 
nanog mailing list archives
Re: Suspecious anycast prefixes
From: David Miller <dmiller () tiggee com>
Date: Thu, 05 May 2011 09:43:52 -0400
On 5/5/2011 8:59 AM, Danny McPherson wrote:
> On May 3, 2011, at 6:17 AM, Bill Woodcock wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On May 2, 2011, at 12:35 PM, Joe Abley wrote:
>>> It's perhaps worth noting that there is work in the IETF to recommend that every prefix originated as part of an anycast cloud uses a unique origin AS (see <http://tools.ietf.org/html/draft-ietf-grow-unique-origin-as-00>). I'm not personally convinced of the arguments in the draft, but mentioning it in this thread seems reasonable.
>>
>> I'm also not convinced of the arguments in the draft, since it argues that it would be a best-practice
>
> 'A', not 'the', for the reasons conveyed in the draft (e.g., control plane discriminator, RPKI foundations, etc..). If you don't like it, don't do it, it's certainly easier to not do it.
>
>> for me to originate my address space from more than 8,000 different ASNs,
>
> 8000 is a very large number.
>
>> when I currently do just fine advertising it from three.
>
> "You" as a service operator do just fine, and it's surely much simpler from a configuration and provisioning standpoint. But what about those folks that consume the service, and have no indication of which node they may be utilizing from an Internet control plane perspective, or all the associated derivatives?

In a properly functioning system - folks that consume the service don't need to know which node they are utilizing.
Providing the capability for well behaved customers to select/prefer a particular node over another would also allow evildoers to select/prefer a particular node over others - thereby increasing the attack surface of this node, yes?
Not a fan.

>> I'd much rather there not exist a document that clueless people can point at and claim is a "best common practice" when it's neither best nor common.
>
> 'clueless people' wouldn't care which node they utilize, where it resides, or what other attributes might exist and be associated with it. Providing a discriminator in the control plane for the consumer of critical network services might well be of utility to some.
>
> -danny


