Re: Reliable Cloud host ?
From: William Herrin <bill () herrin us>
Date: Tue, 28 Feb 2012 13:22:14 -0500

On Tue, Feb 28, 2012 at 9:02 AM, Jared Mauch <jared () puck nether net> wrote:
> On Feb 27, 2012, at 2:53 PM, Valdis.Kletnieks () vt edu wrote:
>> On Mon, 27 Feb 2012 14:02:04 EST, William Herrin said:
>>
>>> The net result is that when you switch the IP address of your server,
>>> a percentage of your users (declining over time) will be unable to
>>> access it for hours, days, weeks or even years regardless of the DNS
>>> TTL setting.
>>
>> Amen brother.
>>
>> So just for grins, after seeing William's I set up a listener on an address
>> that had an NTP server on it many moons ago. As in the machine was shut down
>> around 2002/06/30 22:49 and we didn't re-assign the IP address ever since
>> *because* it kept getting hit with NTP packets. Yes, a decade ago.
>>
>> In the first 15 minutes, 234 different IP's have tried to NTP to that address.
>
> I hereby reject the principle that one cannot renumber a
> host/name and move it.
> I reject the idea that you can't move a service, or have one
> MX, DNS, etc.. host be down and have it be fatal without
> something else being SERIOUSLY broken.  If you are right,
> nobody could ever renumber anything ever, nor take a
> service down ever in the most absolute terms.

Something else IS seriously broken. Several something elses actually:

1. DNS TTL at the application boundary, due in part to...

2. Pushing the name to layer 3 address mapping process up from layer 4
to layer 7 where each application has to (incorrectly) reinvent the
process, and...

3. A layer 4 protocol which overloads the layer 3 address as an
inseverable component of its transport identifier.

Even stuff like SMTP which took care to respect the DNS TTL in its own
standards gets busted at the back end: too many antispam process
components rely on the source IP address, crushing large scale servers
that suddenly appear, transmitting large amounts of email from a fresh
IP address.
Shockingly enough we have a strongly functional network despite this
brokenness. But, it's broken all the same and renumbering is majorly
impaired as a consequence.

Renumbering in light of these issues isn't impossible. An overlap
period is required in which both old and new addresses are operable.
The duration of that overlap period is not defined by the protocol
itself. Rather, it varies with the tolerable level of residual
brokenness, literally how many nines of users should be operating on
the new address before the old address can go away.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin () dirtside com  bill () herrin us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
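The overlap-period argument above turns on one measurement: what share of your clients has stopped touching the old address, and on which day that share crosses the "nines" you are willing to accept. The script below is an added illustration, not code from this thread or from any of its authors. It assumes a constructed connection log of the form `day client_ip server_ip` (sample lines are made up, using RFC 5737 documentation prefixes), treats a client that still hits the old address on a given day as not yet migrated even if it also used the new one, and reports the first day on which the migrated share meets the target.

```python
from collections import defaultdict

# Constructed sample connection records, not real logs: ISO day, client IP,
# server address the client reached. 192.0.2.1 is the old address,
# 203.0.113.1 the new one (both RFC 5737 documentation prefixes).
SAMPLE_LOG = """\
2012-03-01 198.51.100.10 192.0.2.1
2012-03-01 198.51.100.11 192.0.2.1
2012-03-01 198.51.100.12 203.0.113.1
2012-03-01 198.51.100.13 192.0.2.1
2012-03-02 198.51.100.10 203.0.113.1
2012-03-02 198.51.100.11 192.0.2.1
2012-03-02 198.51.100.12 203.0.113.1
2012-03-02 198.51.100.13 203.0.113.1
2012-03-02 198.51.100.13 192.0.2.1
2012-03-03 198.51.100.10 203.0.113.1
2012-03-03 198.51.100.11 203.0.113.1
2012-03-03 198.51.100.12 203.0.113.1
2012-03-03 198.51.100.13 203.0.113.1
"""

OLD_ADDR = "192.0.2.1"
NEW_ADDR = "203.0.113.1"


def parse_log(text):
    """Yield (day, client, server) tuples; blank and '#' comment lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, client, server = line.split()
        yield day, client, server


def daily_migrated_share(text, old_addr, new_addr):
    """Per day, the fraction of distinct clients that used only the new address.

    A client that touched the old address at all that day is still 'stuck',
    even if it also used the new one: retiring the old address would break it.
    Traffic to any other server address is ignored.
    """
    seen = defaultdict(lambda: defaultdict(set))  # day -> client -> {servers hit}
    for day, client, server in parse_log(text):
        if server in (old_addr, new_addr):
            seen[day][client].add(server)
    shares = {}
    for day in sorted(seen):
        clients = seen[day]
        migrated = sum(1 for servers in clients.values() if old_addr not in servers)
        shares[day] = migrated / len(clients)
    return shares


def nines_threshold(nines):
    """'Three nines' of users on the new address means a share of 1 - 10**-3 = 0.999."""
    return 1.0 - 10.0 ** (-nines)


def retirement_day(shares, nines):
    """First day whose migrated share meets the target, or None if it never does.

    None is the long tail Valdis and Jared describe: some clients never move,
    so the target you pick, not the DNS TTL, decides when the overlap ends.
    """
    threshold = nines_threshold(nines)
    for day in sorted(shares):
        if shares[day] >= threshold:
            return day
    return None


if __name__ == "__main__":
    shares = daily_migrated_share(SAMPLE_LOG, OLD_ADDR, NEW_ADDR)
    for day, share in shares.items():
        print(f"{day}: {share:.1%} of clients off the old address")
    print("old address can go away on:", retirement_day(shares, 2))
```

Run against real data, the interesting output is usually the `None` case: the share plateaus short of the target because of clients with the cached or hard-coded addresses described in the thread, and the operator has to choose which residual fraction to cut off rather than wait for the TTL to "expire" them.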

