On Mon, Mar 29, 2010 at 12:16 PM, RL Vaughn <[email protected]> wrote:
> On 3/29/10 9:53 AM, [email protected] wrote:
> >
> > http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas
> >
> > So was this a DNS or BGP issue? The reporter appears to be confused, or
> > was it the Arbor Networks talking head?
> It was a DNS issue. One host in i-root was providing incorrect answers.
> The reason for those incorrect answers is unknown but the solution was
> to remove the responsible host from the i-root anycast.
>

Anycast, of course, being a BGP technology that multihomes a single IP across multiple locations, exposing the "fastest endpoint" as per BGP calculations to any node on the net.

So it's both DNS and BGP.

The larger issue, which I guess nobody wants to talk about, is that the Internet is very much designed to be flat along certain dimensions. Anycast itself is a bit of a hack against that -- the same IP is not actually the same endpoint globally -- but at least presumably the backing organization behind the IP is supposed to be constant.

Even enterprise-level filtering does not violate this rule, because enterprises are *endpoints* and not *routing nodes* on the net. Scaling this sort of operation past the enterprise has scoping issues that ultimately, predictably, and unfixably lead to network instability.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
