Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Leo Bicknell]

In a message written on Fri, Sep 30, 2011 at 10:51:58AM -0400, Christopher 
Morrow wrote:
> the troubleshooting though with something like unique origin is
> 'simpler' for them: "Oh, as27 is NYC, as37 is WDC... why is Newark
> seeing WDC as the best path?"

I'm not sure I get it.

Unique origin ASN output (simplified)

  10.1.2.3/32
65000
65001
*   65002 (Best)
65003 65001

So we know it's coming from site 65002.

Using the F-Root model, with an origin of 65999 for the Anycast routes:

  10.1.2.3/32
65000 65999
65001 65999
*   65002 65999 (Best)
65003 65001 65999

We still know it's coming from site 65002 by just looking.  I have a
hard time calling one "simpler" than the other, indeed I would call them
pretty darn equal.

But here's the difference, let's say I have 20 Anycasted routes for
different services, but I originate them all from 65999, I can see the
status of all 20 with:

show bgp ipv4 uni regexp _65999$

I'll get 20 lines, showing me how each virtual is routed.

With a unique origin ASN configuration, to get the same info for 20
routes I would need 20 lines like:

show bgp ipv4 uni 10.1.2.3/32
show bgp ipv4 uni 10.1.2.4/32
show bgp ipv4 uni 10.2.2.1/32

And so on, or have the discipline to keep them all in one netblock so:

show bgp ipv4 uni 10.1.2.3/24 longer-prefixes

produces useful output.

Thus I think I can make a good argument that having a consistent
origin ASN makes troubleshooting easier when you have multiple
Anycast routes, because you can select the entire set of routes by
origin ASN.

-- 
Leo Bicknell; E-mail: bickn...@isc.org, Phone: +1 650 423 1358
INOC*DBA *3357*592; Internet Systems Consortium, Inc.  www.isc.org
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Christopher Morrow]

On Fri, Sep 30, 2011 at 10:20 AM, Leo Bicknell  wrote:
> In a message written on Fri, Sep 30, 2011 at 12:40:24AM -0400, Christopher 
> Morrow wrote:
>> keep in mind that 'enterprises' may be deploying anycast services
>> inside their wan's, NOT publicly visible... What advice would you give
>> them in such a situation?
>
> Just to level set here, I'm assuming you mean a large enterprise
> using something like a MPLS L3VPN service, and thus running BGP
> with their service provider inside the VPN to communicate routing

that's one option, enterprises come in lots of flavors... I've seen
them with mpls-vpn cores and with leased line cores and with
ipsec-over-internet cores. (I'm sure you have as well)

> information.  I clarify, because if it's a simpler IGP only Enterprise
> I don't think much of anything we've been discussing makes any
> difference, drop it in the IGP and be done.

sure.

>
> I think, basically, most of what we've discussed does not apply.
> If it really is a private network there will be no third parties
> doing route monitoring.  The chance of a rogue ASN injecting the
> route is near zero.  The provider of the service is also the end

the troubleshooting though with something like unique origin is
'simpler' for them: "Oh, as27 is NYC, as37 is WDC... why is Newark
seeing WDC as the best path?"

> user of the service, and has control of virutally every routing
> device in the middle, so there are a multitude of ways they could
> monitor and troubleshoot.  There will be no external services doing
> things like inconsistent asn reports.

true, we hope.

> Personally I would still originate all of my Anycast from a private
> ASN (a la what F does with 3557) for the sole reason that then the
> announcement is consistent, thus "show bgp ipv4 unicast inconsistent-as"
> actually produces useful output.  While it is far less likely to
> be used in an enterprise context, it is far more likely to be useful
> when it is used given the end to end control.  If the enterprise
> migrates routes from one site to another (e.g. virtuals in a data
> center move) the command will show if they are coming from two
> different sites quickly and easily.

you are highlighting one troubleshooting technique, yes. I highlighted
another. potato/potatoe. Again, for 'smart folks' who know their
service inside/out they'll figure this out on their own. For a new
deployment, however, some guidelines seem like a good plan.

> Honestly though, if I were providing recomendations to an enterprise
> I would likely encourage them not to run Anycast.  They control the
> end clients.  They can configure the clients for even better
> redundancy than Anycast provides given a little thought.  Plus, as
> you said, enterprises tend not to be staffed with super-bgp-ninjas,
> and so giving them something outside the CCNA traning class is not
> a good idea.

:) but that network world article... I agree with you mostly, I've
seen some good uses of anycast internal to enterprises. Again, 'smart
people' and all of that.

>
> Anycast is best used when you don't control, or have limited control
> over the end clients.  For instance root operators get to provide
> 1 IP address in root.hints or in the root zone, which limits the
> ability to do redundancy with multiple IP adddresses...

dns servers exist for desktop/vpn clients in corporations too. maybe
it's a little 'all I have is a hammer', but it does work well.

-chris
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Leo Bicknell]

In a message written on Fri, Sep 30, 2011 at 12:40:24AM -0400, Christopher 
Morrow wrote:
> keep in mind that 'enterprises' may be deploying anycast services
> inside their wan's, NOT publicly visible... What advice would you give
> them in such a situation?

Just to level set here, I'm assuming you mean a large enterprise
using something like a MPLS L3VPN service, and thus running BGP
with their service provider inside the VPN to communicate routing
information.  I clarify, because if it's a simpler IGP only Enterprise
I don't think much of anything we've been discussing makes any
difference, drop it in the IGP and be done.

I think, basically, most of what we've discussed does not apply.
If it really is a private network there will be no third parties
doing route monitoring.  The chance of a rogue ASN injecting the
route is near zero.  The provider of the service is also the end
user of the service, and has control of virutally every routing
device in the middle, so there are a multitude of ways they could
monitor and troubleshoot.  There will be no external services doing
things like inconsistent asn reports.

Personally I would still originate all of my Anycast from a private
ASN (a la what F does with 3557) for the sole reason that then the
announcement is consistent, thus "show bgp ipv4 unicast inconsistent-as"
actually produces useful output.  While it is far less likely to
be used in an enterprise context, it is far more likely to be useful
when it is used given the end to end control.  If the enterprise
migrates routes from one site to another (e.g. virtuals in a data
center move) the command will show if they are coming from two
different sites quickly and easily.

Honestly though, if I were providing recomendations to an enterprise
I would likely encourage them not to run Anycast.  They control the
end clients.  They can configure the clients for even better
redundancy than Anycast provides given a little thought.  Plus, as
you said, enterprises tend not to be staffed with super-bgp-ninjas,
and so giving them something outside the CCNA traning class is not
a good idea.

Anycast is best used when you don't control, or have limited control
over the end clients.  For instance root operators get to provide
1 IP address in root.hints or in the root zone, which limits the
ability to do redundancy with multiple IP adddresses...

-- 
Leo Bicknell; E-mail: bickn...@isc.org, Phone: +1 650 423 1358
INOC*DBA *3357*592; Internet Systems Consortium, Inc.  www.isc.org
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Danny McPherson]

On Sep 30, 2011, at 12:40 AM, Christopher Morrow wrote:

> in the vein of 'new deployment folks may want to shortcut all of the
> bad lessons everyone else learned'

Indeed.. 

I understand the concern about "don't attempt to force me to do this" with a 
BCP track document- that is certainly not the intention was was attempted to
be conveyed in the document text as is - and I am completely open to 
documenting 
other deployment models and contrasting the benefits and trade-offs of each, 
that's the whole reason for this WG.  However, I will also note that this 
isn't just about folks that operate those services, it's also about folks who 
rely on or monitor the services they operate, as previously outlined.

That said, there were many requests for feedback and the WG and IETF last call 
process for IETF BCPs is well know -- I do see now that I didn't respond 
expressly 
to John's comments from last year, and although I don't think they would have 
changed my personal recommendations, and they didn't appear to sway the WG as 
provided in the mailing list archives, perhaps his concerns could have been 
better 
considered and accommodated in the text (of course, that's always the case in
instances like this, but I like John ;-).

Let me circle back with the chairs and see if we can find an amenable 
path forward here, and if it's not to late to at least hit the pause button
on publication of this documents as-is until we consider the broader 
feedback.

-danny


___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Christopher Morrow]

in the vein of 'new deployment folks may want to shortcut all of the
bad lessons everyone else learned'

On Thu, Sep 29, 2011 at 4:20 PM, Leo Bicknell  wrote:

> So the question to ask is, do we have a good reason to strongly
> encourage all new Anycast deployments to be in this model, as opposed to
> the alternative models?

keep in mind that 'enterprises' may be deploying anycast services
inside their wan's, NOT publicly visible... What advice would you give
them in such a situation?

I suppose my point is/was/will-be that documenting a path that's not
insane, works, could help new folks isn't bad. I agree that there are
2-3-17 ways this is currently deployed, each has their similarities,
troublepoints and wins... I fall back on the fact that most of these
are operated by very smart folk who know the innards of their
deployment/scenario (and the larger internet in most cases) very, very
well. As you say leo, telling them 'change your ways!!' is just not
sensible.

-chris

(keeping in mind that often enterprise IT folks are not
super-bgp-ninjas like leo...)
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Leo Bicknell]

In a message written on Thu, Sep 29, 2011 at 03:04:03PM -0500, John Kristoff 
wrote:
> It seems to me this is VeriSign trying to document a BCP that works for
> them and may work for others.  So perhaps it is just the BCP status
> that is disconcerting?

That may be part of it.  At the risk of offending the group (since
many of them came out of here, I suspect) I believe many of the
"BCP" documents are more like "AWTDI" documents, A Way To Do It.

Look, anyone who's deployed a hundred nodes of Anycast, be it
Verisign or ISC, or any other, isn't going to change the deployment
without a really, really good reason.  If it's already deployed,
it's going to stay that way.

When writing a BCP, I think the target audence is folks who don't
do this at all.  The guy who's deploying the technology for the
first time, and looking for the wisdom of those with beards longer
and greyer than their own.  To that end, if there are three ways
to do it, each with pros and cons but no clear winner we should
document the three ways and say "pick one that fits you", not pick
one of them document it as "best" and then ignore the other two.

So the question to ask is, do we have a good reason to strongly
encourage all new Anycast deployments to be in this model, as opposed to
the alternative models?

-- 
Leo Bicknell; E-mail: bickn...@isc.org, Phone: +1 650 423 1358
INOC*DBA *3357*592; Internet Systems Consortium, Inc.  www.isc.org
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[John Kristoff]

On Thu, 29 Sep 2011 19:07:06 +
Leo Bicknell  wrote:

> time. I think the question is if anyone else on the list cares one
> way or another, because if no other opinions have been changed we
> might as well stop.

I often play contrarian or skeptic, if not an honest critic when I take
the time to review a proposal such as this.  My review posted to this
list almost a year ago resulted in no responses or changes in the
draft.  While I didn't find the initial draft as written very convincing
of BCP status, I don't feel strongly about it one way or another to
argue for changes.

It seems to me this is VeriSign trying to document a BCP that works for
them and may work for others.  So perhaps it is just the BCP status
that is disconcerting?

John
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Christopher Morrow]

jumping in in the middle...

On Thu, Sep 29, 2011 at 3:07 PM, Leo Bicknell  wrote:
> In a message written on Thu, Sep 29, 2011 at 11:22:45AM -0400, Danny 
> McPherson wrote:
>> With normal unicast there's a single tree for the prefix in the routing
>> system, while anycasting inherently introduces a polytree for the prefix.
>> However, anycasting with a common origin AS creates a 'pseudo AS' at the
>> root of the graph (i.e., the illusion of a single tree).  By doing what
>> you describe, you force anyone doing routing system analysis to know 'a
>> priori' which prefixes employ a pseudo AS at the root of the tree - only
>> so that they can step deeper into the tree, to the actual polytree roots,
>> and then evaluate the adjacent nodes of those roots.  This is particularly
>> problematic when new nodes are introduced to the system.
>
> I'm sure you have studied this in great detail, and so I will simply
> assume you're correct that the method described is easier when
> writing a program to find hijacked routes.
>
> However, that is a small part of operating an Anycast system.  Far
> more frequently than I help folks find hijacked routes (which are
> fortunately rare) I help troubleshoot ordinary performance problems.
> It's far easier for me to say "send me show ip bgp regex _3557$"
> and get all the info I need than send a list of routes (3 in our
> case) or local ASN's (about 55 in our case).  The same goes for
> when I'm looking at various looking glasses to see what is going
> on.
>

it sounds like for the case of (for example) Leo troubleshooting
specific ISC problems one method he has works well. (and if you see
F-root originated from anything BUT 3557 you KNOW there's a problem..
again, as an example he could have 25 asns for this, but I'm assuming
1)

For a more generic problem that Danny/authors are attempting to make
simpler, each 'anycast service' would have it's own group of asn's
which would correlate to a set of both transits/peers AND geographic
locations... So, (again as a purely hypothetical example) A-root from
AS12 behind AS4134 seen in London is likely far, far less happy
than A-root from AS12 behind AS9150 in London. Also, A-root from
AS15169 anywhere is just bad news... (again, making up an example of
both 'location aware' troubleshooting for performance and one for
'mis-originated')

I don't think that the subject doc was intended to force compliance in
one way or the other, just to document one possibly reasonable method
to do anycast service hosting (and show how it is considered
reasonable).

Smart operators of services likely already have lots of these guts for
themselves done, if it works don't fix it.

-chris
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Leo Bicknell]

In a message written on Thu, Sep 29, 2011 at 11:22:45AM -0400, Danny McPherson 
wrote:
> With normal unicast there's a single tree for the prefix in the routing 
> system, while anycasting inherently introduces a polytree for the prefix.  
> However, anycasting with a common origin AS creates a 'pseudo AS' at the 
> root of the graph (i.e., the illusion of a single tree).  By doing what 
> you describe, you force anyone doing routing system analysis to know 'a 
> priori' which prefixes employ a pseudo AS at the root of the tree - only 
> so that they can step deeper into the tree, to the actual polytree roots, 
> and then evaluate the adjacent nodes of those roots.  This is particularly 
> problematic when new nodes are introduced to the system.

I'm sure you have studied this in great detail, and so I will simply
assume you're correct that the method described is easier when
writing a program to find hijacked routes.

However, that is a small part of operating an Anycast system.  Far
more frequently than I help folks find hijacked routes (which are
fortunately rare) I help troubleshoot ordinary performance problems.
It's far easier for me to say "send me show ip bgp regex _3557$"
and get all the info I need than send a list of routes (3 in our
case) or local ASN's (about 55 in our case).  The same goes for
when I'm looking at various looking glasses to see what is going
on.

I also think, and this is totally subjective, that it is easier to
explain to folks on the phone, particularly folks with no Anycast
experience.  They can just pretend in their mind that 3557 is one
big global network that peers in a lot of places and their mental
image is complete.

So even if I spot you that it makes it easier for a third party to
programmatically detect hijacks I don't think that's enough alone
to rise to calling this method the "best current practice", which
is the path this draft is on.  It has impacts on day to day operations
(including things like the inconsistent asn reports) that also need
to be weighed.

But, I think we've both overmade our points.  I also realize I was late
to this game, you can't watch everything in every group all the time.
I think the question is if anyone else on the list cares one way or
another, because if no other opinions have been changed we might as well
stop.

-- 
Leo Bicknell; E-mail: bickn...@isc.org, Phone: +1 650 423 1358
INOC*DBA *3357*592; Internet Systems Consortium, Inc.  www.isc.org
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Danny McPherson]

On Sep 29, 2011, at 9:35 AM, Leo Bicknell wrote:
> 
> Ok, fair enough.  So let's ask the direct question:
> 
>  Would it not be even better then for them to have a unique origin
>  ASN, and publish the list of paths that originate the route,
>  achieving the same result without needing to have an inconsistent
>  origin?

With normal unicast there's a single tree for the prefix in the routing 
system, while anycasting inherently introduces a polytree for the prefix.  
However, anycasting with a common origin AS creates a 'pseudo AS' at the 
root of the graph (i.e., the illusion of a single tree).  By doing what 
you describe, you force anyone doing routing system analysis to know 'a 
priori' which prefixes employ a pseudo AS at the root of the tree - only 
so that they can step deeper into the tree, to the actual polytree roots, 
and then evaluate the adjacent nodes of those roots.  This is particularly 
problematic when new nodes are introduced to the system.

I don't see how this is simpler.  

-danny

___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Leo Bicknell]

In a message written on Thu, Sep 29, 2011 at 09:27:57AM -0400, Danny McPherson 
wrote:
> I never said "does not require any pre-knowledge".  As a matter of fact,  
> what I said, and what the draft says, is that with unique origins the 
> services operator _could publish in a well-known location a list of origin 
> ASNs for a given prefix and the feasible adjacent upstreams for each ASN.  
> With that information network operators can make informed decisions about 
> the legitimacy of a new path in the routing system for a critical Internet
> services prefix.

Ok, fair enough.  So let's ask the direct question:

  Would it not be even better then for them to have a unique origin
  ASN, and publish the list of paths that originate the route,
  achieving the same result without needing to have an inconsistent
  origin?

Seems like that would be a quick change to the draft...

And couldn't the entire draft thus be greatly simplifed to a single
paragraph?

  Anycast operators SHOULD publish a list of all valid AS-Paths to reach
  their Anycast service to aid in the detection of routing leaks.

I suppose bonus points if we could agree on a method for publishing
(RPSL?).

-- 
Leo Bicknell; E-mail: bickn...@isc.org, Phone: +1 650 423 1358
INOC*DBA *3357*592; Internet Systems Consortium, Inc.  www.isc.org
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Danny McPherson]

On Sep 29, 2011, at 9:06 AM, Leo Bicknell wrote:
> 
> Seriously, show me an algorythm to find a leak for a Anycast service
> that does not require any pre-knowledge about how the Anycast service is
> configured.  I submit such a thing does not exist.

I never said "does not require any pre-knowledge".  As a matter of fact,  
what I said, and what the draft says, is that with unique origins the 
services operator _could publish in a well-known location a list of origin 
ASNs for a given prefix and the feasible adjacent upstreams for each ASN.  
With that information network operators can make informed decisions about 
the legitimacy of a new path in the routing system for a critical Internet
services prefix.

Today, a prefix and common origin can appear from anywhere and network 
operators have no indication of whether it is feasible or not (I know of 
at least two occurrences of this that have impacted consumers), and operators 
have very little to inform them as to how to detect rogue nodes or malicious 
paths, and nothing to apply policy to a path known to be undesirable, or how 
to determine if a new node is legitimate or not.

These static policies in no way provide the long-term fix, but in the 
interim they provide a routing system discriminator and visibility to 
operators.  If you don't believe a discriminator in the routing system 
for anycasted prefixes is useful, well, duly noted.

-danny
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Leo Bicknell]

In a message written on Wed, Sep 28, 2011 at 09:35:55PM -0400, Danny McPherson 
wrote:
> Simply put, if detection or policies can't be defined (discriminated) 
> based on authorized origin and a single upstream adjacent AS alone then 
> adjacent ASes and upstreams need to be codified.  If the origins are 
> consistent in all locations and adjacent ASes are unique per location 
> via the same operator, the origin, adjacent ASes, and upstream adjacent 
> sets all need to be enumerated in detection or routing policies for the 
> prefix, that's the only way you can find a unique discriminator in the 
> set to key off of.

I think I see where your world view and mine do not match.

In a world where an Anycast service contracts with 4-8 upstream
networks for transit they can easily enumerate all of the paths
that might appear, and send it to someone.

In a world where an Anycast service peers with a large number of
networks, this is totally impractical.

If I wanted to list the full set of possible paths by which you
might see F-Root that list would be about 3,000 ASN's long right
now.  I suspect you don't notice that because we also make generous
use of no-export both directly and indirectly, meaning a lot of
these paths may not be visible to you, from your vantage point.

I find, and track down (mostly innocent) route leaks of F on a
weekly basis due to our rich peering.  I can honestly say, for us,
the approch you describe would not make things one bit easier for
me.  

> But it can't today!  Again, the very application of a common origin 
> in all locations for a given prefix, and the thought that that prefix 
> might well appear in some new place with the same origin and a new 
> upstream AS, or escape outside of it's intended catchment illustrates 
> just the problem.  I.e., if it's leaked or hijacked how the heck would 
> anyone know?

I have no idea how anyone, other than the operator of the service
would know.  In all proposed configurations the operator of the
service knows how they configured it, and is the only one qualified
to diagnose.

Simply: A third party cannot know if the route is legitimate unless the
Anycast operator tells them.

If the operator must enumerate all paths anyway, the difference
between your proposal and say the way F does it is the +1 ASN (N
for your proposal, N+1 for F), but the list of paths is exactly the
same length, N.  That one extra ASN means inconsistent origin isn't
required.

So the operator can provide a list of N things in your proposal, or the
same N things the way F does it, except our way doesn't go against the
tradition of inconsistent origin being a "bad" thing.  Indeed, I can
write the vi transform easily:

   s/$/ 3557/

It's my hope that in the future DNSSEC, SecureBGP, RPKI, or some other
out of band (to the routing system) method will be able to verify, but
until then this proposal doesn't advance things.

> > I see many of the arguments for this proposal were that it helped
> > in diagnostic capabilities.  Yet in all of the GROW archives I have
> > read so far, and in the RFC itself I do not see a single example
> > of how this configuration leads to faster/more accurate troubleshooting
> > than say the F-Root model.  
> 
> OK, re-read the draft, and read the responses above, perhaps they help
> clarify.

Not really.  An example would be:

router> show ..

>>> This line has foo and bar in it, which mean a leak.

Seriously, show me an algorythm to find a leak for a Anycast service
that does not require any pre-knowledge about how the Anycast service is
configured.  I submit such a thing does not exist.

If it doesn't, this draft does not advance anything, it recommends
one method out of many with no particular advantage, and at least one
easy to document disadvantage (inconsistent origin).

-- 
Leo Bicknell; E-mail: bickn...@isc.org, Phone: +1 650 423 1358
INOC*DBA *3357*592; Internet Systems Consortium, Inc.  www.isc.org
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Leo Bicknell]

In a message written on Wed, Sep 28, 2011 at 06:25:47PM -0400, Danny McPherson 
wrote:
> The timing of your responses is unfortunate, given that this document 
> has been with the RFC Editor for a while now, and essentially just 
> completed AUTH-48 state.  That said, IMO I do not believe your issues, 
> addressed individually below, would materially influence the current 
> content of the document either way.

I agree the timing is unfortunate, but wanted to comment to be on
record that I don't feel this documents the "Best Current Practice",
which I believe is the point of the exercise.  I feel bad when the
industry recommends to the uninformed a method that may not be the
best.

Having read all the back posts I can find, I think I see part of the
disconnect.

There appears to be two kinds of identification at work here.  There
is identifing the Anycast node that is serving a particular customer,
and then there is identifing if the route should be originated from
a particular node.  It is my feeling that more discussion was given
to the second part in the previous reviews of this draft, while my
response focused almost entirely on the first part.

With respect to detecting hijacked routes I think this proposal is
totally backwards.  There have been efforts in the RIR community
to track the origin ASN of a prefix
(https://www.arin.net/policy/proposals/2006_3.html), which only
allow a single origin ASN to be specified.  Research has been done
on inconsistent-origin ASN's with interesting results
(http://www.routeviews.org/papers/nanog_origin.pdf).  Several of
the BGP monitoring services only allow a single origin ASN when
monitoring a route.  The IETF's own documents recommend using a
consistent origin ASN for troubleshooting purposes
(http://www.ietf.org/rfc/rfc4116.txt, section 3.1.2.2).

The document requires N ASN's, where N is the number of "sites"
in the Anycast cloud.  ISC's current method with F-Root requires a
scant N+1 ASN's, using the +1 to be the consistent origin ASN.  This
is far easier to input into many of the tools (listing one origin
ASN, rather than hundreds), and easier to explain to other operators
(if F isn't originated from 3557, it's wrong).

However, I think the most interesting and relevant quote comes out of
http://irl.cs.ucla.edu/papers/originChange.pdf:

  Only the origin itself (UCLA in our example) could easily and
  accurately distinguish be- tween a legitimate origin change and a prefix
  hijack [4].

The fact is there is no way to detect these events without some
knowledge.  You either have to know the list of valid ASN's (likely
only the origator does), or rely on them to publish you the
information.  Given groups like ARIN are now collecting (a single)
origin ASN with a route, there is a source for this data but only
if the origin is consistent.

In terms of advice to someone new to Anycast who wants to set up their
first cloud I think this is actively harmful advice.  They will find
that inconsistent origins do not square with the history of BGP
recommendations, the tools available today, or the expectations of those
on the other end of the phone.  I see no way such a method could be
called Best Current Practice.

Now, with that out of the way we can return to the more end user facing
problem of identifing an anycast node...

[Re point #1]

> In reading your comment, and the recent discussion of 
> draft-anycast-diagnostics.txt on dns...@ietf.org the last couple 
> of days, I do agree that the definition of "node" is perhaps 

The question is entirely how granular the information in the routing
system should be to enable the functionality this draft seeks to
enable.  For instance an ASN may have 100 servers Anycasted internally
with OSPF, that generates a single external route from that ASN
which is Anycasted with other ASN's.  What level of detection is
required to be useful?

[Re point #2]

> The utility of these reports is relative; I consider them of less utility 
> than you, and in fact largely because today prefixes are originated from 
> the same partitioned origin AS (e.g., the F-root model you outline and 
> similar models employed by many others) in multiple locations, and as a
> result routing system information provides no discriminators of utility
> to aid in visibility and diagnosis of routing problems based solely on 
> origin AS and identifiers for various services therein -- I'd prefer active
> data in the routing system providing this indication, hence the 
> recommendations in the draft.

I think before the IETF renders an entire set of reports useless with a
policy change it would be worth at least seeking out some of the users
of those reports and finding out why and how they use them.  I am
disturbed that none of the folks who commented appear to be users of
these reports, and yet are eager to make them useless.

No additional comment on point #3.

[Point #4]

> False.  Additional routes ("paths") for the prefixes in question exist 
> either way in

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Danny McPherson]

Regarding your "industry" and "uniformed" comment, I'm certain many 
folks who commented and reviewed and were involved in this effort have
as much operational experience as you and I alike, and given that 
this issue was conceived based on an operational issue observed with 
anycasted DNS operations by at least one operator with which I am 
intimately familiar, incidents that also impacted operations of 
services which you are likely intimately familiar, I suggest you 
find another card to play.

There was an operational trigger related to anycasted prefixes leaked 
outside of their intended catchment that lead to the development of 
this technique.  Obviously, the desire would be that any globally 
anycasted service resolve services universally, which was presumably 
the case at least at the origin servers, but when that is not what is
observed by the services consumer techniques to more rapidly identify 
and classify a given operational issue triggered by the routing system
issues within the routing system have real utility.

> There appears to be two kinds of identification at work here.  There
> is identifing the Anycast node that is serving a particular customer,
> and then there is identifing if the route should be originated from
> a particular node.  It is my feeling that more discussion was given
> to the second part in the previous reviews of this draft, while my
> response focused almost entirely on the first part.

No, I think the intention and discussion of this document was
precisely to that effect, and particularly to the case where 
anycasting deviates from traditional models of unicast services 
in that an autonomous system MAY be non-contiguous and MAY have 
multiple non-intuitive "autonomous" operations from many 
locations with a single origin AUTONOMOUS system number.  Providing 
a discriminator in the form of unique origin ASes at the routing 
layer to illustrate the variances is the objective here.

> With respect to detecting hijacked routes I think this proposal is
> totally backwards.  There have been efforts in the RIR community
> to track the origin ASN of a prefix
> (https://www.arin.net/policy/proposals/2006_3.html), which only
> allow a single origin ASN to be specified.  

False.

S 3.5.1: "This additional field will be used to record a list of the 
ASes that the user permits to originate address prefixes within the 
address block."

"list" == plural.

All additional discussion in the sub-bullets related to this item 
are clearly plural as well, as is all the RPKI-esque capabilities
(e.g., multiple ROAs for a given prefix) related to this topic to 
date.  

> Research has been done
> on inconsistent-origin ASN's with interesting results
> (http://www.routeviews.org/papers/nanog_origin.pdf).

Slide 4: The fact that 31% of the prefixes in that study, albeit 
a decade old, have inconsistent origins, nicely illustrates the 
lack of utility of inconsistent origin AS reporting.

Slide 6: Indictors for what's causes "Fluctuating" in the routing 
system would be far easier to identify and attribute if all anycasted 
sources were from unique origin ASes.  I.e., a discriminator in the
routing system for anycasted prefixes would aid in origin-based routing 
system analysis of anycasted prefixes.

Slide 20: Regarding flap damping, if per-path penalty models (rather 
than per-prefix) were employed unstable paths would not penalize the 
entire prefix (e.g., paths learned from stable nodes), could even 
optimize for origin only in the particular example.  Of course, per
path implementations would improve many other issues as well.

I see _nothing in this work that suggests unique origins are a bad 
idea, although I can certainly see attributes that could be further 
analyzed based on their work if unique origin ASes were used.

Can you be specific about something this technique would impair?

>  Several of
> the BGP monitoring services only allow a single origin ASN when
> monitoring a route.  The IETF's own documents recommend using a
> consistent origin ASN for troubleshooting purposes
> (http://www.ietf.org/rfc/rfc4116.txt, section 3.1.2.2).

Hence the need to discuss the technique in this document, where folks
who offer these services or build tools in house have not already 
adapted their policy and detection capabilities.  

That said, regarding: S.3.1.2.2: 

  "Operational troubleshooting is facilitated by the use of a consistent
   origin AS.  This allows import policies to be based on a route's true
   origin rather than on intermediate routing details, which may change
   (e.g., as transit providers are added and dropped by the multihomed
   site)."

Could definitely be argued inversely in that using unique upstream ASNs 
as a detection or policy trigger point (as you currently do) is more 
problematic from a policy perspective, it's certainly the case in routing 
policies and detection indicators I've attempted to enumerate.  

Simply put, if detection or policies can't be def

Re: [GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Danny McPherson]

Leo, 
I'm not going to comment on your blog, I have cc'd you on this 
message directly and would encourage you to join the mailing list 
and share your views on topics like this into the future.  

The timing of your responses is unfortunate, given that this document 
has been with the RFC Editor for a while now, and essentially just 
completed AUTH-48 state.  That said, IMO I do not believe your issues, 
addressed individually below, would materially influence the current 
content of the document either way.

In general, and as outlined in the document several times, if this 
doesn't accommodate your current operational model then you certainly
aren't required to use it; diversity is arguably an advantage of the 
current system.  That said, I stand by the recommendations in the 
document as providing utility to network operations.  

Regarding the five issues you did bring up on your blog:

-
1) ""Node" is not well defined.  For ISC a node is at least two servers, 
however if the method in the draft were to approximate the level of granularity 
found in the RFC 4892 method each server would need to have an ASN so it could 
be identified by routing.  This would require ISC to more than double the 
number of ASNs in use for F-Root."

In reading your comment, and the recent discussion of 
draft-anycast-diagnostics.txt on dns...@ietf.org the last couple 
of days, I do agree that the definition of "node" is perhaps 
ambiguous.  In hindsight, and for the reasons you outline, perhaps
this is a feature, as in my mind "node" could encompass one OR
more servers (e.g., 100s), and the routing architectures associated 
with those servers is left to the devises of the operator, but I'd 
expect that in most deployment models servers which share a common 
physical location and network connectivity model should certainly 
consider using the same routing domain identifier.

BTW: the draft does NOT say "each server == node", so in your example 
you could in aggregate actually use one less AS than you appear to be 
using today ;-)

-
2) "This method would all but render the various inconsistent-origin ASN 
reports available to be useless.  To remain relevant, these reports would need 
to white-list all Anycasted services so they do not appear on the reports which 
would be a significant additional burden.  These reports prove quite useful 
when networks with IP space, but without ASN's (or BGP) move from provider to 
provider."

The utility of these reports is relative; I consider them of less utility 
than you, and in fact largely because today prefixes are originated from 
the same partitioned origin AS (e.g., the F-root model you outline and 
similar models employed by many others) in multiple locations, and as a
result routing system information provides no discriminators of utility
to aid in visibility and diagnosis of routing problems based solely on 
origin AS and identifiers for various services therein -- I'd prefer active
data in the routing system providing this indication, hence the 
recommendations in the draft.

-
3) "There are other mechanisms already in place that provide this level of 
data, often with increased precision.  For instance, even if ISC were to drop 
the use of ASN 3557 and originate the service prefix from all of the local 
ASN's it would be impossible to identifiy a particular server via that method.  
ISC would continue to recommend using hostname.bind, the RFC 4892 mechanism, to 
identify F-Root servers; and would even view the RFC 5001 method as superior."

I don't see any additional "precision" in your model that's not already 
enumerated in the current document, e.g., "service level query capabilities" 
in the Introduction.  Both network and service level capabilities are useful, 
as conveyed in the current text.

-
4) "This mechanism would likely increase the size of the DFZ routing table.  
While an Anycast prefix would only take up a single routing slot entry in a BGP 
device, BGP devices must also consider the paths available to reach that 
prefix.  By creating more unique paths there will be increased memory 
consumption on all devices in the DFZ."

False.  Additional routes ("paths") for the prefixes in question exist 
either way in the respective Adj-RIBs-Ins throughout the routing system, 
as appropriate, and neither model should result in larger DFZ RIB or 
derived FIB sizes.  

On the other hand, as a purely academic exercise I think you could make a 
case that the extra path you add as a unique intermediate AS does consume 
additional Adj-RIB-In memory, as do any external elements that have to 
enumerate it and the common origin in AS-based routing or other 
policies  ;-)

-
5) "This mechanism is unlikely to help end users.  Many Internet end users 
don't receive BGP feeds.  Should their provider run a looking glass or similar 
service, it may not point to the same Anycast instance as the users connection 
due to the way that Anycast rout

[GROW] ISC Response to draft-ietf-grow-unique-origin-as

[Leo Bicknell]

ISC, operator of the F-Root nameserver was recently made aware of
draft-ietf-grow-unique-origin-as.  After some discussion internally
on the benefits and pitfalls of this method, as well as taking our
own operational experience with the F-Root Anycast instance I drafted
our thoughts into a blog post on our web site.

https://www.isc.org/community/blog/201109/origin-asn-anycasted-services

The short version is that we don't feel this provides any added
benefit over the method we currently use, but does come with a
number of down sides.  We would find it disappointing if this method
further eroded the usefulness of inconsistent origin ASN reports,
or caused increased routing table bloat.  Further, given we don't see
any benefits it is unlikely ISC would consider changing its current
practice as a result of this draft.

Note that I am not a member of the GROW mailing list.  Feel free
to reply to me directly or keep me CC'ed if you want discussion to
remain on the GROW list.

-- 
Leo Bicknell; E-mail: bickn...@isc.org, Phone: +1 650 423 1358
INOC*DBA *3357*592; Internet Systems Consortium, Inc.  www.isc.org


pgpapFdWCUPUA.pgp
Description: PGP signature
___
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow