread use of anycast for global Internet-wide services or
inter-domain services has some scaling challenges. Similar in ways
to multicast, each service generates at least one unique route in the
global BGP routing system. As a result, additional anycast instances
result in additional paths for a given prefix, which scales
super-linearly as a function of denseness of inter-domain
interconnection within the routing system (i.e., more paths result in
more resources, more network interconnections result in more paths).
This is why the Anycast BOF concluded that "the use of global anycast
addresses was not expected to scale and hence was expected to be
limited to a small number of key uses".
However, one interesting note is that multiple anycast services can
share a route if they are all located in a single announced prefix
and if all the servers of all the services are always collocated. If
the announced prefix is aggregated differently in different locations
though, longest-match routing might result in some anycast locations
being unreachable. Hence, extra precaution must be taken when
aggregating prefixes used by anycast services.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Transport Implications</span>
UDP is the "lingua franca" for anycast today. Stateful transports
could be enhanced to be more anycast friendly. This was anticipated
in Host Anycasting Services [<a href="./rfc1546" title=""Host Anycasting Service"">RFC1546</a>], specifically:
<span class="grey">McPherson, et al. Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
The solution to this problem is to only permit anycast addresses
as the remote address of a TCP SYN segment (without the ACK bit
set). A TCP can then initiate a connection to an anycast address.
When the SYN-ACK is sent back by the host that received the
anycast segment, the initiating TCP should replace the anycast
address of its peer, with the address of the host returning the
SYN-ACK. (The initiating TCP can recognize the connection for
which the SYN-ACK is destined by treating the anycast address as a
wildcard address, which matches any incoming SYN-ACK segment with
the correct destination port and address and source port, provided
the SYN-ACK's full address, including source address, does not
match another connection and the sequence numbers in the SYN-ACK
are correct.) This approach ensures that a TCP, after receiving
the SYN-ACK is always communicating with only one host.
The reason for such considerations can be illustrated through an
example: one operationally observed shortcoming of using the
Transmission Control Protocol (TCP) [<a href="./rfc0793" title=""Transmission Control Protocol"">RFC0793</a>] and anycast nodes in
DNS is that even during the TCP connection establishment, IP control
packets from a DNS client may initially be routed to one anycast
instance, but subsequent IP packets may be delivered to a different
anycast instance if (for example) a route has changed. In such a
case, the TCP connection will likely elicit a connection reset but
will certainly result in the disruption of the connection.
Multi-address transports (e.g., SCTP) might be more amenable to such
extensions than TCP.
The features needed for address discovery when doing multihoming in
the transport layer are similar to those needed to support anycast.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Stateful Firewalls, Middleboxes, and Anycast</span>
Middleboxes (e.g., NATs) and stateful firewalls cause problems when
used in conjunction with some ways to use anycast. In particular, a
server-side transition from an anycast source IP address to a unique
unicast address may require new or additional session state, and this
may not exist in the middlebox, as discussed previously in
<a href="#section-3.4">Section 3.4</a>.
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. Security Considerations</span>
Anycast is often deployed to mitigate or at least localize the
effects of distributed denial-of-service (DDoS) attacks. For
example, with the Netgear NTP fiasco [<a href="./rfc4085" title=""Embedding Globally-Routable Internet Addresses Considered Harmful"">RFC4085</a>] anycast was used in a
distributed sinkhole model [<a href="./rfc3882" title=""Configuring BGP to Block Denial-of-Service Attacks"">RFC3882</a>] to mitigate the effects of
embedded globally routed Internet addresses in network elements.
<span class="grey">McPherson, et al. Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
"Internet Denial-of-Service Considerations" [<a href="./rfc4732" title=""Internet Denial-of- Service Considerations"">RFC4732</a>] notes that: "A
number of the root nameservers have since been replicated using
anycast to further improve their resistance to DoS".
"Operation of Anycast Services" <a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a> [<a href="./rfc4786" title=""Operation of Anycast Services"">RFC4786</a>] cites DoS
mitigation, constraining DoS to localized regions, and identifying
attack sources using spoofed addresses as some motivations to deploy
services using anycast. Multiple anycast service instances such as
those used by the root name servers also add resiliency when network
partitioning occurs (e.g., as the result of transoceanic fiber cuts
or natural disasters).
When using anycast, care must be taken not to simply withdraw an
anycast route in the presence of a sustained DoS attack, since the
result would simply move the attack to another service instance,
potentially causing a cascaded failure. Anycast adds resiliency when
such an attack is instead constrained to a single service instance.
It should be noted that there is a significant man-in-the-middle
(MITM) exposure in either variant of anycast discovery (see
<a href="#section-3.4">Section 3.4</a>) that, in many applications, may necessitate the need for
end-to-end security models (e.g., using IPsec [<a href="./rfc6071" title=""IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap"">RFC6071</a>] or even
DNSSEC [<a href="./rfc4033" title=""DNS Security Introduction and Requirements"">RFC4033</a>]) that enable end systems to authenticate one
another, or the data itself.
However, when considering the above suggestion of enabling end
systems to authenticate each other, a potential complication can
arise. If the service nodes of an anycast deployment are
administered by separate authorities, any server-side authentication
credentials that are used must (necessarily) be shared across the
administrative boundaries in the anycast deployment. This would
likely also be the case with Secure Neighbor Discovery, described in
[<a href="./rfc5909" title=""Securing Neighbor Discovery Proxy: Problem Statement"">RFC5909</a>].
Furthermore, as discussed earlier in this document, operational
consideration needs to be given to ensure that anycast addresses get
advertised and/or filtered in a way that produces intended scope (for
example, only advertise a route to your 6to4 relay to ASes that
conform to your own Acceptable Use Policy (AUP)). This seems to be
operationally expensive, and is often vulnerable to errors outside of
the local routing domain, in particular when anycasted services are
deployed with the intent to scope associated announcements within
some local or regional boundary.
As previously discussed, [<a href="./rfc6382" title=""Unique Origin Autonomous System Numbers (ASNs) per Node for Globally Anycasted Services"">RFC6382</a>] makes recommendations regarding
the use of per-node unique origin ASNs for globally anycasted
critical infrastructure services in order to provide routing system
discriminators for a given anycasted prefix. Network management and
<span class="grey">McPherson, et al. Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
monitoring techniques, or other operational mechanisms, may then
employ this new discriminator in whatever manner fits their operating
environment, for either detection or policy associated with a given
anycasted node.
Moreover, the use of per-node unique origin ASNs has the additional
benefit of overcoming complications that might arise with the
potential deployment of the Resource Public Key Infrastructure (RPKI)
[<a href="./rfc6480" title=""An Infrastructure to Support Secure Internet Routing"">RFC6480</a>]. Without per-node unique origin ASNs, the cryptographic
certificates needed to attest to the Route Origin Authorizations
(ROAs) of a multi-administrative deployment of anycast would need to
be shared. However, if each service instance has a separate ASN,
then those ASNs can be managed separately in the RPKI.
Unlike multicast (but like unicast), anycast allows traffic stealing.
That is, with multicast, joining a multicast group doesn't prevent
anyone else who was receiving the traffic from continuing to receive
the traffic. With anycast, adding an anycasted node to the routing
system can prevent a previous recipient from continuing to receive
traffic because it may now be delivered to the new node instead. As
such, if an unauthorized anycast node can inject a route into the
network, or be resolved using ARP/Neighbor Discovery on a link with
an authorized anycast node, traffic can be diverted thereby
triggering DoS or other attacks. <a href="https://www.rfc-editor.org/bcp/bcp126#section-6.3">Section 6.3 of BCP 126</a> [<a href="./rfc4786" title=""Operation of Anycast Services"">RFC4786</a>]
provides expanded discussion on "Service Hijacking" and "traffic
stealing", and [<a href="#ref-FanInfocom13">FanInfocom13</a>] discusses measured instances of anycast
nodes and "benign masquerading or hostile hijacking of anycast
services", by unauthorized nodes.
Unlike unicast (but like multicast), the desire is to allow
applications to cause route injection. In multicast, one often
allows arbitrary applications on hosts to join multicast groups,
resulting in multicast routing state. Trying to apply that same
model to anycast would present new security concerns, which is why
[<a href="#ref-MAGMA" title=""Multicast and Anycast Group Membership (MAGMA)"">MAGMA</a>] only got so far. The security concerns include:
1. Allowing route injection can cause DOS to a legitimate address
owner.
2. Allowing route injection consumes routing resources and can hence
cause DOS to the routing system and impact legitimate
communications as a result.
These are two of the core issues that were part of the discussion
during [<a href="./rfc1884" title=""IP Version 6 Addressing Architecture"">RFC1884</a>], the [<a href="#ref-ANYCASTBOF">ANYCASTBOF</a>], and the MAGMA [<a href="#ref-MAGMA" title=""Multicast and Anycast Group Membership (MAGMA)"">MAGMA</a>] chartering.
Additional security considerations are scattered throughout the list
of references provided herein.
<span class="grey">McPherson, et al. Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
<span class="h3"><a class="selflink" id="section-4.5" href="#section-4.5">4.5</a>. Deployment Considerations</span>
<a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a> [<a href="./rfc4786" title=""Operation of Anycast Services"">RFC4786</a>] provides some very solid guidance related to
operations of anycasted services and, in particular, the operations
of DNS.
This document covers issues associated with the architectural
implications of anycast. This document does not address, in any
depth, the fact that there are deployed services with TCP transport
using anycast today. Evidence exists to suggest that such practice
is not "safe" in the traditional and architectural sense (as
described in <a href="#section-4.2">Section 4.2</a>). These sorts of issues are indeed
relative, and we recognize sometimes unpredictability in the routing
system beyond the local administrative domain can be manageable.
That is, despite the inherent architectural problems in the use of
anycast with stateful transport and connection-oriented protocols,
there is expanding deployment (e.g., for content distribution
networks) and situations exist where it may make sense (e.g., such as
with service discovery, short-lived transactions, or in cases where
dynamically directing traffic to topologically optimal service
instances is required). In general, operators should consider the
content and references provided herein and evaluate the benefits and
implications of anycast in their specific environments and
applications.
In addition, (as noted in <a href="#section-2.3">Section 2.3</a>) the issue of whether to
withdraw anycast routes when there is a service failure is only
briefly broached in [<a href="./rfc3258" title=""Distributing Authoritative Name Servers via Shared Unicast Addresses"">RFC3258</a>]. The advice given is that routes
should not be withdrawn, in order to reduce operational complexity.
However, the issue of route advertisements and service outages
deserves greater attention.
There is an inherent trade-off that exists between the operational
complexity of matching service outages with anycast route
withdrawals, and allowing anycast routes to persist for services that
are no longer available. [<a href="./rfc3258" title=""Distributing Authoritative Name Servers via Shared Unicast Addresses"">RFC3258</a>] maintains that DNS' inherent
failure recovery mechanism is sufficient to overcome failed nodes,
but even this advice enshrines the notion that these decisions are
both application-specific and subject to the operational needs of
each deployment. For example, the routing system plays a larger role
in DNS when services are anycast. Therefore, operational
consideration must be given to the fact that relying on anycast for
DNS deployment optimizations means that there are operational trade-
offs related to keeping route advertisements (and withdrawals)
symmetric with service availability. For example, in order to ensure
that the DNS resolvers in a failed anycast instance's catchment
[<a href="./rfc4786" title=""Operation of Anycast Services"">RFC4786</a>] are able to fail over and reach a non-failed catchment, a
route withdrawal is almost certainly required. On the other hand,
<span class="grey">McPherson, et al. Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
instability of a DNS process that triggers frequent route
advertisement and withdrawal might result in suppression of
legitimate paths to available nodes, e.g., as a result of route flap
damping [<a href="./rfc2439" title=""BGP Route Flap Damping"">RFC2439</a>].
Rather than prescribing advice that attempts to befit all situations,
it should simply be recognized that when using anycast with network
services that provide redundancy or resilience capabilities at other
layers of the protocol stack, operators should carefully consider the
optimal layer(s) at which to provide said functions.
As noted in <a href="#section-2.3">Section 2.3</a>, use of anycast within a subnet does not
necessarily suffer from the potential issues with route withdrawals.
As such, use of anycast to reach servers that reside in the same
subnet can be made more reliable than use of anycast to reach
topologically disparate server instances. Within a subnet, however,
care must be taken as stated in <a href="./rfc4862#section-5.4">Section 5.4 of [RFC4862]</a>, "Duplicate
Address Detection MUST NOT be performed on anycast addresses"; hence,
the servers must be configured appropriately.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Conclusions</span>
In summary, operators and application vendors alike should consider
the benefits and implications of anycast in their specific
environments and applications and also give forward consideration to
how new network protocols and application functions may take
advantage of anycast or how they may be negatively impacted if
anycasting is employed.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Acknowledgements</span>
Many thanks to Kurtis Lindqvist for his early review and feedback on
this document. Thanks to Brian Carpenter, Alfred Hoenes, and Joe
Abley for their usual careful review and feedback, as well as Mark
Smith, Lixia Zhang, Stephane Bortzmeyer, Masataka Ohta, and S.
Moonesamy for their detailed reviews. Helpful feedback was also
received from others including Edward Lewis, Jean-Michel Combes,
Wolfgang Nagele, Mark Townsley, and Abdussalam Baryun.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Informative References</span>
[<a id="ref-ANYCASTBOF">ANYCASTBOF</a>]
Deering, S., "IAB Anycast BOF Announcement", October 1999,
<<a href="http://www.ietf.org/mail-archive/web/ietf/current/msg11182.html">http://www.ietf.org/mail-archive/web/ietf/current/</a>
<a href="http://www.ietf.org/mail-archive/web/ietf/current/msg11182.html">msg11182.html</a>>.
<span class="grey">McPherson, et al. Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
[<a id="ref-DNS-DISC">DNS-DISC</a>] Durand, A., Hagino, J., and D. Thaler, "Well known site
local unicast addresses for DNS resolver", Work in
Progress, September 2002.
[<a id="ref-FanInfocom13">FanInfocom13</a>]
Fan, X., Heidemann, J., and R. Govindan, "Evaluating
Anycast in the Domain Name System", Proceedings of the
IEEE Infocom 2013, April 2013.
[<a id="ref-IMR9401">IMR9401</a>] RFC Editor, "INTERNET MONTHLY REPORT", January 1994,
<<a href="ftp://ftp.rfc-editor.org/in-notes/museum/imr/imr9401.txt">ftp://ftp.rfc-editor.org/in-notes/museum/imr/</a>
<a href="ftp://ftp.rfc-editor.org/in-notes/museum/imr/imr9401.txt">imr9401.txt</a>>.
[<a id="ref-MAGMA">MAGMA</a>] MAGMA (concluded), "Multicast and Anycast Group Membership
(MAGMA)", April 2006,
<<a href="http://www.ietf.org/wg/concluded/magma">http://www.ietf.org/wg/concluded/magma</a>>.
[<a id="ref-RFC0793">RFC0793</a>] Postel, J., "Transmission Control Protocol", STD 7, <a href="./rfc793">RFC</a>
<a href="./rfc793">793</a>, September 1981.
[<a id="ref-RFC1035">RFC1035</a>] Mockapetris, P., "Domain names - implementation and
specification", STD 13, <a href="./rfc1035">RFC 1035</a>, November 1987.
[<a id="ref-RFC1546">RFC1546</a>] Partridge, C., Mendez, T., and W. Milliken, "Host
Anycasting Service", <a href="./rfc1546">RFC 1546</a>, November 1993.
[<a id="ref-RFC1884">RFC1884</a>] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", <a href="./rfc1884">RFC 1884</a>, December 1995.
[<a id="ref-RFC2030">RFC2030</a>] Mills, D., "Simple Network Time Protocol (SNTP) Version 4
for IPv4, IPv6 and OSI", <a href="./rfc2030">RFC 2030</a>, October 1996.
[<a id="ref-RFC2101">RFC2101</a>] Carpenter, B., Crowcroft, J., and Y. Rekhter, "IPv4
Address Behaviour Today", <a href="./rfc2101">RFC 2101</a>, February 1997.
[<a id="ref-RFC2373">RFC2373</a>] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", <a href="./rfc2373">RFC 2373</a>, July 1998.
[<a id="ref-RFC2439">RFC2439</a>] Villamizar, C., Chandra, R., and R. Govindan, "BGP Route
Flap Damping", <a href="./rfc2439">RFC 2439</a>, November 1998.
[<a id="ref-RFC2526">RFC2526</a>] Johnson, D. and S. Deering, "Reserved IPv6 Subnet Anycast
Addresses", <a href="./rfc2526">RFC 2526</a>, March 1999.
[<a id="ref-RFC2893">RFC2893</a>] Gilligan, R. and E. Nordmark, "Transition Mechanisms for
IPv6 Hosts and Routers", <a href="./rfc2893">RFC 2893</a>, August 2000.
<span class="grey">McPherson, et al. Informational [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
[<a id="ref-RFC2902">RFC2902</a>] Deering, S., Hares, S., Perkins, C., and R. Perlman,
"Overview of the 1998 IAB Routing Workshop", <a href="./rfc2902">RFC 2902</a>,
August 2000.
[<a id="ref-RFC2991">RFC2991</a>] Thaler, D. and C. Hopps, "Multipath Issues in Unicast and
Multicast Next-Hop Selection", <a href="./rfc2991">RFC 2991</a>, November 2000.
[<a id="ref-RFC3056">RFC3056</a>] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
via IPv4 Clouds", <a href="./rfc3056">RFC 3056</a>, February 2001.
[<a id="ref-RFC3068">RFC3068</a>] Huitema, C., "An Anycast Prefix for 6to4 Relay Routers",
<a href="./rfc3068">RFC 3068</a>, June 2001.
[<a id="ref-RFC3258">RFC3258</a>] Hardie, T., "Distributing Authoritative Name Servers via
Shared Unicast Addresses", <a href="./rfc3258">RFC 3258</a>, April 2002.
[<a id="ref-RFC3513">RFC3513</a>] Hinden, R. and S. Deering, "Internet Protocol Version 6
(IPv6) Addressing Architecture", <a href="./rfc3513">RFC 3513</a>, April 2003.
[<a id="ref-RFC3775">RFC3775</a>] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support
in IPv6", <a href="./rfc3775">RFC 3775</a>, June 2004.
[<a id="ref-RFC3882">RFC3882</a>] Turk, D., "Configuring BGP to Block Denial-of-Service
Attacks", <a href="./rfc3882">RFC 3882</a>, September 2004.
[<a id="ref-RFC3964">RFC3964</a>] Savola, P. and C. Patel, "Security Considerations for
6to4", <a href="./rfc3964">RFC 3964</a>, December 2004.
[<a id="ref-RFC4033">RFC4033</a>] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", <a href="./rfc4033">RFC</a>
<a href="./rfc4033">4033</a>, March 2005.
[<a id="ref-RFC4085">RFC4085</a>] Plonka, D., "Embedding Globally-Routable Internet
Addresses Considered Harmful", <a href="https://www.rfc-editor.org/bcp/bcp105">BCP 105</a>, <a href="./rfc4085">RFC 4085</a>, June
2005.
[<a id="ref-RFC4213">RFC4213</a>] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
for IPv6 Hosts and Routers", <a href="./rfc4213">RFC 4213</a>, October 2005.
[<a id="ref-RFC4291">RFC4291</a>] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", <a href="./rfc4291">RFC 4291</a>, February 2006.
[<a id="ref-RFC4330">RFC4330</a>] Mills, D., "Simple Network Time Protocol (SNTP) Version 4
for IPv4, IPv6 and OSI", <a href="./rfc4330">RFC 4330</a>, January 2006.
[<a id="ref-RFC4339">RFC4339</a>] Jeong, J., "IPv6 Host Configuration of DNS Server
Information Approaches", <a href="./rfc4339">RFC 4339</a>, February 2006.
<span class="grey">McPherson, et al. Informational [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
[<a id="ref-RFC4610">RFC4610</a>] Farinacci, D. and Y. Cai, "Anycast-RP Using Protocol
Independent Multicast (PIM)", <a href="./rfc4610">RFC 4610</a>, August 2006.
[<a id="ref-RFC4732">RFC4732</a>] Handley, M., Rescorla, E., and IAB, "Internet Denial-of-
Service Considerations", <a href="./rfc4732">RFC 4732</a>, December 2006.
[<a id="ref-RFC4778">RFC4778</a>] Kaeo, M., "Operational Security Current Practices in
Internet Service Provider Environments", <a href="./rfc4778">RFC 4778</a>, January
2007.
[<a id="ref-RFC4786">RFC4786</a>] Abley, J. and K. Lindqvist, "Operation of Anycast
Services", <a href="https://www.rfc-editor.org/bcp/bcp126">BCP 126</a>, <a href="./rfc4786">RFC 4786</a>, December 2006.
[<a id="ref-RFC4861">RFC4861</a>] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", <a href="./rfc4861">RFC 4861</a>,
September 2007.
[<a id="ref-RFC4862">RFC4862</a>] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", <a href="./rfc4862">RFC 4862</a>, September 2007.
[<a id="ref-RFC4892">RFC4892</a>] Woolf, S. and D. Conrad, "Requirements for a Mechanism
Identifying a Name Server Instance", <a href="./rfc4892">RFC 4892</a>, June 2007.
[<a id="ref-RFC4924">RFC4924</a>] Aboba, B. and E. Davies, "Reflections on Internet
Transparency", <a href="./rfc4924">RFC 4924</a>, July 2007.
[<a id="ref-RFC4942">RFC4942</a>] Davies, E., Krishnan, S., and P. Savola, "IPv6 Transition/
Co-existence Security Considerations", <a href="./rfc4942">RFC 4942</a>, September
2007.
[<a id="ref-RFC5001">RFC5001</a>] Austein, R., "DNS Name Server Identifier (NSID) Option",
<a href="./rfc5001">RFC 5001</a>, August 2007.
[<a id="ref-RFC5905">RFC5905</a>] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network
Time Protocol Version 4: Protocol and Algorithms
Specification", <a href="./rfc5905">RFC 5905</a>, June 2010.
[<a id="ref-RFC5909">RFC5909</a>] Combes, J-M., Krishnan, S., and G. Daley, "Securing
Neighbor Discovery Proxy: Problem Statement", <a href="./rfc5909">RFC 5909</a>,
July 2010.
[<a id="ref-RFC6071">RFC6071</a>] Frankel, S. and S. Krishnan, "IP Security (IPsec) and
Internet Key Exchange (IKE) Document Roadmap", <a href="./rfc6071">RFC 6071</a>,
February 2011.
[<a id="ref-RFC6275">RFC6275</a>] Perkins, C., Johnson, D., and J. Arkko, "Mobility Support
in IPv6", <a href="./rfc6275">RFC 6275</a>, July 2011.
<span class="grey">McPherson, et al. Informational [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
[<a id="ref-RFC6382">RFC6382</a>] McPherson, D., Donnelly, R., and F. Scalzo, "Unique Origin
Autonomous System Numbers (ASNs) per Node for Globally
Anycasted Services", <a href="https://www.rfc-editor.org/bcp/bcp169">BCP 169</a>, <a href="./rfc6382">RFC 6382</a>, October 2011.
[<a id="ref-RFC6480">RFC6480</a>] Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", <a href="./rfc6480">RFC 6480</a>, February 2012.
[<a id="ref-RSSAC29">RSSAC29</a>] "RSSAC 29 Meeting Minutes", December 2007,
<<a href="http://www.icann.org/en/groups/rssac/meetings/rssac-29-en.pdf">http://www.icann.org/en/groups/rssac/meetings/</a>
<a href="http://www.icann.org/en/groups/rssac/meetings/rssac-29-en.pdf">rssac-29-en.pdf</a>>.
<span class="grey">McPherson, et al. Informational [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. IAB Members at the Time of Approval</span>
Bernard Aboba
Jari Arkko
Marc Blanchet
Ross Callon
Alissa Cooper
Joel Halpern
Russ Housley
Eliot Lear
Xing Li
Erik Nordmark
Andrew Sullivan
Dave Thaler
Hannes Tschofenig
<span class="grey">McPherson, et al. Informational [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc7094">RFC 7094</a> Arch Considerations of IP Anycast January 2014</span>
Authors' Addresses
Danny McPherson
Verisign, Inc.
12061 Bluemont Way
Reston, VA
USA
EMail: dmcpherson@verisign.com
Dave Oran
Cisco Systems
USA
EMail: oran@cisco.com
Dave Thaler
Microsoft Corporation
One Microsoft Way
Redmond, WA
USA
EMail: dthaler@microsoft.com
Eric Osterweil
Verisign, Inc.
12061 Bluemont Way
Reston, VA
USA
EMail: eosterweil@verisign.com
McPherson, et al. Informational [Page 22]
</pre>
|
